RE: S2S VPN: why are static routes sometimes needed?

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Dec 2005 08:22:00 -0800

Hi Roy,

I'm not sure I'd characterize it that way, either.
ISA hooks into the TCP/IP stack very deeply so as to provide IP-based
attack resilience, but it doesn't get involved in actual routing
decisions.

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Roy Tsao [mailto:roy_tsao@xxxxxxxxxxxx] 
Sent: Wednesday, December 28, 2005 3:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: S2S VPN: why are static routes sometimes needed?

http://www.ISAserver.org

Stefaan,

You provide a very cool example!

Jim,

You provide a great answer, especially for understanding ISA's
position (standing at a higher level, based on RRAS and the TCP/IP stack).
Not sure whether this wording in English is correct: "ISA provides a
logical but not physical connection between two sites".
> That is odd, but I'll bet you find that this behavior is the same
> without ISA.
> RRAS and the TCP/IP stack, not ISA, handle the actual packet routing.
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxxxx] 
> Sent: Tuesday, December 27, 2005 4:58 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] S2S VPN: why are static routes sometimes needed?
> 
> http://www.ISAserver.org
> 
> Hi, 
> 
> it seems that if an S2S VPN connection of type IPSec Tunnel is used and
> if the remote tunnel endpoint can't be reached through the default
> gateway, then you need to create extra static routes for the remote
> network IDs reachable through that remote tunnel endpoint. I don't
> understand why this is needed. Take note that there were no problems in
> setting up the IPSec MM and QM SAs!
> 
> To explain it better, here is a little diagram of the lab setup: 
> 
>                       192.168.1.0/24
>                            vvv
>   LAN-A -------- [ISA-A] ---+
> 192.168.22.0/24         .10 !
>                             +--- [RTR] --- Internet
>                             !  .1
>                         .30 !
>                          [RTR-B]
>                             ! .1
>                         .10 !
>   LAN-B -------- [ISA-B] ---+
> 192.168.44.0/24            ^^^
>                       192.168.11.0/24
> 
> 
> On ISA-A:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.11.10/32
> - 192.168.44.0/24
> 
> Default gateway: 192.168.1.1
> 
> Static routes configured:
> - 192.168.11.0/24 Gateway 192.168.1.30
> - 192.168.44.0/24 Gateway 192.168.1.30 <<<< WHY is this one needed ???
> 
> 
> On ISA-B:
> ---------
> 
> Remote Site Network contains: 
> - 192.168.1.10/32
> - 192.168.22.0/24
> 
> Default Gateway: 192.168.11.1
> 
> No static routes configured. 
> 
> 
> Test:
> -----
> 
> From a host on LAN-B ping a host on LAN-A. Without the static route
> '192.168.44.0/24 Gateway 192.168.1.30' on ISA-A, I can see the ping
> request and reply on LAN-A but the reply never makes it back to LAN-B.
> The ping reply just disappears into thin air! Creating the static route
> and bingo, it works. What's the logic behind this behavior?
> 
> 
> Thanks,
> Stefaan
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
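Added example, not part of the thread: a small longest-prefix-match model of the route selection that RRAS and the TCP/IP stack perform on ISA-A and ISA-B. The routing tables below are constructed from Stefaan's lab diagram (they are not captured from a real host), and the model covers only which next hop the stack picks for a reply to a LAN-B host with and without the questioned static route; it does not model the IPsec filter processing, and so does not answer the "why" the thread is asking about. The `route -p add` line it prints is the standard Windows syntax for making that route persistent.

```python
import ipaddress

# Constructed routing tables for the lab in the thread (not from a real host).
# Each entry is (destination prefix, next hop); "connected" means the prefix
# sits on a local NIC, so the stack delivers directly rather than via a gateway.
ISA_A_BASE = [
    ("192.168.22.0/24", "connected"),     # LAN-A
    ("192.168.1.0/24", "connected"),      # segment shared with RTR and RTR-B
    ("192.168.11.0/24", "192.168.1.30"),  # static route towards the remote tunnel endpoint
    ("0.0.0.0/0", "192.168.1.1"),         # default gateway: RTR, towards the Internet
]
# The route Stefaan asks about, added on top of the base table.
ISA_A_STATIC = ISA_A_BASE + [("192.168.44.0/24", "192.168.1.30")]

ISA_B = [
    ("192.168.44.0/24", "connected"),     # LAN-B
    ("192.168.11.0/24", "connected"),
    ("0.0.0.0/0", "192.168.11.1"),        # default gateway: RTR-B
]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns the next hop string ("connected" for a directly attached prefix)
    or None when no route, not even a default, matches.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def uses_default_route(routes, dst):
    """True when dst is reached only through the 0.0.0.0/0 entry."""
    addr = ipaddress.ip_address(dst)
    return not any(
        addr in ipaddress.ip_network(p) and ipaddress.ip_network(p).prefixlen > 0
        for p, _ in routes
    )


def windows_route_add(prefix, gateway):
    """Persistent static route in the syntax of the Windows 'route' command."""
    net = ipaddress.ip_network(prefix)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


if __name__ == "__main__":
    lan_b_host = "192.168.44.25"   # constructed host on LAN-B
    print("ISA-A, no static route for LAN-B:",
          next_hop(ISA_A_BASE, lan_b_host))         # 192.168.1.1 (RTR, Internet)
    print("ISA-A, with static route for LAN-B:",
          next_hop(ISA_A_STATIC, lan_b_host))       # 192.168.1.30 (RTR-B)
    print("ISA-A, remote tunnel endpoint:",
          next_hop(ISA_A_BASE, "192.168.11.10"))    # 192.168.1.30 either way
    print("ISA-B, host on LAN-A:",
          next_hop(ISA_B, "192.168.22.5"))          # 192.168.11.1, same box as RTR-B
    if uses_default_route(ISA_A_BASE, lan_b_host):
        print("Missing on ISA-A:", windows_route_add("192.168.44.0/24", "192.168.1.30"))
```

The asymmetry in the lab falls out of the tables: on ISA-B the default gateway is RTR-B, the same device through which the remote tunnel endpoint is reached, so a reply to LAN-A already goes the right way; on ISA-A the default gateway is RTR (the Internet side), so without the extra route the reply to a LAN-B address is handed to a different next hop than the one the tunnel endpoint sits behind.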
