CAN WE DO ENCRYPTION AND ROUTING OVER SINGLE INTERFACE OF THE ROUTER??

Unanswered Question
Feb 21st, 2007

Hi,

Below is my network setup.

VPN Router
Site 2
------
   |
   | (Internet Cloud)
   |
Site 1
------
InternetRouter
   |
   |
Firewall----VPNRouter (having 1 interface)
   |
   |
LANSwitching
   |
PC

I would like to achieve a site-to-site VPN from the VPNRouter connected to the firewall in Site 1 to the VPN Router in Site 2.

As you may notice, I have only one interface for the VPNRouter (Site 1), and so the traffic from the PC in the Site 1 LAN, when trying to establish connectivity to the servers in Site 2, needs, when going to the second phase (with the help of the interesting traffic), to do both encryption as well as routing through the same single available interface. Is this possible?

I am sure the first phase would happen, but when going to the second phase the interesting traffic has to go from the PC to the Firewall to the VPNRouter (get encrypted and also be routed to the same Firewall interface again), then to the InternetRouter and on to the Site 2 VPN Router. So is that second phase possible?

Kindly let me know if I can go for such a solution and whether it is possible.

Regards,

Jithesh

kaachary Wed, 02/21/2007 - 03:46

Jithesh,

This would be interesting..!!

First of all, you need to disable "ip redirects" on the Router's interface.

The default gateway for the LAN would be the FW.

E.g., let's say the local n/w on Site 2 is 10.x.x.x and the local n/w on Site 1 is 11.x.x.x.

Say the router is connected to the dmz of the FW.

The FW would have a route:

route dmz 10.x.x.x 255.0.0.0

And on the Router, you have a route:

ip route 0.0.0.0 0.0.0.0

So, traffic originating from the Site 1 LAN, when it needs to go to the Site 2 LAN, will hit the PIX and then be routed to the router; the router will check the default gateway and send it to the PIX again, but after encrypting it.

The PIX will then route the encrypted traffic across the Internet. The return traffic will hit the router through the PIX and be decrypted; the router will then send the decrypted traffic to the PIX again, and the PIX will route it inside.

Phew !!!

HTH,

-Kanishka
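An added example (not from the original thread) of how the one-armed design Kanishka describes would look in IOS and PIX configuration. The interface name, the 192.168.1.0/24 DMZ, the peer and public addresses and the access-list names are assumptions; the pre-shared key is a placeholder.

```cisco
! === VPNRouter, Site 1 (single interface on the PIX DMZ) ===
! Assumed addressing: PIX dmz 192.168.1.1, router 192.168.1.2,
! Site 2 VPN peer 203.0.113.2, Site 1 LAN 11.0.0.0/8, Site 2 LAN 10.0.0.0/8.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Interesting traffic (phase 2): Site 1 LAN to Site 2 LAN
access-list 101 permit ip 11.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ! Clear text arrives and cipher text leaves on this same interface, so the
 ! router must not answer the PIX with ICMP redirects for the hairpinned flow
 no ip redirects
 crypto map VPNMAP
!
! Default route back to the PIX: encrypted packets to the peer use it too
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! === PIX, Site 1 ===
! Site 2 LAN is reached via the DMZ router; everything else via the Internet router
route dmz 10.0.0.0 255.0.0.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! Do not translate inside -> dmz traffic destined for Site 2
access-list NONAT permit ip 11.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
! Give the router a fixed public address and let only the peer's IKE/ESP reach it
static (dmz,outside) 198.51.100.10 192.168.1.2 netmask 255.255.255.255
access-list OUTSIDE_IN permit udp host 203.0.113.2 host 198.51.100.10 eq isakmp
access-list OUTSIDE_IN permit esp host 203.0.113.2 host 198.51.100.10
access-group OUTSIDE_IN in interface outside
```

The static and the outside access-list are what let the peer initiate the tunnel toward the router; without them only Site 1 could bring the tunnel up.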

daviddtran Wed, 02/21/2007 - 04:16

Yes, this can be done rather easily. Remember, the VPN router is NOT a PIX, so these things can be done rather easily. Furthermore, you can do it on a VPN concentrator as well.

David

CCIE security
