RE: S2S VPN: why are static routes sometimes needed?

Will not having a default gateway on the inside interface casue this
problem?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, January 08, 2006 1:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?


http://www.ISAserver.org

In order to solve this question, you need to compare:
- windows routing table (route print)
- Windows IP configuration (ipconfig)
- ISA network object addresses

If there are *any* addresses defined in an ISA network address list that
disagree with the Windows routing table, you'll see these alerts.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Sunday, January 08, 2006 10:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

thanks for responding.
what you're saying makes sense to me, but what the error message is
talking
about is something else.
this is something that I don't see through "route print"
here is all the message:
------------------------------------------------------------------------
----
-------------------------------------------------
Description: ISA Server detected routes through adapter
InternalConnection
that do not correlate with the network element to which this adapter
belongs. For best practice, the address range of an ISA Server network
should match the address ranges routable through the associated network
adapter as defined in the routing table. Otherwise valid packets may be
dropped as spoofed. (This alert may occur momentarily when you create a
remote site network. You may safely ignore this message if it does not
reoccur.)  The address ranges in conflict are:
10.1.10.0-10.1.10.15;10.2.0.0-10.2.0.255;10.2.1.16-10.2.1.48;10.2.1.51-1
0.2.
1.55;10.2.1.64-10.2.1.80;10.2.1.83-10.2.2.255;10.2.5.0-10.2.16.51;10.2.1
6.53
-10.2.255.255;10.192.0.0-10.192.1.255;10.192.3.0-10.192.190.255;10.192.1
93.0
-10.192.255.255;10.249.0.0-10.249.1.4;10.249.1.6-10.249.2.255;10.249.4.0
-10.
249.4.255;10.249.6.0-10.249.6.255;10.249.8.0-10.249.9.255;10.249.12.0-10
.249
.255.255;10.254.237.0-10.254.245.255;10.254.255.0-10.254.255.255;172.16.
0.0-
172.16.252.255;172.16.254.0-172.16.255.255;192.168.0.0-192.168.19.255;19
2.16
8.30.0-192.168.99.255;192.168.115.0-192.168.118.255;192.168.135.0-192.16
8.13
5.255;192.168.137.0-192.168.141.255;192.168.161.0-192.168.162.255;192.16
8.16
6.0-192.168.166.255;192.168.168.0-192.168.168.255;192.168.182.0-192.168.
198.
255;192.168.200.0-192.168.200.255;192.168.211.0-192.168.211.255;192.168.
223.
0-192.168.223.255;192.168.225.0-192.168.225.255;192.168.236.0-192.168.24
4.25
5;192.168.246.0-192.168.247.255;192.168.249.0-192.168.253.255;192.168.25
5.0-
192.168.255.255;.
<br>ISA Server detected routes through adapter InternetConnection that
do
not correlate with the network element to which this adapter belongs.
For
best practice, the address range of an ISA Server network should match
the
address ranges routable through the associated network adapter as
defined in
the routing table. Otherwise valid packets may be dropped as spoofed.
(This
alert may occur momentarily when you create a remote site network. You
may
safely ignore this message if it does not reoccur.)  The address ranges
in
conflict are:
10.2.0.0-10.2.0.255;10.2.1.16-10.2.1.48;10.2.1.51-10.2.1.55;10.2.1.64-10
.2.1
.80;10.2.1.83-10.2.2.255;10.2.5.0-10.2.16.51;10.2.16.53-10.2.255.255;10.
192.
0.0-10.192.1.255;10.192.3.0-10.192.190.255;10.192.193.0-10.192.255.255;1
0.24
9.0.0-10.249.1.4;10.249.1.6-10.249.2.255;10.249.4.0-10.249.4.255;10.249.
6.0-
10.249.6.255;10.249.8.0-10.249.9.255;10.249.12.0-10.249.255.255;10.254.2
37.0
-10.254.245.255;10.254.255.0-10.254.255.255;172.16.0.0-172.16.252.255;17
2.16
.254.0-172.16.255.255;192.168.0.0-192.168.19.255;192.168.30.0-192.168.99
.255
;192.168.115.0-192.168.118.255;192.168.135.0-192.168.135.255;192.168.137
.0-1
92.168.141.255;192.168.161.0-192.168.162.255;192.168.166.0-192.168.166.2
55;1
92.168.168.0-192.168.168.255;192.168.182.0-192.168.198.255;192.168.200.0
-192
.168.200.255;192.168.211.0-192.168.211.255;192.168.223.0-192.168.223.255
;192
.168.225.0-192.168.225.255;192.168.236.0-192.168.244.255;192.168.246.0-1
92.1
68.247.255;192.168.249.0-192.168.253.255;192.168.255.0-192.168.255.255;1
0.1.
10.0-10.1.10.15;10.255.255.255-10.255.255.255;.
------------------------------------------------------------------------
----
-------------------------------------------------

Thanks

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Sunday, January 08, 2006 1:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?


http://www.ISAserver.org

Hi Roy,

I'm not sure I understand your question!?!?

If I'm the administrator of ISA-A, I define the remote network
192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30.
Now,
192.168.1.0/24 is a directly connected network. Why do I need to create
a
static route for 192.168.44.0/24 with Gateway 192.168.1.30 before it
works?

Thanks,
Stefaan

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: zondag 8 januari 2006 14:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi Stefaan,

Let us cencer on your initial diagrams you illustruated.
In case the S2S VPN is within the protected network of ISA, it would be
another story.

