Solved: RRI and Client Mode

turbo_engine26 · ‎09-15-2013

Hi,

I am currently reading the "Complete Cisco VPN Config Guide" by Richard Deal and no doubt it is a good book. I am facing a difficulty in understanding something here.

In my opinion, Reverse Route Injection is more useful in LAN Extension Mode than in Client mode because connections need to be initiated from the corporate network to the SOHO network. And for this to happen, the corporate network must know the SOHO network. RRI is used in this case to install a static route in the corporate's VPN gateway and then redistribute it into the corporate network.

For client mode, the opposite is true: connections are initiated from the SOHO network or Software client to the corporate network ONLY. So, why do i care about reaching the SOHO network or Software client network from the corporate network? The author didn't clarify that. This is what the author said:

"The Cisco RRI provides the best approach for remote access clients. RRI is a Cisco-proprietary enhancement for IPsec. At the end of ISAKMP/IKE Phase 1, the remote access client does one of the following:

If in client mode, the client is assigned an internal address by the VPN gateway; the VPN gateway will add this as a static route to its local routing table. ---- > WHY?
If in network extension mode, the client sends the network number of its inside interface to the VPN gateway via an ISAKMP/IKE Phase 1 message." -----> MAKE SENSE

Please clarify why do i need the RRI solution for client mode. RRI for LAN Extension mode makes more sense.

Regards,

AM

Jouni Forss · ‎09-15-2013

Hi,

As I mentioned in the first reply,

Consider a situation where you have a central office VPN device which IS NOT the device through which all internal traffic to external network goes through. In other words in your internal network the default route directs traffic to some other device, for example the edge firewall.

Now for any traffic to flow between 2 different networks you naturally need routing table(s) on the device between the networks to have a route for each of the networks or traffic will not flow between them correctly.

So consider a situation where your Client Mode hardware client connects to the central VPN device (which is not the gateway for all external traffic) which is running OSPF along with all the internal routers and the RRI is NOT used. The PAT IP address used by the Client Mode Hardware Client is never adverticed to the rest of the network and traffic will flow incorrectly to the edge firewall to which the default route points to. If RRI was enabled (along with other settings) the internal routers could have correctly forwarded the return traffic towards the PAT IP address towards the VPN device rather than the edge firewall.

The above situation naturally applies to a LAN Extension mode also but in that case naturally the VPN device is adverticing a whole network/subnet instead of a host IP address used as the Client PAT IP.

Whether the remote Client Mode or LAN Extension Mode Hardware Client connects to the central site, the central site will have to have a route for the remote network or PAT IP address for the traffic to flow between 2 endpoints in the network.

If the central VPN device doesnt install a route for the PAT IP address to the central offices network then naturally the traffic will only be one way. Traffic from the Client mode PAT IP address will reach the central site but the return traffic back towards the PAT IP address wont flow correctly without RRI.

- Jouni

View solution in original post

Jouni Forss · ‎09-15-2013

Here is a configuration example of the RRI

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Here a VPN gateway device advertices the route towards the single VPN Client to the internal routers in the LAN network.

Though as I said before, I would imagine that in this case the default route might also be pointing to this same device to which the VPN Client is connected to and therefore RRI would not be needed.

To my understanding the RRI is used on the central VPN device to insert the VPN network/host IP addresses to the local routing table to be distributed to rest of the network through dynamic routing protocols.

- Jouni

View solution in original post

Jouni Forss · ‎09-15-2013

Hi,

Yes, to my understanding RRI is used to handle the routing for any network/host IP address that is located behind a VPN connection. Typically this would be used in a situation where this information needs to be passed on to dynamic routing protocols running in the internal network.

The RRI inserts the required network/host IP information to the routing table based on either VPN configurations or connections. I think in VPN Clients case the VPN device only insert the host IP route to the routing table with RRI. I think in L2L VPN case for example the RRI inserts the whole destination network to the routing table.

In our environments there has not really been much need for RRI as the routing environments have been pretty static in nature.

- Jouni

View solution in original post

Jouni Forss · ‎09-15-2013

Hi,

I would imagine that the RRI is important for both cases.

If I am not completely mistaken the most common setup with smaller environments is that the Internet gateway device is also the firewall and the vpn gateway device. And in those cases the default route for all networks external to this companies network always follow the default route to the firewall/vpn device and out through the external interface.

Now whether we are talking about a Client connecting to the central site or a remote site connecting to the central site it will always require a route in the routing table for the return traffic to be forwarded correctly.

I would imagine that if you were to use a separate VPN gateway device in a network running dynamic routing protocol you might need to have RRI enabled for both Client VPN and L2L VPN (or similiar) for the traffic flow back to the VPN device instead of the device holding the default route.

Though at the same time I would have to say that you could naturally handle this with static routes on the routers connected to the VPN devices to tell where the different VPN networks are located.

Or atleast thats how I understand it.

- Jouni

turbo_engine26 · ‎09-15-2013

Hi Jouni,

Sorry, i couldn't follow you. I think we need to talk more practically than theoretically . Let me explain and clarify more.

Discussion 1:

In client mode, you have a hardware client in a SOHO network is building a remote access IPSec tunnel to the corporate's firewall. During ISAKMP/IKE Phase 1, the client is assigned an IP address from the firewall's internal Pool. Because the devices behind the hardware client also need to access the corporate network, the hardware client performs dynamic PAT using the assigned IP address. The devices now can access the corporate network.

