A dynamic routing protocol daemon running on the security gateway can exchange routing information with a neighboring routing daemon running on the other end of an IPsec tunnel/connection.

An IPsec (or VPN) tunnel is a virtual interface on a security gateway associated with an existing VPN connection, and is used by IP routing as a point-to-point interface directly connected to a VPN peer gateway.

Outbound packets use the following routing process:

- An IP packet with destination address X is matched against the routing table
- The routing table indicates that IP address X should be routed through a point-to-point link, which is the VPN tunnel interface that is associated with peer gateway Y
- The VPN kernel intercepts the packet because it specifies the virtual tunnel interface
- The packet is encrypted using the proper IPsec authentication type parameters with peer gateway Y, and the new packet receives peer gateway Y's IP address as the destination IP
- Based on the new destination IP, the packet is rerouted to the physical interface according to the appropriate routing table entry for Y's address
Inbound packets use the following routing process:

- An IPsec packet arrives at the gateway from peer gateway Y
- The VPN kernel intercepts the packet on the physical interface
- The VPN kernel identifies the originating VPN peer gateway
- The VPN kernel decapsulates the packet, and extracts the original IP packet
- The VPN kernel detects that a VPN tunnel interface exists for the peer VPN gateway, and reroutes the packet from the physical interface to the associated VPN tunnel interface
- The packet enters the IP stack through the VPN tunnel interface
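The two processes above amount to a two-stage route lookup: the first lookup selects the tunnel interface, the second routes the encapsulated packet to the peer's address over a physical interface; inbound, the decapsulated packet is re-attributed to the tunnel interface before it reaches the IP stack. The following Python model is an added example, not code from the gateway vendor: the routing table, the `vti1`/`eth0` interface names, the peer address and the `GATEWAY_IP` value are all constructed. It also adds a reverse-path check on the decapsulated packet (a lookup of the inner source must return the same tunnel interface), which is a common anti-spoofing control but is not described on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (documentation ranges), not from the original text.
GATEWAY_IP = "198.51.100.2"            # this gateway's physical address
VTI_PEERS = {"vti1": "203.0.113.10"}   # tunnel interface -> peer gateway Y


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                     # "eth0" is physical, "vti1" is a VPN tunnel
    next_hop: Optional[str] = None


# Constructed routing table: the remote site is reached through the tunnel,
# everything else (including the peer gateway itself) goes out eth0.
ROUTES = [
    Route(ipaddress.ip_network("10.20.0.0/16"), "vti1"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "eth0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "198.51.100.1"),
]


def lookup(dst: str, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match of a destination against the routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_outbound(packet: dict) -> dict:
    """Outbound path: first lookup picks the interface; if it is a VTI, the packet
    is encapsulated towards the peer and the outer destination is looked up again."""
    first = lookup(packet["dst"])
    if first is None:
        raise ValueError("no route to destination")
    if first.interface not in VTI_PEERS:
        # Plain forwarding over a physical interface, no IPsec involved.
        return {"egress": first.interface, "encrypted": False, "outer_dst": packet["dst"]}
    peer = VTI_PEERS[first.interface]
    # Encryption itself is modelled only as an ESP envelope around the original packet.
    outer = {"src": GATEWAY_IP, "dst": peer, "proto": "ESP", "payload": packet}
    second = lookup(peer)
    if second is None or second.interface in VTI_PEERS:
        # The peer address must be reachable over a physical link, never through
        # another tunnel, or the packet would recurse instead of leaving the box.
        raise ValueError("peer gateway not reachable over a physical interface")
    return {"egress": second.interface, "encrypted": True,
            "outer_dst": outer["dst"], "tunnel": first.interface}


def route_inbound(frame: dict, ingress: str) -> dict:
    """Inbound path: identify the peer from the outer source, decapsulate, and hand
    the inner packet to the IP stack as if it arrived on the tunnel interface."""
    if frame.get("proto") != "ESP":
        return {"ingress": ingress, "packet": frame}
    tunnels = [t for t, p in VTI_PEERS.items() if p == frame["src"]]
    if not tunnels:
        raise ValueError("ESP from unknown peer, dropped")
    tunnel = tunnels[0]
    inner = frame["payload"]
    # Added reverse-path check (assumption, not from the page): the inner source must
    # itself route back through this tunnel, otherwise the peer is injecting spoofed
    # addresses into our routing domain.
    back = lookup(inner["src"])
    if back is None or back.interface != tunnel:
        raise ValueError("inner source does not belong to tunnel %s, dropped" % tunnel)
    return {"ingress": tunnel, "packet": inner}


if __name__ == "__main__":
    print(route_outbound({"src": "192.0.2.5", "dst": "10.20.1.5"}))
    esp = {"src": "203.0.113.10", "dst": GATEWAY_IP, "proto": "ESP",
           "payload": {"src": "10.20.3.3", "dst": "192.0.2.5"}}
    print(route_inbound(esp, "eth0"))
```

The point the model makes visible is that plaintext for the remote site never leaves on `eth0` directly: the first lookup only ever yields the tunnel interface, and the physical egress is chosen for the peer's address, so a routing daemon on the gateway can treat `vti1` like any other point-to-point link while the VPN kernel handles encapsulation.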