[c-nsp] VPN Concentrator routing

Brian Feeny signal at shreve.net
Tue Nov 16 18:27:51 EST 2004


It looks like on the VPN 3000 you can Override the Tunnel Default Gateway to support hairpinning (back out the same interface it was received on) traffic for remote VPNs.

Something tells me the Linksys, Netgear, etc. type devices probably only let you configure one "remote VPN network", and won't allow static routes to work over the VPN. I mean I will try it, but I am skeptical whether you can have multiple networks "reachable" over a VPN on a small CPE like a Linksys/Netgear etc.

I think if I can get the remote to send the traffic to the VPN3000 tunnel, then the VPN3000 can deal with it by using the "override tunnel default gateway" functionality, so that it uses its own RIB to direct traffic.

If anyone has done this (multiple remote networks off a Linksys/Netgear going through a VPN3000), please let me know.

Brian

On Nov 16, 2004, at 5:13 PM, Bruce Pinsky wrote:

>
> Brian Feeny wrote:
> |
> | I don't have much experience on VPN Concentrators, and would like to do
> | something pretty basic that I am hoping someone here can point out how.
> |
> | I am wanting to get two remote VPNs to talk to each other. So remoteA
> | connects to the VPN3000, remoteB connects to the VPN3000, and then A can
> | talk to B and vice versa. I have read a little on Reverse Route Injection,
> | but am not sure if that's going to work here.
> |
> | The remotes are not necessarily Cisco clients. They may be Netgears,
> | Linksys, SonicWall etc. I did see in the:
> |
> | Configuration | Tunneling and Security | IPSec | LAN-to-LAN | Add or Modify
> |
> | where there is a Routing box and you can set it for Autodiscovery or RRI,
> | but wasn't sure if either works with regular LAN-to-LAN type devices like
> | Linksys, Netgear, etc. In the documentation they almost make it sound like
> | you need another VPN concentrator on the other end of the link.
> |
>
> I had a Netscreen 5 doing a tunnel to a 3000 previously. However, it was
> only remote to hub and not remote to remote. I just used static routes on
> each end to point to the appropriate destinations.
>
> --
> bep
>
------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    e: signal at shreve.net
Network Engineer                  p: 318.213.4709
ShreveNet Inc.                    f: 318.221.6612
