LAN-to-LAN Routing
In LAN-to-LAN VPN implementations, VPN Concentrators
typically connect to the public network through a perimeter router, which then
routes the data traffic through additional routers to the destination
Concentrator. Except for small corporate networks, the Concentrator is also
connected to the private network through a router.
To share routing information actively with neighbor devices, the
VPN Concentrator includes an IP routing subsystem supporting static routing, as
well as RIP and OSPF routing protocols. The routing subsystem uses the following
order of precedence in selecting routes:
- Learned routes (RIP and OSPF)
- Static routes
- Default gateway (default static route)
Without a configured default gateway, packets without specific
entries in the route table are dropped. The default gateway provides a path of
last resort for packets with unrecognized network addresses. The Concentrator
has a separate tunnel default gateway for tunneled traffic only.
The Configuration | System | IP Routing screen is used to configure the
following system-wide IP routing options:
- Static Routes—Manually configured routing table entries.
- Default Gateways—Route of last resort for otherwise unroutable traffic.
- OSPF—Open Shortest Path First routing protocol.
- OSPF Areas—Define OSPF areas within the OSPF domain.
- DHCP—Define global parameters for DHCP Proxy and DHCP relay.
- Redundancy—Define Virtual Router Redundancy Protocol (VRRP) parameters.
- Reverse Route Injection—Define reverse route injection (RRI) global parameters.
Adding and modifying static routes was covered in Chapter 14. This
section discusses some of the other choices.
Default Gateways
Use the Configuration | System | IP Routing | Default
Gateways screen, as shown in Figure 16-19, to define the default gateway for IP
routing for non-VPN traffic, as well as to define the tunnel default gateway for
VPN traffic.
The Default Gateway address box would
typically be the IP address on the public network of the near-side interface of
the perimeter router. This address can’t be the same as any VPN Concentrator
interface.
The Tunnel Default Gateway address box would
typically be a firewall in parallel with the VPN Concentrator, and between the
public and private networks. The tunnel default gateway applies to all tunneled
traffic, including IPSec LAN-to-LAN traffic. If an external device other than
the VPN Concentrator is performing NAT, then the tunnel default gateway must be
configured.
Check the Override Default Gateway option box to allow
default gateways learned via RIP or OSPF to override the configured default
gateway.
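As an added example (not code from the book), the route-selection order described above, the separate tunnel default gateway, and the Override Default Gateway option are modelled in a small Python routing table; the class, its method names, the sample addresses, and the longest-prefix tie-break within a single route source are assumptions.

```python
from ipaddress import ip_address, ip_network

PRECEDENCE = {"rip": 0, "ospf": 0, "static": 1}  # page's order: learned, then static, then default gateway

class RoutingTable:
    def __init__(self, interfaces, default_gateway=None, tunnel_default_gateway=None,
                 override_default_gateway=False):
        # The default gateway may not be the address of any Concentrator interface.
        if default_gateway is not None and default_gateway in interfaces:
            raise ValueError("default gateway cannot equal a Concentrator interface address")
        self.routes = []  # (network, next_hop, precedence rank)
        self.default_gateway = default_gateway
        self.tunnel_default_gateway = tunnel_default_gateway
        self.override_default_gateway = override_default_gateway

    def add(self, prefix, next_hop, source):
        net = ip_network(prefix)
        if source == "static" and net.prefixlen == 0:
            raise ValueError("configure the static default route as default_gateway")
        self.routes.append((net, next_hop, PRECEDENCE[source]))

    def lookup(self, dst, tunneled=False):
        # Returns (next_hop, reason); next_hop is None when the packet is dropped.
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        specific = [r for r in matches if r[0].prefixlen > 0]
        if specific:
            # Learned beats static; within one source the longest prefix wins (assumption).
            net, hop, rank = min(specific, key=lambda r: (r[2], -r[0].prefixlen))
            return hop, "learned" if rank == 0 else "static"
        if tunneled and self.tunnel_default_gateway:
            return self.tunnel_default_gateway, "tunnel-default-gateway"
        # A 0.0.0.0/0 learned via RIP/OSPF is a learned default gateway; it replaces the
        # configured one only when Override Default Gateway is checked.
        learned_default = [r for r in matches if r[0].prefixlen == 0]
        if self.override_default_gateway and learned_default:
            return learned_default[0][1], "learned-default-gateway"
        if self.default_gateway:
            return self.default_gateway, "default-gateway"
        return None, "drop"

def demo():
    # Constructed sample configuration: public interface 192.0.2.10, private 10.0.0.1.
    rt = RoutingTable(interfaces={"192.0.2.10", "10.0.0.1"},
                      default_gateway="192.0.2.1", tunnel_default_gateway="192.0.2.2")
    rt.add("10.1.0.0/16", "10.0.0.2", "static")
    rt.add("10.1.0.0/16", "10.0.0.3", "ospf")  # same prefix learned via OSPF wins
    rt.add("0.0.0.0/0", "192.0.2.9", "rip")  # learned default, unused unless override is set
    return {"learned_wins": rt.lookup("10.1.4.4"),
            "tunneled": rt.lookup("203.0.113.5", tunneled=True),
            "clear": rt.lookup("203.0.113.5")}
```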
Reverse Route Injection
Reverse route injection (RRI) is a feature that allows the
VPN Concentrator to add static routes to its routing table, and then to share
these routes with routers connected to the private and/or public network using
OSPF or RIP. Use the Configuration | System | IP Routing | Reverse Route
Injection screen, as shown in Figure 16-20, to configure RRI features. RRI options
vary with the type of VPN connection:
- LAN-to-LAN connections—Use the Configuration | System | Tunneling Protocols |
  IPSec LAN-to-LAN | Add or Modify screen covered earlier in this chapter.
- VPN Software Clients or VPN 3002 Hardware Clients using Client (PAT) mode:
  - Individual remote access clients—enable the Client Reverse Route Injection option.
  - Group remote access clients—add an entry in the Address Pool Hold Down Routes box.
- VPN 3002 Hardware Clients using Network Extension mode (NEM)—enable the Network
  Extension Reverse Route Injection option.
Figure 16-20: RRI configuration screen
Advertising the Routes Locally
If you don't want the VPN Concentrator to advertise learned routes to the
private network, disable routing on the private interface. To advertise the
learned routes to the private network, enable OSPF or RIP on the Concentrator
private interface using the RIP or OSPF tab of the Configuration | Interfaces |
Ethernet 1 2 3 screen. Figure 16-21 shows the RIP configuration screen. Notice
OSPF is another tab on the same screen.
Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) provides automatic
switchover (failover) from one VPN Concentrator to another in a redundant
Concentrator installation. This feature ensures users have access to the VPN,
even if the primary VPN Concentrator is out of service. VRRP requires two or
more VPN Concentrators be in parallel, where one VPN Concentrator is the master
system and all others are backup systems. The backup device remains idle unless
the active VPN Concentrator fails, so the backup device can’t be configured to
enable load balancing.
VRRP supports user access via IPSec LAN-to-LAN connections, IPSec
client (single-user remote-access) connections, and PPTP client connections.
- IPSec LAN-to-LAN—Switchover is fully automatic and typically takes three to
  ten seconds.
- Single-User IPSec and PPTP—Users are disconnected from the failed device, but
  they can reconnect without changing any settings.
Before configuring or enabling VRRP:
- All Ethernet interfaces that apply to the installation on all redundant VPN
  Concentrators must be configured. Use the Configuration | Interfaces screens.
  VRRP can't be used if the VPN Concentrator interfaces are configured as DHCP
  clients. Use static IP addressing with VRRP.
- Identical IPSec LAN-to-LAN parameters must be configured on the redundant VPN
  Concentrators. Use the Configuration | System | Tunneling Protocols | IPSec
  LAN-to-LAN screens.
Interface Failures
If either the public or private interface on the master
system goes down in a VRRP implementation, the other interfaces shut down
automatically, triggering the backup VPN device to take over. The backup VPN
device monitors VRRP messages from the master system on both the public and
private interfaces. If the backup VPN device stops receiving the messages from
the master system, the backup will automatically take over the master system
responsibilities.
The VPN Concentrators monitor the interface connections at
the link level, so some types of failure might not be detected. If a router or
switch fails on a network connecting the master and backup units, the master
unit might not detect the failure at the link level. As long as the link layer
remains up, the master doesn’t detect the interface as “down” and, therefore,
doesn’t stop sending VRRP messages to the backup device on all its interfaces.
Because the backup device still hears VRRP messages on at least one interface,
it doesn’t take over as the master.
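The detection gap just described, as an added Python simulation (not from the book) of the backup unit's decision: it replays two constructed advertisement traces, one where an upstream switch fails while the master's links stay up and one where the master's own interface goes down; the class, the trace contents, and the 3-second dead interval are assumptions.

```python
# Constructed advertisement traces as the backup unit sees them: (seconds, interface).
# Trace A: at t=10 the switch on the private LAN fails. The master's private link stays
# up, so it keeps advertising on both interfaces, but only the public ones reach the backup.
TRACE_SWITCH_FAILURE = ([(t, "public") for t in range(0, 31)]
                        + [(t, "private") for t in range(0, 11)])
# Trace B: at t=10 the master's private interface goes down; the master shuts its other
# interfaces too, so advertisements stop on every interface.
TRACE_INTERFACE_DOWN = [(t, i) for t in range(0, 11) for i in ("public", "private")]

class BackupMonitor:
    """Backup VRRP unit: remembers the last master advertisement heard per interface."""

    def __init__(self, interfaces, dead_interval=3.0):
        self.interfaces = tuple(interfaces)
        self.dead_interval = dead_interval  # assumed timeout; the page gives 3-10 s switchover
        self.last_heard = {i: None for i in self.interfaces}

    def heard(self, t, iface):
        self.last_heard[iface] = t

    def silent_interfaces(self, now):
        return [i for i in self.interfaces
                if self.last_heard[i] is None or now - self.last_heard[i] > self.dead_interval]

    def should_take_over(self, now):
        # Takeover needs silence on every interface: one interface still hearing the
        # master keeps the backup idle even though the other path is broken.
        return len(self.silent_interfaces(now)) == len(self.interfaces)

def run(trace, now, dead_interval=3.0):
    """Replay advertisements up to `now`; return (take_over, silent interfaces)."""
    mon = BackupMonitor(("public", "private"), dead_interval)
    for t, iface in sorted(trace):
        if t <= now:
            mon.heard(t, iface)
    return mon.should_take_over(now), mon.silent_interfaces(now)
```

Trace A leaves the private side unreachable without any failover, which is the case the text warns about; trace B triggers takeover once the dead interval passes on both interfaces.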
Spanning-Tree Issue
A second issue pertains to the delay (45+ seconds)
Spanning-Tree Protocol (STP) introduces when a switch interface changes from
down to up status. Enable the Portfast feature on STP-enabled switch ports that
are connected to a VRRP implementation. This reduces the delay to 15
seconds.
Configuring VRRP
Use the Configuration | System | IP Routing | Redundancy
screen to configure the VRRP parameters, as shown in Figure 16-22.