VPN - A fundamental VPN question re: distant subnet routing

Author: Fred Marshall

2007-08-30, 7:13 pm

***Situation:

Under "normal" circumstances one can route to pretty much anywhere by having
a gateway that routes packets to wherever they need to go. The routes can
be to a local host on the same subnet or to the internet (or whatever subnet
might be NAT'ed on the gateway router WAN side).

One constraint, on a Windows system at least, is that the next hop address
must be on the local subnet. That's usually OK as it's often the gateway.

Now, introduce a VPN that connects between two distinct subnets - local #1
and remote #2. So far, my experience is with RV042 routers supporting both
ends of the VPN. As such the VPN devices know nothing about gateways.

- This is OK if one is simply addressing a host on the remote subnet (from
#1 to #2).
.. route (any packets going to the remote subnet #2) to the VPN device on
the local subnet (#1). That's a "legal" route.
.. the VPN then sends the packets through the tunnel to the remote host on
the remote subnet (#2).

But what if the packets are destined for a further-removed subnet (#3) via a
gateway on the remote subnet (#2)? How is that handled? I can't find a way
to do this:

- It's been suggested to implement a tunnel that's physically between
subnets #1 and #2 and configured to be between subnets #1 and #3. Then, add
a static route at the remote VPN termination (on subnet #2) to route from
subnet #3 to the gateway on subnet #2.
.. but this doesn't seem to work on an RV042.

I have two fundamental questions:

1) This kind of need must come up all the time. So, how do you handle it?

2) Are there reasonable lower-end products that will do this job in place of
an RV042? That is, one that will at least support VPN AND static routing at
the same time?

Next, is this a crazy idea or what?

RV042 #101 gateway mode NATs from subnet #1 (LAN) to subnet A (WAN) with
RV042 #102 on subnet A entered as gateway on the WAN.
RV042 #102 gateway mode VPNs from subnet A at site #1 to subnet B at site
#2.
(correspondingly, RV042 #103 gateway mode VPNs from subnet B at site #2 to
subnet A at site #1).
RV042 #104 gateway mode NATs from subnet B (LAN) to subnet #2 (WAN) at site
#2 .. and lists the gateway on subnet #2 as its gateway.
Subnets A and B are just "dummy" subnets to cause a NAT and to make the
boxes work as they "want to".

It seems crazy in that there are a lot of little boxes. But it seems like
it would work.

Comments *please*? And, again: are there reasonable lower-end products that
will do this job in place of an RV042? That is, one that will at least
support VPN AND static routing at the same time?

Fred
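As an added illustration (not part of Fred's post, and not a description of how an RV042 actually behaves), the following Python model walks one packet from a host on subnet #1 toward subnet #3 under the three arrangements the post describes: a tunnel between #1 and #2 only, a tunnel configured between #1 and #3 without the static route at the remote termination, and the same tunnel with that route. It also enforces the "next hop must be on a local subnet" rule the post mentions. All addresses, device names and the selector-based tunnel behaviour are constructed assumptions.

```python
import ipaddress as ipa

class Node:
    """Host or router with connected subnets and static routes; next hop must be on a connected subnet."""
    def __init__(self, name, connected, routes=()):
        self.name, self.connected, self.routes = name, [ipa.ip_network(c) for c in connected], []
        for dest, nh in routes: self.add_route(dest, nh)
    def add_route(self, dest, nh):
        dest, nh = ipa.ip_network(dest), ipa.ip_address(nh)
        if not any(nh in c for c in self.connected):  # the Windows-style constraint from the post
            raise ValueError(f"{self.name}: next hop {nh} is not on a local subnet")
        self.routes.append((dest, nh))
    def next_hop(self, dst):
        if any(dst in c for c in self.connected):
            return "direct"
        hits = [(d, nh) for d, nh in self.routes if dst in d]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None  # longest prefix wins

class VpnDevice(Node):
    """Site-to-site tunnel endpoint: a packet enters the tunnel only if it matches the local/remote selector pair."""
    def __init__(self, name, connected, local_sel, remote_sel):
        super().__init__(name, connected)
        self.local_sel, self.remote_sel, self.peer = ipa.ip_network(local_sel), ipa.ip_network(remote_sel), None
    def tunnel(self, src, dst):
        return self.peer if src in self.local_sel and dst in self.remote_sel else None

def trace(src, dst, start, by_addr):
    """Follow one packet hop by hop; returns the node names plus 'delivered' or 'dropped'."""
    src, dst, cur, path = ipa.ip_address(src), ipa.ip_address(dst), start, []
    for _ in range(8):  # loop guard
        path.append(cur.name)
        nxt = cur.next_hop(dst)
        if nxt != "direct" and isinstance(cur, VpnDevice):
            nxt = cur.tunnel(src, dst) or nxt  # tunnel policy takes precedence over plain routes
        if nxt == "direct": return path + ["delivered"]
        if nxt is None: return path + ["dropped"]
        cur = nxt if isinstance(nxt, Node) else by_addr[nxt]
    return path + ["loop"]

def build(tunnel_to_net3, remote_static_route):
    """Constructed addressing (assumed): #1=10.1.0.0/24, #2=10.2.0.0/24, #3=10.3.0.0/24; vpn1=10.1.0.2, gw2=10.2.0.1."""
    remote = "10.3.0.0/24" if tunnel_to_net3 else "10.2.0.0/24"
    vpn1 = VpnDevice("vpn1", ["10.1.0.0/24"], "10.1.0.0/24", remote)
    vpn2 = VpnDevice("vpn2", ["10.2.0.0/24"], remote, "10.1.0.0/24")
    vpn1.peer, vpn2.peer = vpn2, vpn1
    gw2 = Node("gw2", ["10.2.0.0/24", "10.3.0.0/24"])  # the site-2 gateway that reaches #3
    if remote_static_route:
        vpn2.add_route("10.3.0.0/24", "10.2.0.1")  # the static route the post proposes at the remote termination
    host1 = Node("host1", ["10.1.0.0/24"], [("10.3.0.0/24", "10.1.0.2")])  # legal: next hop is on #1
    return host1, {ipa.ip_address("10.1.0.2"): vpn1, ipa.ip_address("10.2.0.1"): gw2}
```

Running `trace("10.1.0.10", "10.3.0.10", *build(True, True))` shows the packet reaching gw2 and being delivered, while the two weaker configurations drop it at vpn1 or vpn2 respectively.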