If your saying "The route decision should be made on the outer IP
header"
is correct, why you need to addup a static route from ISA-A to internal
network ID of ISA-B, then why you ask for this question??

Thanks,

Roy Tsao

> Hi Roy,
>
> You wrote "ISA decides route before processing ESP". That would be a
> very stupid way of determining the route! The route decision should be
> made on the outer IP header (the tunnel) and not on the inner IP
> header (the encapsulated traffic). In my case the remote tunnel
> endpoint is on a direct connected network. So, the router RTR
shouldn't be
envolved at all.
>
> As an example, two more diagrams were a S2S VPN connection is needed
> through a partner connection:
>
>                  +--- [RT1] --- Internet
> LAN --- [ISA] ---+
>                  +--- [RT2] --- Partner Network
>
>
> LAN --- [ISA] --- [RT1] --- Internet
>           !
>           +------ [RT2] --- Partner Network
>
>
> Thanks,
> Stefaan
>
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: zondag 8 januari 2006 9:24
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes
needed?
>
> http://www.ISAserver.org
>
>
> Hi Stefaan,
>
> After various lab test by me and also other ISA fans, we suspect in
our
> environment, you can add up a static route from upstream router to
ISA-B's
> external NIC. This is becuase
> - no route tale change at ISA after enable S2S IPsec Tunnel VPN
> - ISA decides route before processing ESP
> - ESP is sent based on fixed route when packet exit ISA.
> - when upstream router receive ESP heading for ISA-B's exernal NIC, it
has
> no route information at all!
>
> To addup a static route at ISA-A to ISA-B's internal network ID is one
of
> soultion based on above reason. However, is it more proper to set up
adjust
> route setting at upstream route? or any reason like security concern
is
> there making impossible?
>
> As for your 2nd test scenario, may I understand the failure is due to
> diabled packet relay at router side?
>
>
>
> > Hi Jim,
> >
> > OK, I took up the challenge and replaced ISA-B with a Windows 2003
> > RRAS server :-)
> >
> > With the help of
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I
> > configured an IPSec tunnel to the ISA-A. Guess what... you are
right!
> > I found exact the same behavior.
> >
> > I even simplified further the test environment as follows:
> >
> >                       192.168.1.0/24
> >                            vvv
> >   LAN-A -------- [ISA-A] ---+
> > 192.168.22.0/24         .10 !
> >                             +--- [RTR] --- Internet
> >                             !  .1
> >                         .30 !
> >   LAN-B -------- [ISA-B] ---+
> > 192.168.44.0/24
> >
> >
> > On ISA-A:
> > ---------
> >
> > Remote Site Network contains:
> > - 192.168.1.30/32
> > - 192.168.44.0/24
> >
> > If Default gateway = 192.168.1.1 then the static route
> > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > If Default gateway = 192.168.1.30 then no static routes are needed.
> >
> >
> > On ISA-B:
> > ---------
> >
> > Remote Site Network contains:
> > - 192.168.1.10/32
> > - 192.168.22.0/24
> >
> > If Default gateway = 192.168.1.1 then the static route
> > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > If Default gateway = 192.168.1.10 then no static routes are needed.
> >
> >
> > Thanks,
> > Stefaan
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: dinsdag 27 december 2005 21:23
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes
needed?
> >
> > http://www.ISAserver.org
> >
> > That is odd, but I'll bet you find that this behavior is the same
> > without ISA.
> > RRAS and the TCP/IP stack, not ISA, handle the actual packet
routing.
> >
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> > -----Original Message-----
> > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > Sent: Tuesday, December 27, 2005 4:58 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> >
> > http://www.ISAserver.org
> >
> > Hi,
> >
> > it seems that if a S2S VPN connection of type IPSec Tunnel is used
and
> > if the remote tunnel endpoint can't be reached through the default
> > gateway, then you need to create extra static routes for the remote
> > network ID's reachable through that remote tunnel endpoint. I don't
> > understand why this is needed? Take note that there were no problems
> > in setting up the IPSec MM and QM SA's!
> >
> > To explain it better, here is a little diagram of the lab setup:
> >
> >                       192.168.1.0/24
> >                            vvv
> >   LAN-A -------- [ISA-A] ---+
> > 192.168.22.0/24         .10 !
> >                             +--- [RTR] --- Internet
> >                             !  .1
> >                         .30 !
> >                          [RTR-B]
> >                             ! .1
> >                         .10 !
> >   LAN-B -------- [ISA-B] ---+
> > 192.168.44.0/24            ^^^
> >                       192.168.11.0/24
> >
> >
> > On ISA-A:
> > ---------
> >
> > Remote Site Network contains:
> > - 192.168.11.10/32
> > - 192.168.44.0/24
> >
> > Default gateway: 192.168.1.1
> >
> > Static routes configured:
> > - 192.168.11.0/24 Gateway 192.168.1.30
> > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed
???
> >
> >
> > On ISA-B:
> > ---------
> >
> > Remote Site Network contains:
> > - 192.168.1.10/32
> > - 192.168.22.0/24
> >
> > Default Gateway: 192.168.11.1
> >
> > No static routes configured.
> >
> >
> > Test:
> > -----
> >
> > From a host on LAN-B ping a host on LAN-A. Without the static route
> > '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> > request and reply on LAN-A but the reply never makes it back to
LAN-B.
> > The ping reply just disappeared into thin air! Creating the static
> > route and bingo, it works. What's the logic behind this behavior?
> >
> >
> > Thanks,
> > Stefaan


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mjtech@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mjtech@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx



Other related posts: