VPN input

Jon Carnes jonc at HAHT.COM
Tue Jun 13 17:45:35 EDT 2000


----- Original Message -----
From: "David Gillett" <dgillett at niku.com>
To: "'Jon Carnes'" <jonc at haht.com>; <VPN at SECURITYFOCUS.COM>
Sent: Tuesday, June 13, 2000 4:18 PM
Subject: RE: VPN input


> John,
>   I'd like to drill down a little on one particular point:
>
> > My company's WAN is setup in a star configuration - all the branches vpn
> > to our corporate offices, ....
>
>   Do you have cases where two remote locations need to exchange traffic?
> I'm facing a particular issue with wanting to convey traffic A<->C by
> having site B route packets between the A<->B tunnel and the B<->C tunnel,
> instead of creating a low-volume A<->C tunnel.  I haven't found a way to
> make this happen yet.
>
>   I'm asking in response to your message because this is inherent in using
> a star rather than a mesh configuration....
>
> David Gillett
> Enterprise Networking Services Manager, Niku Corp.
> (650) 701-2702
> "Transforming the Service Economy"
>

That works just fine here.  The key is setting up the routing correctly.

For your case, B is the corporate hub.  A attaches to B.  Similarly, C
attaches to B.

If the speeds are acceptable there is no reason to set up a direct link for A
to C:  you can let B relay the traffic.

To make it work:
   - On A's router, add a route to network C that uses as a gateway B's
router.
   - On C's router, add a route to network A that uses as a gateway B's
router.

If you are on network A then all your traffic for either B or C should go
down the vpn to the B network.  Traffic for the B network has reached its
destination.  Traffic for the C network will go to the router on network B
and be directed to the C network (just like any local traffic going from
network B to C).  Once on the C network, your journey ends.

Return packets will go to the network C router, travel down the vpn back to
network B, go to the Router on Network B, and then be directed to the A
Network via that vpn.

Note: you must have a distinct network for each site.  In other words, each
site must use a different IP network.  We use various 192.168.x.0 networks
for our satellite offices.  Their firewalls all use IP Masquerading, so the
internal addresses don't really matter.

As an example:
  Network A = 192.168.22.0 / 255.255.255.0
  Network B = 192.168.1.0  / 255.255.255.0
  Network C = 192.168.33.0 / 255.255.255.0

Good Luck!

Jon Carnes
MIS - HAHT Software

VPN is sponsored by SecurityFocus.COM
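The relay routing Jon describes, modelled as an added example that is not part of this thread: each spoke router sends every other site via hub B, the hub has a tunnel route to each spoke, and the last function checks Jon's note that every site needs a distinct network. The site networks are the ones from the message; the single-letter router names and the tables themselves are assumptions for the model.

```python
import ipaddress

# Constructed topology from the message: A and C are spokes, B is the hub.
SITES = {
    "A": "192.168.22.0/24",
    "B": "192.168.1.0/24",
    "C": "192.168.33.0/24",
}
HUB = "B"


def build_routes(sites, hub=HUB):
    """Per-router tables of (destination network, next-hop router).
    None as next hop means the destination is directly connected."""
    tables = {}
    for name in sites:
        routes = []
        for dst_name, dst_net in sites.items():
            net = ipaddress.IPv4Network(dst_net)
            if dst_name == name:
                routes.append((net, None))          # own LAN
            elif name == hub:
                routes.append((net, dst_name))      # hub: tunnel to that spoke
            else:
                routes.append((net, hub))           # spoke: everything via hub
        tables[name] = routes
    return tables


def lookup(table, ip):
    """Longest-prefix match; raises if the router has no route at all."""
    ip = ipaddress.IPv4Address(ip)
    matches = [(net, nh) for net, nh in table if ip in net]
    if not matches:
        raise LookupError(f"no route to {ip}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, src_site, dst_ip):
    """Follow next hops from the source site's router until delivered."""
    path, cur = [src_site], src_site
    for _ in range(len(tables) + 1):       # bounded: a star never needs more hops
        nh = lookup(tables[cur], dst_ip)
        if nh is None:
            return path
        path.append(nh)
        cur = nh
    raise RuntimeError("routing loop")


def overlapping_sites(sites):
    """Jon's caveat: sites with overlapping networks cannot be told apart."""
    names = list(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ipaddress.IPv4Network(sites[a]).overlaps(ipaddress.IPv4Network(sites[b]))]
```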
