Default route for a VPN tunnel that has overlapping subnet IPs

NEResearch
The URL below is very detailed about how to set up a VPN with overlapping subnets. In that doc (page 9) it states that you'll need to create the following static route:

Network > Routing > Destination > New trust-vr: Enter the following, then click OK.
IP Address/Netmask: 0.0.0.0/0
Next Hop: Gateway
Interface: ethernet0/3
Gateway IP Address: 1.1.1.1

This route uses IP 1.1.1.1 as the gateway, but in the diagram on page 6 the gateway should be 1.1.1.2. Is this an oversight, or is this something that needs to be done while configuring the tunnel? In the initial configuration of the firewall there would already be a cleanup route for 1.1.1.2.

http://kb.juniper.net/kb/documents/public/VPN/ScreenOS_VPN_with_Overlapping_Subnets.pdf

Thanks
Nope, the doc is right bud

The default route, i.e. the route for all non-VPN traffic, needs to go to its proper default gateway. As the IP address of the interface is 1.1.1.2, it's reasonable to assume that the default GW for that interface is 1.1.1.1.

The second route is for the VPN traffic, to send traffic for the VPN subnet over the tunnel.1 interface.

Author

Commented:
I appreciate your response.  I had a follow-up question.

In the attached image the default GW would have to be 1.1.1.2 because that is the IP of the untrusted interface. All internal systems would use that interface as their default GW. I see that the second route is for the tunnel traffic, so it looks like there should only be one default 0.0.0.0 route for all traffic. Is there supposed to be another default GW for the VPN tunnel traffic using 1.1.1.1?

Thanks

network-config.bmp
Your default gateway is the host that you send traffic to in the event you don't have a more specific route to the destination. In this case, and in all cases, the next hop for any route, whether it's a default route, static route or dynamic route, MUST be another host connected to the device.

So, in the diagram above, the untrust interface is 1.1.1.2, so the default route needs to be another connected host on that network, i.e. 1.1.1.1.

For the VPN, if your aim is to send ALL traffic over the VPN and none in the clear via the untrust interface, then by all means set another default route with a lower preference (i.e. when the tunnel is active, use the VPN as the default route).

However, most route based VPNs are only between individual sites and networks, so you would only add a route for the target network to go over the tunnel interface.  The tunnel does not need a default GW, just a route.

Does that help any?
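As an added illustration of the two rules in the answer above (not code from the thread or from Juniper): a small route-table model that rejects a next hop that is not another host on the egress interface's connected subnet, and resolves lookups by longest prefix, breaking ties on preference. The ethernet0/3 address 1.1.1.2/24 and gateway 1.1.1.1 are the thread's; the trust interface, the 192.168.50.0/24 VPN subnet and the "lower preference value wins" tie-break are assumptions for the example.

```python
from dataclasses import dataclass
import ipaddress

# Interface -> its own IP/mask (connected network). ethernet0/3 values are the
# thread's; the trust interface and tunnel.1 are constructed for the example.
INTERFACES = {
    "ethernet0/3": "1.1.1.2/24",
    "ethernet0/1": "10.10.10.1/24",
    "tunnel.1": None,               # route-based VPN tunnel, no gateway needed
}

@dataclass
class Route:
    prefix: str                     # destination, e.g. "0.0.0.0/0"
    interface: str                  # egress interface
    gateway: str = None             # next hop IP, or None for a tunnel
    preference: int = 20            # lower value wins on equal prefix length

def next_hop_is_valid(route):
    """The answer's rule: a next hop must be another host on the egress
    interface's connected subnet (so not the interface's own address)."""
    own = INTERFACES.get(route.interface, "missing")
    if own == "missing":
        return False
    if route.gateway is None:
        return own is None          # only tunnel interfaces may omit a gateway
    if own is None:
        return False
    iface = ipaddress.ip_interface(own)
    gw = ipaddress.ip_address(route.gateway)
    return gw in iface.network and gw != iface.ip

def lookup(dst, routes):
    """Longest prefix match; a tie is broken by the lower preference value
    (assumed here; it matches the 'lower preference' idea in the answer)."""
    best, best_key = None, None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ipaddress.ip_address(dst) not in net:
            continue
        key = (net.prefixlen, -r.preference)
        if best is None or key > best_key:
            best, best_key = r, key
    return best

ROUTES = [
    Route("0.0.0.0/0", "ethernet0/3", "1.1.1.1"),   # the doc's page 9 default route
    Route("192.168.50.0/24", "tunnel.1"),           # VPN peer subnet (constructed)
]
```

Adding a second `0.0.0.0/0` via `tunnel.1` with a lower preference value makes the tunnel the default while that route is present, which is the "send ALL traffic over the VPN" variant the answer mentions.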

Author

Commented:
We decided not to use a tunnel after all.
