Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IPsec with ambiguous routing

  • From: David Howe
  • Date: Wed Feb 12 14:48:30 2003

> On Wednesday, February 12, 2003, at 10:40 AM, David Wilburn wrote:
> With such ambiguous routing, is my understanding correct that the
> response traffic could potentially bypass the VPN concentrator
> altogether and travel to the destination unencrypted?
I had exactly this problem - consider the situation where site a and
site b are branches of the same company, each with its own internet
gateway and site b has resources site a must (due to head office edict)
use.  Now consider vpn users of site a, who must use resources from site
b. not only is it likely that replies go via the site b gateway, but it
is impossible for them *not* to - to the extent that, as site b's
firewall sensibly doesn't allow outbound packets to random destinations,
no replies are ever received at all.
The solution was fairly simple - inbound VPN users are transparently
NATted to a block of addresses in the "site a" range, and therefore
replies, looking as they do to be sourced from site a, are returned to
the firewall at site a for vpn encapsulation and dispatch.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.