RE: S2S VPN: why are static routes sometimes needed?

Then how will ISA reach all routes outside its own subnet?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, January 08, 2006 3:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?


http://www.ISAserver.org

Having a default gateway configured on the internal interface will cause
BIG problems.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



> -----Original Message-----
> From: MJ [mailto:mjtech@xxxxxxxxx]
> Sent: Sunday, January 08, 2006 1:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes
> sometimes needed?
>
> http://www.ISAserver.org
>
> Will not having a default gateway on the inside interface cause this
> problem?
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Sunday, January 08, 2006 1:53 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes
> sometimes needed?
>
>
> http://www.ISAserver.org
>
> In order to solve this question, you need to compare:
> - Windows routing table (route print)
> - Windows IP configuration (ipconfig)
> - ISA network object addresses
>
> If there are *any* addresses defined in an ISA network address list that
> disagree with the Windows routing table, you'll see these alerts.
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
>
> -----Original Message-----
> From: MJ [mailto:mjtech@xxxxxxxxx]
> Sent: Sunday, January 08, 2006 10:44 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes
> sometimes needed?
>
> http://www.ISAserver.org
>
> Thanks for responding.
> What you're saying makes sense to me, but what the error message is
> talking about is something else.
> This is something that I don't see through "route print".
> Here is the whole message:
> --------------------------------------------------------------------------
> Description: ISA Server detected routes through adapter InternalConnection
> that do not correlate with the network element to which this adapter
> belongs. For best practice, the address range of an ISA Server network
> should match the address ranges routable through the associated network
> adapter as defined in the routing table. Otherwise valid packets may be
> dropped as spoofed. (This alert may occur momentarily when you create a
> remote site network. You may safely ignore this message if it does not
> reoccur.) The address ranges in conflict are:
> ISA Server detected routes through adapter InternetConnection that do
> not correlate with the network element to which this adapter belongs.
> For best practice, the address range of an ISA Server network should
> match the address ranges routable through the associated network adapter
> as defined in the routing table. Otherwise valid packets may be dropped
> as spoofed. (This alert may occur momentarily when you create a remote
> site network. You may safely ignore this message if it does not reoccur.)
> The address ranges in conflict are:
> --------------------------------------------------------------------------
>
> Thanks
>
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> Sent: Sunday, January 08, 2006 1:37 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes
> sometimes needed?
>
>
> http://www.ISAserver.org
>
> Hi Roy,
>
> I'm not sure I understand your question!?!?
>
> If I'm the administrator of ISA-A, I define the remote network
> 192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30.
> Now, 192.168.1.0/24 is a directly connected network. Why do I need to
> create a static route for 192.168.44.0/24 with Gateway 192.168.1.30
> before it works?
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: zondag 8 januari 2006 14:12
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes
> sometimes needed?
>
> http://www.ISAserver.org
>
> Hi Stefaan,
>
> Let us center on the initial diagrams you illustrated.
> In case the S2S VPN is within the protected network of ISA, it would be
> another story.
>
> If your saying "The route decision should be made on the outer IP header"
> is correct, why do you need to add a static route from ISA-A to the
> internal network ID of ISA-B? Then why do you ask this question??
>
> Thanks,
>
> Roy Tsao
>
> > Hi Roy,
> >
> > You wrote "ISA decides route before processing ESP". That would be a
> > very stupid way of determining the route! The route decision should be
> > made on the outer IP header (the tunnel) and not on the inner IP
> > header (the encapsulated traffic). In my case the remote tunnel
> > endpoint is on a directly connected network. So, the router RTR
> > shouldn't be involved at all.
> >
> > As an example, two more diagrams where an S2S VPN connection is needed
> > through a partner connection:
> >
> >                  +--- [RT1] --- Internet
> > LAN --- [ISA] ---+
> >                  +--- [RT2] --- Partner Network
> >
> >
> > LAN --- [ISA] --- [RT1] --- Internet
> >           !
> >           +------ [RT2] --- Partner Network
> >
> >
> > Thanks,
> > Stefaan
> >
> >
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: zondag 8 januari 2006 9:24
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> >
> > http://www.ISAserver.org
> >
> >
> > Hi Stefaan,
> >
> > After various lab tests by me and also other ISA fans, we suspect in
> > our environment you can add a static route from the upstream router to
> > ISA-B's external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides route before processing ESP
> > - ESP is sent based on fixed route when packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external
> > NIC, it has no route information at all!
> >
> > To add a static route at ISA-A to ISA-B's internal network ID is one
> > of the solutions based on the above reason. However, is it more proper
> > to adjust the route setting at the upstream router? Or is there any
> > reason, like a security concern, making that impossible?
> >
> > As for your 2nd test scenario, may I understand the failure is due to
> > disabled packet relay at the router side?
> >
> >
> >
> > > Hi Jim,
> > >
> > > OK, I took up the challenge and replaced ISA-B with a Windows 2003
> > > RRAS server :-)
> > >
> > > With the help of
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I
> > > configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> > > I found exactly the same behavior.
> > >
> > > I even simplified the test environment further as follows:
> > >
> > >                       192.168.1.0/24
> > >                            vvv
> > >   LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24         .10 !
> > >                             +--- [RTR] --- Internet
> > >                             !  .1
> > >                         .30 !
> > >   LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24
> > >
> > >
> > > On ISA-A:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.30/32
> > > - 192.168.44.0/24
> > >
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > > If Default gateway = 192.168.1.30 then no static routes are needed.
> > >
> > >
> > > On ISA-B:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > >
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > > If Default gateway = 192.168.1.10 then no static routes are needed.
> > >
> > >
> > > Thanks,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: dinsdag 27 december 2005 21:23
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > > http://www.ISAserver.org
> > >
> > > That is odd, but I'll bet you find that this behavior is the same
> > > without ISA.
> > > RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> > >
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 27, 2005 4:58 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi,
> > >
> > > it seems that if an S2S VPN connection of type IPSec Tunnel is used
> > > and if the remote tunnel endpoint can't be reached through the default
> > > gateway, then you need to create extra static routes for the remote
> > > network IDs reachable through that remote tunnel endpoint. I don't
> > > understand why this is needed. Take note that there were no problems
> > > in setting up the IPSec MM and QM SAs!
> > >
> > > To explain it better, here is a little diagram of the lab setup:
> > >
> > >                       192.168.1.0/24
> > >                            vvv
> > >   LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24         .10 !
> > >                             +--- [RTR] --- Internet
> > >                             !  .1
> > >                         .30 !
> > >                          [RTR-B]
> > >                             ! .1
> > >                         .10 !
> > >   LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24            ^^^
> > >                       192.168.11.0/24
> > >
> > >
> > > On ISA-A:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.11.10/32
> > > - 192.168.44.0/24
> > >
> > > Default gateway: 192.168.1.1
> > >
> > > Static routes configured:
> > > - 192.168.11.0/24 Gateway 192.168.1.30
> > > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> > >
> > >
> > > On ISA-B:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > >
> > > Default Gateway: 192.168.11.1
> > >
> > > No static routes configured.
> > >
> > >
> > > Test:
> > > -----
> > >
> > > From a host on LAN-B ping a host on LAN-A. Without the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> > > request and reply on LAN-A but the reply never makes it back to LAN-B.
> > > The ping reply just disappeared into thin air! Creating the static
> > > route and bingo, it works. What's the logic behind this behavior?
> > >
> > >
> > > Thanks,
> > > Stefaan
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> mjtech@xxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>

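Jim's diagnostic in the thread (compare route print, ipconfig and the ISA network address lists) can be scripted; the following is an added example, not code from the thread, from ISA Server or from any of the posters. It parses a constructed route print sample, resolves each piece of an ISA network's address ranges with the same longest-prefix lookup the Windows stack uses, and reports the pieces that egress a different adapter in the alert's own 'a-b;c-d' form. The adapter names, IPs, ranges and the 10.1.0.0/16 internal route are assumptions; the 192.168.44.0/24 static route mirrors Stefaan's lab.

```python
import ipaddress

# Constructed "route print" sample for an ISA box with an internal adapter
# (192.168.22.10) and an external one (192.168.1.10); Interface = adapter IP.
# Values are assumed, not taken from the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10     20
         10.1.0.0      255.255.0.0    192.168.22.1  192.168.22.10      1
      192.168.1.0    255.255.255.0     192.168.1.10   192.168.1.10     20
     192.168.22.0    255.255.255.0    192.168.22.10  192.168.22.10     20
     192.168.44.0    255.255.255.0     192.168.1.30   192.168.1.10      1
"""
# Adapter name -> IP (as ipconfig shows it); ISA network -> (adapter, ranges). Constructed.
IPCONFIG = {"InternalConnection": "192.168.22.10", "InternetConnection": "192.168.1.10"}
ISA_NETWORKS = {"Internal": ("InternalConnection",
                             ["10.0.0.0-10.255.255.255", "192.168.22.0-192.168.22.255"])}

def parse_route_print(text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Return (destination network, interface IP) per data row of route print."""
    routes = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 5 and all(p.count(".") == 3 for p in parts[:2]):  # data rows only
            routes.append((ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False), parts[3]))
    return routes

def egress_interface(routes, addr) -> str:
    """Longest-prefix match, as the Windows stack does it; '' if no route matches."""
    ip = ipaddress.IPv4Address(addr)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else ""

def conflicting_ranges(routes, adapter_ip: str, ranges: list[str]) -> list[str]:
    """Pieces of the ISA ranges that the routing table sends out another adapter.
    Prefixes are aligned blocks, so one lookup per piece between boundaries is exact."""
    bounds = {b for net, _ in routes
              for b in (int(net.network_address), int(net.broadcast_address) + 1)}
    conflicts: list[list[int]] = []
    for rng in ranges:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in rng.split("-"))
        cuts = sorted({lo, hi + 1} | {b for b in bounds if lo < b <= hi})
        for start, end in zip(cuts, cuts[1:]):  # piece covers [start, end - 1]
            if egress_interface(routes, start) == adapter_ip:
                continue
            if conflicts and conflicts[-1][1] + 1 == start:
                conflicts[-1][1] = end - 1  # merge with the preceding piece
            else:
                conflicts.append([start, end - 1])
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in conflicts]

def check_isa_networks(route_text=ROUTE_PRINT, ipconfig=IPCONFIG, networks=ISA_NETWORKS) -> dict:
    """Per adapter, the ';'-joined conflict list in the form the ISA alert prints it."""
    routes = parse_route_print(route_text)
    found = {ad: conflicting_ranges(routes, ipconfig[ad], rngs) for ad, rngs in networks.values()}
    return {ad: ";".join(bad) for ad, bad in found.items() if bad}
```

Feed it the real route print, ipconfig and ISA network definitions of the box raising the alert and the reported pieces should match the alert's conflict list; each piece is a range to add to a route through that adapter or to remove from the ISA network.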


