Re: RV042 - Does anyone understand it? Documentation?
- From: "Fred Marshall" <fmarshallx@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 15 Aug 2007 21:42:49 -0700
"Fred Marshall" <fmarshallx@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:AMSdndMUOtQ1BF7bnZ2dnUVZ_g2dnZ2d@xxxxxxxxxxxxxxxxx
"Mike Drechsler - SPAM PROTECTED EMAIL"
<mike-newsgroup@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:UB4ai.11534$ds2.9652@xxxxxxxxxxxxxxxxxxxxxxxxx
Fred Marshall wrote:
Mike,
I'm still working on this project having taken a bit of a nice vacation.
Thanks for your thoughtful reply. I'm going to try the larger subnet
range idea to see if that doesn't help. It may well do what I need.
That does raise a question:
Can one subnet be a subset of the other subnet? Like 192.168.1.192
255.255.255.192 AND 192.168.1.0 255.255.255.0 at the other end?
In the meantime it appears that things have moved sideways as now packets
destined for the opposite LAN seem to "bounce off" the local RV042/VPN
device - even though the VPN shows it's "connected".
If I tracert to a client on the opposite LAN, the trace goes first to the
VPN device IP and then to the default gateway IP - making it appear that
the VPN device didn't respond to that packet at all....
I can't ping through the VPN now - even though it worked "in the lab".
Fred
I think I've solved *that* problem at least....
It seems I'd switched the RV042s to Router mode - in working on the routing
issues.
So, switched back to Gateway mode gets the VPN traffic to working.
Now back to the routing question.
I'm pretty well stuck with the existing subnets because of all sorts of 3rd-party
settings, etc. Changing would be a nightmare because of that.
As it stands, the two LAN subnets are parts of the same address range.
- I've determined that you can't construct a VPN on an RV042 that has
overlapping subnets at the ends.
I was advised to set up a tunnel that would target the far away subnet (plus
add a route to a gateway on the destination LAN):
So, the tunnels would look like this:
  Source end: RV042#2                      Destination hop: RV042#1
  ---------------------------------        ---------------------------------
  **Tunnel 1                               **Tunnel 1
    Public IP: 216.123.123.4                 Public IP: 216.123.123.5
    gw:        216.123.123.1                 gw:        216.123.123.1
    Local:     192.168.113.128               Local:     192.168.113.192
               255.255.255.224                          255.255.255.192
    Remote:    192.168.113.192               Remote:    192.168.113.128
               255.255.255.192                          255.255.255.224
  **Tunnel 2                               **Tunnel 2
    Public IP: 216.123.123.4                 Public IP: 216.123.123.5
    gw:        216.123.123.1                 gw:        216.123.123.1
    Local:     192.168.113.128               Local:     192.168.1.0
               255.255.255.224                          255.255.255.0
    Remote:    192.168.1.0                   Remote:    192.168.113.128
               255.255.255.0                            255.255.255.224
But, the RV042 also doesn't like to have the same subnet at the remote end
of more than one tunnel. Why, I can't figure out because anything destined
for it would have to be coming from the designated source subnet wouldn't
it? Oh well ..... would still like to understand if there's a fundamental
reason why.
So, then I tried this using two RV042s at the source end:
  Source end: RV042#2                      Destination hop: RV042#1
  ---------------------------------        ---------------------------------
  **Tunnel 1                               **Tunnel 1
    Public IP: 216.123.123.4                 Public IP: 216.123.123.5
    gw:        216.123.123.1                 gw:        216.123.123.1
    Local:     192.168.113.128               Local:     192.168.113.192
               255.255.255.224                          255.255.255.192
    Remote:    192.168.113.192               Remote:    192.168.113.128
               255.255.255.192                          255.255.255.224
same as before.....
But now, introduce a second RV042 at the source end with its own public IP
address:
  RV042#3 (new)                            RV042#1 (still)
  ---------------------------------        ---------------------------------
  **Tunnel 1                               **Tunnel 2
    Public IP: 216.123.123.6                 Public IP: 216.123.123.5
    gw:        216.123.123.1                 gw:        216.123.123.1
    Local:     192.168.113.128               Local:     192.168.1.0
               255.255.255.224                          255.255.255.0
    Remote:    216.123.123.5                 Remote:    216.123.123.6
               192.168.1.0                              192.168.113.128
               255.255.255.0                            255.255.255.224
Even though the remote IP addresses are different, the RV042#1 doesn't seem
to like the fact that the subnets are repeated at the remote end of two
tunnels! It generates an error saying that the remote subnet IP value is in
conflict with tunnel 1.
It then seems that one is constrained from having the same private subnet
range at two different physical locations, with different public IP
addresses, and to support having VPNs to a central site through a single
RV042. How unfortunate!
My next step, subject to any suggestions or explanations I may receive, will
be to add a 2nd RV042 at the site so that the two tunnels will be supported
with completely separate RV042s. This seems a dreadful waste of hardware
and public IP addresses!
It would look like this:
  RV042#3                                  RV042#4 (new)
  ---------------------------------        ---------------------------------
  **Tunnel 1                               **Tunnel 1
    Public IP: 216.123.123.6                 Public IP: 216.123.123.7
    gw:        216.123.123.1                 gw:        216.123.123.1
    Local:     192.168.113.128               Local:     192.168.1.0
               255.255.255.224                          255.255.255.0
    Remote:    216.123.123.7                 Remote:    216.123.123.6
               192.168.1.0                              192.168.113.128
               255.255.255.0                            255.255.255.224

with a LAN address of 192.168.113.xxx,
with a route for 192.168.1.0 to 192.168.113.yyy.
Then, all traffic destined for 192.168.1.xxx on the source LAN will be
directed to the LAN IP of RV042#3.
It will traverse the tunnel.
It will be routed by RV042#4 (outside the tunnel) to the designated
gateway/next hop on the LAN.
Return traffic destined for the original source LAN will traverse through
the first set of tunnels / through the first pair of RV042s.
Comments?
Thanks,
Fred
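The two restrictions described in the post above (a tunnel's local and remote subnets may not overlap, and the same remote subnet may not sit behind more than one tunnel of one RV042) can be checked on paper before touching the routers. The script below is an added example, not code from the original post and not anything from the RV042's vendor; it uses Python's standard `ipaddress` module to classify subnet pairs (which answers the "can one subnet be a subset of the other" question from the earlier message) and to run both checks over a list of tunnel definitions. The tunnel values are the ones given in the post; the check logic itself, and the comment on why a repeated remote subnet is ambiguous, are assumptions about how such a device validates its configuration, not documented RV042 behaviour. It generalises to any number of tunnels and to overlapping (not just identical) remote subnets.

```python
"""Planning check for site-to-site tunnel definitions (added example).

Models two restrictions reported for the RV042 in the post:
  1. a tunnel's local and remote subnets must not overlap, and
  2. one device must not carry the same remote subnet on two tunnels,
and classifies the subset/superset relationship of two subnets.
The rules are an assumption about the device's validation, not its
documented logic; the addresses come from the post.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str           # e.g. "RV042#1 tunnel 2"
    remote_wan: str     # public IP of the peer, as shown in the post
    local: IPv4Network
    remote: IPv4Network


def tunnel(name: str, remote_wan: str, local: str, remote: str) -> Tunnel:
    """Build a Tunnel from 'address/netmask' strings (the RV042 UI form)."""
    return Tunnel(name, remote_wan, ip_network(local), ip_network(remote))


def subnet_relationship(a: str, b: str) -> str:
    """'equal', 'subset' (a inside b), 'superset' (a contains b) or 'disjoint'.

    Two CIDR blocks either nest or are disjoint, so these four cover all cases.
    """
    na, nb = ip_network(a), ip_network(b)
    if na == nb:
        return "equal"
    if na.subnet_of(nb):
        return "subset"
    if na.supernet_of(nb):
        return "superset"
    return "disjoint"


def check_tunnels(tunnels: list[Tunnel]) -> list[str]:
    """Return human-readable conflicts; an empty list means the set is consistent."""
    problems: list[str] = []
    # Rule 1: local and remote of one tunnel must be disjoint, otherwise the
    # device cannot tell local traffic from tunnel-bound traffic.
    for t in tunnels:
        if t.local.overlaps(t.remote):
            problems.append(f"{t.name}: local {t.local} overlaps remote {t.remote}")
    # Rule 2: a remote subnet may be reached through one tunnel only.  A
    # plausible reason (assumption): the tunnel is selected by destination
    # subnet, so a repeat is ambiguous even if the peers' public IPs differ.
    for i, t in enumerate(tunnels):
        for u in tunnels[:i]:
            if t.remote.overlaps(u.remote):
                what = "repeats" if t.remote == u.remote else "overlaps"
                problems.append(
                    f"{t.name}: remote {t.remote} {what} remote {u.remote} "
                    f"of {u.name} (peers {t.remote_wan} vs {u.remote_wan})")
    return problems


# RV042#1's view of the second attempt in the post: two peers with different
# public addresses, both presenting 192.168.113.128/27 as their subnet.
RV042_1_SECOND_ATTEMPT = [
    tunnel("RV042#1 tunnel 1", "216.123.123.4",
           "192.168.113.192/255.255.255.192", "192.168.113.128/255.255.255.224"),
    tunnel("RV042#1 tunnel 2", "216.123.123.6",
           "192.168.1.0/255.255.255.0", "192.168.113.128/255.255.255.224"),
]

# The final plan: RV042#4 carries one tunnel, so it never sees a repeat.
RV042_4_PLAN = [
    tunnel("RV042#4 tunnel 1", "216.123.123.6",
           "192.168.1.0/255.255.255.0", "192.168.113.128/255.255.255.224"),
]


if __name__ == "__main__":
    for label, cfg in (("second attempt", RV042_1_SECOND_ATTEMPT),
                       ("final plan", RV042_4_PLAN)):
        print(f"{label}: {check_tunnels(cfg) or 'no conflicts'}")
    print("192.168.1.192/26 vs 192.168.1.0/24:",
          subnet_relationship("192.168.1.192/255.255.255.192",
                              "192.168.1.0/255.255.255.0"))
```

Run as-is it reports the same conflict the RV042 raised on tunnel 2 of the second attempt and none for the one-tunnel-per-device plan; the subnet question resolves to "subset", which is exactly the case rule 1 rejects when such a pair becomes a tunnel's local and remote.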