RE: S2S VPN: why are static routes sometimes needed?

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 9 Jan 2006 11:15:53 +0100

Hi Roy, 

That's just the point! It's not logical at all you need the help of one or
more static routes to instruct ISA-A to go for the right route path *before*
sending ESP. 

I see it this way:
 
1. Packet comes into ISA-A destined for a Remote Site (LAN-B).
2. This traffic matches the IPSec filter list and IPSec is negotiated. 
3. The traffic gets handed off to IPSec which encapsulates the traffic with
a new outer IP header (DST=192.168.11.10).  
4. The traffic is re-injected to the TCP/IP stack from IPSec for further
delivery.
5. The IP stack then decides where to send the packet by consulting the
routing table. Since the destination is not a directly connected network,
the IP stack should deliver the packet to the most specific route or the
default gateway if nothing else matches. In our case there is a known
specific route for the destination 192.168.11.10/32 being the remote site's
VPN endpoint.  

So, where the traffic destined for the remote site (LAN-B) should be sent is
implied in the remote network definition by specifying the remote site's VPN
endpoint in the configuration. Therefore, a route to that VPN endpoint must
be known, not a route to the remote site (LAN-B). 

Thanks, 
Stefaan

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Monday 9 January 2006 3:31
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi Stefaan,

To avoid confusion, let us discuss your initial diagram:

> > 
> >                       192.168.1.0/24
> >                            vvv
> >   LAN-A -------- [ISA-A] ---+
> > 192.168.22.0/24         .10 !
> >                             +--- [RTR] --- Internet
> >                             !  .1
> >                         .30 !
> >                          [RTR-B]
> >                             ! .1
> >                         .10 !
> >   LAN-B -------- [ISA-B] ---+
> > 192.168.44.0/24            ^^^
> >                       192.168.11.0/24
> > 
> > 
> > On ISA-A:
> > ---------
> > 
> > Remote Site Network contains: 
> > - 192.168.11.10/32
> > - 192.168.44.0/24
> > 
> > Default gateway: 192.168.1.1
> > 
> > Static routes configured:
> > - 192.168.11.0/24 Gateway 192.168.1.30
> > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???

The question is why that additional static route 192.168.44.0/24 Gateway
192.168.1.30 is needed?

Then I provided an answer as per 

> > After various lab tests by me and also other ISA fans, we suspect in 
> > our environment, you can add up a static route from upstream router 
> > to ISA-B's external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides route before processing ESP
> > - ESP is sent based on fixed route when packet exits ISA.
> > - when upstream router receives ESP heading for ISA-B's external NIC, 
> > it has no route information at all!
> > 
> > To add up a static route at ISA-A to ISA-B's internal network ID is 
> > one solution based on above reason. However, is it more proper to 
> > set up / adjust route setting at upstream router? Or is there any reason, 
> > like a security concern, making that impossible?

If the route decision should be made on the outer IP header of the tunnel
(as I understood before seeing your post), there is no need to add up that
static route on the route table at ISA-A, isn't it? However, you need the
help of one more static route to instruct ISA-A to go for the right route path
before sending ESP.

Thanks,

Roy Tsao


> Hi Roy,
> 
> I'm not sure I understand your question!?!?
> 
> If I'm the administrator of ISA-A, I define the remote network
> 192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30. 
> Now, 192.168.1.0/24 is a directly connected network. Why do I need to 
> create a static route for 192.168.44.0/24 with Gateway 192.168.1.30 before
> it works?
> 
> Thanks,
> Stefaan
> 
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Sunday 8 January 2006 14:12
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> 
> http://www.ISAserver.org
> 
> Hi Stefaan,
> 
> Let us center on the initial diagrams you illustrated.
> In case the S2S VPN is within the protected network of ISA, it would 
> be another story.
> 
> If your saying "The route decision should be made on the outer IP header"
> is correct, why do you need to add up a static route from ISA-A to 
> the internal network ID of ISA-B, and then why do you ask this question??
> 
> Thanks,
> 
> Roy Tsao
> 
> > Hi Roy,
> > 
> > You wrote "ISA decides route before processing ESP". That would be a 
> > very stupid way of determining the route! The route decision should 
> > be made on the outer IP header (the tunnel) and not on the inner IP 
> > header (the encapsulated traffic). In my case the remote tunnel 
> > endpoint is on a directly connected network. So, the router RTR 
> > shouldn't be involved at all.
> > 
> > As an example, two more diagrams where a S2S VPN connection is needed 
> > through a partner connection:
> > 
> >                  +--- [RT1] --- Internet LAN --- [ISA] ---+
> >                  +--- [RT2] --- Partner Network
> >   
> >   
> > LAN --- [ISA] --- [RT1] --- Internet 
> >           ! 
> >           +------ [RT2] --- Partner Network
> > 
> > 
> > Thanks,
> > Stefaan
> > 
> > 
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: Sunday 8 January 2006 9:24
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > 
> > http://www.ISAserver.org
> > 
> > 
> > Hi Stefaan,
> > 
> > After various lab tests by me and also other ISA fans, we suspect in 
> > our environment, you can add up a static route from upstream router 
> > to ISA-B's external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides route before processing ESP
> > - ESP is sent based on fixed route when packet exits ISA.
> > - when upstream router receives ESP heading for ISA-B's external NIC, 
> > it has no route information at all!
> > 
> > To add up a static route at ISA-A to ISA-B's internal network ID is 
> > one solution based on above reason. However, is it more proper to 
> > set up / adjust route setting at upstream router? Or is there any reason, 
> > like a security concern, making that impossible?
> > 
> > As for your 2nd test scenario, may I understand the failure is due 
> > to disabled packet relay at router side?
> > 
> > 
> > 
> > > Hi Jim,
> > > 
> > > OK, I took up the challenge and replaced ISA-B with a Windows 2003 
> > > RRAS server :-)
> > > 
> > > With the help of
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I 
> > > configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> > > I found exactly the same behavior.
> > > 
> > > I even simplified the test environment further, as follows: 
> > > 
> > >                       192.168.1.0/24
> > >                            vvv
> > >   LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24         .10 !
> > >                             +--- [RTR] --- Internet
> > >                             !  .1
> > >                         .30 !
> > >   LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24
> > > 
> > > 
> > > On ISA-A:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.1.30/32
> > > - 192.168.44.0/24
> > > 
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > > If Default gateway = 192.168.1.30 then no static routes are needed.
> > > 
> > > 
> > > On ISA-B:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > > 
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > > If Default gateway = 192.168.1.10 then no static routes are needed.
> > > 
> > > 
> > > Thanks,
> > > Stefaan
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Tuesday 27 December 2005 21:23
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > > 
> > > http://www.ISAserver.org
> > > 
> > > That is odd, but I'll bet you find that this behavior is the same 
> > > without ISA.
> > > RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> > > 
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 27, 2005 4:58 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hi,
> > > 
> > > it seems that if an S2S VPN connection of type IPSec Tunnel is used 
> > > and if the remote tunnel endpoint can't be reached through the 
> > > default gateway, then you need to create extra static routes for 
> > > the remote network IDs reachable through that remote tunnel 
> > > endpoint. I don't understand why this is needed? Take note that 
> > > there were no problems in setting up the IPSec MM and QM SA's!
> > > 
> > > To explain it better, here is a little diagram of the lab setup: 
> > > 
> > >                       192.168.1.0/24
> > >                            vvv
> > >   LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24         .10 !
> > >                             +--- [RTR] --- Internet
> > >                             !  .1
> > >                         .30 !
> > >                          [RTR-B]
> > >                             ! .1
> > >                         .10 !
> > >   LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24            ^^^
> > >                       192.168.11.0/24
> > > 
> > > 
> > > On ISA-A:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.11.10/32
> > > - 192.168.44.0/24
> > > 
> > > Default gateway: 192.168.1.1
> > > 
> > > Static routes configured:
> > > - 192.168.11.0/24 Gateway 192.168.1.30
> > > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> > > 
> > > 
> > > On ISA-B:
> > > ---------
> > > 
> > > Remote Site Network contains: 
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > > 
> > > Default Gateway: 192.168.11.1
> > > 
> > > No static routes configured. 
> > > 
> > > 
> > > Test:
> > > -----
> > > 
> > > From a host on LAN-B ping a host on LAN-A. Without the static 
> > > route '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the 
> > > ping request and reply on LAN-A but the reply never makes it back to
> > > LAN-B. The ping reply just disappeared into thin air! Creating the static 
> > > route and bingo, it works. What's the logic behind this behavior?
> > > 
> > > 
> > > Thanks,
> > > Stefaan
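To make the two competing models in this thread concrete, here is an added Python example (not from the list or from ISA Server) that runs a longest-prefix lookup over a constructed copy of ISA-A's routing table from the original lab, once keyed on the outer header (the tunnel endpoint) and once on the inner header (the LAN-B host), with and without the disputed static route.

```python
import ipaddress

# Constructed routing table for ISA-A in the original lab diagram:
# (prefix, gateway); gateway None means the prefix is directly connected.
ISA_A_BASE = [
    ("0.0.0.0/0", "192.168.1.1"),          # default gateway = RTR
    ("192.168.1.0/24", None),              # external NIC, directly connected
    ("192.168.22.0/24", None),             # LAN-A, directly connected
    ("192.168.11.0/24", "192.168.1.30"),   # ISA-B's external net via RTR-B
]
# The same table plus the static route the thread is asking about.
ISA_A_WITH_STATIC = ISA_A_BASE + [("192.168.44.0/24", "192.168.1.30")]

# Stefaan's simplified lab where RTR-B is removed and ISA-B sits on .30.
ISA_A_SIMPLIFIED_DGW30 = [
    ("0.0.0.0/0", "192.168.1.30"),
    ("192.168.1.0/24", None),
    ("192.168.22.0/24", None),
]


def lookup(routes, dst):
    """Longest-prefix match: return the gateway for dst (None = on-link)."""
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        raise LookupError(f"no route to {dst}")
    return best_gw


def next_hop_for_tunnel(routes, inner_dst, tunnel_endpoint, route_on_outer):
    """Next hop ISA-A hands the ESP packet to.

    route_on_outer=True  models Stefaan's expectation: the lookup uses the
                         outer header, i.e. the remote tunnel endpoint.
    route_on_outer=False models Roy's observation: the route is decided
                         before ESP, i.e. on the inner (LAN-B) destination.
    """
    key = tunnel_endpoint if route_on_outer else inner_dst
    gw = lookup(routes, key)
    return gw if gw is not None else key   # on-link: deliver directly
```

With the inner-header model the base table sends ESP to 192.168.1.1 (RTR, which knows nothing about ISA-B's tunnel), and only the extra 192.168.44.0/24 route steers it to 192.168.1.30; with the outer-header model the 192.168.11.0/24 route alone is enough.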
