RE: S2S VPN: why are static routes sometimes needed?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Dec 2005 08:20:14 -0800

See..?
I wouldn't lie to you in front of witnesses...
:-)

Sounds like you get to rack up another bug.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
Sent: Wednesday, December 28, 2005 4:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Hi Jim, 

OK, I took up the challenge and replaced ISA-B with a Windows 2003 RRAS server :-)

With the help of http://support.microsoft.com/default.aspx?scid=kb;en-us;816514 I configured an IPSec tunnel to the ISA-A. Guess what... you are right! I found exactly the same behavior.

I even simplified the test environment further, as follows:

                      192.168.1.0/24
                           vvv
  LAN-A -------- [ISA-A] ---+
192.168.22.0/24         .10 !
                            +--- [RTR] --- Internet
                            !  .1
                        .30 !
  LAN-B -------- [ISA-B] ---+
192.168.44.0/24 


On ISA-A:
---------

Remote Site Network contains: 
- 192.168.1.30/32
- 192.168.44.0/24

If Default gateway = 192.168.1.1 then the static route '192.168.44.0/24 Gateway 192.168.1.30' is needed.
If Default gateway = 192.168.1.30 then no static routes are needed.


On ISA-B:
---------

Remote Site Network contains: 
- 192.168.1.10/32
- 192.168.22.0/24

If Default gateway = 192.168.1.1 then the static route '192.168.22.0/24 Gateway 192.168.1.10' is needed.
If Default gateway = 192.168.1.10 then no static routes are needed.


Thanks, 
Stefaan 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday 27 December 2005 21:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

That is odd, but I'll bet you find that this behavior is the same without ISA.
RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx]
Sent: Tuesday, December 27, 2005 4:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] S2S VPN: why are static routes sometimes needed?

Hi, 

It seems that if an S2S VPN connection of type IPSec Tunnel is used and the remote tunnel endpoint can't be reached through the default gateway, then you need to create extra static routes for the remote network IDs reachable through that remote tunnel endpoint. I don't understand why this is needed. Take note that there were no problems in setting up the IPSec MM and QM SAs!

To explain it better, here is a little diagram of the lab setup: 

                      192.168.1.0/24
                           vvv
  LAN-A -------- [ISA-A] ---+
192.168.22.0/24         .10 !
                            +--- [RTR] --- Internet
                            !  .1
                        .30 !
                         [RTR-B]
                            ! .1
                        .10 !
  LAN-B -------- [ISA-B] ---+
192.168.44.0/24            ^^^
                      192.168.11.0/24


On ISA-A:
---------

Remote Site Network contains: 
- 192.168.11.10/32
- 192.168.44.0/24

Default gateway: 192.168.1.1

Static routes configured:
- 192.168.11.0/24 Gateway 192.168.1.30
- 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???


On ISA-B:
---------

Remote Site Network contains: 
- 192.168.1.10/32
- 192.168.22.0/24

Default Gateway: 192.168.11.1

No static routes configured. 


Test:
-----

From a host on LAN-B ping a host on LAN-A. Without the static route '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping request and reply on LAN-A but the reply never makes it back to LAN-B. The ping reply just disappeared into thin air! Creating the static route and bingo, it works. What's the logic behind this behavior?


Thanks,
Stefaan
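The observations in this thread can be checked mechanically. The following is an added example, not code from the thread or from ISA/RRAS: it models each ISA host's routing table with longest-prefix matching and flags every remote site network whose next hop differs from the next hop used to reach the remote tunnel endpoint. The rule itself is an assumption, an interpretation of the behaviour Stefaan reports (the reply is only carried through the tunnel when its route points the same way as the route to the tunnel endpoint), not a statement made anywhere in the thread; the routing tables are constructed from the two lab diagrams above.

```python
import ipaddress

# Routing table = list of (prefix, gateway). gateway None means on-link
# (the next hop is the destination itself); 0.0.0.0/0 is the default gateway.
# Assumed rule (interpretation of the thread, not documented ISA/RRAS behaviour):
# a packet for a remote site network is tunnelled only if its next hop equals
# the next hop toward the remote tunnel endpoint; otherwise it is lost.

def next_hop(routes, dst):
    """Longest-prefix match; returns the next-hop address as a string, or None."""
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] if best[1] is not None else dst

def missing_static_routes(routes, tunnel_endpoint, remote_networks):
    """Remote site networks whose next hop differs from the path to the tunnel endpoint."""
    endpoint_hop = next_hop(routes, tunnel_endpoint)
    return [net for net in remote_networks
            if next_hop(routes, str(ipaddress.ip_network(net)[0])) != endpoint_hop]

# ISA-A in the simplified lab: on-link 192.168.1.0/24, ISA-B's endpoint is .30 (constructed from the diagram)
ISA_A_REMOTE = ["192.168.1.30/32", "192.168.44.0/24"]
ISA_A_DG1 = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
ISA_A_DG30 = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.30")]
STATIC_44 = [("192.168.44.0/24", "192.168.1.30")]

# ISA-A in the original lab: endpoint 192.168.11.10 reached via the 192.168.11.0/24 static route
ISA_A_ORIG = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1"),
              ("192.168.11.0/24", "192.168.1.30")]
ISA_A_ORIG_REMOTE = ["192.168.11.10/32", "192.168.44.0/24"]

def check_lab():
    """Run the scenarios from the thread; a non-empty list means a static route is needed."""
    return {
        "simplified, DG .1": missing_static_routes(ISA_A_DG1, "192.168.1.30", ISA_A_REMOTE),
        "simplified, DG .1 + static": missing_static_routes(ISA_A_DG1 + STATIC_44, "192.168.1.30", ISA_A_REMOTE),
        "simplified, DG .30": missing_static_routes(ISA_A_DG30, "192.168.1.30", ISA_A_REMOTE),
        "original, no 44 route": missing_static_routes(ISA_A_ORIG, "192.168.11.10", ISA_A_ORIG_REMOTE),
    }

if __name__ == "__main__":
    for name, missing in check_lab().items():
        print(f"{name}: {'needs static route for ' + ', '.join(missing) if missing else 'OK'}")
```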
