Site to site VPNs - how they work

I have a site to site VPN set up. Of course, the subnets are different on each side of the tunnel.

I've been led to understand that there is no special routing needed for packets to get from one side of the tunnel to the other. But, that seems curious and I'd like to understand it better.

For one thing, I can imagine that there would be a gateway router on each subnet and that the gateway router would route all traffic going to the remote subnet to the local VPN IP address as the next hop. I can't imagine that this is somehow bad practice.

Lacking that type of implementation, how do the packets destined for the VPN know where the VPN is? Is there some kind of broadcast or what? I can't imagine that all packets destined for the VPN are broadcast .... ?

Thanks,

Fred

Reply to
Fred Marshall

These gateways would naturally be the machines that establish the VPN connection. You need to set these up so they do routing in two directions, namely VPN <-> LAN.

Then, you tell your clients (or, the default gateways these clients use) that they reach the other site via the gateway machine that runs the VPN, and that's it :)

eg:

Site1:
    network:            192.168.1.0/24
    router to internet: 192.168.1.1
    vpn gateway:        192.168.1.254
    vpn address:        10.8.0.1

Site2:
    network:            192.168.2.0/24
    router to internet: 192.168.2.1
    vpn gateway:        192.168.2.254
    vpn address:        10.8.0.2

Route to set on machine 192.168.1.1:
    route add -net 192.168.2.0/24 gw 192.168.1.254

Route to set on machine 192.168.1.254:
    route add -net 192.168.2.0/24 gw 10.8.0.2

Route to set on machine 192.168.2.1:
    route add -net 192.168.1.0/24 gw 192.168.2.254

Route to set on machine 192.168.2.254:
    route add -net 192.168.1.0/24 gw 10.8.0.1

That should do the trick :)

I'm not sure if these routes are sufficient on the VPN gateways, though, as I'm not familiar with how to set this up without using a shorewall :D

What do you mean?

Regards, Michael

Reply to
Michael Ziegler

To your last question: it appears it doesn't apply because of the first part of your answer.

I suppose that some folks use a gateway router to also implement their VPNs. Then the next hop targeting would be dealt with almost by default.

However, if the VPN device is separate (in parallel with the internet router) then it appears it needs to be explicitly targeted with routes as you've suggested.

Thanks,

Fred

Reply to
Fred Marshall

If you mean that the machine/box/whatever that all clients in the network use as their default router is the one that establishes the VPN, then yes, because the router then knows everything it needs.

In that case, either each client in the network needs to know that route, or their default router. Otherwise, these clients' packets would be sent into the internet instead of the VPN because no-one would talk to the correct router :)

Regards, Michael

Reply to
Michael Ziegler

Michael,

Yes, the routes are effectively like this, or would be.

I'm using Linksys RV042 for VPN devices (and nothing else) and the tunnel definition takes care of the site-to-site IP addresses - both public and private subnet ranges. Then, its firewall settings are shut down tight to only allow the intended tunnel traffic between the intended interfaces.

What you're telling me is that I have to also add a route pointing to the local VPN address to reach the remote subnet. That could either be a static route on each host or a route on a local gateway that all hosts point to. That makes a lot of sense to me!

So, just to test my understanding and to be clear:

If I want to destine a packet for the remote subnet in general there would have to be a route like this (from above):

Route to set on machine 192.168.1.1:
    route add -net 192.168.2.0/24 gw 192.168.1.254

OR

If I want to destine packets for the remote subnet in general, and if there's a gateway / router at 192.168.1.99, then there could be a route like this (from above):

Route to set on machine 192.168.1.99:
    route add -net 192.168.2.0/24 gw 192.168.1.254

NOW, and this is important ......

If I want to destine packets for a "further remote / private" subnet known only to a router on the remote subnet then there would have to be a route like the one above pointing to the router that knows the next hop. So, for a destination of 192.168.3.x via the 192.168.2.x subnet, and specifically via 192.168.2.99 (a router):

Route to set on machine 192.168.1.99 (gateway / router), with the VPN device as next hop:
    route add -net 192.168.3.0/24 gw 192.168.1.254

hmmmmm.... I guess I don't know how to do this if the VPN device won't also route and only bridges the two LANs. Can the .99 router have both:
    route add -net 192.168.2.0/24 gw 192.168.1.254
AND
    route add -net 192.168.3.0/24 gw 192.168.2.99
???

Will the second route be subject to the first route? I don't think so... !

Yet, this is what I need to do. Any suggestions?

Then there need to be return paths:

Route to set on machine 192.168.2.99:
    route add -net 192.168.1.0/24 gw 192.168.2.254

I think this is the only return path needed within the two subnets on the VPN.

Sound right to you?

Thanks,

Fred

Reply to
Fred Marshall
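The routes Michael lists for Site1 and Site2, and the further 192.168.3.0/24 subnet behind a router at 192.168.2.99 that Fred asks about in the last post, traced through a small routing-table model. This is an added example, not code from the thread or from the RV042. The host addresses .10/.20/.5, the 203.0.113.0/30 link standing in for the internet, the address 192.168.3.1 on the .99 router and the tunnel modelled as a connected /24 are constructed for the example; the rule that a next hop must lie on a directly connected network is Linux behaviour and a given VPN appliance may differ.

```python
# Added example, not code from the thread: a model of the routing tables in Michael's
# Site1/Site2 example plus the 192.168.3.0/24 network behind 192.168.2.99 from Fred's
# last post. Constructed for the example: hosts .10/.20/.5, the 203.0.113.0/30 ISP
# link, 192.168.3.1 on the .99 router, and the tunnel modelled as 10.8.0.0/24.
import ipaddress


class Node:
    def __init__(self, name, addrs):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.static = []            # (network, gateway) pairs; connected nets are implicit

    def add_route(self, net, gw):   # the equivalent of "route add -net NET gw GW"
        self.static.append((ipaddress.ip_network(net), ipaddress.ip_address(gw)))

    def connected(self, ip):
        return any(ip in i.network for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match. Returns (network, gateway) or None; gateway None = on-link."""
        candidates = [(i.network, None) for i in self.ifaces] + self.static
        matches = [c for c in candidates if dst in c[0]]
        return max(matches, key=lambda c: c[0].prefixlen) if matches else None


def build_topology():
    n = {name: Node(name, addrs) for name, addrs in [
        ("pc1",  ["192.168.1.10/24"]),
        ("r1",   ["192.168.1.1/24", "203.0.113.2/30"]),    # Site1 router to internet
        ("vpn1", ["192.168.1.254/24", "10.8.0.1/24"]),     # Site1 VPN gateway
        ("isp",  ["203.0.113.1/30"]),                      # stands in for "the internet"
        ("vpn2", ["192.168.2.254/24", "10.8.0.2/24"]),     # Site2 VPN gateway
        ("r2",   ["192.168.2.1/24"]),                      # Site2 router to internet
        ("pc2",  ["192.168.2.20/24"]),
        ("r99",  ["192.168.2.99/24", "192.168.3.1/24"]),   # router to the further subnet
        ("pc3",  ["192.168.3.5/24"]),
    ]}
    n["pc1"].add_route("0.0.0.0/0", "192.168.1.1")
    n["pc2"].add_route("0.0.0.0/0", "192.168.2.1")
    n["pc3"].add_route("0.0.0.0/0", "192.168.3.1")
    n["r1"].add_route("0.0.0.0/0", "203.0.113.1")
    # Michael's four routes
    n["r1"].add_route("192.168.2.0/24", "192.168.1.254")
    n["vpn1"].add_route("192.168.2.0/24", "10.8.0.2")
    n["r2"].add_route("192.168.1.0/24", "192.168.2.254")
    n["vpn2"].add_route("192.168.1.0/24", "10.8.0.1")
    # Fred's return path on the .99 router
    n["r99"].add_route("192.168.1.0/24", "192.168.2.254")
    return n


def add_third_subnet_routes(n):
    """Routes for 192.168.3.0/24: every hop points at a next hop on its own network."""
    n["r1"].add_route("192.168.3.0/24", "192.168.1.254")
    n["vpn1"].add_route("192.168.3.0/24", "10.8.0.2")
    n["vpn2"].add_route("192.168.3.0/24", "192.168.2.99")


def trace(n, src, dst_ip, max_hops=8):
    """Forward hop by hop; returns the node names on the path, ending at the destination
    host or at a string saying why forwarding stopped."""
    owner = {i.ip: node for node in n.values() for i in node.ifaces}
    dst = ipaddress.ip_address(dst_ip)
    node, path = n[src], [src]
    for _ in range(max_hops):
        if any(i.ip == dst for i in node.ifaces):
            return path
        entry = node.lookup(dst)
        if entry is None:
            return path + [f"no route to {dst} on {node.name}"]
        nxt = dst if entry[1] is None else entry[1]     # on-link: hand it to dst directly
        if not node.connected(nxt):
            # Linux rejects such a route outright ("SIOCADDRT: Network is unreachable"):
            # the next hop must be on a directly connected network; lookups are not chained
            return path + [f"{node.name}: next hop {nxt} is not on a connected network"]
        if nxt not in owner:
            return path + [f"{node.name}: nothing answers for {nxt}"]
        node = owner[nxt]
        path.append(node.name)
    return path + ["hop limit exceeded"]


if __name__ == "__main__":
    n = build_topology()
    print(trace(n, "pc1", "192.168.2.20"))   # crosses the tunnel: pc1 r1 vpn1 vpn2 pc2
    print(trace(n, "pc1", "192.168.3.5"))    # no route yet: leaves via r1 toward the isp
    add_third_subnet_routes(n)
    print(trace(n, "pc1", "192.168.3.5"))    # pc1 r1 vpn1 vpn2 r99 pc3
    m = build_topology()
    m["r1"].add_route("192.168.3.0/24", "192.168.2.99")   # the chained route Fred asks about
    print(trace(m, "pc1", "192.168.3.5"))    # stops at r1: .2.99 is not on one of its networks
```

Two things the traces make visible. Without a route for the far subnet on the LAN gateway, packets for 192.168.3.x follow the default route out through the internet router, which is the leak Michael describes; a tight tunnel policy on the VPN devices does not catch that traffic because it never reaches them. And a route on the Site1 router pointing straight at 192.168.2.99 does not work in this model (nor on Linux), because the next hop has to be on one of the router's own networks; the far subnet is reached by pointing each hop at the next one (the VPN device, then the tunnel peer, then 192.168.2.99).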
