VPN Behavior

USMCGrunt

I have recently been put in charge of a network that spans a couple of different locations and uses Cisco WRVS4400N VPN-enabled routers to securely connect the sites. We are having intermittent net connection issues and, while trying to diagnose this, my superior and I are having a hard time concluding where and how traffic is being routed.

I am under the assumption that, when traffic is sent to the gateway matching one of the internal networks' IP addresses, it is sent through the VPN. If it does not, then it's sent out as regular web traffic. My boss believes all the traffic is being sent to a central site through the VPN, and then if it's not internal traffic it forwards out to the net from the central site.

As far as I've seen, there are no rules set up to specify traffic routing other than how to reach other internal networks. Does anybody know where I can find the VPN behavior on this router/tech or some software that will let me follow the traffic as it crosses the network?
 
Look for a 0.0.0.0/0 route. If it has the ISP gateway on the end it's going out locally and if it has the gateway IP of another remote gateway (private IP) then it's probably sending all traffic through the tunnel.
 
I checked all the VPN routes; it's five sites and each one has four tunnels set up, creating a full mesh topology...but there's nothing that points out to the internet for non-internal traffic. Because of this, I'm assuming that any traffic with a destination IP not matching the intranet's IP schemes will be routed through the internet outside of the VPN tunnels? I just need a way of collecting that evidence or a place I can find that this is the actual behavior.

I'll be honest Tee...I've been hired on to a position I have no reason holding....so there's lots of things I don't know, MPLS is one of them, lol.
 
Command prompt and tracert? It should show you the next hop that the router is forwarding to for different networks. Try a tracert to remote LANs and then to google.com and see what you find. I assume that you've already done this step, but I didn't see it listed, so...
 
By default on a site-to-site VPN (between routers) all Internet traffic is still routed out the local Internet circuit. Using a REMOTE default gateway is a feature of the higher-end VPN routers such as a SonicWall or Cisco. I don't believe the Linksys VPN router has that option.
 

I do believe this is one of the higher end small/medium business routers as the VPN tunnel uses that kind of naming structure (Local group, remote group, remote gateway).


So, the thing is, this is my first job working in the network world. I have my CCNA but that's about as far as my academic education goes. I'm in a position that I really have no reason having but my boss sees potential I guess so he's giving me a shot. With that in mind, anything that should be a "duh" in trying....probably isn't to me yet, lol.

When I attempted to do tracert on an internal, remote location vs. an external network, the internal address tracert only reported hitting the gateway, the remote gateway, then the device. When I tracert an external site like google, it shows the full path...which should answer my question, lol.....and I didn't bring that up to him either.

I understand what VPN is, but finding the technical underpinnings of it hasn't been that easy...most sites that return on a google search are likely nontechnical overviews of the technology. Really, the only question I have is what a router's behavior is when it receives traffic and it has VPN tunnels set up. What does it do when the traffic matches the remote destination IP of a tunnel, when it doesn't match, how to tell it to send all traffic through the VPN tunnel, how to tell it to send JUST specific traffic...if I sit here and think about it I could come up with some testing ideas, but I don't have any resources to actually test it out on...and I doubt this company would be happy with me using them as guinea pigs, lol.
 
The router uses routes. In this case, static routes. The tunnels are seen as interfaces so it just routes the traffic according to its table out the appropriate interface. A 0.0.0.0/0 route statement is used to route all other traffic.
 
In theory, as /usr said, the router just routes traffic between the networks that it knows about, and anything it doesn't know about gets sent out ITS gateway, its gateway being the ISP in this scenario. The way most entry-level VPN devices work is that they automatically create routes based on the protected subnets of the remote LANs in order to communicate through that tunnel. Higher-end devices will require routes to the immediate protected LANs as well as other subnets to be created manually.
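As an added illustration (not code from anyone in the thread) of what the two replies above describe: a longest-prefix-match lookup over a constructed route table for one site of the five-site mesh, first as a split-tunnel table whose default route goes to the ISP, then with the 0.0.0.0/0 route pointed at a private address on the far side of a tunnel, together with the "check the default route's next hop" test suggested earlier. All addresses, site names and interface names are made up.

```python
import ipaddress

# Constructed addresses: 10.x.0.0/24 are the five sites' LANs, 203.0.113.x the
# peers' public VPN endpoints, 198.51.100.1 the local ISP gateway.
SPLIT_TUNNEL = [
    ("10.1.0.0/24", None, "LAN"),                  # this site's own LAN
    ("10.2.0.0/24", "203.0.113.2", "tunnel-siteB"),
    ("10.3.0.0/24", "203.0.113.3", "tunnel-siteC"),
    ("10.4.0.0/24", "203.0.113.4", "tunnel-siteD"),
    ("10.5.0.0/24", "203.0.113.5", "tunnel-siteE"),
    ("0.0.0.0/0", "198.51.100.1", "WAN"),          # ISP gateway: Internet leaves locally
]

# Same site with a "remote default gateway": the default route now points at a
# private address across the site B tunnel, so all Internet traffic hairpins
# through site B instead of leaving on the local circuit.
FULL_TUNNEL = SPLIT_TUNNEL[:-1] + [("0.0.0.0/0", "10.2.0.1", "tunnel-siteB")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def default_route_mode(routes):
    """The check from the thread: is the 0.0.0.0/0 next hop the ISP or a private peer?"""
    for prefix, next_hop, _iface in routes:
        if prefix == "0.0.0.0/0":
            private = any(ipaddress.ip_address(next_hop) in n for n in RFC1918)
            return "full-tunnel" if private else "local-breakout"
    return "no-default-route"


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, default_route_mode(table))
        # a host on a remote LAN, then a constructed public Internet address
        for dst in ("10.3.0.7", "192.0.2.10"):
            print("  ", dst, "->", lookup(table, dst))
```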
 

That's pretty much what I thought was going on in my head...thanks for the clarification.
 