North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: IPsec with ambiguous routing
- From: David Howe
- Date: Wed Feb 12 14:48:30 2003
> On Wednesday, February 12, 2003, at 10:40 AM, David Wilburn wrote:
> With such ambiguous routing, is my understanding correct that the
> response traffic could potentially bypass the VPN concentrator
> altogether and travel to the destination unencrypted?
I had exactly this problem - consider the situation where site a and
site b are branches of the same company, each with its own internet
gateway and site b has resources site a must (due to head office edict)
use. Now consider vpn users of site a, who must use resources from site
b. not only is it likely that replies go via the site b gateway, but it
is impossible for them *not* to - to the extent that, as site b's
firewall sensibly doesn't allow outbound packets to random destinations,
no replies are ever received at all.
The solution was fairly simple - inbound VPN users are transparently
NATted to a block of addresses in the "site a" range, and therefore
replies, looking as they do to be sourced from site a, are returned to
the firewall at site a for vpn encapsulation and dispatch.