Re: VPN and Routing in one box

Fred Marshall wrote:
"Rome On Crestes" <romeoncrestes@xxxxxxxxxxxxxxxxxxx> wrote in message news:e9SEi.16757$gR1.5033@xxxxxxxxxxxxxxxxxxxxxxxxx
Fred Marshall wrote:
I need a router that can be a VPN end point AND will route packets coming out of the VPN.

Any suggestions for a simple router that will do this?

Thanks,

Fred
Linksys RV042 will do that.

Oh! How I wish that were true as I have a number of them on hand! I have done a number of things to make them do it and have become convinced that they can't. I'd be very happy to be found deficient in my thinking / testing or configuration.

Here is the scenario:

Subnet 1 < VPN > Subnet 2 > [router] > Subnet 3
192.168.1.0 192.168.2.0 192.168.3.0

Packets originate in Subnet 1, destined for Subnet 3.
The VPN (Subnet 1 end) is the first hop.
When packets arrive via the VPN at Subnet 2, they have to be routed to a particular router / IP address on Subnet 2, which is the next hop in order to be further routed to Subnet 3.
Thus, a route has to be effective at the Subnet 2 end of the VPN that sends packets destined for Subnet 3 to the router on Subnet 2.
(The return path is already taken care of separately).

That route might look like this:
192.168.3.0 255.255.255.0 192.168.2.199 where .199 is the address of the router on Subnet 2.

Here is the setup I used:

Subnet 1 < RV042 VPN > Subnet 2 > [router] > Subnet 3
192.168.1.0 192.168.2.0 192.168.3.0

The RV042 Tunnel goes from 192.168.1.0 to 192.168.3.0
The Subnet 2 RV042 VPN end LAN is on subnet 2.
The static route in the Subnet 2 RV042 points packets destined for Subnet 3 to the [router] on Subnet 2.

Packets destined for Subnet 3 are routed to the VPN on Subnet 1.
When they come out of the VPN, there needs to be something to tell them to go to the [router] as the next hop.
Thus the static route.

I have rather conclusively shown that the static route does nothing. So, I wonder what I'm missing?

---
What one can't do is to have the "forward" VPN Tunnel defined between Subnet 1 and Subnet 2. Then packets destined for Subnet 3 won't *enter* the tunnel at the source end. Thus, it appears a static route at the receiving end is necessary. Then a separate tunnel between Subnets 1 and 2 can be used as the return path without this kind of problem.

Thanks,

Fred

You can NEVER forward packets through a VPN unless there is a valid security association for them. A security association includes the source and destination of the packet even if that destination is for another subnet. Source and destination do not include intermediate points or next hops unless there is a router doing network address translation and rewriting the packet.


SUBNET 1 (192.168.1.0) < SUBNET 2 (192.168.2.0) < SUBNET 3 (192.168.3.0)

So you have a VPN between subnet 1 and subnet 2 and then a router on the link between subnet 2 and subnet 3 right?

Simple case: So you want packets to go from subnet 1 to subnet 2. Very easy you create a VPN entry where the source network is 192.168.1.0 and the destination is 192.168.2.0.

Case 2: You want packets to go from subnet 1 to subnet 3 via the VPN gateway on subnet 2. So the way you are trying to force this to happen is to create a static route on the VPN routers that says that packets for 192.168.3.0 should be sent through the VPN gateway at 192.168.2.0 and you expect those packets will be sent through the existing VPN link but they don't work that way. This is entirely correct and expected behavior for every implementation of IPSEC. You need to create another VPN between the very same 2 routers as before but with a different destination. Create a second VPN entry: source 192.168.1.0 destination 192.168.3.0 the remote gateway will still be the VPN router on subnet 2. This will allow the packets to get to the remote network. Now your static route on the vpn router at subnet 2 will be able to work to send those packets over to the router to get to subnet 3.

On the linksys routers when you add a VPN gateway to gateway entry for the link from subnet 1 to subnet 3 it will look like this:
Local group setup:
Local security gateway type: IP Only if you have static IPs on both ends.
Local security group type: Subnet
IP Address: 192.168.1.0
Subnet mask: 255.255.255.0
Remote Group setup
Remote security gateway type: IP Only
IP address: Give the public static IP of the VPN Router on subnet 2 here.
Remote security group type: subnet
IP Address: 192.168.3.0
Subnet mask: 255.255.255.0
IPSec Setup:
All of these settings need to match between the two gateways. I trust you can figure this part out.

For the link on the router at subnet 2 the corresponding entries for this VPN link will look like this:
Local group setup:
Local security gateway type: IP Only if you have static IPs on both ends.
Local security group type: Subnet
IP Address: 192.168.3.0 <- THIS IS THE SETTING YOU HAVE BEEN MISSING
Subnet mask: 255.255.255.0
Remote Group setup
Remote security gateway type: IP Only
IP address: Give the public static IP of the VPN Router on subnet 1 here.
Remote security group type: subnet
IP Address: 192.168.1.0
Subnet mask: 255.255.255.0
IPSec Setup:
All of these settings need to match between the two gateways. I trust you can figure this part out.

On the VPN router at subnet 2 you will add a static route in the Setup->More->Advanced routing screen.
Destination IP: 192.168.3.0
Subnet mask: 255.255.255.0
Default gateway: 192.168.2.??? Whatever the IP of the router that is moving packets to subnet 3 is.
Hop count metric: 1
Interface: LAN

No static route entries will be required on the router at VPN 1. The router for the link between subnet 2 and 3 will need to either use the VPN gateway on subnet 2 as its default route or it will need a static route entry for subnet 1 to point to the VPN gateway on subnet 2.

So on both VPN routers you will now have 2 nearly identical VPN entries created but with a small change in the IP address of the subnet.


Feel free to send tips via paypal.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@xxxxxxxxxxxxxxxxxxxxxxxxxxxx)
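The behaviour Mike describes above (a packet is only tunneled when both its source and destination fall inside one security association's traffic selectors, and only after that does the static route on the subnet-2 gateway come into play) can be modelled in a few lines. The following is an added example written for this thread, not code from either poster or from Linksys firmware: it is a simplified IPsec Security Policy Database plus a longest-prefix routing table. The three subnets and the 192.168.2.199 inner router address are the ones used in the posts; the "ISP_GATEWAY" default next hop and the host addresses in the traces are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed topology, using the subnets from the thread.
SITE1_LAN = "192.168.1.0/24"
SITE2_LAN = "192.168.2.0/24"
SITE3_LAN = "192.168.3.0/24"
SITE2_INNER_ROUTER = "192.168.2.199"   # the [router] on subnet 2, as in Fred's post
ISP_GATEWAY = "ISP_GATEWAY"            # placeholder for the WAN default next hop


def selector_lookup(spd, local_addr, remote_addr):
    """Return the first SPD entry whose selectors cover (local, remote), else None.

    Simplified IPsec SPD: each entry is one 'local subnet <-> remote subnet'
    pair (the RV042's Local/Remote Security Group). A packet is protected only
    when BOTH endpoints fall inside one entry; intermediate hops play no part.
    """
    local_addr, remote_addr = ip_address(local_addr), ip_address(remote_addr)
    for entry in spd:
        if (local_addr in ip_network(entry["local"])
                and remote_addr in ip_network(entry["remote"])):
            return entry
    return None


def route_lookup(routes, dst):
    """Longest-prefix match over a table of {dest, next_hop, interface} dicts."""
    dst = ip_address(dst)
    best = None
    for route in routes:
        net = ip_network(route["dest"])
        if dst in net and (best is None
                           or net.prefixlen > ip_network(best["dest"]).prefixlen):
            best = route
    return best


def trace(src, dst, site1_spd, site2_spd, site2_routes):
    """Trace one packet from subnet 1 towards dst and report where it ends up."""
    # 1. Outbound at site 1: local = source, remote = destination.
    if selector_lookup(site1_spd, src, dst) is None:
        return "site1: not tunneled (no selector covers %s -> %s)" % (src, dst)
    # 2. Inbound at site 2 after decapsulation: the mirror-image selectors.
    if selector_lookup(site2_spd, dst, src) is None:
        return "site2: discarded (inbound selector mismatch)"
    # 3. Only now does ordinary routing on the site-2 gateway pick a next hop.
    route = route_lookup(site2_routes, dst)
    if route is None:
        return "site2: no route to %s" % dst
    if route["next_hop"] is None:
        return "site2: delivered directly on %s" % route["interface"]
    return "site2: forward via %s on %s" % (route["next_hop"], route["interface"])


# Routing table of the site-2 VPN gateway, with and without the static route.
CONNECTED = {"dest": SITE2_LAN, "next_hop": None, "interface": "LAN"}
DEFAULT = {"dest": "0.0.0.0/0", "next_hop": ISP_GATEWAY, "interface": "WAN"}
STATIC_TO_SUBNET3 = {"dest": SITE3_LAN, "next_hop": SITE2_INNER_ROUTER, "interface": "LAN"}


def fred_setup():
    """One tunnel 192.168.1.0/24 <-> 192.168.2.0/24 plus the static route."""
    site1 = [{"local": SITE1_LAN, "remote": SITE2_LAN}]
    site2 = [{"local": SITE2_LAN, "remote": SITE1_LAN}]
    return site1, site2, [CONNECTED, DEFAULT, STATIC_TO_SUBNET3]


def mike_setup(with_static_route=True):
    """Two tunnel entries between the same gateways, one per destination subnet."""
    site1 = [{"local": SITE1_LAN, "remote": SITE2_LAN},
             {"local": SITE1_LAN, "remote": SITE3_LAN}]
    site2 = [{"local": SITE2_LAN, "remote": SITE1_LAN},
             {"local": SITE3_LAN, "remote": SITE1_LAN}]
    routes = [CONNECTED, DEFAULT] + ([STATIC_TO_SUBNET3] if with_static_route else [])
    return site1, site2, routes


if __name__ == "__main__":
    print("Fred :", trace("192.168.1.10", "192.168.3.10", *fred_setup()))
    print("Mike :", trace("192.168.1.10", "192.168.3.10", *mike_setup()))
    print("No rt:", trace("192.168.1.10", "192.168.3.10", *mike_setup(False)))
```

Running the three traces shows the point of the thread: with Fred's single selector pair the subnet-3 packet never enters the tunnel, so the static route at the far end is never consulted; with the second selector pair the packet arrives at the site-2 gateway, and only then does the static route (versus the default route out the WAN) decide whether it reaches the inner router.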