One-Armed VPN Concentrator Deployment Guide
When the MX is placed in passthrough mode, it can be set up as a one-armed VPN concentrator. In this configuration the MX sits on the LAN with a private IP address and is connected to the network by a single Ethernet cable on its Internet port. It does not perform NAT or DHCP for any downstream devices. Local IP packets destined for a remote site are redirected to the passthrough MX, which encapsulates them in IPsec (ESP) and forwards them to the remote MX VPN endpoint.
To accomplish this redirection, a static route must be created on the default gateway of the local LAN. Because the MX is in passthrough mode, the upstream router or L3 switch must check whether a packet's destination IP falls within a VPN peer's local subnet; if it does, the device routes the packet to the one-armed concentrator, which reaches the remote peer over its IPsec tunnel.
When deploying a one-armed VPN concentrator to connect sites, it is necessary to avoid asymmetric routing. Asymmetric routing occurs when the inbound and outbound packets of a conversation follow different paths between a host and the peer it communicates with. This breaks stateful firewalls, which by definition track flows: if a stateful firewall sees a TCP SYN/ACK for which it has not seen the initial TCP SYN, it treats the packet as invalid and blocks the rest of that TCP session. The firewall may also block ICMP and UDP return traffic for the same reason. For more information regarding TCP connections, please read about the TCP three-way handshake.
The example below shows a Cisco ASA blocking a TCP SYN/ACK packet from a host because it never saw the initial TCP SYN. This happens when the concentrator shares a subnet with the hosts: a packet arriving from the tunnel is delivered by the MX directly to the host on the shared segment, while the host's reply goes to its default gateway, the ASA, which has no record of the flow:
The solution to the problem detailed above is to place the stateful firewall and the one-armed concentrator on a separate network segment of their own. With this design, packets in both directions between hosts always flow through the stateful firewall, because they must cross a Layer 3 (IP) boundary to reach the concentrator, and the concentrator in turn must route the host subnets back through the firewall rather than delivering to the hosts directly.
In the diagram below, VLANs segment the network so that the ASA and the one-armed concentrator communicate on a different subnet from the hosts at each VPN endpoint. This ensures the ASA sees the traffic flows between hosts in both directions:
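The redirection via a static route described earlier and the asymmetric-routing failure it can cause are easy to reason about with a small model. The following Python script is an added example, not part of the original guide and not Meraki's or Cisco's own code: it models each hop with longest-prefix-match static routes and an ASA-like stateful check that only admits a SYN/ACK for a flow whose SYN it has seen, then traces a remote-initiated TCP handshake through the flat design and through the segmented design with a transit VLAN. All node names and addresses (10.10.0.0/24 for the local hosts, 10.20.0.0/24 for the remote site, 10.99.0.0/30 for the transit segment, the MX at 10.10.0.50 or 10.99.0.2) are assumptions chosen for illustration.

```python
"""Added example: flat vs. segmented one-armed concentrator designs (assumed addresses)."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Node:
    name: str
    ip: str                      # one address per node is enough for this model
    connected: list[str]         # directly attached prefixes
    routes: list[tuple[str, str]] = field(default_factory=list)  # (prefix, next-hop node)
    stateful: bool = False       # True for the ASA
    flows: set[tuple[str, str]] = field(default_factory=set)

    def is_local(self, dst: str) -> bool:
        return any(IPv4Address(dst) in IPv4Network(p) for p in self.connected)

    def next_hop(self, dst: str) -> str | None:
        """Static route lookup: the longest matching prefix wins; None = no route."""
        best = None
        for prefix, hop in self.routes:
            net = IPv4Network(prefix)
            if IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def inspect(self, src: str, dst: str, flags: str) -> bool:
        """A SYN opens a flow; anything else must match a known flow in either direction."""
        if not self.stateful:
            return True
        if flags == "SYN":
            self.flows.add((src, dst))
            return True
        return (src, dst) in self.flows or (dst, src) in self.flows


class Topology:
    def __init__(self, nodes: list[Node]) -> None:
        self.nodes = {n.name: n for n in nodes}
        self.by_ip = {n.ip: n.name for n in nodes}

    def send(self, src_node: str, dst: str, flags: str) -> list[str]:
        """Forward one segment hop by hop; returns the path, ending in DROPPED,
        NO_ROUTE or LOOP if the packet never reached dst."""
        node = self.nodes[src_node]
        src, path = node.ip, [node.name]
        for _ in range(16):
            if node.ip == dst:
                return path
            if not node.inspect(src, dst, flags):
                return path + ["DROPPED"]
            nxt = self.by_ip.get(dst) if node.is_local(dst) else node.next_hop(dst)
            if nxt is None:
                return path + ["NO_ROUTE"]
            node = self.nodes[nxt]
            path.append(node.name)
        return path + ["LOOP"]


def remote_side() -> list[Node]:
    # Remote site 10.20.0.0/24 behind the peer MX, reached over the tunnel.
    return [
        Node("remote-mx", "10.20.0.1", ["10.20.0.0/24"], [("10.10.0.0/24", "mx")]),
        Node("remote-host", "10.20.0.100", ["10.20.0.0/24"], [("0.0.0.0/0", "remote-mx")]),
    ]


def build_flat() -> Topology:
    """Problem case: hosts, ASA and concentrator all on 10.10.0.0/24."""
    return Topology(remote_side() + [
        Node("host", "10.10.0.100", ["10.10.0.0/24"], [("0.0.0.0/0", "asa")]),
        Node("asa", "10.10.0.1", ["10.10.0.0/24"], [("10.20.0.0/24", "mx")], stateful=True),
        Node("mx", "10.10.0.50", ["10.10.0.0/24"], [("10.20.0.0/24", "remote-mx")]),
    ])


def build_segmented() -> Topology:
    """Fix: ASA and concentrator share a transit VLAN 10.99.0.0/30 of their own."""
    return Topology(remote_side() + [
        Node("host", "10.10.0.100", ["10.10.0.0/24"], [("0.0.0.0/0", "asa")]),
        Node("asa", "10.10.0.1", ["10.10.0.0/24", "10.99.0.0/30"],
             [("10.20.0.0/24", "mx")], stateful=True),
        # The MX must route the host subnet back through the ASA, not deliver it directly.
        Node("mx", "10.99.0.2", ["10.99.0.0/30"],
             [("10.20.0.0/24", "remote-mx"), ("10.10.0.0/24", "asa")]),
    ])


def handshake(topo: Topology) -> tuple[list[str], list[str]]:
    """Remote host opens TCP to the local host: SYN inbound, SYN/ACK back."""
    syn = topo.send("remote-host", "10.10.0.100", "SYN")
    return syn, topo.send("host", "10.20.0.100", "SYN/ACK")


if __name__ == "__main__":
    for label, topo in (("flat", build_flat()), ("segmented", build_segmented())):
        syn, syn_ack = handshake(topo)
        print(f"{label:9} SYN     : {' -> '.join(syn)}")
        print(f"{label:9} SYN/ACK : {' -> '.join(syn_ack)}")
```

Running it prints the hop-by-hop path of the SYN and the SYN/ACK for both designs: in the flat design the inbound SYN travels remote-mx -> mx -> host without touching the ASA, and the host's SYN/ACK is then dropped at the ASA; in the segmented design both directions cross the ASA because the MX's only route to 10.10.0.0/24 points at it. The model also shows why the flat design is easy to misjudge: in this simplified check a connection opened from the local side passes, since the ASA saw the SYN and only the reply bypasses it. A real ASA tracks the full handshake and sequence numbers, so it can also drop later segments of a flow whose SYN/ACK it never saw; the transit segment is the fix in either case.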