Site to site VPNs - how they work
Fred Marshall 2007-07-02, 7:13 pm
I have a site to site VPN set up.
Of course, the subnets are different on each side of the tunnel.
I've been led to understand that there is no special routing needed for
packets to get from one side of the tunnel to the other. But, that seems
curious and I'd like to understand it better.
For one thing, I can imagine that there would be a gateway router on each
subnet and that the gateway router would route all traffic going to the
remote subnet to the local VPN IP address as the next hop. I can't imagine
that this is somehow bad practice.
Lacking that type of implementation, how do the packets destined for the VPN
know where the VPN is? Is there some kind of broadcast or what? I can't
imagine that all packets destined for the VPN are broadcast .... ?
Thanks,
Fred
Michael Ziegler 2007-07-02, 7:13 pm
Fred Marshall wrote:
> For one thing, I can imagine that there would be a gateway router on each
> subnet and that the gateway router would route all traffic going to the
> remote subnet to the local VPN IP address as the next hop. I can't imagine
> that this is somehow bad practice.
These gateways would naturally be the machines that establish the VPN
connection.
You need to set these up so they do routing in two directions, namely
VPN <-> LAN.
Then, you tell your clients (or, the default gateways these clients use)
that they reach the other site via the gateway machine that runs the
VPN, and that's it 
eg:
Site1:
network: 192.168.1.0/24
router to internet: 192.168.1.1
vpn gateway: 192.168.1.254
vpn address: 10.8.0.1
Site2:
network: 192.168.2.0/24
router to internet: 192.168.2.1
vpn gateway: 192.168.2.254,
vpn address: 10.8.0.2
Route to set on machine 192.168.1.1:
| route add -net 192.168.2.0/24 gw 192.168.1.254
Route to set on machine 192.168.1.254:
| route add -net 192.168.2.0/24 gw 10.8.0.2
Route to set on machine 192.168.2.1:
| route add -net 192.168.1.0/24 gw 192.168.2.254
Route to set on machine 192.168.2.254:
| route add -net 192.168.1.0/24 gw 10.8.0.1
That should do the trick 
I'm not sure if these routes are sufficient on the VPN gateways, though,
as I'm not familiar with how to setup this without using a shorewall :D
> Lacking that type of implementation, how do the packets destined for the VPN
> know where the VPN is? Is there some kind of broadcast or what? I can't
> imagine that all packets destined for the VPN are broadcast .... ?
What do you mean?
Regards,
Michael
Fred Marshall 2007-07-03, 1:14 pm
"Michael Ziegler" <haettstegern@hoster.invalid> wrote in message
news:f6buo4$699$1@news.taunusstein.net...
> Fred Marshall wrote:
>
> These gateways would naturally be the machines that establish the VPN
> connection.
> You need to set these up so they do routing in two directions, namely VPN
> <-> LAN.
>
> Then, you tell your clients (or, the default gateways these clients use)
> that they reach the other site via the gateway machine that runs the VPN,
> and that's it 
>
> eg:
> Site1:
> network: 192.168.1.0/24
> router to internet: 192.168.1.1
> vpn gateway: 192.168.1.254
> vpn address: 10.8.0.1
>
> Site2:
> network: 192.168.2.0/24
> router to internet: 192.168.2.1
> vpn gateway: 192.168.2.254,
> vpn address: 10.8.0.2
>
> Route to set on machine 192.168.1.1:
> | route add -net 192.168.2.0/24 gw 192.168.1.254
>
> Route to set on machine 192.168.1.254:
> | route add -net 192.168.2.0/24 gw 10.8.0.2
>
> Route to set on machine 192.168.2.1:
> | route add -net 192.168.1.0/24 gw 192.168.2.254
>
> Route to set on machine 192.168.2.254:
> | route add -net 192.168.1.0/24 gw 10.8.0.1
>
> That should do the trick 
>
> I'm not sure if these routes are sufficient on the VPN gateways, though,
> as I'm not familiar with how to setup this without using a shorewall :D
>
>
> What do you mean?
To your last question: it appears it doesn't apply because of the first part
of your answer.
I suppose that some folks use a gateway router to also implement their VPNs.
Then the next hop targeting would be dealt with almost by default.
However, if the VPN device is separate (in parallel with the internet
router) then it appears it needs to be explicitly targeted with routes as
you've suggested.
Thanks,
Fred
Michael Ziegler 2007-07-03, 1:14 pm
Fred Marshall wrote:
>
> To your last question: it appears it doesn't apply because of the first part
> of your answer.
>
> I suppose that some folks use a gateway router to also implement their VPNs.
> Then the next hop targeting would be dealt with almost by default.
If you mean that the machine/box/whatever that all clients in the
network use as their default router is the one that establishes the VPN,
then yes, because the router then knows everything it needs.
> However, if the VPN device is separate (in parallel with the internet
> router) then it appears it needs to be explicitly targeted with routes as
> you've suggested.
In that case, either each client in the network needs to know that
route, or their default router. Otherwise, these clients' packages would
be sent into the internet instead of the VPN because no-one would talk
to the correct router 
Regards,
Michael
Fred Marshall 2007-07-03, 7:13 pm
"Michael Ziegler" <haettstegern@hoster.invalid> wrote in message
news:f6buo4$699$1@news.taunusstein.net...
> Fred Marshall wrote:
>
> These gateways would naturally be the machines that establish the VPN
> connection.
> You need to set these up so they do routing in two directions, namely VPN
> <-> LAN.
>
> Then, you tell your clients (or, the default gateways these clients use)
> that they reach the other site via the gateway machine that runs the VPN,
> and that's it 
>
> eg:
> Site1:
> network: 192.168.1.0/24
> router to internet: 192.168.1.1
> vpn gateway: 192.168.1.254
> vpn address: 10.8.0.1
>
> Site2:
> network: 192.168.2.0/24
> router to internet: 192.168.2.1
> vpn gateway: 192.168.2.254,
> vpn address: 10.8.0.2
>
> Route to set on machine 192.168.1.1:
> | route add -net 192.168.2.0/24 gw 192.168.1.254
>
> Route to set on machine 192.168.1.254:
> | route add -net 192.168.2.0/24 gw 10.8.0.2
>
> Route to set on machine 192.168.2.1:
> | route add -net 192.168.1.0/24 gw 192.168.2.254
>
> Route to set on machine 192.168.2.254:
> | route add -net 192.168.1.0/24 gw 10.8.0.1
>
> That should do the trick 
>
> I'm not sure if these routes are sufficient on the VPN gateways, though,
> as I'm not familiar with how to setup this without using a shorewall :D
>
Michael,
Yes, the routes are effectively like this, or would be.
I'm using Linksys RV042 for VPN devices (and nothing else) and the tunnel
definition takes care of the site-to-site IP addresses - both public and
private subnet ranges. Then, its firewall settings are shut down tight to
only allow the intended tunnel traffic between the intended interfaces.
What you're telling me is that I have to also add a route pointing to the
local VPN address to reach the remote subnet. That could either be a static
route on each host or a route on a local gateway that all hosts point to.
That makes a lot of sense to me!
So, just to test my understanding and to be clear:
If I want to destine a packet for the remote subnet in general there would
have to be a route like this (from above):
Route to set on machine 192.168.1.1:
| route add -net 192.168.2.0/24 gw 192.168.1.254
OR
If I want to destine packets for the remote subnet in general, and if
there's a gateway / router at 192.168.1.99, then there could be a route like
this (from above):
Route to set on machine 192.168.1.99:
| route add -net 192.168.2.0/24 gw 192.168.1.254
NOW, and this is important ......
If I want to destine packets for a "further remote / private" subnet
known only to a router on the remote subnet then there would have to be a
route like the one above pointing to the router that knows the next hop.
So, for a destination of 192.168.3.x via the 192.168.2.x subnet: and
specifically 192.168.2.99 (a router)
Route to set on machine 192.168.1.99 (gateway / router):
route add -p 192.168.3.0 mask 255.255.255.0 gw 192.168.1.254 (vpn) next hop
hmmmmm.... I guess I don't know how to do this if the VPN device won't also
route and only bridges the two LANs.
Can the .99 router have both:
| route add -p 192.168.2.0/24 gw 192.168.1.254
AND
| route add -p 192.168.3.0/24 gw 192.168.2.99 ???
Will the second route be subject to the first route?
I don't think so... !
Yet, this is what I need to do. Any suggestions?
Then there need to be return paths:
Route to set on machine 192.168.2.99
route add -p 192.168.1.0 mask 255.255.255.0 gw 192.168.2.254
I think this is the only return path needed within the two subnets on the
VPN.
Sound right to you?
Thanks,
Fred
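The following is an added worked example, not code from either poster or from the Linksys RV042: a small hop-by-hop forwarding model that replays the routing tables Michael laid out (192.168.1.0/24 <-> 10.8.0.x <-> 192.168.2.0/24) and then the extra case Fred asks about in his last post (a 192.168.3.0/24 subnet behind the router 192.168.2.99, with 192.168.1.99 as site 1's gateway). The 192.168.3.0/24 subnet and all host addresses are constructed for the example. It assumes, as the thread implies, that the VPN box only carries packets whose source and destination fall inside the subnet ranges in its tunnel definition, and it applies the ordinary rule that a next hop must lie on a directly connected subnet. Running it shows three things: the routes on both internet routers and both VPN gateways together produce a working path in each direction; with the route on 192.168.1.1 missing, site 2 traffic follows the default route to the internet instead; and reaching the third subnet needs a route at every hop (gateway, both VPN boxes, and the return route on 192.168.2.99) plus the extra subnet in the tunnel definition, while a route on 192.168.1.99 that names 192.168.2.99 directly as gateway is unusable because that address is not on a local subnet.

```python
"""Hop-by-hop forwarding model of the two-site VPN topology in this thread.
Constructed teaching example: not the RV042's code and nothing the posters ran.
Addresses follow Michael's example and Fred's last post; 192.168.3.0/24 and the
host addresses are invented for the demo. That the tunnel only carries traffic
matching its configured subnet ranges is an assumption about the VPN device.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

WAN = "wan-uplink"                       # sentinel next hop: packet leaves for the internet
Route = Tuple[str, Optional[str]]        # (prefix, next hop); None = directly connected
Node = Tuple[List[str], List[Route]]     # (addresses owned, routing table)
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")
SELECTORS = ["192.168.1.0/24", "192.168.2.0/24"]   # subnets in the tunnel definition (assumed)


def in_any(addr: str, prefixes: List[str]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in prefixes)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in table if d in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def on_link(table: List[Route], addr: str) -> bool:
    """A next hop is usable only if a directly connected route covers it."""
    return in_any(addr, [p for p, nh in table if nh is None])


def trace(topo: Dict[str, Node], src: str, dst: str, selectors: List[str]) -> List[str]:
    """Follow a packet node by node; the last element says where it ended up."""
    owner = {a: name for name, (addrs, _) in topo.items() for a in addrs}
    node, path = owner[src], [owner[src]]
    for _ in range(16):                                        # TTL-style loop guard
        addrs, table = topo[node]
        if dst in addrs:
            return path + ["delivered"]
        route = lookup(table, dst)
        if route is None:
            return path + ["no route"]
        _, nh = route
        if nh == WAN:
            return path + ["internet"]                         # default route, never saw the VPN
        if nh is not None and not on_link(table, nh):
            return path + [f"unreachable next hop {nh}"]       # gateway not on a local subnet
        hop = dst if nh is None else nh
        if ipaddress.ip_address(hop) in TUNNEL_NET and not (in_any(src, selectors) and in_any(dst, selectors)):
            return path + ["dropped by tunnel policy"]         # subnet not in the tunnel definition
        if hop not in owner:
            return path + [f"no host at {hop}"]
        node = owner[hop]
        path.append(node)
    return path + ["loop"]


def base_topology() -> Dict[str, Node]:
    """Michael's two sites: internet router .1, VPN gateway .254, tunnel 10.8.0.x."""
    return {
        "host1":   (["192.168.1.10"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]),
        "router1": (["192.168.1.1"], [("192.168.1.0/24", None), ("192.168.2.0/24", "192.168.1.254"), ("0.0.0.0/0", WAN)]),
        "vpn1":    (["192.168.1.254", "10.8.0.1"], [("192.168.1.0/24", None), ("10.8.0.0/24", None), ("192.168.2.0/24", "10.8.0.2")]),
        "vpn2":    (["192.168.2.254", "10.8.0.2"], [("192.168.2.0/24", None), ("10.8.0.0/24", None), ("192.168.1.0/24", "10.8.0.1")]),
        "router2": (["192.168.2.1"], [("192.168.2.0/24", None), ("192.168.1.0/24", "192.168.2.254"), ("0.0.0.0/0", WAN)]),
        "host2":   (["192.168.2.10"], [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
    }


def both_ways() -> Tuple[List[str], List[str]]:
    """Site 1 -> site 2 and the return path; both VPN gateways route LAN <-> VPN."""
    t = base_topology()
    return trace(t, "192.168.1.10", "192.168.2.10", SELECTORS), trace(t, "192.168.2.10", "192.168.1.10", SELECTORS)


def missing_lan_route() -> List[str]:
    """Without the route on 192.168.1.1, site 2 traffic takes the default route to the internet."""
    t = base_topology()
    t["router1"] = (["192.168.1.1"], [("192.168.1.0/24", None), ("0.0.0.0/0", WAN)])
    return trace(t, "192.168.1.10", "192.168.2.10", SELECTORS)


def third_subnet_topology(chained: bool) -> Dict[str, Node]:
    """Fred's case: 192.168.3.0/24 behind router 192.168.2.99; 192.168.1.99 is site 1's gateway.
    chained=True names 192.168.2.99 directly as gateway from site 1; False points at the local VPN box."""
    t = base_topology()
    t["host1"] = (["192.168.1.10"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.99")])
    via = "192.168.2.99" if chained else "192.168.1.254"
    t["gw99"] = (["192.168.1.99"], [("192.168.1.0/24", None), ("192.168.2.0/24", "192.168.1.254"), ("192.168.3.0/24", via)])
    t["vpn1"][1].append(("192.168.3.0/24", "10.8.0.2"))        # each VPN box needs its own route to .3.0/24
    t["vpn2"][1].append(("192.168.3.0/24", "192.168.2.99"))
    t["router3"] = (["192.168.2.99", "192.168.3.1"], [("192.168.2.0/24", None), ("192.168.3.0/24", None), ("192.168.1.0/24", "192.168.2.254")])
    t["host3"] = (["192.168.3.10"], [("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.3.1")])
    return t


def to_third_subnet(chained: bool, selectors: List[str]) -> List[str]:
    return trace(third_subnet_topology(chained), "192.168.1.10", "192.168.3.10", selectors)


def from_third_subnet(selectors: List[str]) -> List[str]:
    """Return path via the route Fred proposes on 192.168.2.99 (192.168.1.0/24 gw 192.168.2.254)."""
    return trace(third_subnet_topology(False), "192.168.3.10", "192.168.1.10", selectors)


if __name__ == "__main__":
    print(both_ways())
    print(missing_lan_route())
    print(to_third_subnet(True, SELECTORS))
    print(to_third_subnet(False, SELECTORS))
    print(to_third_subnet(False, SELECTORS + ["192.168.3.0/24"]))
    print(from_third_subnet(SELECTORS + ["192.168.3.0/24"]))
```

The model deliberately separates the two reasons traffic can fail to cross: a routing failure (no route, next hop not on-link, or the default route winning and the packet leaving for the internet, which is Michael's "sent into the internet" case) and a policy failure at the VPN device (the tunnel definition does not cover the subnet), since a practitioner diagnoses these in different places, the routing table on each box versus the tunnel's configured subnet ranges.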