RE: S2S VPN: why are static routes sometimes needed?

  • From: "Roy Tsao" <roy_tsao@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 28 Dec 2005 04:16:53 -0700

Stefaan,

You provide a very cool example!

Jim,

You provide a great answer, especially in understanding ISA's
position (standing at a higher level, built on RRAS and the TCP/IP stack).
Not sure whether this wording in English is correct or not: "ISA provides a
logical but not a physical connection between two sites".
> That is odd, but I'll bet you find that this behavior is the same
> without ISA.
> RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
> Sent: Tuesday, December 27, 2005 4:58 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> 
> http://www.ISAserver.org
> 
> Hi, 
> 
> it seems that if a S2S VPN connection of type IPSec Tunnel is used and
> if the remote tunnel endpoint can't be reached through the default
> gateway, then you need to create extra static routes for the remote
> network IDs reachable through that remote tunnel endpoint. I don't
> understand why this is needed. Take note that there were no problems in
> setting up the IPSec MM and QM SAs!
> 
> To explain it better, here is a little diagram of the lab setup: 
> 
>                       192.168.1.0/24
>                            vvv
>   LAN-A -------- [ISA-A] ---+
> 192.168.22.0/24         .10 !
>                             +--- [RTR] --- Internet
>                             !  .1
>                         .30 !
>                          [RTR-B]
>                             ! .1
>                         .10 !
>   LAN-B -------- [ISA-B] ---+
> 192.168.44.0/24            ^^^
>                       192.168.11.0/24
> 
> 
> On ISA-A:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.11.10/32
> - 192.168.44.0/24
> 
> Default gateway: 192.168.1.1
> 
> Static routes configured:
> - 192.168.11.0/24 Gateway 192.168.1.30
> - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> 
> 
> On ISA-B:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.1.10/32
> - 192.168.22.0/24
> 
> Default Gateway: 192.168.11.1
> 
> No static routes configured. 
> 
> 
> Test:
> -----
> 
> From a host on LAN-B ping a host on LAN-A. Without the static route
> '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> request and reply on LAN-A but the reply never makes it back to LAN-B.
> The ping reply just disappeared into thin air! Creating the static route
> and bingo, it works. What's the logic behind this behavior?
> 
> 
> Thanks,
> Stefaan
> 
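The forwarding decision Jim points at (RRAS and the TCP/IP stack route the packet, not ISA) can be reproduced with a plain longest-prefix-match lookup over the routing tables Stefaan posted. The following is an added example, not code from the thread or from ISA Server: it models ISA-A's and ISA-B's tables exactly as listed above and shows which next hop each box picks for the inner destination of the ping reply, with and without the questioned 192.168.44.0/24 route. The host addresses 192.168.44.5 and 192.168.22.7 are assumed (any address in LAN-B and LAN-A would do), and the lookup is the ordinary most-specific-prefix rule, not a model of ISA's own policy engine.

```python
import ipaddress

# Routing tables as posted on the list (constructed from the diagram).
# ISA-A: default gateway plus the two static routes; the /24 for LAN-B
# is the one Stefaan asks about, so it is optional below.
ISA_A_DEFAULT = ("0.0.0.0/0", "192.168.1.1")          # RTR, Internet side
ISA_A_ROUTE_TO_ENDPOINT = ("192.168.11.0/24", "192.168.1.30")  # via RTR-B
ISA_A_ROUTE_TO_LAN_B = ("192.168.44.0/24", "192.168.1.30")     # "WHY?"

# ISA-B: default gateway only, no static routes.
ISA_B_DEFAULT = ("0.0.0.0/0", "192.168.11.1")         # RTR-B

ISA_A_TUNNEL_ENDPOINT = "192.168.1.10"   # ISA-A's address in 192.168.1.0/24
ISA_B_TUNNEL_ENDPOINT = "192.168.11.10"  # ISA-B's address in 192.168.11.0/24


def build_table(routes):
    """Parse (network, gateway) string pairs into ipaddress objects."""
    return [(ipaddress.ip_network(net), ipaddress.ip_address(gw))
            for net, gw in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific network containing dst wins.

    Returns the gateway as a string, or None when nothing matches (which
    cannot happen here because both tables carry a default route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return str(best[1]) if best else None


def next_hop_isa_a(dst, with_static_44):
    """Next hop chosen by ISA-A's stack for dst, optionally with the
    192.168.44.0/24 static route installed."""
    routes = [ISA_A_DEFAULT, ISA_A_ROUTE_TO_ENDPOINT]
    if with_static_44:
        routes.append(ISA_A_ROUTE_TO_LAN_B)
    return lookup(build_table(routes), dst)


def next_hop_isa_b(dst):
    """Next hop chosen by ISA-B's stack for dst (default route only)."""
    return lookup(build_table([ISA_B_DEFAULT]), dst)


def trace_ping_reply(lan_b_host="192.168.44.5", lan_a_host="192.168.22.7"):
    """Summarise the forwarding decisions on both ends for Stefaan's test:
    request from LAN-B to LAN-A, reply from LAN-A back to LAN-B."""
    return {
        # ISA-B: inner destination (LAN-A host) and outer destination
        # (ISA-A's endpoint) resolve to the same next hop, so no static
        # route is needed on that side.
        "isa_b_request_inner": next_hop_isa_b(lan_a_host),
        "isa_b_tunnel_endpoint": next_hop_isa_b(ISA_A_TUNNEL_ENDPOINT),
        # ISA-A: the endpoint is always reached via RTR-B (which is why the
        # MM/QM SAs came up), but the reply's inner destination only goes
        # that way once the 192.168.44.0/24 route exists; otherwise the
        # default route sends it towards the Internet router instead.
        "isa_a_tunnel_endpoint": next_hop_isa_a(ISA_B_TUNNEL_ENDPOINT, False),
        "isa_a_reply_without_route": next_hop_isa_a(lan_b_host, False),
        "isa_a_reply_with_route": next_hop_isa_a(lan_b_host, True),
    }


if __name__ == "__main__":
    for step, hop in trace_ping_reply().items():
        print(f"{step:28s} -> next hop {hop}")
```

Running it shows the asymmetry in the lab: on ISA-B the default route and the path to the remote tunnel endpoint coincide (both 192.168.11.1), while on ISA-A the reply to 192.168.44.x is handed to 192.168.1.1 unless the extra /24 route steers it to 192.168.1.30, the same next hop the tunnel endpoint itself uses.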