Cisco Support Community
New Member

VPN_Routing

Hello,

I have a misunderstanding of routing in RA VPN.

I have created an IP pool for assigning IP addresses to RA clients. It is working fine, but I can't understand how it works, because this pool is not routed in my corporate network.

For instance, I created IP pool test 10.10.1.0 - 10.10.1.254.

So RA VPN users with IP addresses from this pool can traverse my network without any problem. But internal routers don't have any routes to 10.10.1.0 in their routing table. So how do routers/switches route packets coming from RA users' IP 10.10.1.x?

thanks

Leo

3 REPLIES
Hall of Fame Super Blue

Re: VPN_Routing

Hi Leo

Your internal network must know how to route back to the 10.10.1.0 network or it wouldn't work.

Is there perhaps a default route that routes it back to your VPN device?

Jon

New Member

Re: VPN_Routing

Hi Jon,

Thanks for your reply.

I thought about the default route, but I am not sure.

Because my RA VPN clients reside in the internal network. And they can establish a secure connection with internal hosts (which are several hops away). So if the routers send packets towards 10.10.1.0 by default route, finally all packets would be sent to the Internet. But reply packets reach RA clients.

I need to do some tests.

By the way, how can I advertise this pool from the VPN endpoint to the internal network?

Leo

Hall of Fame Super Blue

Re: VPN_Routing

Leo

So if you sit on one of your internal non-VPN clients and do a traceroute to the 10.10.1.x network, what path does it take, and if you go to the last hop before it times out, is there a route on there?

As for advertising this subnet into your network: some VPN devices can do Reverse Route Injection (RRI), i.e. they add a route to the subnet dynamically.

The other way is to add a static route for the 10.10.1.0 subnet on the nearest router pointing to your VPN device and then redistribute that into your IGP.

HTH

Jon
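
The return-path question in this thread, modelled hop by hop as an added example that is not part of any poster's reply: each router does a longest-prefix match, and the trace shows where replies to a pool address end up with default routes only, with a static route on the router nearest the VPN device, and with that route known to the other routers. The device names, the topology, the client address and the /24 mask for the pool are assumptions, and "redistribution" is reduced to installing the route on the other routers.

```python
import ipaddress

POOL = "10.10.1.0/24"  # assumption: the pool 10.10.1.0 - 10.10.1.254 treated as a /24

def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=16):
    """Follow next hops from start, as a traceroute would; return the hop list."""
    path, node = [start], start
    while len(path) <= max_hops:
        nh = lookup(tables.get(node, {}), dst)
        if nh is None:
            path.append("no-route")
            break
        if nh == "connected":      # destination is attached to this node
            break
        path.append(nh)
        node = nh
    return path

def build(static_on_core=False, redistributed=False):
    """Constructed topology; every device name here is hypothetical."""
    tables = {
        "access":   {"0.0.0.0/0": "edge"},
        "core":     {"0.0.0.0/0": "edge"},
        "edge":     {"0.0.0.0/0": "internet"},
        "internet": {"0.0.0.0/0": "connected"},
        "vpn":      {POOL: "connected", "0.0.0.0/0": "core"},
    }
    if static_on_core:             # static route on the router nearest the VPN device
        tables["core"][POOL] = "vpn"
    if redistributed:              # simplified stand-in for the IGP carrying that route
        tables["access"][POOL] = "core"
        tables["edge"][POOL] = "core"
    return tables

if __name__ == "__main__":
    client = "10.10.1.7"           # constructed RA client address from the pool
    for opts in ({}, {"static_on_core": True},
                 {"static_on_core": True, "redistributed": True}):
        print(opts, "->", " > ".join(trace(build(**opts), "access", client)))
```

In this model a static route on `core` alone only helps traffic that already passes through `core`; routers whose default route points elsewhere still need to learn the pool prefix.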
