VPN input
Jon Carnes
jonc at HAHT.COM
Tue Jun 13 17:45:35 EDT 2000
----- Original Message -----
From: "David Gillett" <dgillett at niku.com>
To: "'Jon Carnes'" <jonc at haht.com>; <VPN at SECURITYFOCUS.COM>
Sent: Tuesday, June 13, 2000 4:18 PM
Subject: RE: VPN input
> John,
> I'd like to drill down a little on one particular point:
>
> > My company's WAN is setup in a star configuration - all the branches vpn to
> > our corporate offices, ....
>
> Do you have cases where two remote locations need to exchange traffic?
> I'm facing a particular issue with wanting to convey traffic A<->C by having
> site B route packets between the A<->B tunnel and the B<->C tunnel, instead
> of creating a low-volume A<->C tunnel. I haven't found a way to make this
> happen yet.
>
> I'm asking in response to your message because this is inherent in using a
> star rather than a mesh configuration....
>
> David Gillett
> Enterprise Networking Services Manager, Niku Corp.
> (650) 701-2702
> "Transforming the Service Economy"
>
That works just fine here. The key is setting up the routing correctly.
For your case, B is the corporate hub. A attaches to B. Similarly, C
attaches to B.
If the speeds are acceptable there is no reason to set up a direct link for A
to C: you can let B relay the traffic.
To make it work:
- On A's router, add a route to network C that uses as a gateway B's router.
- On C's router, add a route to network A that uses as a gateway B's router.
If you are on network A then all your traffic for either B or C should go
down the vpn to the B network. Traffic for the B network has reached its
destination. Traffic for the C network will go to the router on network B
and be directed to the C network (just like any local traffic going from
network B to C). Once on the C network, your journey ends.
Return packets will go to the network C router, travel down the vpn back to
network B, go to the Router on Network B, and then be directed to the A
Network via that vpn.
Note: you must have a distinct network for each site. In other words, each
site must use a different ip network. We use various 192.168.x.0 networks
for our satellite offices. Their firewalls all use IP Masquerading, so the
internal addresses don't really matter.
As an example:
Network A = 192.168.22.0 / 255.255.255.0
Network B = 192.168.1.0 / 255.255.255.0
Network C = 192.168.33.0 / 255.255.255.0
Good Luck!
Jon Carnes
MIS - HAHT Software
VPN is sponsored by SecurityFocus.COM
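
An added example, not part of the original message: a small Python model of the three routing tables described in the reply, tracing a packet hop by hop through the A->B->C relay and checking that each site uses a distinct network. The network numbers come from the message; the site labels as router names, the hub's own route entries and the function names are assumptions made for illustration.

```python
import ipaddress

# Site networks from the message; using the site letter as the router name is an assumption.
SITES = {
    "A": ipaddress.ip_network("192.168.22.0/24"),
    "B": ipaddress.ip_network("192.168.1.0/24"),
    "C": ipaddress.ip_network("192.168.33.0/24"),
}

# Per-router routes: destination network -> next-hop router reached over a VPN tunnel.
# Star topology: A and C each have a tunnel to hub B only.
ROUTES = {
    "A": {SITES["B"]: "B", SITES["C"]: "B"},  # route to network C via B's router
    "C": {SITES["B"]: "B", SITES["A"]: "B"},  # route to network A via B's router
    "B": {SITES["A"]: "A", SITES["C"]: "C"},  # hub reaches each spoke directly (assumed)
}

def overlapping_sites(sites):
    """Return pairs of sites whose networks overlap; the relay needs none."""
    names = sorted(sites)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if sites[x].overlaps(sites[y])]

def trace(src_site, dst_ip, routes=ROUTES, sites=SITES, max_hops=8):
    """Follow a packet router by router and return the list of sites it visits."""
    dst = ipaddress.ip_address(dst_ip)
    path, here = [src_site], src_site
    while dst not in sites[here]:
        # Longest-prefix match among this router's routes.
        matches = [net for net in routes[here] if dst in net]
        if not matches or len(path) > max_hops:
            raise LookupError(f"no route to {dst} from site {here}; path so far {path}")
        here = routes[here][max(matches, key=lambda net: net.prefixlen)]
        path.append(here)
    return path

if __name__ == "__main__":
    print("overlaps:", overlapping_sites(SITES))
    print("A -> C:", trace("A", "192.168.33.10"))   # constructed host address
    print("C -> A:", trace("C", "192.168.22.5"))    # constructed host address
```

Removing the route to network A from C's table makes the return trace raise `LookupError`, which is why both spokes need their route through B.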