Site to site VPN : how does the routing work

Tags: routing, site-to-site-vpn, vpn

I've established a site to site VPN with two Zyxel routers. Site A (LAN: 192.168.16.x) is the main office, and site B (LAN: 192.168.17.x) is a branch office. Both sites are able to reach each other, and things work as they should.

Now, what I don't really understand is how it really works!

How does the router at site A know that requests going to 192.168.17.x should go to site B? I'm thinking that, upon establishing the connection, the router at site A tells the router at site B that its IP range is within 192.168.16.x and then the router at site B modifies its routing table to reflect this, and vice versa. However, this is just an assumption. Is that really how it works?

Furthermore, what happens if I add more branch offices? Say I'd like to establish a site to site connection between site C (192.168.18.x) and site A. Will machines at site C be able to reach machines at site B through site A? This would of course mean that site C must know about site D. Will I have to create custom routing policies for this, or is this also "automagically" taken care of?

Best Answer

I'm no routing expert, but assuming the Zyxels are like the Drayteks I've been deploying, when you set up the VPN you specify the remote LAN details and whether or not it should be a route in the local LAN. You do this on both sides so that both routers know about the other router.

When you add a 3rd site you have a choice of building a star shaped network (all VPNs terminate at a central point) or a mesh shaped network (all routers VPN to every other router). Which one to build would depend on your traffic patterns.

If you build a mesh, it acts the same as your current setup: each router has static routes to every other router. If you build a star, you can usually specify all internal traffic to go to the hub of the star using a simple route, and then the central VPN server will have the individual routes to each other router.

You need to do a little reading about routing to get it all working perfectly, but in the star network I set up, Site A was the centre:

Site A: 192.168.10.x / 255.255.255.0
Site B: 192.168.11.x / 255.255.255.0
Site C: 192.168.12.x / 255.255.255.0

Each site has the default Internet routes, as well as the following VPN routes.

Site A Routes:
192.168.11.0 / 255.255.255.0 -> VPNB
192.168.12.0 / 255.255.255.0 -> VPNC

Site B Routes: 192.168.0.0 / 255.255.0.0 -> VPNA

Site C Routes: 192.168.0.0 / 255.255.0.0 -> VPNA
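To see why the hub-and-spoke tables in the answer let site C reach site B through A, and why the broad 192.168.0.0/16 summary at a spoke does not swallow that spoke's own LAN, here is an added example (not from the answer or from any Zyxel/Draytek firmware) that simulates longest-prefix-match forwarding over the constructed tables above; the tunnel names VPNA/VPNB/VPNC and the "local"/"internet" next hops are assumptions for the simulation.

```python
import ipaddress

# Constructed routing tables mirroring the star topology in the answer
# (hub at site A, spokes B and C). Each entry is (prefix, next hop).
# Connected LANs are listed so that longest-prefix match prefers them
# over the /16 summary that points at the hub.
ROUTES = {
    "A": [("192.168.10.0/24", "local"),
          ("192.168.11.0/24", "VPNB"),
          ("192.168.12.0/24", "VPNC"),
          ("0.0.0.0/0", "internet")],
    "B": [("192.168.11.0/24", "local"),
          ("192.168.0.0/16", "VPNA"),
          ("0.0.0.0/0", "internet")],
    "C": [("192.168.12.0/24", "local"),
          ("192.168.0.0/16", "VPNA"),
          ("0.0.0.0/0", "internet")],
}

# Assumed naming: tunnel VPNx terminates at site x.
TUNNEL_TO_SITE = {"VPNA": "A", "VPNB": "B", "VPNC": "C"}

def lookup(site, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in ROUTES[site]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1]

def trace(src_site, dst, max_hops=8):
    """Follow next hops from site to site until the packet is delivered
    locally, leaves via the default route, or loops."""
    path = [src_site]
    site = src_site
    for _ in range(max_hops):
        hop = lookup(site, dst)
        if hop in ("local", "internet"):
            return path, hop
        site = TUNNEL_TO_SITE[hop]
        path.append(site)
    return path, "loop"

if __name__ == "__main__":
    print(trace("C", "192.168.11.5"))   # C -> A -> B, delivered at B
    print(trace("B", "192.168.11.7"))   # stays at B: the /24 beats the /16
    print(trace("B", "192.168.99.1"))   # unknown 192.168.x.x: B sends it to A,
                                        # which only has its default route left
```

The last trace shows a side effect of the spoke summary route: any 192.168.x.x address with no specific route ends up at the hub and falls through to its default route, so in practice the hub benefits from a route that discards traffic for unassigned parts of the summary.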
