1. Manuals
  2. Brands
  3. Extreme Networks Manuals
  4. Network Accessory
  5. Sentriant AG200
  6. Installation manual

Extreme Networks AG200 Installation Manual page 22

Version 5.0
Hide thumbs Also See for AG200:
Table of Contents

Advertisement

Deployment Flexibility
Because a connecting VPN endpoint is not on the same subnet as Sentriant AG, all of the packets that
Sentriant AG sends (in response to HTTP requests from the endpoint) go to the router at 10.1.90.254, which
knows to send them (back through the Sentriant AG bridge) to the VPN concentrator for a next hop. For normal
communication (such as testing traffic) between Sentriant AG and an endpoint, this works fine, even if it seems a
bit inefficient.
However, when Sentriant AG redirects an HTTP connection, it first constructs an HTTP redirect with a source IP
address corresponding to the original destination of the connection.
For example:
1 The endpoint connects to the VPN, and the browser requests www.google.com.
2 Sentriant AG intercepts the packets addressed to google.com.
3 Sentriant AG constructs an HTTP redirection to the Sentriant AG IP, using packets which have a source IP
address of www.google.com.
4 Sentriant AG sends the constructed redirect to the VPN endpoint using the Sentriant AG default route.
Those packets go to the LAN side router, which in our scenario is configured with best-practices egress filtering.
The router treats those packets as errors (because they are marked with a source IP address that should not
emanate from that network segment) and drops them. This is why testing works when the endpoint connects
directly to emanate—the response packets still go to the LAN-side router, but it routes them appropriately because
they have a valid source address.
The solution is to add a static route to Sentriant AG so that it knows to send packets addressed to 10.1.105 via the
VPN concentrator instead of the LAN-side router, and it will redirect correctly.
You also want to make the static route addition permanent across reboots.
To add a permanent static route to the Sentriant AG server:
1 Log in as root to the Sentriant AG server using SSH or directly with a keyboard.
2 Open the following file with a text editor, such as vi.
/etc/rc.local
3 Add something like the following:
#
# explicit routes for VPN subnets should go to the VPN router,
# not the default gateway
#
/sbin/route add -net 10.1.105.0/24 gw 10.1.90.131
Where, for other network configurations or additional VPN profiles you need to add routes appropriate to the
subnet or subnets involved.
22
Sentriant AG Installation Guide, Version 5.0

Advertisement

Table of Contents
loading

Related Manuals for Extreme Networks AG200

Related Products for Extreme Networks AG200

This manual is also suitable for:

Sentriant ag

Table of Contents