How does VPN do routing?

Archived from groups: comp.dcom.vpn

Hi All,

I have been thinking about this since morning but have not been able
to get a clear answer for myself. I am wondering how IPSec packets
look and how they get routed.

When we connect a VPN client to a VPN host, the host provides the
client with an IP address. The client of course had an IP address from
before also. Now when it starts communicating, I believe the new IP
address is used in the IP header.

So to make things clear, I have a DSL connection at home and my IP
address is 160.10.10.2. I connect to a remote campus using VPN and get
an IP address 155.25.3.28. The remote network has a class B pool of
155.25.X.X. Now when I communicate with the remote host, I will be
communicating with a source address of 155.25.3.8. My question is how
does the routing take place. The intermediate routers will never
forward packets to the client since a packet destined for 155.25.3.28
will be forwarded to the campus while actually it is in my house.
Hmmm, guess I am not thinking correctly so please clear this concept
for me. I am fairly new with VPNs...

Do I have to put some static at the edge router in the campus?

Thanks.
Paul

vipul <vbahety@rediffmail.com> wrote:

> When we connect a VPN client to a VPN host, the host provides the
> client with an IP address. The client of course had an IP address from
> before also. Now when it starts communicating, I believe the new IP
> address is used in the IP header.

It is tunneled, that is to say, the original IP packet is encapsulated
in a new IP packet, which has the original source and destination address.
When the encapsulated (and encrypted, though that's incidental to your
question) traffic gets to the far end of the VPN, it gets unwrapped and
forwarded on to the destination IP address -- with your tunneled source
address exposed. This is why they're called "vpn tunnels".

Google -> Images -> "vpn" ... C'mon.

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation

> It is tunneled, that is to say, the original IP packet is encapsulated
> in a new IP packet, which has the original source and destination address.
> When the encapsulated (and encrypted, though that's incidental to your
> question) traffic gets to the far end of the VPN, it gets unwrapped and
> forwarded on to the destination IP address -- with your tunneled source
> address exposed. This is why they're called "vpn tunnels".
>
> Google -> Images -> "vpn" ... C'mon.

Thanks for the reply Eric. I thought of this but I got confused when I
sniffed a VPN connection using Ethereal. The source address for
outgoing packets from a VPN client was the new address, i.e. the one
provided by the VPN host. If the packet got encapsulated in a new
header, shouldn't the source address be the old IP address?

Thanks for your help.

Vipul
Sameer
Apr 8, 2004

this is for a MSFT infrastructure... so if you're not on a MSFT infrastructure,
you might as well ignore this, because i don't have experience with a cisco
getup.... yet.

remember, a VPN RAS server allows an interface different logical addresses.
one address is assigned to deal with the intranet segment, while the other
is the addresses assigned to the RAS VPN connection. so during your
transactions, it's that VPN address that's used, not the local address.

do this, i dunno if you're on a msft machine, but when you establish the
tunnel type "ipconfig /all"

you'll see there are two addresses.

i don't mean to patronize, so don't think of it like that (and just roll
with it for the sake of concept... vs. possibility) ... but very crudely
think of a VPN as dial-up RAS connection within a parent RAS connection.
the first establishes a network and puts a setting in place, then the second
does the same and again puts a second set of settings in place.

if you ever play around with a 2000/2003 server, you'll see this first hand.
there is the need to assign an address range for the RAS connections.

and to answer your question about static addresses... according to MSFT,
you do need to place a static route for "off-subnet address range(s)"

Thanks for the explanation Sameer.

I sat down and wrote a little explanation for myself as to how all
this is happening. Thought I should post it for others...Hope the
explanation is correct. Let me know what you think.

I have a laptop at home which is directly connected to a DSL modem.
Let's say it gets an IP address of 66.1.3.4. I set up a VPN connection
with a concentrator which is behind the edge router and in parallel
with a core router of our campus.
The IP address of the VPN's public interface is Y.Y.248.248. So after
the VPN tunnel is setup, my laptop gets an IP address of 192.168.2.1
(which is the address pool assigned to the concentrator). Now I try to
connect to a desktop Y.Y.1.93 on-campus. My understanding is that this
is how the packet is encapsulated for tunneling.

 ---------------------------------------------------------------------
 | 66.1.3.4    | 192.168.2.1 |  Payload  | Y.Y.1.93    | Y.Y.248.248 |
 ---------------------------------------------------------------------
   Source address                          Destination address

After the concentrator decapsulates the packet and sees what is
inside, it forwards the packet to Y.Y.1.93. Y.Y.1.93 replies to
192.168.2.1 by forwarding it to the default gateway, which is the core
router. The core router should have a static route in its routing
table that any packet destined to 192.168.2.X should be forwarded to
Y.Y.1.90, which is the concentrator's private interface. I did this and
the connection seems to work.

Thanks.
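The tunnel encapsulation Eric describes and the packet layout plus static route in Vipul's last post, worked through as an added Python illustration (not code from anyone in the thread). It assumes constructed TEST-NET-3 stand-ins for the elided Y.Y.* addresses, leaves encryption out as incidental (plain IP-in-IP, protocol 4), and models the core router as a two-entry longest-prefix-match table.

```python
import ipaddress
import struct

# Constructed stand-ins (TEST-NET-3) for the Y.Y.* addresses the post leaves elided.
HOME_DSL = "66.1.3.4"         # laptop's DSL address: outer source
VPN_PUBLIC = "203.0.113.248"  # concentrator public interface: outer destination
VPN_PRIVATE = "203.0.113.90"  # concentrator private interface: next hop for 192.168.2.0/24
TUNNEL_ADDR = "192.168.2.1"   # address the concentrator assigned the laptop: inner source
DESKTOP = "203.0.113.93"      # on-campus desktop: inner destination

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero to keep it short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, rest) for bytes that start with an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])

def encapsulate(payload):
    """What the client puts on the DSL line: an outer header carrying the whole inner packet."""
    inner = ipv4_header(TUNNEL_ADDR, DESKTOP, 6, len(payload)) + payload  # 6 = TCP
    return ipv4_header(HOME_DSL, VPN_PUBLIC, 4, len(inner)) + inner       # 4 = IP-in-IP

def concentrator_decapsulate(pkt):
    """Strip the outer header; the inner packet (source 192.168.2.1) is forwarded on-campus."""
    _, dst, proto, inner = parse_ipv4(pkt)
    if dst != VPN_PUBLIC or proto != 4:
        raise ValueError("not a tunnel packet addressed to this concentrator")
    return inner

def next_hop(table, dst):
    """Longest-prefix match over [(network, next_hop)], as the core router would do."""
    addr = ipaddress.IPv4Address(dst)
    hits = [(net, nh) for net, nh in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Core router's table before and after adding the static route from the post (constructed).
CORE_WITHOUT_STATIC = [(ipaddress.IPv4Network("0.0.0.0/0"), "edge-router")]
CORE_WITH_STATIC = CORE_WITHOUT_STATIC + [(ipaddress.IPv4Network("192.168.2.0/24"), VPN_PRIVATE)]

if __name__ == "__main__":
    wire = encapsulate(b"GET / HTTP/1.0\r\n\r\n")
    print("outer header:", parse_ipv4(wire)[:3])            # ('66.1.3.4', '203.0.113.248', 4)
    src, dst, _, _ = parse_ipv4(concentrator_decapsulate(wire))
    print("inner header:", src, "->", dst)                  # 192.168.2.1 -> 203.0.113.93
    print("reply without static route goes to", next_hop(CORE_WITHOUT_STATIC, src))  # edge-router
    print("reply with static route goes to", next_hop(CORE_WITH_STATIC, src))        # 203.0.113.90
```

Without the /24 entry the reply to 192.168.2.1 follows the default route and never reaches the concentrator, which is exactly the symptom the static route fixes.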