A fundamental VPN question re: distant subnet routing



***Situation:

Under "normal" circumstances one can route to pretty much anywhere by having
a gateway that routes packets to wherever they need to go. The routes can
be to a local host on the same subnet or to the internet (or whatever subnet
might be NAT'ed on the gateway router WAN side).

One constraint, on a Windows system at least, is that the next hop address
must be on the local subnet. That's usually OK as it's often the gateway.

Now, introduce a VPN that connects between two distinct subnets - local #1
and remote #2. So far, my experience is with RV042 routers supporting both
ends of the VPN. As such the VPN devices know nothing about gateways.

- This is OK if one is simply addressing a host on the remote subnet (from
#1 to #2).
.. route (any packets going to the remote subnet #2) to the VPN device on
the local subnet (#1). That's a "legal" route.
.. the VPN device then sends the packets through the tunnel to the remote
host on the remote subnet (#2).

But what if the packets are destined for a further-removed subnet (#3) via a
gateway on the remote subnet (#2)? How is that handled? I can't find a way
to do this:

- It's been suggested to implement a tunnel that's physically between
subnets #1 and #2 and configured to be between subnets #1 and #3. Then, add
a static route at the remote VPN termination (on subnet #2) to route from
subnet #3 to the gateway on subnet #2.
.. but this doesn't seem to work on an RV042.

I have two fundamental questions:

1) This kind of need must come up all the time. So, how do you handle it?

2) Are there reasonable lower-end products that will do this job in place of
an RV042? That is, one that will at least support VPN AND static routing at
the same time?

Next, is this a crazy idea or what?

RV042 #101 gateway mode NATs from subnet #1 (LAN) to subnet A (WAN) with
RV042 #102 on subnet A entered as gateway on the WAN.
RV042 #102 gateway mode VPNs from subnet A at site #1 to subnet B at site
#2.
(correspondingly, RV042 #103 gateway mode VPNs from subnet B at site #2 to
subnet A at site #1).
RV042 #104 gateway mode NATs from subnet B (LAN) to subnet #2 (WAN) at site
#2 .. and lists the gateway on subnet #2 as its gateway.
Subnets A and B are just "dummy" subnets to cause a NAT and to make the
boxes work as they "want to".

It seems crazy in that there are a lot of little boxes. But it seems like
it would work.

Comments *please*? And, again: are there reasonable lower-end products that
will do this job in place of an RV042? That is, one that will at least
support VPN AND static routing at the same time?

Fred
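The hop-by-hop forwarding that the question describes, as an added illustration that is not part of the original post and makes no claim about what an RV042 can or cannot be configured to do. It is a small Python model of the three-subnet layout: a host on subnet #1, a VPN device at each site, a gateway on subnet #2 that fronts subnet #3, and a host on #3. All addresses (192.168.1.0/24 for #1, 192.168.2.0/24 for #2, 10.30.0.0/16 for #3, the /30 WAN links) are constructed. Every node does longest-prefix-match over static routes and refuses a next hop that is not on a directly attached subnet, the same rule the post notes for Windows; a VPN device additionally checks a list of "tunnel selectors", which is the model's stand-in for the remote-network setting of a site-to-site tunnel and is an assumption about generic behaviour. The two flags on `build()` reproduce the two ways the #1-to-#3 path fails: the tunnel not being configured to carry #3, and the remote VPN device lacking a static route for #3 via the gateway on #2. The model also traces the return path, which needs the gateway on #2 to route #1 back to the VPN device.

```python
"""Toy forwarding model for a two-site VPN with a third subnet behind site 2.

Added illustration, not from the original post. All addresses are constructed:
subnet #1 = 192.168.1.0/24, subnet #2 = 192.168.2.0/24, subnet #3 = 10.30.0.0/16
reached only through a gateway on subnet #2. The "tunnel selector" check is an
assumed model of a site-to-site tunnel's remote-network setting.
"""
import ipaddress

LAN1, LAN2, LAN3 = "192.168.1.0/24", "192.168.2.0/24", "10.30.0.0/16"


class Node:
    """A host or router: attached interfaces plus a static routing table."""

    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.routes = []              # (network, next_hop) pairs
        self.tunnel_selectors = []    # networks the tunnel is configured to carry
        self.tunnel_peer = None       # Node at the far end of the tunnel

    def on_link(self, addr):
        return any(addr in i.network for i in self.interfaces)

    def add_route(self, dst, via):
        """Same rule Windows `route add` enforces: next hop must be directly attached."""
        net, nh = ipaddress.ip_network(dst), ipaddress.ip_address(via)
        if not self.on_link(nh):
            raise ValueError(f"{self.name}: next hop {nh} is not on an attached subnet")
        self.routes.append((net, nh))

    def attach_tunnel(self, peer, remote_networks):
        self.tunnel_peer = peer
        self.tunnel_selectors = [ipaddress.ip_network(n) for n in remote_networks]

    def next_hop(self, dst):
        """Return (action, arg): deliver on-link, tunnel to peer, forward to next hop, or drop."""
        addr = ipaddress.ip_address(dst)
        if self.on_link(addr):
            return "deliver", addr
        if any(addr in sel for sel in self.tunnel_selectors):
            return "tunnel", self.tunnel_peer
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return "drop", "no route"
        _, nh = max(matches, key=lambda r: r[0].prefixlen)   # longest prefix wins
        return "forward", nh


def trace(start, dst, nodes, max_hops=8):
    """Follow a packet hop by hop; returns node names ending in 'delivered' or 'drop: ...'."""
    by_addr = {str(i.ip): n for n in nodes for i in n.interfaces}
    path, node = [start.name], start
    for _ in range(max_hops):
        action, arg = node.next_hop(dst)
        if action == "deliver":
            return path + ["delivered"]
        if action == "drop":
            return path + [f"drop: {arg}"]
        node = arg if action == "tunnel" else by_addr[str(arg)]
        path.append(node.name)
    return path + ["drop: hop limit"]


def build(tunnel_covers_lan3=True, remote_static_route=True):
    """Two sites joined by a tunnel; the two flags reproduce the two misconfigurations."""
    host1 = Node("host@1", ["192.168.1.10/24"])
    vpn1 = Node("vpn@1", ["192.168.1.2/24", "203.0.113.1/30"])
    vpn2 = Node("vpn@2", ["192.168.2.2/24", "198.51.100.1/30"])
    gw2 = Node("gw@2", ["192.168.2.1/24", "10.30.0.1/16"])
    host3 = Node("host@3", ["10.30.0.5/16"])
    # Host on #1: both remote subnets point at the local VPN device (an on-link next hop).
    host1.add_route(LAN2, "192.168.1.2")
    host1.add_route(LAN3, "192.168.1.2")
    # Tunnel selectors: site 1 must list #3 as a remote network, not only #2.
    vpn1.attach_tunnel(vpn2, [LAN2, LAN3] if tunnel_covers_lan3 else [LAN2])
    vpn2.attach_tunnel(vpn1, [LAN1])
    # The remote VPN device needs a static route for #3 via the gateway on #2 ...
    if remote_static_route:
        vpn2.add_route(LAN3, "192.168.2.1")
    # ... and that gateway needs the return route for #1 via the VPN device.
    gw2.add_route(LAN1, "192.168.2.2")
    host3.add_route(LAN1, "10.30.0.1")
    return [host1, vpn1, vpn2, gw2, host3]


def off_link_next_hop_rejected():
    """Pointing the host's route for #3 straight at the gateway on #2 is refused."""
    host1 = build()[0]
    try:
        host1.add_route(LAN3, "192.168.2.1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = build()
    print(trace(good[0], "10.30.0.5", good))       # host@1 -> vpn@1 -> vpn@2 -> gw@2 -> delivered
    print(trace(good[4], "192.168.1.10", good))    # host@3 -> gw@2 -> vpn@2 -> vpn@1 -> delivered
    bad = build(tunnel_covers_lan3=False)
    print(trace(bad[0], "10.30.0.5", bad))         # drops at vpn@1: no route
```

Running it with the defaults shows the full path in both directions; flipping either flag shows where the packet dies, which is the check to make on the real devices: does the tunnel carry #3, does the far VPN device have a route for #3, and does the gateway on #2 have a route back to #1.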