Hi Roy,

That's just the point! It's not logical at all that you need the help of one or more static routes to instruct ISA-A to go for the right route path *before* sending ESP. I see it this way:

1. A packet comes into ISA-A destined for a Remote Site (LAN-B).
2. This traffic matches the IPSec filter list and IPSec is negotiated.
3. The traffic gets handed off to IPSec, which encapsulates the traffic with a new outer IP header (DST=192.168.11.10).
4. The traffic is re-injected into the TCP/IP stack from IPSec for further delivery.
5. The IP stack then decides where to send the packet by consulting the routing table. Since the destination is not a directly connected network, the IP stack should deliver the packet to the most specific route, or to the default gateway if nothing else matches. In our case there is a known specific route for the destination 192.168.11.10/32, being the remote site's VPN endpoint.

So, where the traffic destined for the remote site (LAN-B) should be sent is implied in the remote network definition by specifying the remote site's VPN endpoint in the configuration. Therefore a route to that VPN endpoint must be known, not a route to the remote site (LAN-B).

Thanks,
Stefaan

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
Sent: Monday 9 January 2006 3:31
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi Stefaan,

To avoid confusion, let us discuss your initial diagram:

> >                      192.168.1.0/24
> >                           vvv
> > LAN-A -------- [ISA-A] ---+
> > 192.168.22.0/24       .10 !
> >                           +--- [RTR] --- Internet
> >                           !    .1
> >                       .30 !
> >                       [RTR-B]
> >                       .1  !
> >                       .10 !
> > LAN-B -------- [ISA-B] ---+
> > 192.168.44.0/24           ^^^
> >                      192.168.11.0/24
> >
> >
> > On ISA-A:
> > ---------
> >
> > Remote Site Network contains:
> > - 192.168.11.10/32
> > - 192.168.44.0/24
> >
> > Default gateway: 192.168.1.1
> >
> > Static routes configured:
> > - 192.168.11.0/24 Gateway 192.168.1.30
> > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???

The question is why that additional static route 192.168.44.0/24 Gateway 192.168.1.30 is needed. Then I provided the answer as per:

> > After various lab tests by me and also other ISA fans, we suspect that in
> > our environment you can add a static route from the upstream router
> > to ISA-B's external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides the route before processing ESP
> > - ESP is sent based on the fixed route when the packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external NIC,
> >   it has no route information at all!
> >
> > To add a static route at ISA-A to ISA-B's internal network ID is
> > one solution based on the above reason. However, is it more proper to
> > set up / adjust the route setting at the upstream router? Or is there any
> > reason, like a security concern, making that impossible?

If the route decision should be made on the outer IP header of the tunnel (as I understood before seeing your post), there is no need to add that static route to the route table at ISA-A, isn't it? However, you need the help of one more static route to instruct ISA-A to go for the right route path before sending ESP.

Thanks,
Roy Tsao

> Hi Roy,
>
> I'm not sure I understand your question!?!?
>
> If I'm the administrator of ISA-A, I define the remote network
> 192.168.44.0/24 as reachable through the tunnel endpoint 192.168.1.30.
> Now, 192.168.1.0/24 is a directly connected network. Why do I need to
> create a static route for 192.168.44.0/24 with Gateway 192.168.1.30
> before it works?
>
> Thanks,
> Stefaan
>
> -----Original Message-----
> From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> Sent: Sunday 8 January 2006 14:12
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
>
> Hi Stefaan,
>
> Let us concentrate on the initial diagrams you illustrated.
> In case the S2S VPN is within the protected network of ISA, it would
> be another story.
>
> If your saying "The route decision should be made on the outer IP header"
> is correct, why do you need to add a static route from ISA-A to the
> internal network ID of ISA-B, and then why do you ask this question??
>
> Thanks,
>
> Roy Tsao
>
> > Hi Roy,
> >
> > You wrote "ISA decides route before processing ESP". That would be a
> > very stupid way of determining the route! The route decision should
> > be made on the outer IP header (the tunnel) and not on the inner IP
> > header (the encapsulated traffic). In my case the remote tunnel
> > endpoint is on a directly connected network. So, the router RTR
> > shouldn't be involved at all.
> >
> > As an example, two more diagrams where a S2S VPN connection is needed
> > through a partner connection:
> >
> >                  +--- [RT1] --- Internet
> > LAN --- [ISA] ---+
> >                  +--- [RT2] --- Partner Network
> >
> >
> > LAN --- [ISA] --- [RT1] --- Internet
> >                     !
> >                     +------ [RT2] --- Partner Network
> >
> >
> > Thanks,
> > Stefaan
> >
> >
> > -----Original Message-----
> > From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx]
> > Sent: Sunday 8 January 2006 9:24
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> >
> > Hi Stefaan,
> >
> > After various lab tests by me and also other ISA fans, we suspect that in
> > our environment you can add a static route from the upstream router
> > to ISA-B's external NIC. This is because
> > - no route table change at ISA after enabling S2S IPsec Tunnel VPN
> > - ISA decides the route before processing ESP
> > - ESP is sent based on the fixed route when the packet exits ISA.
> > - when the upstream router receives ESP heading for ISA-B's external NIC,
> >   it has no route information at all!
> >
> > To add a static route at ISA-A to ISA-B's internal network ID is
> > one solution based on the above reason. However, is it more proper to
> > set up / adjust the route setting at the upstream router? Or is there any
> > reason, like a security concern, making that impossible?
> >
> > As for your 2nd test scenario, may I understand the failure is due
> > to disabled packet relay at the router side?
> >
> >
> > > Hi Jim,
> > >
> > > OK, I took up the challenge and replaced ISA-B with a Windows 2003
> > > RRAS server :-)
> > >
> > > With the help of
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I
> > > configured an IPSec tunnel to the ISA-A. Guess what... you are right!
> > > I found exactly the same behavior.
> > >
> > > I even simplified the test environment further as follows:
> > >
> > >                      192.168.1.0/24
> > >                           vvv
> > > LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24       .10 !
> > >                           +--- [RTR] --- Internet
> > >                           !    .1
> > >                       .30 !
> > > LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24
> > >
> > >
> > > On ISA-A:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.30/32
> > > - 192.168.44.0/24
> > >
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' is needed.
> > > If Default gateway = 192.168.1.30 then no static routes are needed.
> > >
> > >
> > > On ISA-B:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > >
> > > If Default gateway = 192.168.1.1 then the static route
> > > '192.168.22.0/24 Gateway 192.168.1.10' is needed.
> > > If Default gateway = 192.168.1.10 then no static routes are needed.
> > >
> > >
> > > Thanks,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Tuesday 27 December 2005 21:23
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?
> > >
> > > That is odd, but I'll bet you find that this behavior is the same
> > > without ISA.
> > > RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> > >
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > >
> > > -----Original Message-----
> > > From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
> > > Sent: Tuesday, December 27, 2005 4:58 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> > >
> > > Hi,
> > >
> > > it seems that if a S2S VPN connection of type IPSec Tunnel is used
> > > and if the remote tunnel endpoint can't be reached through the
> > > default gateway, then you need to create extra static routes for
> > > the remote network IDs reachable through that remote tunnel
> > > endpoint. I don't understand why this is needed. Take note that
> > > there were no problems in setting up the IPSec MM and QM SAs!
> > >
> > > To explain it better, here is a little diagram of the lab setup:
> > >
> > >                      192.168.1.0/24
> > >                           vvv
> > > LAN-A -------- [ISA-A] ---+
> > > 192.168.22.0/24       .10 !
> > >                           +--- [RTR] --- Internet
> > >                           !    .1
> > >                       .30 !
> > >                       [RTR-B]
> > >                       .1  !
> > >                       .10 !
> > > LAN-B -------- [ISA-B] ---+
> > > 192.168.44.0/24           ^^^
> > >                      192.168.11.0/24
> > >
> > >
> > > On ISA-A:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.11.10/32
> > > - 192.168.44.0/24
> > >
> > > Default gateway: 192.168.1.1
> > >
> > > Static routes configured:
> > > - 192.168.11.0/24 Gateway 192.168.1.30
> > > - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> > >
> > >
> > > On ISA-B:
> > > ---------
> > >
> > > Remote Site Network contains:
> > > - 192.168.1.10/32
> > > - 192.168.22.0/24
> > >
> > > Default Gateway: 192.168.11.1
> > >
> > > No static routes configured.
> > >
> > >
> > > Test:
> > > -----
> > >
> > > From a host on LAN-B ping a host on LAN-A. Without the static route
> > > '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the
> > > ping request and reply on LAN-A but the reply never makes it back to LAN-B.
> > > The ping reply just disappears into thin air! Creating the static
> > > route and bingo, it works. What's the logic behind this behavior?
> > >
> > >
> > > Thanks,
> > > Stefaan
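The disagreement in the thread (route chosen on the inner, cleartext header before ESP, versus on the outer header after encapsulation) can be checked against the lab observations with a small longest-prefix-match model. This is an added example, not code from the thread or from ISA Server: it uses the addresses of the first lab diagram, while the LAN-B host address, the routers' forwarding tables (RTR having only a default route toward the Internet, as Roy's "no route information at all" remark suggests; RTR-B having 192.168.11.0/24 attached) and all function names are constructed assumptions.

```python
"""Longest-prefix-match model of the two routing hypotheses argued in the thread.

Added example, not from the mailing-list thread. Addresses come from the first
lab diagram; LAN_B_HOST, the router tables and the hop limit are assumptions.
"""
from ipaddress import ip_address, ip_network

PEER = "192.168.11.10"        # ISA-B's external NIC, the tunnel endpoint
LAN_B_HOST = "192.168.44.50"  # assumed: the LAN-B host that pinged LAN-A


def lookup(table, dst):
    """Longest-prefix match. table is a list of (network, next_hop); a next_hop
    of None means directly connected, so the packet goes straight to dst."""
    best = None
    for net, next_hop in table:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def isa_a_table(default_gw, extra_route=False):
    """ISA-A's routing table as described in the thread; extra_route adds the
    disputed '192.168.44.0/24 Gateway 192.168.1.30' entry."""
    table = [
        (ip_network("192.168.22.0/24"), None),            # LAN-A, attached
        (ip_network("192.168.1.0/24"), None),             # external segment, attached
        (ip_network("192.168.11.0/24"), "192.168.1.30"),  # static route via RTR-B
        (ip_network("0.0.0.0/0"), default_gw),
    ]
    if extra_route:
        table.append((ip_network("192.168.44.0/24"), "192.168.1.30"))
    return table


# Assumed forwarding tables of the two routers on 192.168.1.0/24.
ROUTERS = {
    "192.168.1.1": [                                      # RTR: no route to 192.168.11.0/24
        (ip_network("192.168.1.0/24"), None),
        (ip_network("0.0.0.0/0"), "Internet"),
    ],
    "192.168.1.30": [                                     # RTR-B
        (ip_network("192.168.1.0/24"), None),
        (ip_network("192.168.11.0/24"), None),
    ],
}


def reaches_peer(first_hop, max_hops=4):
    """Follow the ESP packet hop by hop from ISA-A's chosen next hop to PEER."""
    hop = first_hop
    for _ in range(max_hops):
        if hop == PEER:
            return True
        if hop not in ROUTERS:   # "Internet" or unknown hop: the private peer is unreachable
            return False
        hop = lookup(ROUTERS[hop], PEER)
    return False


def outer_header_first(table):
    """Hypothesis A (Stefaan): encapsulate first, then route the ESP packet on
    its outer destination, i.e. the tunnel peer."""
    return lookup(table, PEER)


def inner_header_first(table):
    """Hypothesis B (Roy's reading of the lab): the route is chosen on the inner
    destination before ESP, and the ESP packet leaves along that same route."""
    return lookup(table, LAN_B_HOST)


def reply_delivered(model, default_gw, extra_route):
    """Does ISA-A's encrypted ping reply for LAN_B_HOST reach the tunnel peer?"""
    return reaches_peer(model(isa_a_table(default_gw, extra_route)))


if __name__ == "__main__":
    for name, model in (("outer-first", outer_header_first), ("inner-first", inner_header_first)):
        for gw in ("192.168.1.1", "192.168.1.30"):
            for extra in (False, True):
                print(f"{name:11s} default={gw:13s} 44.0/24 route={extra!s:5s} "
                      f"-> delivered={reply_delivered(model, gw, extra)}")
```

Running it, only `inner_header_first` reproduces the lab: with the default gateway at 192.168.1.1 the reply is lost unless the 192.168.44.0/24 route is present, and no extra route is needed once the default gateway is 192.168.1.30. `outer_header_first` also explains why the MM and QM SAs came up in every case: IKE packets are addressed to the peer itself, so they follow the 192.168.11.0/24 route regardless of how ESP is routed.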