Re: IPsec with ambiguous routing
From: "David Howe" <DaveHowe () gmx co uk>
Date: Wed, 12 Feb 2003 19:41:25 -0000
On Wednesday, February 12, 2003, at 10:40 AM, David Wilburn wrote:
> With such ambiguous routing, is my understanding correct that the
> response traffic could potentially bypass the VPN concentrator
> altogether and travel to the destination unencrypted?
I had exactly this problem. Consider the situation where site A and
site B are branches of the same company, each with its own internet
gateway, and site B has resources site A must (due to head office edict)
use. Now consider VPN users of site A, who must use resources from site
B. Not only is it likely that replies go via the site B gateway, but it
is impossible for them *not* to - to the extent that, as site B's
firewall sensibly doesn't allow outbound packets to random destinations,
no replies are ever received at all.
The solution was fairly simple: inbound VPN users are transparently
NATted to a block of addresses in the site A range, and therefore
replies, looking as they do to be sourced from site A, are returned to
the firewall at site A for VPN encapsulation and dispatch.
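The routing behaviour described in this reply, as an added example that is not part of the original post: a small simulation of site B's routing table, first with a VPN client answered on its raw pool address and then with the transparent NAT to a block inside site A's range. The address ranges (10.1.0.0/16 for site A, 10.2.0.0/16 for site B, a 192.168.100.0/24 VPN pool, a 10.1.250.0/24 NAT block), the next-hop names and the egress policy are constructed assumptions, not the poster's configuration.

```python
import ipaddress

# Assumed address plan (constructed for this example).
SITE_A_LAN = ipaddress.ip_network("10.1.0.0/16")
SITE_B_LAN = ipaddress.ip_network("10.2.0.0/16")
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")  # addresses handed to site A's VPN clients
NAT_POOL = ipaddress.ip_network("10.1.250.0/24")     # spare block inside site A's range, used for the fix
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Site B's routing table (assumed).  Site B only knows site A's own range, reached over the
# site-to-site tunnel; everything else follows the default route to B's internet gateway.
SITE_B_ROUTES = [
    (SITE_B_LAN, "local"),
    (SITE_A_LAN, "tunnel-to-site-A"),
    (DEFAULT, "internet-gateway-B"),
]


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next hop) pairs."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes:
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def snat(client_ip):
    """Transparent 1:1 NAT at site A's concentrator: VPN pool -> NAT pool, same host offset."""
    client_ip = ipaddress.ip_address(client_ip)
    if client_ip not in VPN_POOL:
        raise ValueError("not a VPN client address")
    return str(NAT_POOL[int(client_ip) - int(VPN_POOL[0])])


def unsnat(nat_ip):
    """Reverse mapping applied at site A to replies, before VPN encapsulation."""
    nat_ip = ipaddress.ip_address(nat_ip)
    if nat_ip not in NAT_POOL:
        raise ValueError("not a NAT pool address")
    return str(VPN_POOL[int(nat_ip) - int(NAT_POOL[0])])


def reply_path(client_ip, nat=False):
    """Follow a server at site B answering a VPN client that came in through site A.

    Returns (source address the server sees, next hop site B picks for the reply,
    outcome).  Without NAT the reply never matches site A's route; site B's firewall
    drops it if the pool is private (the poster's case) or, if the pool were publicly
    routable, sends it out unencrypted via B's own gateway (the bypass the question
    asks about).  With NAT the reply is addressed into site A's range and takes the tunnel.
    """
    seen_src = snat(client_ip) if nat else client_ip
    hop = lookup(SITE_B_ROUTES, seen_src)
    if hop == "tunnel-to-site-A":
        outcome = "delivered-via-tunnel"
    elif hop == "internet-gateway-B" and ipaddress.ip_address(seen_src).is_private:
        outcome = "dropped-by-site-B-firewall"   # assumed policy: no private destinations outbound
    else:
        outcome = "leaked-unencrypted-to-internet"
    return seen_src, hop, outcome


if __name__ == "__main__":
    for nat in (False, True):
        seen, hop, outcome = reply_path("192.168.100.5", nat=nat)
        print(f"nat={nat}: server sees {seen}, reply via {hop}: {outcome}")
        if nat:
            print(f"  site A un-NATs {seen} -> {unsnat(seen)} and encapsulates for the client")
```

The fix works only because the NAT block is carved out of a range site B already routes back to site A; a NAT pool outside that range would reproduce the original problem with different numbers. The reverse mapping at site A also has to be stateless or keyed on the same translation the concentrator used, which is why a fixed 1:1 block is simpler than an overloaded pool here.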