Setting up routing with VPN, etc. - TCP-IP


  1. Setting up routing with VPN, etc.

    I'm sure this must be simple enough but I seem to have a mental block:

    I need to route packets:
    - from a local workstation destined for a remote, private server
    - first on the local LAN
    - next through a VPN to a remote LAN
    - next to a specific IP address (a router) on the remote LAN
    The last router knows what to do thereafter....

    Local LAN 192.168.113.0
    Local host 192.168.113.2
    Local router 192.168.113.158
    Local VPN device 192.168.113.157
    tunneled to
    Remote VPN device 192.168.119.198 / Remote LAN 192.168.119.0
    Remote router / target 192.168.119.254
    Destination 192.168.1.4

    The VPN devices do not support routing - just provide a tunnel between the
    LANs.
    The operating system on the hosts is Windows XP.
    Can't route packets as destined to 192.168.1.4 directly from the local XP
    host to the remote router as gateway because the remote router isn't on the
    same subnet as the local host. That's not an allowed entry in the routing
    table.

    Some thoughts:

    At the local host, route 192.168.1.0 255.255.255.0 to the local router
    192.168.113.158
    (well, since it's the gateway anyway, this shouldn't be necessary to
    explicitly enter).

    At the local router, route 192.168.1.0 255.255.255.0 to the remote router
    192.168.119.254.

    At that point, the VPN should take care of the next hop.
    (As I understand it, it's not necessary to explicitly route to the VPN
    device in order to reach the remote LAN?)

    And then, the remote router will take over.

    Does this make sense?

    Thanks,

    Fred



  2. Re: Setting up routing with VPN, etc.

    In article ,
    "Fred Marshall" wrote:

    > I'm sure this must be simple enough but I seem to have a mental block:
    >
    > I need to route packets:
    > - from a local workstation destined for a remote, private server
    > - first on the local LAN
    > - next through a VPN to a remote LAN
    > - next to a specific IP address (a router) on the remote LAN
    > The last router knows what to do thereafter....
    >
    > Local LAN 192.168.113.0
    > Local host 192.168.113.2
    > Local router 192.168.113.158
    > Local VPN device 192.168.113.157
    > tunneled to
    > Remote VPN device 192.168.119.198 / Remote LAN 192.168.119.0
    > Remote router / target 192.168.119.254
    > Destination 192.168.1.4
    >
    > The VPN devices do not support routing - just provide a tunnel between the
    > LANs.


    If the VPN devices don't do routing, then you should have the same
    subnet at both ends of the VPN, e.g. they should both be
    192.168.113.0/24.

    > The operating system on the hosts is Windows XP.
    > Can't route packets as destined to 192.168.1.4 directly from the local XP
    > host to the remote router as gateway because the remote router isn't on the
    > same subnet as the local host. That's not an allowed entry in the routing
    > table.
    >
    > Some thoughts:
    >
    > At the local host, route 192.168.1.0 255.255.255.0 to the local router
    > 192.168.113.158
    > (well, since it's the gateway anyway, this shouldn't be necessary to
    > explicitly enter).
    >
    > At the local router, route 192.168.1.0 255.255.255.0 to the remote router
    > 192.168.119.254.
    >
    > At that point, the VPN should take care of the next hop.


    The problem is that the router doesn't know how to send to
    192.168.119.254. It's not on the local subnet, so it will look in its
    routing table for a router address, but won't find it.

    > (As I understand it, it's not necessary to explicitly route to the VPN
    > device in order to reach the remote LAN?)


    If the VPN device performs proxy ARP, then you need to configure the
    router to ARP for all the remote address blocks. If it's a Cisco, you
    could do:

    ip route 192.168.0.0 255.255.0.0 Ethernet0/1

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  3. Re: Setting up routing with VPN, etc.


    "Barry Margolin" wrote in message
    news:barmar-B7F750.13505901072007@comcast.dca.giganews.com...
    > In article ,
    > "Fred Marshall" wrote:
    >
    >> I'm sure this must be simple enough but I seem to have a mental block:
    >>
    >> I need to route packets:
    >> - from a local workstation destined for a remote, private server
    >> - first on the local LAN
    >> - next through a VPN to a remote LAN
    >> - next to a specific IP address (a router) on the remote LAN
    >> The last router knows what to do thereafter....
    >>
    >> Local LAN 192.168.113.0
    >> Local host 192.168.113.2
    >> Local router 192.168.113.158
    >> Local VPN device 192.168.113.157
    >> tunneled to
    >> Remote VPN device 192.168.119.198 / Remote LAN 192.168.119.0
    >> Remote router / target 192.168.119.254
    >> Destination 192.168.1.4
    >>
    >> The VPN devices do not support routing - just provide a tunnel between the
    >> LANs.

    >
    > If the VPN devices don't do routing, then you should have the same
    > subnet at both ends of the VPN, e.g. they should both be
    > 192.168.113.0/24.
    >
    >> The operating system on the hosts is Windows XP.
    >> Can't route packets as destined to 192.168.1.4 directly from the local XP
    >> host to the remote router as gateway because the remote router isn't on the
    >> same subnet as the local host. That's not an allowed entry in the routing
    >> table.
    >>
    >> Some thoughts:
    >>
    >> At the local host, route 192.168.1.0 255.255.255.0 to the local router
    >> 192.168.113.158
    >> (well, since it's the gateway anyway, this shouldn't be necessary to
    >> explicitly enter).
    >>
    >> At the local router, route 192.168.1.0 255.255.255.0 to the remote router
    >> 192.168.119.254.
    >>
    >> At that point, the VPN should take care of the next hop.

    >
    > The problem is that the router doesn't know how to send to
    > 192.168.119.254. It's not on the local subnet, so it will look in its
    > routing table for a router address, but won't find it.
    >
    >> (As I understand it, it's not necessary to explicitly route to the VPN
    >> device in order to reach the remote LAN?)

    >
    > If the VPN device performs proxy ARP, then you need to configure the
    > router to ARP for all the remote address blocks. If it's a Cisco, you
    > could do:
    >
    > ip route 192.168.0.0 255.255.0.0 Ethernet0/1
    >
    > --
    > Barry Margolin, barmar@alum.mit.edu
    > Arlington, MA
    > *** PLEASE post questions in newsgroups, not directly to me ***
    > *** PLEASE don't copy me on replies, I'll read them in the group ***


    Barry,

    Thanks. I've since learned that my earlier understanding:
    >> (As I understand it, it's not necessary to explicitly route to the VPN
    >> device in order to reach the remote LAN?)

    isn't correct. And you've confirmed that.

    Well, the VPN devices do enough to connect two different subnets. In fact,
    the two subnets *have* to be different I believe. And, in this case they
    are anyway and can't be changed very readily.

    Here is a similar question I posted elsewhere:

    I have two sites connected by a VPN using Linksys RV042.
    It appears the RV042 will only act as a VPN device and not as a router at
    the same time.
    (I'm investigating this further but it's my current belief).
    Subnet#1 192.168.1.0/24
    Subnet#2 192.168.2.0/24
    Subnet#3 192.168.3.0/24

    There is a router on subnet#2, say at 192.168.2.99 that is multihomed and
    can route to subnet#3. Subnet#3, the interface that connects to it and the
    link are all outside of my control.

    The VPN connects Subnet#1 to Subnet#2

    Subnet#1 VPN is at 192.168.1.254
    Subnet #1 can have a gateway router say at 192.168.1.99
    The hosts are Windows XP

    Subnet#2 VPN is at 192.168.2.254
    Subnet#2 router is at 192.168.2.99 and 192.168.3.99

    How should I configure the hosts and the routers to launch a packet from
    192.168.1.x and have it end up at 192.168.3.x??

    I'm stumped - because I'm hung up on having a subnet-wide route for the VPN
    traffic and another route that points to 3.x but has to go through the VPN
    from 1.x to 2.99. How to handle both things?

    Thanks,

    Fred



  4. Re: Setting up routing with VPN, etc.

    In article ,
    "Fred Marshall" wrote:

    > I have two sites connected by a VPN using Linksys RV042.
    > It appears the RV042 will only act as a VPN device and not as a router at
    > the same time.
    > (I'm investigating this further but it's my current belief).
    > Subnet#1 192.168.1.0/24
    > Subnet#2 192.168.2.0/24
    > Subnet#3 192.168.3.0/24
    >
    > There is a router on subnet#2, say at 192.168.2.99 that is multihomed and
    > can route to subnet#3. Subnet#3, the interface that connects to it and the
    > link are all outside of my control.
    >
    > The VPN connects Subnet#1 to Subnet#2
    >
    > Subnet#1 VPN is at 192.168.1.254
    > Subnet #1 can have a gateway router say at 192.168.1.99
    > The hosts are Windows XP
    >
    > Subnet#2 VPN is at 192.168.2.254
    > Subnet#2 router is at 192.168.2.99 and 192.168.3.99
    >
    > How should I configure the hosts and the routers to launch a packet from
    > 192.168.1.x and have it end up at 192.168.3.x??
    >
    > I'm stumped - because I'm hung up on having a subnet-wide route for the VPN
    > traffic and another route that points to 3.x but has to go through the VPN
    > from 1.x to 2.99. How to handle both things?


    Subnet #1's gateway router should have static routes for 192.168.2.0/24
    and 192.168.3.0/24 via 192.168.1.254. It will use ICMP Redirect to tell
    hosts on its subnet to use the VPN to get to these subnets.

    Subnet #2's VPN device should have a static route for 192.168.3.0/24 via
    192.168.2.99.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
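
Added example (not part of the thread and not written by either poster): a small Python model of the next-hop rule discussed in posts 2 and 4, showing why a static route whose gateway is off-link cannot be used and how the routes proposed in post 4 resolve. The `Router` class, the host addresses 192.168.1.10 and 192.168.3.7, and the view of each device as having only its LAN interface are assumptions made for illustration.

```python
import ipaddress as ip

class Router:
    """One device's view: directly connected subnets plus static routes."""

    def __init__(self, connected, static_routes):
        self.connected = [ip.ip_network(n) for n in connected]
        self.routes = [(ip.ip_network(p), ip.ip_address(g)) for p, g in static_routes]

    def on_link(self, addr):
        return any(ip.ip_address(addr) in net for net in self.connected)

    def unusable_routes(self):
        """Static routes whose gateway is not on a connected subnet."""
        return [(str(p), str(g)) for p, g in self.routes if not self.on_link(g)]

    def next_hop(self, dst):
        """Longest-prefix match over usable routes; None means no way to forward."""
        if self.on_link(dst):
            return str(ip.ip_address(dst))
        hits = [(p, g) for p, g in self.routes
                if ip.ip_address(dst) in p and self.on_link(g)]
        return str(max(hits, key=lambda r: r[0].prefixlen)[1]) if hits else None

    def sends_redirect(self, src, dst):
        """Redirect is due when sender and next hop sit on the same connected subnet."""
        hop = self.next_hop(dst)
        if hop is None:
            return False
        return any(ip.ip_address(src) in net and ip.ip_address(hop) in net
                   for net in self.connected)

# Post 1 plan: local router on 192.168.113.0/24, gateway on the remote LAN.
first_plan = Router(["192.168.113.0/24"], [("192.168.1.0/24", "192.168.119.254")])

# Post 4 plan: Subnet #1 gateway router and Subnet #2 VPN device.
subnet1_gw = Router(["192.168.1.0/24"], [("192.168.2.0/24", "192.168.1.254"),
                                         ("192.168.3.0/24", "192.168.1.254")])
subnet2_vpn = Router(["192.168.2.0/24"], [("192.168.3.0/24", "192.168.2.99")])

if __name__ == "__main__":
    src, dst = "192.168.1.10", "192.168.3.7"   # constructed host addresses
    print("first plan unusable:", first_plan.unusable_routes())
    print("first plan next hop:", first_plan.next_hop("192.168.1.4"))
    print("subnet1 gw next hop:", subnet1_gw.next_hop(dst))
    print("redirect to sender: ", subnet1_gw.sends_redirect(src, dst))
    print("subnet2 vpn next hop:", subnet2_vpn.next_hop(dst))
```

If hosts ignore ICMP Redirects, the path still works because the gateway keeps forwarding each packet to 192.168.1.254 itself; the redirect only removes that extra hop.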
