4

I've established a site to site VPN with two Zyxell routers. Site A (LAN: 192.168.16.x) is the main office, and site B (LAN: 192.168.17.x) is a branch office. Both sites are able to reach each other, and things work as they should.

Now, what I don't really understand is how it really works!

How does the router at site A know that requests going to 192.168.17.x should go to site B? I'm thinking that, upon establishing the connection, the router at site A tells the router at site B that it's IP range is within 192.168.16.x and then the router at site B modifies its routing table to reflect this - and vice versa. However, this is just as assumption. Is that really how it works?

Furthermore, what happens if I add more branch offices? Say I'd like to establish a site to site connection between site C (192.168.18.x) and site A. Will machines at site C be able to reach machines at site B through site A? This would of course mean that site C must know about site D. Will I have to create custom routing policies for this, or is this also "automagically" taken care of?

sbrattla
  • 1,578
  • 4
  • 28
  • 52
  • What you're asking depends a lot on which technology is used. What kind of VPN connection is it? IPSec in itself doesn't fix everything for you, and routing is a thing you need to deal with. If there isn't a high layer of abstraction on top, site c and D probably don't know anything about site B, and will try their default route. However, you should be able to print the routing table on the routers, to figure out where it wants to send the traffic. – Kvisle Oct 15 '11 at 22:09
  • It is indeed IPSec connections. However, I can't really say anything about abstraction layers as the entire process of connecting and configuring routing is taken care of by the Zyxell boxes. – sbrattla Oct 16 '11 at 07:57

1 Answers1

2

I'm no routing expert but assuming the Zyxells are like the Drayteks I've been deploying, when you set up the VPN, you specify the remote LAN details and whether or not it should be a route in the local LAN. You do this on both sides so that both routers known about the other router.

When you add a 3rd site you have a choice of building a star shaped network (all VPNs terminate at a central point) or a mesh shaped network (all routers VPN to every other router). It would depend on your traffic patterns on which to build.

If you build a Mesh, it acts the same as your current setup, each router has static routes to every other router. If you build a star, you can usually specify all internal traffic to go to the hub of the star using a simple route, and then the central VPN server will have the individual routes to each other router.

You need to do a little reading about routing to get it all working perfectly, but in the star network I set up with Site A being the centre. Site A: 192.168.10.x / 255.255.255.0 Site B: 192.168.11.x / 255.255.255.0 Site C: 192.168.12.x / 255.255.255.0

Each site has the default Internet routes, as well as the following VPN routes. Site A Routes: 192.168.11.0 / 255.255.255.0 -> VPNB 192.168.12.0 / 255.255.255.0 -> VPNC

Site B Routes: 192.168.0.0 / 255.255.0.0 -> VPNA

Site C Routes: 192.168.0.0 / 255.255.0.0 -> VPNA

Dom
  • 741
  • 1
  • 8
  • 19
  • Yeah i think you are corrct because its all on the same vpn. what happens on a upper level is when you try connecting out side of ur class C subnet it has to go to the gateway and the gate way looks at the 3rd number block and knows that its real ip address is something like 1.2.3.4 and sends the request there under the vpn connection there for it gets resoved as if it came from a local ip. – WojonsTech Oct 16 '11 at 06:33
  • Thanks for your answer! It is a bit strange, but the routers have not asked me to provide any details about the network on the "other side". That is why I can't see how it figures out the routing. I did have to set up VPN policies, but on site A this just involved referring to the remote site with IP 0.0.0.0 and subnet 0.0.0.0. It just seems like the two routers tell each other about their IP address and new routes are created based on these addresses. Does that make sense at all? – sbrattla Oct 16 '11 at 07:51
  • @sbrattla Depends on the type of VPN and if you're using a PPTP style connection or IPSec style connection. With PPTP, one router connects to the other and gets assigned a local address from DHCP, so it knows all about the other network. But all your packets are encapsulated in PPP on top of everything else. With IPSec, the routers do not exchange DHCP info, you need to set this manually, but from my previous research IPSec with AES gets you the best encryption with the least overhead, so that's what I used. – Dom Oct 16 '11 at 23:50
  • The VPN tunnel is created with IPSec and AES, and it works great! I am certainly happy that it works, but it just puzzled me how the routing takes place. However, I have figured out that the Zywall routers most likely creates a new routing policy on each side when the connection is established so that traffic can flow between the two networks. I've settled with the thought that it must be some kind of Zyxell specific functionality which takes care of "automagically" creating the policies. – sbrattla Oct 17 '11 at 19:46