Thursday, August 13, 2020

What happens with connections inside and outside the VPN tunnel

Real articles are born from letters to Tucha technical support. For example, a client recently contacted us with a request to clarify what happens during connections inside the VPN tunnel between the user's office and the environment in the cloud, as well as when connecting outside the VPN tunnel. Therefore, all the text below is a real letter that we sent to one of the clients in response to his question. Of course, we changed the IP addresses so as not to de-anonymize the client. But, yes, Tucha technical support is really famous for its detailed answers and meaningful emails. :-)

So here we explain in detail what happens between the server in the cloud and the office when they are connected by a site-to-site VPN. Note that some of the services are available only from the office, and some from anywhere on the Internet.

Let's explain right away that our client wanted the 192.168.A.1 server to be reachable from anywhere via RDP by connecting to AAA2:13389, and its other services to be reachable only from the office (192.168.B.0/24), which is connected via VPN. The client also initially had it configured so that the 192.168.B.2 machine in the office could be reached via RDP from anywhere by connecting to BBB1:11111. We helped set up the IPsec connection between the cloud and the office, and the customer's IT specialist started asking questions about what would happen. To answer all these questions we wrote to him, in fact, everything you can read below.

Now let's look at these processes in more detail.

Case one

When something goes from 192.168.B.0/24 to 192.168.A.0/24 or from 192.168.A.0/24 to 192.168.B.0/24, it enters the VPN. That is, the packet is additionally encrypted and transmitted between BBB1 and AAA1, but 192.168.A.1 sees the packet as coming from 192.168.B.1. They can communicate with each other using any protocol. Replies travel back the same way over the VPN, which means that a packet from 192.168.A.1 to 192.168.B.1 will be sent as an ESP datagram from AAA1 to BBB1; the router on the other side will open it, extract that packet and hand it to 192.168.B.1 as a packet from 192.168.A.1.

Specific example:

1) 192.168.B.1 contacts 192.168.A.1, wanting to establish a TCP connection to 192.168.A.1:3389;

2) 192.168.B.1 sends a connection request from 192.168.B.1:55555 (the host chooses the source port itself; hereafter we use 55555 as an example of the port number the system picks when forming a TCP connection) to 192.168.A.1:3389;

3) the operating system running on the computer with address 192.168.B.1 decides to hand the packet to the router's gateway address (192.168.B.254 in our case), because it has no other, more specific route for 192.168.A.1, so it sends the packet along the default route (0.0.0.0/0);

4) to do this, it looks for the MAC address of 192.168.B.254 in its ARP cache table. If it is not there, it sends a broadcast who-has request from 192.168.B.1 to the 192.168.B.0/24 network. When 192.168.B.254 replies with its MAC address, the system sends the Ethernet frame to it and stores this information in its cache table;

5) the router accepts this packet and decides where to send it: it has a policy according to which all packets between 192.168.B.0/24 and 192.168.A.0/24 must be sent over the VPN connection between BBB1 and AAA1;

6) the router builds an ESP datagram from BBB1 to AAA1;

7) the router decides whom to send this packet to; it sends it to, say, BBB254 (the ISP's gateway), because it has no route to AAA1 more specific than 0.0.0.0/0;

8) in the same way as already described, it finds the MAC address for BBB254 and sends the packet to the ISP's gateway;

9) the ISPs carry the ESP datagram from BBB1 to AAA1 across their networks;

10) the virtual router on AAA1 receives this datagram, decrypts it and obtains a packet from 192.168.B.1:55555 to 192.168.A.1:3389;

11) the virtual router checks whom to send it to, finds the 192.168.A.0/24 network in its routing table and sends it directly to 192.168.A.1, since it has the 192.168.A.254/24 interface;

12) for this, the virtual router finds the MAC address for 192.168.A.1 and hands the packet to it over the virtual Ethernet network;

13) 192.168.A.1 receives this packet on port 3389, agrees to establish the connection and forms a reply packet from 192.168.A.1:3389 to 192.168.B.1:55555;

14) its system forwards this packet to the virtual router's gateway address (192.168.A.254 in our case), because it has no other, more specific route for 192.168.B.1, so it must send the packet along the default route (0.0.0.0/0);

15) as in the previous cases, the system running on the server with address 192.168.A.1 finds the MAC address of 192.168.A.254, since it is on the same network as its own interface 192.168.A.1/24;

16) the virtual router accepts this packet and decides where to send it: it has a policy according to which all packets between 192.168.A.0/24 and 192.168.B.0/24 must be sent over the VPN connection between AAA1 and BBB1;

17) the virtual router builds an ESP datagram from AAA1 to BBB1;

18) the virtual router decides whom to send this packet to and sends it to AAA254 (the Internet provider's gateway, which in this case is also us), because it has no route to BBB1 more specific than 0.0.0.0/0;

19) the ISPs carry the ESP datagram from AAA1 to BBB1 across their networks;

20) the router on BBB1 receives this datagram, decrypts it and obtains a packet from 192.168.A.1:3389 to 192.168.B.1:55555;

21) it understands that the packet must go directly to 192.168.B.1, since it is on the same network with it and therefore has a routing table entry that makes it send packets for all of 192.168.B.0/24 directly;

22) the router finds the MAC address for 192.168.B.1 and sends the packet to it;

23) the operating system on the computer with address 192.168.B.1 accepts the packet from 192.168.A.1:3389 to 192.168.B.1:55555 and continues with the next steps of establishing the TCP connection.

This example describes, rather concisely and in simplified form (many more details could be recalled here), what happens at layers 2-4. Layers 1 and 5-7 are not considered.
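The following is an added example, not code from the post or from Tucha, that models the hop-by-hop decisions described above: the longest-prefix route lookup that falls back to 0.0.0.0/0, the policy check that decides whether a packet belongs in the tunnel, ESP encapsulation with the public peer addresses in the outer header, and decapsulation on the far side that restores the original private addresses. The addresses are constructed stand-ins for the post's placeholders (192.168.20.0/24 for 192.168.B.0/24, 192.168.10.0/24 for 192.168.A.0/24, 203.0.113.1 for BBB1, 198.51.100.1 for AAA1); the routing tables and the IPsec policy are assumptions that reproduce the behaviour the post describes, not any real router's configuration. It goes slightly beyond the text by also tracing a packet that does not match the tunnel policy, to show that it leaves the router unencrypted.

```python
"""Hop-by-hop model of the TCP SYN from the office PC to the cloud server over
the site-to-site IPsec tunnel, and of the reply coming back.

Added example (not the post's or Tucha's code). Addresses are constructed
stand-ins; routing tables and the IPsec policy are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

OFFICE_PUBLIC, OFFICE_ISP_GW = "203.0.113.1", "203.0.113.254"   # BBB1, BBB254
CLOUD_PUBLIC, CLOUD_ISP_GW = "198.51.100.1", "198.51.100.254"   # AAA1, AAA254
OFFICE_LAN, CLOUD_LAN = "192.168.20.0/24", "192.168.10.0/24"   # B, A


@dataclass
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    esp: Optional["Packet"] = None   # set when this is an ESP datagram carrying an inner packet


@dataclass
class Device:
    name: str
    addrs: set                               # addresses the device owns on any interface
    routes: list                             # (prefix, next_hop); next_hop "direct" = on-link
    spd: list = field(default_factory=list)  # IPsec policy: (src_net, dst_net, local_peer, remote_peer)


def lookup_route(routes, dst):
    """Longest-prefix match over the routing table; 0.0.0.0/0 is the default route."""
    addr, best = ip_address(dst), None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def process(dev, pkt):
    """One device's handling of one packet: returns (action, next_hop, packet_out)."""
    if pkt.esp is not None and pkt.dst in dev.addrs:
        pkt = pkt.esp                      # ESP for us: decrypt and continue with the inner packet
    if pkt.esp is None and pkt.dst in dev.addrs:
        return "deliver", None, pkt        # plain packet for us: hand it to the local stack
    if pkt.esp is None:
        for src_net, dst_net, local, peer in dev.spd:   # policy check: does this traffic belong in the tunnel?
            if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
                pkt = Packet(src=local, dst=peer, esp=pkt)   # wrap in ESP: outer header carries the public peers
                break
    next_hop = lookup_route(dev.routes, pkt.dst)   # route on the (possibly outer) destination
    if next_hop is None:
        return "drop", None, pkt
    return "forward", (pkt.dst if next_hop == "direct" else next_hop), pkt


def build_network():
    """Constructed topology: office PC, office router, ISPs (collapsed to one hop), cloud router, server."""
    return {
        "pc_b1": Device("pc_b1", {"192.168.20.1"},
                        [(OFFICE_LAN, "direct"), ("0.0.0.0/0", "192.168.20.254")]),
        "office_router": Device("office_router", {"192.168.20.254", OFFICE_PUBLIC},
                                [(OFFICE_LAN, "direct"), ("203.0.113.0/24", "direct"), ("0.0.0.0/0", OFFICE_ISP_GW)],
                                [(OFFICE_LAN, CLOUD_LAN, OFFICE_PUBLIC, CLOUD_PUBLIC)]),
        "isp": Device("isp", {OFFICE_ISP_GW, CLOUD_ISP_GW},
                      [("203.0.113.0/24", "direct"), ("198.51.100.0/24", "direct")]),
        "cloud_router": Device("cloud_router", {"192.168.10.254", CLOUD_PUBLIC},
                               [(CLOUD_LAN, "direct"), ("198.51.100.0/24", "direct"), ("0.0.0.0/0", CLOUD_ISP_GW)],
                               [(CLOUD_LAN, OFFICE_LAN, CLOUD_PUBLIC, OFFICE_PUBLIC)]),
        "server_a1": Device("server_a1", {"192.168.10.1"},
                            [(CLOUD_LAN, "direct"), ("0.0.0.0/0", "192.168.10.254")]),
    }


def trace(net, start, pkt, max_hops=10):
    """Walk the packet from `start`; each hop records (device, action, src, dst, is_esp) of what it sends on."""
    hops, dev = [], net[start]
    for _ in range(max_hops):
        action, next_hop, pkt = process(dev, pkt)
        hops.append((dev.name, action, pkt.src, pkt.dst, pkt.esp is not None))
        if action != "forward":
            break
        dev = next(d for d in net.values() if next_hop in d.addrs)   # ARP/neighbour resolution, simplified
    return hops


NET = build_network()

if __name__ == "__main__":
    syn = Packet("192.168.20.1", "192.168.10.1", sport=55555, dport=3389)
    for hop in trace(NET, "pc_b1", syn):
        print(hop)
    reply = Packet("192.168.10.1", "192.168.20.1", sport=3389, dport=55555)
    for hop in trace(NET, "server_a1", reply):
        print(hop)
```

Running the script prints the two traces: the office router and the ISP hop carry 203.0.113.1 to 198.51.100.1 with the ESP flag set, while the hops before and after the tunnel carry the original 192.168.20.1 to 192.168.10.1 pair, exactly the "sees the packet from 192.168.B.1" property described above. The model keeps only the decisions that matter for the walkthrough: it does not simulate ARP, IKE negotiation or the inbound policy check a real IPsec stack applies to decapsulated traffic.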
