
One-Armed VPN Concentrator Deployment Guide


When the MX is placed in passthrough mode, it can be set up as a one-armed VPN concentrator. In this configuration the MX sits on the LAN with a private IP address and attaches to the network through a single Ethernet cable on its Internet port. It does not perform NAT or DHCP for any downstream devices. Local IP packets are redirected to the passthrough MX, which encapsulates them in IPsec (ESP) and forwards them to the remote MX VPN endpoint.

To accomplish this redirection, a static route must be created on the default gateway of the local LAN. Because the MX is in passthrough mode, an upstream router or L3 switch must check each packet's destination IP against the VPN peer's local subnet; if the address falls within that subnet, the device routes the packet to the one-armed concentrator, which reaches the remote peer over the IPsec tunnel.

When deploying a one-armed VPN concentrator to connect sites, asymmetric routing must be avoided. Asymmetric routing occurs when inbound and outbound packets follow different paths between a host and the peer it communicates with, which breaks stateful firewalls (which, by definition, track flows). For example, if a stateful firewall sees a TCP SYN-ACK for which it has not seen the initial TCP SYN, it considers the packet invalid and blocks the rest of the attempted TCP session. The firewall may also block ICMP and UDP return traffic for the same reason. For more information on TCP connections, read about the TCP three-way handshake.


The example below shows a Cisco ASA blocking a TCP SYN-ACK packet from a host because it never saw the initial TCP SYN:

[Figure: Cisco ASA log showing the blocked TCP SYN-ACK packet]


The solution to the problem described above is to create a separate network segment on which the stateful firewall and the one-arm concentrator communicate. With this design, packets sent and received between hosts always flow through the stateful firewall, because they must cross a Layer 3 (IP) boundary to achieve end-to-end communication.

In the diagram below, VLANs are used to segment the network so that the ASA and the one-arm concentrator communicate on a different subnet from the hosts at each remote VPN endpoint. This ensures the ASA sees the traffic flows between hosts in both directions:

[Figure: VLAN-segmented topology with the ASA and one-arm concentrator on their own subnet]
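The following added example (not code from the article or from Meraki) models the two layouts above and runs a remote-initiated TCP handshake through a minimal flow tracker standing in for the ASA. The addresses, device names and subnets are constructed assumptions: local LAN 10.0.1.0/24 with the ASA as default gateway, remote VPN subnet 10.0.2.0/24 reached through the one-armed MX, and a static route on the ASA pointing the remote subnet at the MX.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not values from the article).
LOCAL_LAN = ip_network("10.0.1.0/24")
HOST, ASA, MX, REMOTE = "10.0.1.10", "10.0.1.1", "10.0.1.2", "10.0.2.10"

def hops(src, dst, mx_on_host_vlan):
    """Devices a packet passes through between the IPsec tunnel and the host."""
    if ip_address(dst) in LOCAL_LAN:
        # Return traffic: the MX decapsulates ESP and delivers the packet.
        # On the host VLAN it hands it straight to the host; on its own
        # segment it must forward to its gateway, the ASA.
        return [MX] if mx_on_host_vlan else [MX, ASA]
    # Outbound: the host uses its default gateway (ASA); the ASA's static
    # route for the remote subnet points at the MX, which encapsulates.
    return [ASA, MX]

class StatefulFirewall:
    """Minimal TCP flow tracker: a SYN opens a flow; any other segment
    must match an existing flow in either direction or is dropped."""
    def __init__(self):
        self.flows = set()

    def permit(self, src, dst, flags):
        if flags == "SYN":
            self.flows.add((src, dst))
            return True
        return (src, dst) in self.flows or (dst, src) in self.flows

def tcp_handshake(mx_on_host_vlan):
    """Run a remote-initiated three-way handshake; return (ok, trace)."""
    fw, trace = StatefulFirewall(), []
    packets = [(REMOTE, HOST, "SYN"), (HOST, REMOTE, "SYN-ACK"), (REMOTE, HOST, "ACK")]
    for src, dst, flags in packets:
        path = hops(src, dst, mx_on_host_vlan)
        if ASA in path and not fw.permit(src, dst, flags):
            trace.append(f"{flags} {src}->{dst}: dropped by ASA, no matching flow")
            return False, trace
        trace.append(f"{flags} {src}->{dst} via {' > '.join(path)}")
    return True, trace

if __name__ == "__main__":
    for on_host_vlan in (True, False):
        ok, trace = tcp_handshake(on_host_vlan)
        layout = "MX on host VLAN" if on_host_vlan else "MX on its own segment"
        print(f"{layout}: {'OK' if ok else 'BROKEN'}")
        print("\n".join("  " + line for line in trace))
```

With the MX on the host VLAN the inbound SYN bypasses the ASA, so the host's SYN-ACK is the first segment the ASA sees and it is dropped; on a separate segment both directions cross the ASA and the handshake completes.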

Article ID: 1358