Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
362
Views
3
Helpful
3
Replies

VPN_Routing

Leo_Stobbe
Level 1
Level 1

‎08-30-2007 12:15 AM - edited ‎02-21-2020 03:14 PM

Hello,

I have misunderstanding of routing in RA VPN.

I have created ip pool for assigning ip addresses to RA Clients. It is working fine. But i can't understand how it is works. Because this pool is not routed in my corporate network.

For instance i created ip pool test 10.10.1.0 - 10.10.1.254.

So RA VPN users with ip addresses from this pool can traverse in my network without any problem. But Internal routers don't have any routes to 10.10.1.0 in their routing table.So how routers/switches route packets coming from RA Users ip 10.10.1.x ?

thanks

Leo

Labels:
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎08-30-2007 12:19 AM

Hi Leo

Your internal network must know how to route back to the 10.10.1.0 network or it wouldn't work.

Is there perhaps a default route that routes it back to your VPN device ?

Jon

0 Helpful

Leo_Stobbe
Level 1
Level 1
In response to Jon Marshall

‎08-30-2007 01:11 AM

Hi Jon,

Thanks for your reply.

I thought about default route.But i am not sure.

Because my RA VPN clients reside in internal network. And they can establish secure connection with internal hosts(which away for several hops).So if the routers send packets towards 10.10.1.0 by default route, finally all packets would be sent to Internet.But reply packets reach RA Clients.

I need to do some tests.

By the way how can i advertise this pool from VPN endpoint to internal network?

Leo

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Leo_Stobbe

‎08-30-2007 02:00 AM

Leo

So if you sit on one of your internal non-VPN clients and do a traceroute to the 10.10.1.x network what path does it take and if you go to the last hop before it times out is there a route on there.

As for advertising this subnet into your network. Some VPN devices can do Reverse Route Injection (RRI), ie they add a route to the subnet dynamically.

The other way is to add static route for the 10.10.1.0 subnet on the nearest router pointing to your VPN device and then redistribute that into your IGP.

HTH

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents