RV042 VPN *and* static routes

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by fred3, Jul 4, 2007.

  1. fred3

    fred3 Network Guru Member

    Does anyone have any experience using an RV042 as a VPN device *AND* having static routes that work?

    I'm trying to learn how the two interact.
  2. ifican

    ifican Network Guru Member

    Well what are you trying to do? Directed connected networks once the vpn is connected have access to the remote network because the router will identify the vpn traffic and send it across the tunnel. Now depending on what you want or are trying to do it can get very tricky and strange to make certain things work, and some things i have yet to make work correctly on soho environments.
  3. fred3

    fred3 Network Guru Member

    What I would *like* to do is to start with an RV042 VPN (that I already have and that is not also a general internet gateway) and then add static routes to it that will actually do what they say. What I don't know is if this will work. I have some suspicion at least that it won't - but no conclusive proof as yet.

    Here's an example:

    I want to locally route all traffic, destined for the remote LAN / subnet, to the local VPN address. I can do this on the local LAN somehow -either with a router or by adding routes to all the hosts. I think this is pretty normal.

    Then, I want to route certain traffic (that has a further private destination *beyond* the remote LAN) to a particular router IP address residing on the remote LAN as the next hop (from which it will be forwarded on).

    In general, I believe that routing devices won't route to an IP address as the next hop (or gateway) for which there is no interface. The next hop has to be on a subnet in which one interface of the router resides.

    So, it would be nice if I could add the following route to the local RV042 VPN device:
    destination [further remote IP address or address range] mask xxxxxx gateway [a particular IP address on the remote LAN of the VPN]

    If this is to work, it means that the RV042 routing table has to work in conjunction with the VPN implementation within the RV042 - as the route described above has to be magically associated with the remote LAN addresses so the packets will be directed through the VPN part of the device.

    For added clarity, let me try to differentiate between the two kinds of packets I'd like the RV042 VPN to handle:
    - normal subnet to subnet packets
    - packets destined further on but with gateways on the remote subnet.

    So, there's a real example and I just don't know if I should expect it to work (or not to work).
    I could do an experiment but it takes quite a few devices and I'd appreciate learning from the experience of others first if I can.


  4. ifican

    ifican Network Guru Member

    It is good to learn from others but not always the best, simply because I or anyone else can tell you one thing, and for some strange reason or just because something has changed since we played with it, trying it now has a different response then we previously experienced.

    What i have run across is this: Soho devices in general do not like to route vpn traffic back out the same interface it was received on to a different subnet other then the vpn. i.e. If you are trying to send traffic across a tunnel and then have the remote device send that same traffic out to the internet via its connection. This is easily doable on advanced feature set routers but not any i have ever played with in a soho world. As far as your routing questions go, VPN traffic is identified prior to a route lookup taking place. So any static route you put on the router in regards to the tunneled traffic will go "unused" as once the vpn traffic is identified the router alreadys know what the remote end gateway is suppose to be and forwards it accordingly.

    Now you do bring up some interesting ideas and some of which i have often wondered myself but have never taken the initiative to find out for sure. I dont see why you should not beable to make this work as long as you have a router sitting behing the RV on both ends thats making the routing decisions prior to the packets getting to the RV. If you want to contact me offline we can build a tunnel and test this.
  5. fred3

    fred3 Network Guru Member

    OK - thanks.

    I'm working on a suggested approach that would have the RV042 static route at the *output* of the VPN. We'll see if that works.

    Here's how that one would do it:

    Add a tunnel between the initiating subnet and the far removed subnet.
    Then, add a route on the receiving RV that points to the local subnet router that knows how to reach the far removed subnet addresses.

    Apparently this depends on VPN traffic being routed *after* it comes out of the tunnel.

    We'll see. It's going to be a couple or three weeks before I can try it.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice