VPN basics

Asked by comtekso:

If I have multiple site-to-site or LAN-to-LAN VPNs set up, and use RDC, what is used to direct the traffic through the appropriate tunnel?
jhance commented:
This is the purpose of the ROUTING TABLES in the system. You can view them, in Windows at least, by using the command: ROUTE PRINT

Whenever a packet is handed off to TCP/IP to send, the destination IP is examined and then a matching route is found in the routing table. If there is no explicit match, the default route (i.e. the 0.0.0.0 route) is used and the packet is sent to that destination IP.

Normally when a VPN is connected, Windows will make the VPN connection's remote endpoint the default route.
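The lookup jhance describes, as an added example (not code from the thread or from Windows): a Python model of a host routing table that picks the longest matching prefix and, among equally specific routes, the lowest metric. The table is constructed to mirror what ROUTE PRINT shows once a VPN client has installed a second default route with a lower metric; the gateway addresses, interface names and metrics are assumptions.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination network
    gateway: str                    # next hop ("on-link" when directly attached)
    iface: str                      # outgoing interface
    metric: int                     # lower wins among equally specific routes


def route(prefix, gateway, iface, metric):
    return Route(ipaddress.ip_network(prefix), gateway, iface, metric)


# Constructed table (hypothetical, not taken from a real ROUTE PRINT dump).
# It models a host whose VPN client has added a second 0.0.0.0/0 route with a
# lower metric, so Internet-bound traffic now prefers the tunnel, while the
# remote office subnet has its own explicit route via the tunnel endpoint.
VPN_UP = [
    route("0.0.0.0/0",      "192.168.1.1", "Ethernet", 25),  # ISP gateway
    route("0.0.0.0/0",      "203.0.113.1", "VPN",       1),  # tunnel endpoint (constructed)
    route("192.168.1.0/24", "on-link",     "Ethernet", 25),  # local LAN
    route("10.0.0.0/8",     "192.168.1.1", "Ethernet", 25),  # reached through the office router
    route("10.0.1.0/24",    "203.0.113.1", "VPN",       1),  # remote office behind the tunnel
]


def select_route(dst, routes):
    """Return the route a host uses for dst: longest prefix first, then lowest metric.
    Returns None when nothing matches (only possible without a default route)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    # Highest prefix length wins; ties are broken by the smallest metric.
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def explain(dst, routes):
    """Human-readable version of the decision, handy when checking a host's table."""
    r = select_route(dst, routes)
    if r is None:
        return f"{dst}: no route"
    return f"{dst}: matched {r.prefix} -> via {r.gateway} on {r.iface} (metric {r.metric})"


if __name__ == "__main__":
    for dst in ("10.0.1.7", "10.9.9.9", "192.168.1.50", "8.8.8.8"):
        print(explain(dst, VPN_UP))
```

Note that 10.9.9.9 leaves via Ethernet even though a more general route to 10.0.0.0/8 and a VPN default route both exist: the /8 is more specific than /0, so it wins regardless of metric. When checking whether a given destination really goes down a tunnel, compare prefix lengths first and only then metrics.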

RPPreacher commented:
Actually, a routing table would not be appropriate given the question...

Normally, an access-list is in the VPN endpoint.  This (VPN) endpoint might be a PIX, VPN concentrator, VPN enabled router, or server.  The endpoint looks at the layer 3 (routing) destination or IP address and compares it with a list (access-list).  If the destination is one of the IP addresses in the access-list, then the packet is encapsulated with the selected VPN protocols/encryptors (GRE/IPSec/whatever) and sent to the next hop.  If the destination is NOT on the access-list, the traffic is processed normally.

So if you have 2 VPN endpoints, you would have 2 access-lists.  Access-list 1 might say 10.0.1.x traffic gets encapsulated via IPSec and forwarded to IP address 66.66.66.66 and access-list 2 might say traffic to 10.0.2.x gets encapsulated via AES and forwarded to IP address 77.77.77.77.  All other traffic is not encapsulated/encrypted and gets handled like normal traffic.

rburns50 commented:
It is a vague question: depends on the VPN devices at each end. I have used Nortel Contivity switches extensively in the past for Lan2Lan connections (called "branch office tunnels" in Nortel-speak), and when you set up tunnels between sites, you list the local subnets and the remote subnets relative to each end of the link. That info is shared via the setup/handshaking of the IPSEC tunnel- if both sides agree that a particular subnet is at one end, it is added to the routing table of the remote end VPN device...with the next hop being the remote end of the tunnel.

For example, VPN-A says it has 10.x at its end, and VPN-B says it has 11.x at its end. When an IPsec tunnel is being established between them, they exchange that local subnet info in the handshaking phase. VPN-A adds 11.x to its routing table (next hop VPN-B) and VPN-B adds 10.x to its routing table (next hop VPN-A).
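The subnet exchange rburns50 describes, as an added example (not rburns50's code and not Nortel software): a Python model in which each endpoint announces its local subnets at tunnel setup and the other side installs a route for each with the peer as next hop. The "both sides agree" condition is modelled as a check that a subnet announced by the peer does not overlap a subnet the learner already claims as local; such subnets are rejected rather than installed. The VPN-A/VPN-B names and 10.x/11.x subnets come from the post; the endpoint addresses and the conflicting subnet in the usage example are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VpnEndpoint:
    name: str
    address: str                                  # tunnel endpoint IP (constructed values below)
    local_subnets: List[ipaddress.IPv4Network]    # what this end announces as "mine"
    routes: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)  # prefix -> next hop


def endpoint(name, address, *subnets):
    return VpnEndpoint(name, address, [ipaddress.ip_network(s) for s in subnets])


def overlaps_any(net, nets):
    return any(net.overlaps(other) for other in nets)


def establish_tunnel(a, b) -> List[Tuple[str, str]]:
    """Model the handshake: each side learns the other's local subnets and adds a
    route to each with the peer's address as next hop. A subnet the learner
    already claims as local is rejected, since the two ends do not agree on
    where it lives. Returns the rejected (learner, subnet) pairs."""
    rejected = []
    for learner, teacher in ((a, b), (b, a)):
        for net in teacher.local_subnets:
            if overlaps_any(net, learner.local_subnets):
                rejected.append((learner.name, str(net)))
                continue
            learner.routes[net] = teacher.address
    return rejected


def route_table(ep) -> Dict[str, str]:
    """The endpoint's learned routes as plain strings, e.g. {'11.0.0.0/8': '198.51.100.20'}."""
    return {str(prefix): next_hop for prefix, next_hop in ep.routes.items()}


if __name__ == "__main__":
    vpn_a = endpoint("VPN-A", "203.0.113.10", "10.0.0.0/8")
    vpn_b = endpoint("VPN-B", "198.51.100.20", "11.0.0.0/8")
    print("rejected:", establish_tunnel(vpn_a, vpn_b))
    print("VPN-A routes:", route_table(vpn_a))
    print("VPN-B routes:", route_table(vpn_b))

    # Constructed conflict: a third device announces a subnet inside VPN-A's 10/8.
    vpn_a2 = endpoint("VPN-A", "203.0.113.10", "10.0.0.0/8")
    vpn_c = endpoint("VPN-C", "192.0.2.30", "10.0.5.0/24")
    print("rejected:", establish_tunnel(vpn_a2, vpn_c))
```

The conflict case is the one worth watching in practice: when a remote site announces a subnet that overlaps your own, neither side installs a route for the other, and the tunnel comes up with no reachability in that direction. That silent outcome is easier to spot in a model like this than in a device log.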

comtekso (author) commented:
Great info, Thanks.

We currently have have a Cisco PIX 506e and a 1700 series router in our main office, so we will almost certainly use cisco at the remote ends as well.

rburns50 commented:
In this case, RPPreacher is correct...I believe that PIX firewalls use access-list statements to define what traffic is classified as "interesting" and should be sent down a VPN tunnel.

In my eyes, Cisco does it in a very stupid method- access-lists are getting SO old. But they are Cisco so....I guess they know best.

I had no issues with Nortel at all...very easy to setup and manage. Netscreen (now Juniper-owned) is also a better option.

lrmoore commented:
rburns is closest, but not quite.. No route entries get added to the router for traffic over an IPSEC VPN tunnel between two Cisco devices, unless you create tunnel interfaces and encrypt data over that tunnel interface, but since you have a PIX at one end, that option is out.
Here's what happens:
 - an access-list is created to match traffic from the local subnet to the remote subnet
 - a crypto map entry is created to establish a peer relationship with the remote side
 - the crypto map entry says any traffic matching this ACL goes to this peer

It is not technically a routing table entry; it is all maintained in the crypto process.
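The access-list selection that RPPreacher and lrmoore describe, as an added example (not code from the thread and not Cisco software): a Python model of a crypto map whose entries are evaluated in sequence order, each with its own access-list and peer. A flow goes to the first entry whose ACL permits it; a flow no ACL permits is returned as None, meaning the device forwards it unencrypted. The peers 66.66.66.66 and 77.77.77.77 and the remote subnets 10.0.1.x and 10.0.2.x are taken from RPPreacher's post; the local subnet 192.168.1.0/24, the sequence numbers and the transform-set labels are assumptions. The `shadowed_entries` audit check goes beyond the posts: it reports a later entry that can never be selected because an earlier entry already permits a superset of its flows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" marks the flow as interesting (encrypt); "deny" leaves it alone
    src: Net
    dst: Net


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                    # entries are evaluated in ascending sequence order
    acl: Tuple[AclEntry, ...]   # the entry's access-list, first match wins
    peer: str                   # remote tunnel endpoint
    transform: str              # transform-set label (informational here)


def ace(action, src, dst):
    return AclEntry(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


# Constructed crypto map (hypothetical). Local subnet 192.168.1.0/24 is assumed.
CRYPTO_MAP = (
    CryptoMapEntry(10, (ace("permit", "192.168.1.0/24", "10.0.1.0/24"),), "66.66.66.66", "ESP-3DES-SHA"),
    CryptoMapEntry(20, (ace("permit", "192.168.1.0/24", "10.0.2.0/24"),), "77.77.77.77", "ESP-AES-SHA"),
)

# Constructed misordered map: entry 10 permits all of 10.0.0.0/8, so entry 20 never matches.
BAD_MAP = (
    CryptoMapEntry(10, (ace("permit", "192.168.1.0/24", "10.0.0.0/8"),), "66.66.66.66", "ESP-3DES-SHA"),
    CryptoMapEntry(20, (ace("permit", "192.168.1.0/24", "10.0.2.0/24"),), "77.77.77.77", "ESP-AES-SHA"),
)


def acl_permits(acl, src, dst) -> bool:
    """First matching entry decides; an ACL with no matching entry denies (implicit deny)."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


def select_tunnel(crypto_map, src_ip, dst_ip) -> Optional[CryptoMapEntry]:
    """Return the crypto map entry whose ACL classifies this flow as interesting,
    or None when the packet would be forwarded in the clear."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return entry
    return None


def shadowed_entries(crypto_map) -> List[Tuple[int, int]]:
    """Audit check: (later_seq, earlier_seq) pairs where a later permit is fully
    contained in an earlier entry's permit, so the later peer is never chosen.
    Deny entries are ignored, so this may over-report when an earlier ACL
    carves exceptions out with denies."""
    findings = []
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    for i, later in enumerate(ordered):
        for l in later.acl:
            if l.action != "permit":
                continue
            for earlier in ordered[:i]:
                for e in earlier.acl:
                    if e.action == "permit" and l.src.subnet_of(e.src) and l.dst.subnet_of(e.dst):
                        findings.append((later.seq, earlier.seq))
    return findings


if __name__ == "__main__":
    for dst in ("10.0.1.9", "10.0.2.9", "8.8.8.8"):
        hit = select_tunnel(CRYPTO_MAP, "192.168.1.5", dst)
        print(dst, "->", f"peer {hit.peer} ({hit.transform})" if hit else "cleartext")
    print("shadowed in BAD_MAP:", shadowed_entries(BAD_MAP))
```

Two points the model makes visible. A destination that no ACL permits is not dropped, it is sent unencrypted, so a subnet missing from the access-lists leaks in the clear rather than failing loudly. And in the misordered map, traffic for 10.0.2.x is handed to the 66.66.66.66 peer, which will not have a matching policy for it; the shadowing check catches that before the tunnel is brought up.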