VPN_Routing

Unanswered Question
Aug 30th, 2007

Hello,


I have a misunderstanding about routing in RA VPN.


I have created an IP pool for assigning IP addresses to RA clients. It is working fine, but I can't understand how it works, because this pool is not routed in my corporate network.

For instance, I created IP pool test 10.10.1.0 - 10.10.1.254.


So RA VPN users with IP addresses from this pool can traverse my network without any problem. But internal routers don't have any routes to 10.10.1.0 in their routing tables. So how do routers/switches route packets coming from RA users' IP 10.10.1.x?


thanks

Leo

Jon Marshall Thu, 08/30/2007 - 00:19

Hi Leo


Your internal network must know how to route back to the 10.10.1.0 network or it wouldn't work.


Is there perhaps a default route that routes it back to your VPN device?


Jon

Leo_Stobbe Thu, 08/30/2007 - 01:11

Hi Jon,


Thanks for your reply.

I thought about a default route. But I am not sure.

Because my RA VPN clients reside in the internal network. And they can establish secure connections with internal hosts (which are several hops away). So if the routers send packets towards 10.10.1.0 by the default route, finally all packets would be sent to the Internet. But reply packets reach RA clients.


I need to do some tests.

By the way, how can I advertise this pool from the VPN endpoint to the internal network?


Leo

Jon Marshall Thu, 08/30/2007 - 02:00

Leo


So if you sit on one of your internal non-VPN clients and do a traceroute to the 10.10.1.x network, what path does it take, and if you go to the last hop before it times out, is there a route on there?


As for advertising this subnet into your network: some VPN devices can do Reverse Route Injection (RRI), i.e. they add a route to the subnet dynamically.


The other way is to add a static route for the 10.10.1.0 subnet on the nearest router pointing to your VPN device and then redistribute that into your IGP.


HTH


Jon
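
The hop-by-hop check suggested above, as an added example that is not part of any poster's reply: a small longest-prefix-match simulation tracing return traffic to the pool, first with only default routes and then with the static route on the nearest router redistributed to the others. The topology, router names, the 10.20.0.0/16 internal range and the /24 mask on the pool are constructed assumptions.

```python
import ipaddress

POOL = "10.10.1.0/24"  # the RA pool from the thread; the /24 mask is an assumption

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from start, traceroute-style; return the nodes visited."""
    path, node = [start], start
    while node in tables and len(path) <= max_hops:
        node = lookup(tables[node], dst)
        path.append(node if node else "no route")
    return path

def add_pool_route(tables, nearest, vpn_device, learned_via):
    """Static route on the router nearest the VPN device, then the same prefix
    as the other routers would learn it once it is redistributed into the IGP."""
    new = {router: dict(routes) for router, routes in tables.items()}
    new[nearest][POOL] = vpn_device
    for router, next_hop in learned_via.items():
        new[router][POOL] = next_hop
    return new

# Constructed topology (hypothetical names): core - dist - internet-edge,
# with the VPN device attached to dist. Only default routes cover the pool.
BASE = {
    "core": {"0.0.0.0/0": "dist"},
    "dist": {"0.0.0.0/0": "internet-edge", "10.20.0.0/16": "core"},
    "internet-edge": {"0.0.0.0/0": "internet", "10.20.0.0/16": "dist"},
}
FIXED = add_pool_route(BASE, "dist", "vpn-device",
                       {"core": "dist", "internet-edge": "dist"})

if __name__ == "__main__":
    for name, tables in (("default routes only", BASE), ("pool route added", FIXED)):
        print(name, "->", " > ".join(trace(tables, "core", "10.10.1.5")))
```

In the first trace the replies to a pool address follow the default route out to the Internet edge; in the second the more specific pool route wins at every hop and the traffic ends at the VPN device, while other destinations still use the default.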
