Tuesday, 4 February 2014

Unable to access resources on a subnet through VPN

Issue:

After connecting to the company network through VPN, users cannot reach resources on one specific subnet of the company LAN, while resources on another subnet of the same LAN remain reachable.

Scenario:

- LAN subnet on VPN device: 192.168.1.0/24
- LAN interface IP of VPN device: 192.168.1.1
- Second subnet on LAN: 192.168.2.0/24
- Gateway of second subnet: 192.168.2.1
- IP pool for VPN: 10.10.10.0/24

Once a home user connects through VPN to the device, the VPN adapter gets an IP from 10.10.10.0/24 (for example 10.10.10.1). After launching VPN, users can reach only the resources on subnet 192.168.1.0/24; the other subnet on the company LAN (192.168.2.0/24) is not accessible through VPN. A traceroute to any resource on 192.168.2.0/24 shows 192.168.1.1 as the first hop and then no further response.

Solution:
The cause is a missing reverse route: the gateway of the 192.168.2.0/24 subnet needs a route for the VPN IP pool so that return traffic can get back to the VPN device.

When a VPN user tries to reach the resource 192.168.2.10 from a machine whose VPN adapter IP is 10.10.10.1, the packet looks like this:

Source IP: 10.10.10.1
Destination IP: 192.168.2.10

Since the routing table on the PC sends this traffic through the VPN tunnel, the packet reaches the VPN device, which forwards it to the gateway of the 192.168.2.0 subnet. When the resource on the LAN responds, the reply packet looks like this:

Source IP: 192.168.2.10
Destination IP: 10.10.10.1

Since source and destination are in different subnets, the host forwards the reply to its gateway (192.168.2.1). That gateway must therefore have a route for the VPN IP pool subnet (10.10.10.0/24) pointing to the VPN device (192.168.1.1); without it, the gateway has nowhere to send the reply and the packet is dropped.

Add a static route on that gateway with destination network 10.10.10.0/24 and next hop 192.168.1.1. Once the return traffic reaches the VPN device, the device forwards it to the VPN client.
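The following is an added example (not part of the original post) that models the routing tables above with a longest-prefix-match lookup and traces the forward and return paths before and after the static route is added. Nodes are named rather than addressed, so the LAN gateway's address on 192.168.1.0/24, which the post does not give, is not assumed; all tables are constructed from the scenario.

```python
import copy
import ipaddress

# Constructed routing tables for the scenario. A next hop of "connected"
# means the destination subnet is directly attached and the packet is delivered.
ROUTES_BEFORE_FIX = {
    "vpn-client":  [("192.168.0.0/16", "vpn-device")],   # tunnel route on the PC
    "vpn-device":  [("10.10.10.0/24", "connected"),      # VPN IP pool
                    ("192.168.1.0/24", "connected"),     # LAN interface 192.168.1.1
                    ("192.168.2.0/24", "lan-gateway")],
    "lan-gateway": [("192.168.1.0/24", "connected"),     # gateway 192.168.2.1: no
                    ("192.168.2.0/24", "connected")],    # route back to 10.10.10.0/24
    "lan-host":    [("192.168.2.0/24", "connected"),     # resource 192.168.2.10
                    ("0.0.0.0/0", "lan-gateway")],       # default route via 192.168.2.1
}

def lookup(table, dst):
    """Longest-prefix match. Returns the next hop, or None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

def trace(routes, src_node, dst, max_hops=8):
    """Follow next hops from src_node towards dst. Returns (path, outcome)."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        next_hop = lookup(routes[node], dst)
        if next_hop is None:
            return path, "dropped"      # no matching route: reply is silently lost
        if next_hop == "connected":
            return path, "delivered"
        path.append(next_hop)
        node = next_hop
    return path, "loop"

def with_reverse_route(routes):
    """The fix from the post: static route for the VPN pool on the LAN gateway
    (on the real gateway: destination 10.10.10.0/24, next hop 192.168.1.1)."""
    fixed = copy.deepcopy(routes)
    fixed["lan-gateway"].append(("10.10.10.0/24", "vpn-device"))
    return fixed

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE_FIX), ("after", with_reverse_route(ROUTES_BEFORE_FIX))):
        print(label, "forward:", trace(routes, "vpn-client", "192.168.2.10"))
        print(label, "return: ", trace(routes, "lan-host", "10.10.10.1"))
```

The forward path is delivered in both cases; the return path is dropped at the LAN gateway before the fix and delivered to the VPN device after it, which is exactly why the traceroute stops after the first hop.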

Affected devices: Juniper SA/MAG VPN device, Cisco ASA firewall, Cisco ISA VPN device and any other VPN device that uses SSL or IPsec VPN.

JT


