VPN network problems on multigateway infrastructures
Many people ask me about the VPN network problems they run into when their infrastructure has more than one gateway, so I decided to share some of my experience on this.
Let's take a simple scenario, shown in the sketch below.
Some VPN users connect (IPsec, L2TP, etc.) to your LAN and use some of your internal applications. The problem many of us have faced is that they can reach some servers but not others, or they can ping a server but the application on it still does not work the way it should. This can happen when the LAN has more than one gateway. For example, I have a FreePBX serving the internal LAN for VoIP, and that server's default gateway is 10.0.10.1. The internal DHCP server hands clients gateway 10.0.10.2. VPN clients that get their addresses from that DHCP scope will never be able to register their account on the PBX.
The reason is simple once you put it down on pen and paper...
The packet that leaves the VPN client carries the server's IP address as its destination, and it reaches the server because the VPN gateway knows how to forward it. The server's reply, however, is addressed to the VPN client's IP, and a server whose default gateway is not the one the VPN client came in through hands that reply to its own gateway (10.0.10.1 in the example). That gateway either has no route back to the VPN client address pool or, if it is a stateful firewall, drops the reply because it never saw the first packet of the connection. So the response leaves by another way, another gateway to be exact, and never makes it back to the client. This asymmetric path can also explain why ping may succeed while the application fails: the other gateway may route an ICMP echo reply back to the client yet drop TCP or UDP packets that belong to a connection it never saw the start of.
So if you want to avoid this, design your DHCP scopes (and the static gateway settings of your servers) around the gateways your application servers and your external clients actually use, so that replies return through the gateway the requests arrived on. The other standard remedy is to add a static route for the VPN client address pool, on the server or on its default gateway, pointing at the VPN gateway; longest-prefix matching then sends the replies back the way the requests came in.
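To make the asymmetric reply path concrete, here is a small routing simulation written for this post (it is not the author's code, nor anything from FreePBX). It models the sketch above, and the same mechanism applies to the Exchange/ISA case further down. Only the two gateway addresses 10.0.10.1 and 10.0.10.2 come from the post; the VPN pool 10.0.20.0/24, the client 10.0.20.7, the PBX 10.0.10.50, the route that 10.0.10.1 has back to the pool, and the stateful-firewall behaviour of 10.0.10.1 (ICMP passes, TCP needs a connection it has seen the SYN of) are assumptions. It traces a ping and a TCP handshake in both directions, first with the PBX using only its default gateway, then with a static route for the VPN pool added on the PBX.

```python
"""Toy routing simulation of the asymmetric reply path described above.

Constructed topology (only the gateway addresses 10.0.10.1 and 10.0.10.2 come
from the post; the VPN pool, the PBX address, the /24 masks, the route that
10.0.10.1 has back to the pool and its stateful-firewall behaviour are
assumptions made for this example):

  VPN client 10.0.20.7 --tunnel--> VPN gateway 10.0.10.2 --LAN--> PBX 10.0.10.50
  PBX default gateway: 10.0.10.1 (stateful firewall, never sees the VPN traffic)
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    syn: bool = False   # True for the first packet of a TCP connection


@dataclass
class Host:
    addr: str
    routes: list                     # (prefix, next hop); next hop None = directly connected
    stateful: bool = False           # forwards TCP only for connections whose SYN it saw
    flows: set = field(default_factory=set)

    def lookup(self, dst):
        """Longest-prefix match over the routing table, like a real forwarding table."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, via in self.routes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best

    def forwards(self, pkt):
        """Stateful-firewall check (assumption): ICMP passes, TCP needs state created by a SYN."""
        if not self.stateful or pkt.proto != "tcp":
            return True
        key = frozenset((pkt.src, pkt.dst))
        if pkt.syn:
            self.flows.add(key)
        return key in self.flows


def build_lan(pbx_extra_routes=()):
    """The four boxes from the sketch; pbx_extra_routes lets us add the fix on the PBX."""
    return {
        "client": Host("10.0.20.7", [("10.0.20.0/24", None), ("0.0.0.0/0", "10.0.10.2")]),
        "vpngw":  Host("10.0.10.2", [("10.0.20.0/24", None), ("10.0.10.0/24", None)]),
        "inetgw": Host("10.0.10.1", [("10.0.10.0/24", None), ("10.0.20.0/24", "10.0.10.2")],
                       stateful=True),
        "pbx":    Host("10.0.10.50", [("10.0.10.0/24", None), ("0.0.0.0/0", "10.0.10.1")]
                       + list(pbx_extra_routes)),
    }


def trace(hosts, pkt, start, max_hops=8):
    """Forward pkt hop by hop from `start`; returns the hosts visited plus a verdict."""
    by_addr = {h.addr: name for name, h in hosts.items()}
    path, cur = [start], start
    for _ in range(max_hops):
        host = hosts[cur]
        if host.addr == pkt.dst:
            return path + ["delivered"]
        if cur != start and not host.forwards(pkt):
            return path + ["dropped: no connection state on " + host.addr]
        route = host.lookup(pkt.dst)
        if route is None:
            return path + ["dropped: no route on " + host.addr]
        nxt = by_addr.get(route[1] or pkt.dst)
        if nxt is None:
            return path + ["dropped: next hop unreachable from " + host.addr]
        path.append(nxt)
        cur = nxt
    return path + ["dropped: hop limit"]


def run_scenario(fixed):
    """Ping and a TCP handshake between client and PBX, with or without the static route."""
    hosts = build_lan([("10.0.20.0/24", "10.0.10.2")] if fixed else [])
    client, pbx = hosts["client"].addr, hosts["pbx"].addr
    return {
        "echo":       trace(hosts, Packet(client, pbx, "icmp"), "client"),
        "echo_reply": trace(hosts, Packet(pbx, client, "icmp"), "pbx"),
        "syn":        trace(hosts, Packet(client, pbx, "tcp", syn=True), "client"),
        "syn_ack":    trace(hosts, Packet(pbx, client, "tcp"), "pbx"),
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("PBX with static route for the VPN pool:" if fixed else "PBX with default gateway only:")
        for name, path in run_scenario(fixed).items():
            print(f"  {name:10} {' -> '.join(path)}")
```

Without the static route the SYN reaches the PBX through 10.0.10.2, the echo reply wanders back via 10.0.10.1 and still arrives (so ping "works"), but the SYN-ACK is dropped at 10.0.10.1 because that box never saw the SYN. With the /24 route for the pool on the PBX, longest-prefix matching beats the default route and both replies go straight back through 10.0.10.2. On a real server the equivalent is a persistent static route for the VPN pool pointing at the VPN gateway; on the firewall side, a capture on each gateway showing requests on one and replies on the other is the quickest confirmation that this is what you are looking at.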
The same thing happens with an Exchange server whose default gateway is one ISA server but which is published through another ISA server: OWA/OMA/ActiveSync only work when the Exchange server's gateway is the ISA server that publishes its services.
A colleague and I discussed this and considered putting a second NIC in the server so that it has a leg on both gateways. Multiple gateways, though, can cause other problems that are not always visible right away: a host still has a single default route, so a second NIC by itself does not make replies leave through the interface the request arrived on unless you add the matching routes. From my point of view you should check your actual needs and infrastructure before going for such a solution.
Have a good day with fewer IT issues!