Now, your turn to clarify why do i need to use RRI if the devices can access the corporate network. The book stated that you CANNOT initiate connections from corporate to SOHO anyways. So, what is the use of RRI in this scenario? .. In the real world, remote access VPNs are mainly used to make the client to access the corporate network not the opposite. For example, why do i need to reach a telecommuter's laptop from a corporate host if client mode doesn't allow me to initiate connections from corporate to SOHO? you know what i mean.

Discussion 2:

In LAN Extension mode, you have a hardware client in a SOHO network is building a remote access IPSec tunnel to the corporate's firewall. The hardware client IS NOT assigned an IP address from the firewall. Because the idea behind LAN Extension mode is to make the corporate network initiate connections to the SOHO network, the corporate network must reach the SOHO network but it doesn't know it yet. In this case, RRI makes sense to force the hardware client to send its inside network number to the firewall during IKE Phase so the firewall install this network number as static route in its routing table and redistribute it via dynamic routing protocol later.

Hope i clarified my point correctly.

Regards,

AM

Jouni Forss · ‎09-15-2013

Hi,

As I mentioned in the first reply,

Consider a situation where you have a central office VPN device which IS NOT the device through which all internal traffic to external network goes through. In other words in your internal network the default route directs traffic to some other device, for example the edge firewall.

Now for any traffic to flow between 2 different networks you naturally need routing table(s) on the device between the networks to have a route for each of the networks or traffic will not flow between them correctly.

So consider a situation where your Client Mode hardware client connects to the central VPN device (which is not the gateway for all external traffic) which is running OSPF along with all the internal routers and the RRI is NOT used. The PAT IP address used by the Client Mode Hardware Client is never adverticed to the rest of the network and traffic will flow incorrectly to the edge firewall to which the default route points to. If RRI was enabled (along with other settings) the internal routers could have correctly forwarded the return traffic towards the PAT IP address towards the VPN device rather than the edge firewall.

The above situation naturally applies to a LAN Extension mode also but in that case naturally the VPN device is adverticing a whole network/subnet instead of a host IP address used as the Client PAT IP.

Whether the remote Client Mode or LAN Extension Mode Hardware Client connects to the central site, the central site will have to have a route for the remote network or PAT IP address for the traffic to flow between 2 endpoints in the network.

If the central VPN device doesnt install a route for the PAT IP address to the central offices network then naturally the traffic will only be one way. Traffic from the Client mode PAT IP address will reach the central site but the return traffic back towards the PAT IP address wont flow correctly without RRI.

- Jouni

Jouni Forss · ‎09-15-2013

Here is a configuration example of the RRI

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

Here a VPN gateway device advertices the route towards the single VPN Client to the internal routers in the LAN network.

Though as I said before, I would imagine that in this case the default route might also be pointing to this same device to which the VPN Client is connected to and therefore RRI would not be needed.

To my understanding the RRI is used on the central VPN device to insert the VPN network/host IP addresses to the local routing table to be distributed to rest of the network through dynamic routing protocols.

- Jouni

turbo_engine26 · ‎09-15-2013

Thanks a lot man

Jouni Forss · ‎09-15-2013

Hi,

No problem,

I've been thinking of getting some VPN related books to study a bit as I have been working with firewalls more than with VPNs so I feel there is a bit of a gap in my knowledge there. I am just wondering about the Cisco Press books since many of them are getting very old, though I guess most of the information there should be current. I guess I should probably consider getting the book you mention.

Please do remember to mark a reply as the correct answer if you felt it answered your question.

- Jouni

turbo_engine26 · ‎09-15-2013

Yes, it is an excellent book, published in 2005, not that old though. Anyways, VPN mechanics are still the same but you will find the book discuss 6.3 and 7.0 commands, that few of them are deprecated.

Name: The Complete Cisco VPN Config Guide by Richard Deal.

Please before i close this thread, confirm the below.

Regards,

AM

Jouni Forss · ‎09-15-2013

Hi,

Yes, to my understanding RRI is used to handle the routing for any network/host IP address that is located behind a VPN connection. Typically this would be used in a situation where this information needs to be passed on to dynamic routing protocols running in the internal network.

The RRI inserts the required network/host IP information to the routing table based on either VPN configurations or connections. I think in VPN Clients case the VPN device only insert the host IP route to the routing table with RRI. I think in L2L VPN case for example the RRI inserts the whole destination network to the routing table.

In our environments there has not really been much need for RRI as the routing environments have been pretty static in nature.

- Jouni

turbo_engine26 · ‎09-15-2013

Well, i didn't use RRI in my life because i worked in environemnts where the firewall was connected P2P with the other peer over Frame Relay not throught the internet. Default route did the job.

Regards,

AM

turbo_engine26 · ‎09-15-2013

Wait A Minute ... I think i got you.

Do you wanna say that RRI is just a solution for the Return Traffic in Client Mode? And Do you wanna say that RRI is a solution for both Initial Connections and Return Traffic in LAN Extension Mode?

If i am correct, so it make a comlete sense now. It is all about Routing, isn't it?

Yes, that's right. If the client knows about the corporate network, then the coporate network also must know about the client (whether it is a client or a network) to forward return traffic.

Shame on me.

But before we close this conversation, please confirm if i got it right.

Thankssss

Regards.

AM