10-01-2018 11:41 AM
Hello everyone,
I hope someone can help me with this.
I have a VPN client on the 192.168.1.0 network that wants to reach the 192.168.42.0 network. It will connect to the VPN servers via DNS load balancing, so sometimes it will pick server1 and sometimes server2. Behind those VPN servers there is a Cisco router that routes traffic to 192.168.42.0.
My question is what route I need to add on the router side to reverse the traffic to the VPN client.
Before, I had one VPN server and I simply added a static route:
ip route 192.168.1.0 255.255.252.0 10.10.10.1
and it worked nicely.
But when I added VPN server 2 I got confused about the route I need to add.
Note: these are virtual machines inside ESXi; the Cisco router is a CSR1000V.
Thanks
10-01-2018 12:00 PM
Hello,
this looks tricky indeed. What do you have configured on the Cisco? Check the link below for a feature called RRI (Reverse Route Injection)...
10-01-2018 12:07 PM
We do not know enough about your specific environment to adequately understand what is happening and therefore it is difficult to give you good answers at this point. Your drawing shows the two servers with different addresses. So it seems logical to assume that as they build the IP packets for the vpn that each server would use a unique source address. So the response packet coming back should have that unique address as the destination. And that would suggest that you need routes for the two addresses that the vpn servers use.
Can you tell us, when you had the single vpn server, did it use the 10.10.10.1 address? And was that the address for which you configured a route on your router?
HTH
Rick
10-01-2018 12:42 PM
Yes, with a single VPN server I used 10.10.10.1 in the static route, and that is what I configured on the router:
ip route 192.168.1.0 255.255.255.0 10.10.10.1
As for my environment, any VPN server will route the traffic as it is, which in this case is 192.168.1.0/24; there is no SNAT or NAT on the VPN server.
Basically those VPN servers are redundant for the client, meaning the client will randomly pick VPN server 1, and if it couldn't reach it, it will try VPN server 2.
Thanks
10-01-2018 01:05 PM
Thank you for the clarification. But I am still quite confused. Am I correct in assuming that the vpn servers that you mention are doing site to site (tunneled) vpn? That each vpn server negotiates an encrypted tunnel session with the remote peer providing service to the 192.168.42.0 network? And that traffic from the original client goes through the tunnel without any translation so that the source address of 192.168.1.x is preserved through the tunnel?
But if that were the case then the router (10.10.10.3) should not be seeing an IP packet with destination 192.168.1.X but should be seeing a tunneled packet whose destination should be either 10.10.10.1 or 10.10.10.2.
Please tell us more about these vpn servers. What are they and how are they working? Are they providing tunneled vpn or providing remote access vpn, or something else?
HTH
Rick
10-01-2018 12:33 PM - edited 10-01-2018 12:34 PM
Hello
@zaherercisco wrote:
Hello everyone,
I hope someone can help me with this.
I have a VPN client on the 192.168.1.0 network that wants to reach the 192.168.42.0 network. It will connect to the VPN servers via DNS load balancing, so sometimes it will pick server1 and sometimes server2. Behind those VPN servers there is a Cisco router that routes traffic to 192.168.42.0.
What does this "sometimes" mean exactly? Do you mean specific hosts from 192.168.40/0/24 to be routed between the two VPN servers? If so, PBR should be able to provide such a request without having to state another default route. Please can you elaborate on your query?
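As an added illustration that is not from any poster in this thread: a small Python model of the router's longest-prefix-match lookup showing why the single /24 static route from the original post always returns traffic to 10.10.10.1 even when the client landed on server2, and how a per-client host route pushed by whichever server the client connected to (the idea behind the RRI feature mentioned above, modelled here, not Cisco's implementation) steers the reply correctly. The addresses 10.10.10.1 and 10.10.10.2 and the client 192.168.1.50 are taken from the thread or constructed.

```python
import ipaddress

# Constructed from the thread: the client subnet and the two VPN servers
# sitting between the client and the CSR1000V.
CLIENT_NET = "192.168.1.0/24"
VPN_SERVER1 = "10.10.10.1"
VPN_SERVER2 = "10.10.10.2"


class RoutingTable:
    """Minimal longest-prefix-match table (an illustration, not IOS)."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def remove(self, prefix, next_hop):
        self.routes.remove((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, h) for n, h in self.routes if dst in n]
        if not matches:
            return None
        # The most specific (longest) prefix wins; ties keep insertion order.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def build_router_table():
    """The static route from the original post: ip route 192.168.1.0 ... 10.10.10.1."""
    table = RoutingTable()
    table.add(CLIENT_NET, VPN_SERVER1)
    return table


def inject_client_route(table, client_ip, server_ip):
    """Model of reverse route injection: the server a client connected to
    pushes a /32 for that client into the router, overriding the /24."""
    table.add(f"{client_ip}/32", server_ip)


def withdraw_client_route(table, client_ip, server_ip):
    """When the client session ends, the host route is withdrawn again."""
    table.remove(f"{client_ip}/32", server_ip)


def return_path(table, client_ip):
    """Next hop the router would use for a reply destined to the client."""
    return table.lookup(client_ip)
```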