Solved: IPSec VPNs and routing

jimgrumbles · ‎08-09-2012

Hi,

I've been polishing up on my CCSP since I'm currently in a job where I don't have to touch a lot of that stuff. While doing a lab I setup an IPSec site to site VPN between two IOS routers.

For example:

https://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

The routers have to specify how to route to the protected network. Although I assume they could just use a default route to 172.17.1.2 as well.

e.g. ip route 10.10.10.0 255.255.255.0 172.17.1.2

172.17.1.2 isn't going to have the slightest clue as to how to route to 10.10.10.0

Even in an example with a tunnel between an ASA and IOS router the ASA doesn't have to specify a direct route to the protected subnet of 10.20.10.0 but it still has to have a default route setup. (https://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI)

So it is basically saying, to reach the protected subnet I have to set the next hop to a device that has no idea where that subnet is anyhow. Shouldn't all the routing be based on the peer IP and not on a subnet that routers in between should have no idea they exist?

The main assumption I have here is that the protected subnets should not be reachable unless the VPN tunnel is up. Most of my site to site VPN experience is with PIX/ASA and I never had to specify a route to the protected subnet (e.g. 172.16.228.0). I assume it just used its default gateway which was a public internet IP address belonging to the ISP. However the ISP has no idea where 172.16.228.0 is.

Edit: I found a thread, not related to Cisco but IPSec in general, that seems to be the question in case I didn't make much sense:

http://comments.gmane.org/gmane.os.openbsd.misc/192986

It still just doesn't seem logical to me. If I have a tunnel connecting two Class C networks over the internet, the only routers with knowledge of those networks are the two peers. Why should a route be established (static, default, dynamic, etc) that would appear to send the traffic to a device that won't know where those Class C networks are? Although I have to assume in my example with 172.17.228.0 that my ASA wasn't actually sending packets to my ISP gateway with 172.17.228.0 in them.

Karsten Iwen · ‎08-09-2012

The purpose of the route is *not* to send the traffic to your next hop. You are right that the next-hop router has no clue what to do with that packet. That route is only important for the local operation. The router needs to find the outgoing interface for the packet. That is done with the route pointing to the next-hop-router. If you would point that route to your IPSec-peer, your router has to do a recursive routing-lookup. After the outging interface is found, the traffic is sent towards that interface, the crypto map on that interface jumps in and protects your traffic which gets routed to your IPSec peer.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎08-09-2012

The purpose of the route is *not* to send the traffic to your next hop. You are right that the next-hop router has no clue what to do with that packet. That route is only important for the local operation. The router needs to find the outgoing interface for the packet. That is done with the route pointing to the next-hop-router. If you would point that route to your IPSec-peer, your router has to do a recursive routing-lookup. After the outging interface is found, the traffic is sent towards that interface, the crypto map on that interface jumps in and protects your traffic which gets routed to your IPSec peer.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

jimgrumbles · ‎08-14-2012

Thank you Karsten!