What happens with connections inside and outside the VPN tunnel

From letters to Tucha technical support, real articles are born. For example, a client recently asked us to explain what happens when connecting inside the VPN tunnel between the user's office and the environment in the cloud, and what happens when connecting outside the VPN tunnel. So all the text below is a real letter that we sent to one of our clients in response to his question. Of course, we changed the IP addresses so as not to deanonymize the client. But yes, Tucha technical support really is famous for its detailed answers and informative emails. 🙂

Of course, we understand that for many readers this article will not be a revelation. But since articles for novice administrators appear on Habr from time to time, and since this article grew out of a real letter to a real client, we share this information here anyway. There is a good chance it will be useful to someone.
So we explain in detail what happens between a server in the cloud and an office when they are connected by a site-to-site VPN. Note that in this case some of the services are available only from the office, and some from anywhere on the Internet.

Let us say right away what the client wanted: the server 192.168.A.1 should be reachable over RDP from anywhere by connecting to AAA2:13389, while its other services should be reachable only from the office (192.168.B.0/24) connected via VPN. The client had also already configured the machine 192.168.B.2 in the office to be reachable over RDP from anywhere by connecting to BBB1:11111. We helped set up the IPsec connection between the cloud and the office, and the client's IT specialist began asking what would happen in this or that case. To answer all these questions we wrote him, essentially, everything you can read below.


Now let's look at these processes in more detail.

Position one

When something is sent from 192.168.B.0/24 to 192.168.A.0/24 or from 192.168.A.0/24 to 192.168.B.0/24, it goes into the VPN. That is, the packet is additionally encrypted and transmitted between BBB1 and AAA1, but 192.168.A.1 sees the packet as coming from 192.168.B.1. The two can talk to each other using any protocol. Replies travel back the same way through the VPN, which means that a packet from 192.168.A.1 to 192.168.B.1 will be sent as an ESP datagram from AAA1 to BBB1; the router on the other side unwraps it, extracts that packet and delivers it to 192.168.B.1 as a packet from 192.168.A.1.

Specific example:

1) 192.168.B.1 addresses 192.168.A.1: it wants to establish a TCP connection with 192.168.A.1:3389;

2) 192.168.B.1 sends a connection request from 192.168.B.1:55555 (the source port is chosen by the client; from here on we use 55555 as an example of the port number the system picks when opening a TCP connection) to 192.168.A.1:3389;

3) the operating system running on the computer with the address 192.168.B.1 decides to forward this packet to the gateway address of the router (192.168.B.254 in our case), because it has no other, more specific route for 192.168.A.1 and therefore sends the packet along the default route (0.0.0.0/0);

4) to do this, it looks for the MAC address of the IP address 192.168.B.254 in its ARP cache table. If it is not there, it sends a broadcast who-has request from the address 192.168.B.1 to the network 192.168.B.0/24. When 192.168.B.254 replies with its MAC address, the system sends the Ethernet frame to it and records this information in its cache table;

5) the router receives this packet and decides where to send it: it has a policy saying that all packets between 192.168.B.0/24 and 192.168.A.0/24 must be carried over the VPN connection between BBB1 and AAA1;

6) the router builds an ESP datagram from BBB1 to AAA1;

7) the router decides where to send this packet: it sends it to, say, BBB254 (the ISP's gateway), because it has no more specific route to AAA1 than 0.0.0.0/0;

8) just as before, it finds the MAC address for BBB254 and sends the packet to the ISP's gateway;

9) the ISPs carry the ESP datagram across their networks from BBB1 to AAA1;

10) the virtual router on AAA1 receives this datagram, decrypts it, and obtains a packet from 192.168.B.1:55555 to 192.168.A.1:3389;

11) the virtual router checks where to send it, finds the network 192.168.A.0/24 in its routing table and sends it directly to 192.168.A.1, since it has the interface 192.168.A.254/24;

12) to do this, the virtual router finds the MAC address for 192.168.A.1 and sends the packet to it over the virtual Ethernet network;

13) 192.168.A.1 receives this packet on port 3389, agrees to establish the connection, and forms a reply packet from 192.168.A.1:3389 to 192.168.B.1:55555;

14) its system forwards this packet to the gateway address of the virtual router (192.168.A.254 in our case), because it has no other, more specific route for 192.168.B.1 and must therefore send the packet along the default route (0.0.0.0/0);

15) just as in the previous cases, the system running on the server with the address 192.168.A.1 finds the MAC address of 192.168.A.254, since it is on the same network as its own interface 192.168.A.1/24;

16) the virtual router receives this packet and decides where to send it: it has a policy saying that all packets between 192.168.A.0/24 and 192.168.B.0/24 must be carried over the VPN connection between AAA1 and BBB1;

17) the virtual router builds an ESP datagram from AAA1 to BBB1;

18) the virtual router decides where to send this packet: it sends it to AAA254 (the ISP's gateway, which in this case is also us), because it has no more specific route to BBB1 than 0.0.0.0/0;

19) the ISPs carry the ESP datagram across their networks from AAA1 to BBB1;

20) the router on BBB1 receives this datagram, decrypts it, and obtains a packet from 192.168.A.1:3389 to 192.168.B.1:55555;

21) it understands that the packet must be delivered directly to 192.168.B.1, since they are on the same network, so it has a routing-table entry that makes it send packets for the whole of 192.168.B.0/24 directly;

22) the router finds the MAC address for 192.168.B.1 and passes the packet to it;

23) the operating system on the computer with the address 192.168.B.1 receives a packet from 192.168.A.1:3389 to 192.168.B.1:55555 and carries out the next steps of establishing the TCP connection.

This example describes, rather concisely and in simplified form (many details could be added), what happens at layers 2 to 4. Layers 1 and 5 to 7 are not considered.
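The route and ARP lookups that steps 3 and 4 describe (and that the later steps repeat for every hop), as an added example that is not part of the original letter: a host picks the most specific matching route, falls back to 0.0.0.0/0, and resolves the chosen next hop through its ARP cache, broadcasting who-has only on a miss. The addresses are constructed stand-ins (192.168.20.0/24 for the letter's 192.168.B.0/24, 192.168.10.0/24 for 192.168.A.0/24), and the neighbour table that answers the who-has is constructed as well.

```python
import ipaddress

# Constructed addresses: 192.168.20.0/24 stands for the letter's 192.168.B.0/24 and
# 192.168.10.0/24 for 192.168.A.0/24; the MAC addresses below are made up as well.

class Host:
    def __init__(self, ip_with_prefix, default_gateway):
        iface = ipaddress.ip_interface(ip_with_prefix)
        # Routing table as (prefix, gateway); gateway None means "directly connected".
        self.routes = [(iface.network, None),
                       (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gateway))]
        self.arp_cache = {}      # next-hop IP (str) -> MAC, filled by who-has / is-at exchanges
        self.arp_requests = []   # who-has broadcasts this host actually had to send

    def add_route(self, prefix, gateway):
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(gateway)))

    def next_hop(self, dst):
        """Step 3: the most specific matching prefix wins; 0.0.0.0/0 is the fallback."""
        dst = ipaddress.ip_address(dst)
        prefix, gateway = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen)
        return str(dst if gateway is None else gateway)   # deliver directly, or via the gateway

    def resolve_mac(self, ip, neighbours):
        """Step 4: answer from the ARP cache; on a miss broadcast who-has and cache the is-at reply."""
        if ip not in self.arp_cache:
            self.arp_requests.append(ip)
            self.arp_cache[ip] = neighbours[ip]   # neighbours: who would answer on this LAN
        return self.arp_cache[ip]

    def frame_for(self, dst, neighbours):
        """Return (next hop, destination MAC) of the Ethernet frame carrying a packet to dst."""
        hop = self.next_hop(dst)
        return hop, self.resolve_mac(hop, neighbours)


def demo():
    host = Host("192.168.20.1/24", "192.168.20.254")
    # Constructed neighbour table: who answers a who-has on the office LAN.
    neighbours = {"192.168.20.254": "02:00:00:00:20:fe", "192.168.20.2": "02:00:00:00:20:02"}
    first = host.frame_for("192.168.10.1", neighbours)    # cloud server: default route, gateway's MAC
    again = host.frame_for("192.168.10.1", neighbours)    # cache hit: no second who-has
    local = host.frame_for("192.168.20.2", neighbours)    # same LAN: next hop is the destination itself
    return first, again, local, list(host.arp_requests)

if __name__ == "__main__":
    print(demo())
```

Adding a more specific route with `add_route` (say 192.168.10.0/24 via another gateway) makes `next_hop` prefer it over the default route, which is precisely the "no other, more specific route" condition the steps keep checking.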

Position two

If something is sent from 192.168.B.0/24 to AAA2, it does not go into the VPN but travels directly. That is, if the user at the address 192.168.B.1 addresses AAA2:13389, the packet leaves from the address BBB1, travels to AAA2, and there the router receives it and passes it to 192.168.A.1. 192.168.A.1 knows nothing about 192.168.B.1; it sees a packet from BBB1, because that is where it received it from. Therefore the reply to this request takes the general route: it leaves from the address AAA2 and goes to BBB1, and that router passes the reply on to 192.168.B.1, which sees a reply from AAA2, the address it addressed.

Specific example:

1) 192.168.B.1 addresses AAA2: it wants to establish a TCP connection with AAA2:13389;

2) 192.168.B.1 sends a connection request from 192.168.B.1:55555 (this number, as in the previous example, may differ) to AAA2:13389;

3) the operating system running on the computer with the address 192.168.B.1 decides to forward this packet to the gateway address of the router (192.168.B.254 in our case), because it has no other, more specific route for AAA2, which means it sends the packet along the default route (0.0.0.0/0);

4) to do this, as we mentioned in the previous example, it looks for the MAC address of the IP address 192.168.B.254 in its ARP cache table. If it is not there, it sends a broadcast who-has request from the address 192.168.B.1 to the network 192.168.B.0/24. When 192.168.B.254 replies with its MAC address, the system sends the Ethernet frame to it and records this information in its cache table;

5) the router receives this packet and decides where to send it: it has a policy saying that all packets from 192.168.B.0/24 to other Internet nodes must be sent on with their return address changed;

6) since this policy requires the return address to match the local address of the interface through which the packet will be transmitted, the router first decides exactly where to send this packet, and, as in the previous example, it must send it to BBB254 (the ISP's gateway), because it has no more specific route to AAA2 than 0.0.0.0/0;

7) therefore the router replaces the return address of the packet; from now on it is a packet from BBB1:44444 (the port number may, of course, differ) to AAA2:13389;

8) the router remembers what it did, so when a reply from AAA2:13389 to BBB1:44444 arrives, it will know that it must change the destination address and port to 192.168.B.1:55555;

9) the router must now pass the packet into the ISP's network via BBB254, so, just as we already mentioned, it finds the MAC address for BBB254 and sends the packet to the ISP's gateway;

10) the ISPs carry the packet from BBB1 to AAA2 across their networks;

11) the virtual router on AAA2 receives this packet on port 13389;

12) the virtual router has a rule stipulating that packets arriving from any sender on this port are to be forwarded to 192.168.A.1:3389;

13) the virtual router finds the network 192.168.A.0/24 in its routing table and sends the packet directly to 192.168.A.1, because it has the interface 192.168.A.254/24;

14) to do this, the virtual router finds the MAC address for 192.168.A.1 and sends the packet to it over the virtual Ethernet network;

15) 192.168.A.1 receives this packet on port 3389, agrees to establish the connection, and forms a reply packet from 192.168.A.1:3389 to BBB1:44444;

16) its system forwards this packet to the gateway address of the virtual router (192.168.A.254 in our case), because it has no other, more specific route for BBB1 and must therefore send the packet along the default route (0.0.0.0/0);

17) just as in the previous cases, the system running on the server with the address 192.168.A.1 finds the MAC address of 192.168.A.254, since it is on the same network as its own interface 192.168.A.1/24;

18) the virtual router receives this packet. Note that it remembers having received a packet from BBB1:44444 on AAA2:13389 and having changed the destination address and port to 192.168.A.1:3389, so for the packet from 192.168.A.1:3389 to BBB1:44444 it changes the sender address to AAA2:13389;

19) the virtual router decides where to send this packet: it sends it to AAA254 (the ISP's gateway, which in this case is also us), because it has no more specific route to BBB1 than 0.0.0.0/0;

20) the ISPs carry the packet from AAA2 to BBB1 across their networks;

21) the router on BBB1 receives this packet and remembers that when it forwarded the packet from 192.168.B.1:55555 to AAA2:13389 it changed the sender address and port to BBB1:44444, so this reply must be sent to 192.168.B.1:55555 (in reality there are a few more checks, but we will not go into them);

22) it understands that the packet must be delivered directly to 192.168.B.1, since they are on the same network, so it has a routing-table entry that makes it send packets for the whole of 192.168.B.0/24 directly;

23) the router finds the MAC address for 192.168.B.1 and passes the packet to it;

24) the operating system on the computer with the address 192.168.B.1 receives a packet from AAA2:13389 to 192.168.B.1:55555 and carries out the next steps of establishing the TCP connection.

Note that in this case the computer with the address 192.168.B.1 knows nothing about the server with the address 192.168.A.1; it communicates only with AAA2. Likewise, the server with the address 192.168.A.1 knows nothing about the computer with the address 192.168.B.1. It believes it was connected to from the address BBB1 and knows nothing more, so to speak.

Note also that if this computer tries to reach AAA2:1540, the connection will not be established, because connection forwarding for port 1540 is not configured on the virtual router, even if some server in the virtual network 192.168.A.0/24 (for example, the server with the address 192.168.A.1) has a service waiting for connections on that port. If the user of the computer with the address 192.168.B.1 absolutely needs to connect to that service, they must use the VPN, that is, address 192.168.A.1:1540 directly.

It should be emphasized that any attempt to establish a connection with AAA1 (other than the IPsec connection from BBB1) will not succeed. Any attempt to establish a connection with AAA2 other than to port 13389 will also fail.
We also note that if someone else (for example, CCCC) connects to AAA2, everything described in steps 10 to 20 applies to them as well. What happens before and after that depends on what exactly is behind CCCC; we have no such information, so for that we advise contacting the administrators of the node with the address CCCC.

Position three

And conversely, if 192.168.A.1 sends something to a port on BBB1 that is configured to be forwarded inward (for example, 11111), it also does not go into the VPN but simply leaves from AAA1 and arrives at BBB1, which then passes it on somewhere, say, to 192.168.B.2:3389. That host sees the packet not from 192.168.A.1 but from AAA1. And when 192.168.B.2 replies, the packet travels from BBB1 to AAA1 and then reaches the initiator of the connection, 192.168.A.1.

Specific example:

1) 192.168.A.1 addresses BBB1: it wants to establish a TCP connection with BBB1:11111;

2) 192.168.A.1 sends a connection request from 192.168.A.1:55555 (this number, as in the previous example, may differ) to BBB1:11111;

3) the operating system running on the server with the address 192.168.A.1 decides to forward this packet to the gateway address of the router (192.168.A.254 in our case), because it has no other, more specific route for BBB1 and therefore sends the packet along the default route (0.0.0.0/0);

4) to do this, as we mentioned in the previous examples, it looks for the MAC address of the IP address 192.168.A.254 in its ARP cache table. If it is not there, it sends a broadcast who-has request from the address 192.168.A.1 to the network 192.168.A.0/24. When 192.168.A.254 replies with its MAC address, the system sends the Ethernet frame to it and records this information in its cache table;

5) the virtual router receives this packet and decides where to send it: it has a policy saying that all packets from 192.168.A.0/24 to other Internet nodes must be sent on with their return address changed;

6) since this policy requires the return address to match the local address of the interface through which the packet will be transmitted, the virtual router first decides exactly where to send this packet, and, as in the previous example, it must send it to AAA254 (the ISP's gateway, which in this case is also us), because it has no more specific route to BBB1 than 0.0.0.0/0;

7) this means the virtual router replaces the return address of the packet; from now on it is a packet from AAA1:44444 (the port number may, of course, differ) to BBB1:11111;

8) the virtual router remembers what it did, so when a reply from BBB1:11111 to AAA1:44444 arrives, it will know that it must change the destination address and port to 192.168.A.1:55555;

9) the virtual router must now pass the packet into the ISP's network via AAA254, so, just as we already mentioned, it finds the MAC address for AAA254 and sends the packet to the ISP's gateway;

10) the ISPs carry the packet from AAA1 to BBB1 across their networks;

11) the router on BBB1 receives this packet on port 11111;

12) the router has a rule stipulating that packets arriving from any sender on this port are to be forwarded to 192.168.B.2:3389;

13) the router finds the network 192.168.B.0/24 in its routing table and sends the packet directly to 192.168.B.2, since it has the interface 192.168.B.254/24;

14) to do this, the router finds the MAC address for 192.168.B.2 and sends the packet to it over the Ethernet network;

15) 192.168.B.2 receives this packet on port 3389, agrees to establish the connection, and forms a reply packet from 192.168.B.2:3389 to AAA1:44444;

16) its system forwards this packet to the gateway address of the router (192.168.B.254 in our case), because it has no other, more specific route for AAA1 and must therefore send the packet along the default route (0.0.0.0/0);

17) just as in the previous cases, the system running on the computer with the address 192.168.B.2 finds the MAC address of 192.168.B.254, since it is on the same network as its own interface 192.168.B.2/24;

18) the router accepts this packet. Note that it remembers having received a packet from AAA1:44444 on BBB1:11111 and having changed the destination address and port to 192.168.B.2:3389, so for the packet from 192.168.B.2:3389 to AAA1:44444 it changes the sender address to BBB1:11111;

19) the router decides where to send this packet. It sends it to, say, BBB254 (the ISP's gateway, whose exact address we do not know), because it has no more specific route to AAA1 than 0.0.0.0/0;

20) the ISPs carry the packet from BBB1 to AAA1 across their networks;

21) the virtual router on AAA1 receives this packet and remembers that when it forwarded the packet from 192.168.A.1:55555 to BBB1:11111 it changed the sender address and port to AAA1:44444. So this reply must be sent to 192.168.A.1:55555 (in fact, as we mentioned in the previous example, there are a few more checks here too, but again we will not go into them);

22) it understands that the packet must be delivered directly to 192.168.A.1, since they are on the same network, which means it has a routing-table entry that makes it send packets for the whole of 192.168.A.0/24 directly;

23) the virtual router finds the MAC address for 192.168.A.1 and passes the packet to it;

24) the operating system on the server with the address 192.168.A.1 receives a packet from BBB1:11111 to 192.168.A.1:55555 and carries out the next steps of establishing the TCP connection.

Just as in the previous case, here the server with the address 192.168.A.1 knows nothing about the computer with the address 192.168.B.2; it communicates only with BBB1. The computer with the address 192.168.B.2 likewise knows nothing about the server with the address 192.168.A.1. It believes it was connected to from the address AAA1, and the rest is hidden from it.
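All three positions, together with the refused connections noted after position two, replayed in one added simulation (our own illustration, not code from the original letter or from any real router): each router carries traffic for the peer LAN as ESP between the tunnel endpoints, source-NATs everything else behind its public address while remembering the mapping, applies its configured port forwards to inbound traffic, and drops whatever matches nothing. The public addresses AAA1, AAA2 and BBB1 are constructed stand-ins from the RFC 5737 documentation ranges, 192.168.A.0/24 and 192.168.B.0/24 are written as 192.168.10.0/24 and 192.168.20.0/24, and the NAT port 44444 and source port 55555 are the letter's own example values. Each host records the address and port the other side appears to have, which is exactly the point the letter makes.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed stand-ins for the letter's placeholders (RFC 5737 documentation ranges).
AAA1, AAA2, BBB1 = "203.0.113.1", "203.0.113.2", "198.51.100.1"
A_LAN, B_LAN = "192.168.10.0/24", "192.168.20.0/24"         # 192.168.A.0/24, 192.168.B.0/24
A1, B1, B2 = "192.168.10.1", "192.168.20.1", "192.168.20.2"  # 192.168.A.1, 192.168.B.1, 192.168.B.2

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inner: Packet | None = None   # set only on an ESP datagram carrying a tunnelled packet

class Internet:
    """Hands a packet to whichever router owns its public destination address."""
    def __init__(self): self.owners = {}
    def deliver(self, pkt):
        if pkt.dst in self.owners: self.owners[pkt.dst].from_wan(pkt)

class Host:
    def __init__(self, ip, listen):
        self.ip, self.listen, self.router = ip, set(listen), None
        self.seen, self.replies = [], []   # (src, sport) of SYNs received / of SYN-ACKs received
    def receive(self, pkt):
        if pkt.dport in self.listen:       # SYN to a service we run: accept and answer
            self.seen.append((pkt.src, pkt.sport))
            self.router.from_lan(Packet(self.ip, pkt.dport, pkt.src, pkt.sport))
        else:                              # SYN-ACK for a connection we started
            self.replies.append((pkt.src, pkt.sport))
    def connect(self, dst, dport, sport=55555):
        """Open a connection; return (src, sport) of the reply as we saw it, or None if none came."""
        n = len(self.replies)
        self.router.from_lan(Packet(self.ip, sport, dst, dport))
        return self.replies[n] if len(self.replies) > n else None

class Router:
    def __init__(self, lan, wan_ip, net, forwards):
        self.lan, self.wan_ip, self.net, self.forwards = ipaddress.ip_network(lan), wan_ip, net, forwards
        self.peer, self.hosts, self.dropped, self.next_port = None, {}, [], 44444
        self.snat = {}   # nat_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.dnat = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> (public_ip, public_port)
    def add_host(self, host):
        host.router, self.hosts[host.ip] = self, host
    def from_lan(self, pkt):
        """Egress policy, in the order the letter describes it."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.peer and ipaddress.ip_address(pkt.dst) in self.peer.lan:   # position one: into the tunnel
            self.net.deliver(Packet(self.wan_ip, 0, self.peer.wan_ip, 0, inner=pkt))  # ESP carries no ports
        elif key in self.dnat:                       # reply of a port-forwarded connection: restore public address
            pub_ip, pub_port = self.dnat[key]
            self.net.deliver(Packet(pub_ip, pub_port, pkt.dst, pkt.dport))
        else:                                        # anything else: SNAT behind wan_ip and remember the mapping
            port, self.next_port = self.next_port, self.next_port + 1
            self.snat[port] = key
            self.net.deliver(Packet(self.wan_ip, port, pkt.dst, pkt.dport))
    def from_wan(self, pkt):
        """Ingress policy; a packet that matches nothing is dropped."""
        if pkt.inner is not None:                    # ESP: only from the configured peer, only to our own address
            if pkt.dst == self.wan_ip and self.peer and pkt.src == self.peer.wan_ip:
                return self.to_lan(pkt.inner)        # "decrypt" and hand the inner packet to the LAN
        elif (pkt.dst, pkt.dport) in self.forwards:  # port forwarding: rewrite the destination, remember it
            lan_ip, lan_port = self.forwards[(pkt.dst, pkt.dport)]
            self.dnat[(lan_ip, lan_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return self.to_lan(Packet(pkt.src, pkt.sport, lan_ip, lan_port))
        elif pkt.dst == self.wan_ip and pkt.dport in self.snat:   # reply to a SNATed connection ...
            lan_ip, lan_port, remote_ip, remote_port = self.snat[pkt.dport]
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):  # ... only from the remote it was opened to
                return self.to_lan(Packet(pkt.src, pkt.sport, lan_ip, lan_port))
        self.dropped.append(pkt)
    def to_lan(self, pkt):
        if pkt.dst in self.hosts: self.hosts[pkt.dst].receive(pkt)
        else: self.dropped.append(pkt)

def run_all():
    """Build the topology, replay the three positions and the refused cases, report what each side saw."""
    net = Internet()
    cloud = Router(A_LAN, AAA1, net, {(AAA2, 13389): (A1, 3389)})    # the cloud virtual router
    office = Router(B_LAN, BBB1, net, {(BBB1, 11111): (B2, 3389)})   # the office router
    net.owners.update({AAA1: cloud, AAA2: cloud, BBB1: office})
    cloud.peer, office.peer = office, cloud                          # the IPsec site-to-site pair
    a1, b1, b2 = Host(A1, {3389, 1540}), Host(B1, set()), Host(B2, {3389})
    cloud.add_host(a1); office.add_host(b1); office.add_host(b2)
    r = {}
    r["pos1_b1_sees"], r["pos1_a1_sees"] = b1.connect(A1, 3389), a1.seen[-1]        # inside the tunnel
    r["pos2_b1_sees"], r["pos2_a1_sees"] = b1.connect(AAA2, 13389), a1.seen[-1]     # port forward on AAA2
    r["pos3_a1_sees"], r["pos3_b2_sees"] = a1.connect(BBB1, 11111), b2.seen[-1]     # port forward on BBB1
    r["refused_aaa2_1540"] = b1.connect(AAA2, 1540)   # no forward for 1540 on AAA2: refused
    r["refused_aaa1_plain"] = b1.connect(AAA1, 22)    # non-IPsec traffic to AAA1: refused
    r["vpn_1540_b1_sees"] = b1.connect(A1, 1540)      # the same service works inside the tunnel
    cloud.from_wan(Packet("192.0.2.7", 9999, AAA1, 44444))  # constructed: a stranger aims at a live NAT port
    r["cloud_dropped"] = len(cloud.dropped)
    return r

if __name__ == "__main__":
    for name, value in run_all().items(): print(f"{name:20} {value}")
```

Running it prints, for each case, what the two sides saw: inside the tunnel 192.168.A.1 sees 192.168.B.1 itself, whereas through the port forwards it sees BBB1:44444 and 192.168.B.2 sees AAA1:44444. The `cloud_dropped` counter covers the connection to AAA2:1540, the plain (non-IPsec) connection to AAA1, and the constructed packet from an unrelated address aimed at a live NAT port, which the reply-source check hinted at in step 21 rejects.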

Conclusion

This is how it works for connections inside the VPN tunnel between the client's office and the environment in the cloud, as well as for connections outside the VPN tunnel. And if you have any questions or need our help in solving cloud problems, contact us 24x7.

Source: habr.com
