
routing traffic through ipsec0 tunnel

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by 6stitches, Jun 13, 2007.

  1. 6stitches

    6stitches LI Guru Member

    I haven't been able to find a solution for this.
    Using 2xRV042 with 1.3.8.2 firmware. I want to force certain traffic through the ipsec tunnel, but I cannot do so on the routing table. I hope it is a simple solution that I am just missing. Here is a network setup.

    network A                                   network B
    172.16.11.x ----vpnA----internet----vpnB----192.168.10.x
    192.168.30.x
    192.168.25.x

    How do I tell vpnB to send traffic destined for 192.168.30, 192.168.25.x through ipsec0? It wants to send this traffic to the GW on wan1 but not ipsec0, so traffic fails.

    The routing table only has LAN, WAN1 and WAN2; there is no way to choose ipsec tunnels. If the RV042 or any of the Linksys can't do this, please let me know so I can move to a commercial grade VPN. Any help or suggestions would be appreciated. Thanks!

    6stitches
     
  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    There is no specific support for this with the RV042. You only have one IP subnet/mask set for each of the remote and local networks you wish to protect. You can't create a separate tunnel to the same VPN peer either....it only lets you create one...so you can't create separate tunnels with the different site-to-site traffic.

    You will have to shop upmarket for a Cisco ASA 5505 or similar to get the ability to protect multiple specific networks in a VPN.

    Possible Workaround:
    ---------------------
    The only exception to this is if you can find some classless way of masking the nets. For example, on gateway B, you could maybe create a VPN to protect local network 192.168.10.0/24 when communicating with remote network 192.168.0.0/16. Since 192.168.0.0/16 will summarize (among others) the 192.168.25.0/24 and 192.168.30.0/24 networks, you might be in business. You don't have to worry about the RV042 trying to place source=192.168.10.0/24 to dest'n=192.168.10.0/24 traffic in the tunnel (even though 192.168.10.0/24 is in the 192.168.0.0/16 summary) since this traffic isn't routed anyway.

    /Eric
     
  3. 6stitches

    6stitches LI Guru Member

    route summary

    Thanks for the note, I see this is definitely a limitation on the RV042. If I change this up to this


    192.168.30.x----vpnA----internet-----vpnB----172.16.10.x
    192.168.25.x

    Route summary may work here if I tell vpnB to send 192.168.0.0/16 into ipsec0. It's a great idea, except a lot of work changing the corporate network. Still an option though.

    Another idea is to use another RV042
    network A                                   network B
    172.16.11.x ----vpnA----internet----vpnB----192.168.10.x
    192.168.30.x----vpnC----internet----vpnB

    I think this would work too. It doesn't scale well, but should be OK if they don't expand the network.

    I will test the route summary method and get back to you.

    Thanks
     
  4. 6stitches

    6stitches LI Guru Member

    case A: connects (no summary)
    ------vpnA------------------------------vpnB
    local 172.16.11.0/24 -----------------local 10.10.10.0/24
    remote 10.10.10.0/24 --------------remote 172.16.11.0/24

    Case B: doesn't connect (summary on B only)
    ------vpnA------------------------------vpnB
    local 172.16.11.0/24 -----------------local 10.10.10.0/24
    remote 10.10.10.0/24 --------------remote 172.16.0.0/16

    Case B: connects (summary on both B and A)
    ------vpnA------------------------------vpnB
    local 172.16.0.0/16 -----------------local 10.10.10.0/24
    remote 10.10.10.0/24 --------------remote 172.16.0.0/16
    (note: local IP for vpnA is 172.168.11.254/24)
    (routing table on B: 172.16.0.0 255.255.0.0 69.69.69.69 10 ipsec0 )

    It all seems to work when I try to reach other 172.16/16, but I am currently experiencing a vpnclients problem, not sure if related to the change, looking into it. Thanks, we will probably end up using summary.

    6stitches
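
Added example, not part of the thread and not RV042 firmware logic: a Python sketch of the summary workaround and the three selector cases tested in the last post. It assumes the peers require exactly mirrored local/remote selectors (consistent with the results reported above) and a simplified egress decision; the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

def covers(summary, subnets):
    """True if every subnet falls inside the summary prefix."""
    s = ip_network(summary)
    return all(ip_network(n).subnet_of(s) for n in subnets)

def selectors_mirror(a, b):
    """Assumed exact-match rule: A's local == B's remote and vice versa."""
    return (ip_network(a["local"]) == ip_network(b["remote"])
            and ip_network(a["remote"]) == ip_network(b["local"]))

def egress(dst, local, remote):
    """Simplified model of where a gateway sends a packet for dst."""
    d = ip_address(dst)
    if d in ip_network(local):
        return "lan"      # same subnet, never routed (Eric's caveat)
    if d in ip_network(remote):
        return "ipsec0"   # matches the tunnel's remote selector
    return "wan1"         # default gateway, unencrypted

# Selector pairs (vpnA, vpnB) copied from the last post in the thread.
CASES = {
    "no summary": ({"local": "172.16.11.0/24", "remote": "10.10.10.0/24"},
                   {"local": "10.10.10.0/24", "remote": "172.16.11.0/24"}),
    "summary on B only": ({"local": "172.16.11.0/24", "remote": "10.10.10.0/24"},
                          {"local": "10.10.10.0/24", "remote": "172.16.0.0/16"}),
    "summary on both": ({"local": "172.16.0.0/16", "remote": "10.10.10.0/24"},
                        {"local": "10.10.10.0/24", "remote": "172.16.0.0/16"}),
}

def check_cases():
    """Map each case name to whether the two selector sets mirror."""
    return {name: selectors_mirror(a, b) for name, (a, b) in CASES.items()}

if __name__ == "__main__":
    print(covers("192.168.0.0/16", ["192.168.25.0/24", "192.168.30.0/24"]))
    for name, ok in check_cases().items():
        print(f"{name}: {'connects' if ok else 'selector mismatch'}")
    # Original single-subnet selector vs. the /16 summary on gateway B.
    for remote in ("172.16.11.0/24", "192.168.0.0/16"):
        for dst in ("192.168.30.5", "192.168.10.7", "192.168.99.1"):
            print(remote, dst, egress(dst, "192.168.10.0/24", remote))
```

The last destination, 192.168.99.1, is a constructed address: it shows that a /16 selector also pulls every other 192.168.x.x destination into the tunnel, so the summary should be checked against networks that are not meant to cross the VPN.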
     
