Skip to main content

 

Cisco Meraki Documentation

One-Armed VPN Concentrator Deployment Guide

  1. Last updated
  2. Save as PDF

When the MX is placed in passthrough mode, it can be set up as a one-armed VPN concentrator. In this configuration, the MX is placed on the LAN with a private IP address and is attached to the network with a single Ethernet cable to its Internet port. It does not perform NAT or DHCP for any downstream devices. Local IP packets get re-directed to the passthrough MX which then encapsulates them in IPsec (ESP) and forwards them off to the remote MX VPN endpoint.

In order to accomplish this redirection, a static route must be created on the default gateway of the local LAN; because the MX is in passthrough mode, an upstream router or L3 switch must check the destination IP to see if it matches a VPN peer's local subnet. If the IP address falls within this subnet, the device must route the packet to the one-armed concentrator which knows how to get to the remote peer via an IPsec tunnel.

When deploying a one-armed VPN concentrator to connect sites, it is necessary to avoid asymmetric routing. Asymmetric routing occurs when inbound and outbound packets follow different paths between a host and the peer with which it communicates, causing problems with stateful firewalls (which, by definition, track flows). For example, if a stateful firewall sees a TCP SYN, ACK for which it has not seen an initial TCP SYN, it considers the packet invalid and will block the rest of the attempted TCP session. The firewall may also block ICMP and UDP return traffic for the same reason. For more information regarding TCP connections, please read about the TCP three way handshake.

 

The example in below shows a Cisco ASA blocking a TCP SYN, ACK packet from a host because it never sees the initial TCP SYN:

Topology diagram showing the traffic flow described in the steps below. LaptopA has IP 10.0.0.2/24 and GW 10.0.0.1, and is connected to MX80-A. MX80-A has LAN interface IP 10.0.0.1/24 and is connected to the internet. The Cisco ASA is also connected to the internet. Its inside IP is 192.168.1.1/24 and has IP route for 10.0.0.0/24 to send to 192.168.1.2. MX80-B is connected to the ASA and has internet IP 192.168.1.2/24 and GW 192.168.1.1. LaptopB is connected to MX80-B and has IP 192.168.1.3/24 and GW 192.168.1.1.

  1. LaptopA sends a TCP SYN packet to LaptopB to establish an RDP session. The packet is sent to the LAN interface of MX80-A which is the default gateway for the subnet. The packet's source and destination are src: 10.0.0.2:5000 dst: 192.168.1.3:3389
  2. MX80-A receives the packet destined for LaptopB. The destination address of the packet is 192.168.1.3. This matches a VPN route for 192.168.1.0/24 subnet which is reachable through the IPsec peer MX80-B. The packet is encrypted and encapsulated in an IPsec datagram and sent to MX80-B which is located behind the ASA.
  3. The ASA receives the IPsec datagram from MX80-A on its outside interface. The traffic matches an existing UDP NAT entry for MX80-B. It translates the datagram and forwards it to 192.168.1.2 which is the real IP address of the MX80-B located on the LAN.
  4. MX80-B receives the IPsec datagram from MX80-A on its internet interface. The datagram is unencapsulated and decrypted. The real destination of the TCP packet is the LaptopB. Since they are both of the same subnet the packet is sent directly to LaptopB at 192.168.1.3.
  5. LaptopB receives the TCP SYN packet. It responds to the source of the packet 10.0.0.2 with a TCP SYN,ACK. This packet is sent to the ASA which is the default gateway for the LAN at 192.168.1.1. The packet source and destination is now src: 192.168.1.3:3389 dst: 10.0.0.2:5000.
  6. The Cisco ASA receives the TCP SYN,ACK from LaptopB on its inside interface. A static route on the ASA specifies the subnet for LaptopA is reachable via MX80-B. However, the ASA is an intelligent security appliance. Because the ASA never saw the TCP SYN from LaptopA, the packet does not match an existing traffic flow so the TCP session is blocked.

The solution to the problem detailed above is to create a separate network segment, for the stateful firewall and one-arm concentrator to communicate. In this solution the send and receive packets between hosts always flow through the stateful firewall because they must traverse a Layer 3 (IP) boundary in order to provide end to end communication.

In the diagram below, VLANs are used to segment the network such that the ASA and one-arm concentrator communicate on a separate subnet than the hosts on each remote VPN endpoint. This ensures the ASA sees traffic flows between hosts in both directions:

Topology diagram showing the traffic flow described in the steps below. LaptopA has IP 10.0.0.2/24 and GW 10.0.0.1, and is connected to the Routed mode MX. The Routed mode MX has an IPsec tunnel over the internet through a Cisco ASA to a concentrator MX. The Cisco ASA is also connected to the internet. Its VLAN 1 IP is 172.16.1.1/24, and its VLAN 2 IP is 192.168.1.1/24 and has IP route for 10.0.0.0/24 to send to 172.16.1.2. an MS22 is connected to the Cisco ASA. The concentrator MX is connected to the MS22 with Internet IP 172.16.1.2/24 and GW 172.16.1.1. LaptopB is also connected to the MS 22 and has IP 192.168.1.3/24 and GW 192.168.1.1.

  1. LaptopA sends a TCP SYN packet to LaptopB to establish an RDP session. The packet is sent to the LAN interface of MX80-A which is the default gateway for the subnet. The packet's source and destination are src: 10.0.0.2:5000 dst: 192.168.1.3:3389
  2. MX80-A receives the packet destined for LaptopB. The destination address of the packet is 192.168.1.3. This matches a VPN route for 192.168.1.0/24 subnet which is reachable through the IPsec peer MX80-B. The packet is encrypted and encapsulated in an IPsec datagram and sent to MX80-B which is located behind the ASA.
  3. The ASA receives the IPsec datagram from MX80-A on its outside interface. The traffic matches an existing UDP NAT entry for MX80-B. It translates the datagram and forwards it to 172.16.1.2 which is the real IP address of the MX80-B on VLAN 1.
  4. MX80-B receives the IPsec datagram from MX80-A on its internet interface. The datagram is unencapsulated and decrypted. The real destination of the TCP packet is the LaptopB. Since LaptopB is on another subnet the packet is sent to its default gateway which is the ASA at IP address 172.16.1.1.
  5. The ASA receives the TCP SYN packet from LaptopA on its VLAN 1 interface.
  6. LaptopB receives the TCP SYN packet from LaptopA. It responds to the source of the packet 10.0.0.2 with a TCP SYN,ACK. This packet is sent to the ASA at 192.168.1.1 which is the default gateway for the subnet
  7. The Cisco ASA receives the TCP SYN,ACK from LaptopB on its inside interface. The packet matches an existing traffic flow. The destination matches a static route specifying 10.0.0.0/24 is reachable via 172.16.1.2 which is the IP address of MX80B for VLAN 1. So the ASA forwards the packet to that IP address.
  8. MX80-B receives the TCP SYN,ACK from Laptop B on its internet interface. The datagram is unencapsulated and decrypted. The real destination of the TCP packet is the LaptopB. Since LaptopB is on another subnet the packet is sent to its default gateway which is the ASA at IP address 172.16.1.1.
  9. The ASA receives the IPsec datagram from MX80-B destined for MX80-A. It sends this out its outside interface onto the internet.
  10. MX80-A receives the IPsec datagram from MX80-B on its internet interface. It unencrypts and unencapsulates the datagram. The TCP packet inside is destined for LaptopA. LaptopA is on the same subnet so the MX80-A forwards the TCP SYN.ACK directly to the Laptop.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Reference
    Stage
    Final
  2. Tags
    1. vpn concentrator