Demand-Dial Routing

On-Demand Router-to-Router VPN

A router-to-router VPN connection is typically used to connect remote offices together when both routers are connected to the Internet through permanent WAN links, such as T1 or Frame Relay. In this configuration, the VPN connection is persistent and available 24 hours a day. However, when a permanent WAN link is not possible or practical, you can configure an on-demand router-to-router VPN connection.

Figure 6.2 shows an on-demand router-to-router VPN connection.

Enlarge figure

Figure 6.2 On-Demand Router-to-Router VPN Connection

An on-demand router-to-router VPN connection consists of two demand-dial interfaces that are configured on the VPN client (the calling router):

A demand-dial interface to dial-in to a local Internet service provider (ISP).
A demand-dial interface for the router-to-router VPN connection.

An on-demand router-to-router VPN connection is automatically established when you route traffic to a specific location. For example, in a branch office configuration, when a packet is received to be routed to the corporate office, the branch office router uses a dial-up link to connect to a local ISP and then creates a router-to-router VPN connection with the corporate office router located on the Internet.

Note

This discussion assumes that the corporate office router (the answering router) is connected to the Internet using a permanent WAN link. It is possible to have both routers connected to the Internet by using a dial-up WAN link. However, this is only feasible if the Internet service provider (ISP) supports demand-dialing routing to customers; the ISP calls the customer router when an IP packet is to be delivered to the customer. Demand-dial routing to customers is not widely supported by ISPs.

To configure an on-demand router-to-router VPN connection at the branch office router, do the following:

Create a demand-dial interface for the Internet connection that is configured for the appropriate equipment (a modem or ISDN device), the phone number of the local ISP, and the user name and password to gain Internet access.
Create a demand-dial interface for the VPN connection with the corporate office router that is configured for a VPN port (a PPTP or L2TP port), the IP address of the interface on the Internet for the corporate office router, and a user name and password that can be verified by the VPN server. The user name must match the name of a demand-dial interface on the corporate office router.
Create a static host route for the IP address of the corporate office router's Internet interface that uses the ISP demand-dial interface.
Create a static route (or routes) for the IP network of the corporate intranet that uses the VPN demand-dial interface.

To configure the corporate office router, do the following:

Create a demand-dial interface for the VPN connection with the branch office that is configured for a VPN port (a PPTP or L2TP port). The demand-dial interface must have the same name as the user name in the authentication credential that is used by the branch office router to create the VPN connection.
Create a static route (or routes) for the IP network IDs of the branch office that uses the VPN demand-dial interface.

The router-to-router VPN connection is automatically initiated by the branch office router through the following process:

Packets sent to a corporate network location from a computer in the branch office are forwarded to the branch office router.
The branch office router checks its routing table and finds a route to the corporate intranet network, which uses the VPN demand-dial interface.
The branch office router checks the state of the VPN demand-dial interface and finds it is in a disconnected state.
The branch office router retrieves the configuration of the VPN demand-dial interface.
Based on the VPN demand-dial interface configuration, the branch office router attempts to initialize a router-to-router VPN connection at the IP address of the corporate office router on the Internet.
To establish a VPN, either a TCP (by using PPTP) or UDP (by using L2TP over IPSec) packet must be sent to the corporate office router that acts as the VPN server. The VPN establishment packet is created.
To forward the VPN establishment packet to the corporate office router, the branch office router checks its routing table and finds the host route that is using the ISP demand-dial interface.
The branch office router checks the state of the ISP demand-dial interface and finds it is in a disconnected state.
The branch office router retrieves the configuration of the ISP demand-dial interface.
Based on the ISP demand-dial interface configuration, the branch office router uses its modem or ISDN device to dial and establish a connection with its local ISP.
Once the ISP connection is made, the VPN establishment packet is sent to the corporate office router.
A router-to-router VPN connection is negotiated between the branch office router and the corporate office router. As part of the negotiation, the branch office router sends authentication credentials that are verified by the corporate office router.
The corporate office router checks its demand-dial interfaces and finds one that matches the user name sent during authentication and changes the interface to a connected state.
The branch office router forwards the routed packet across the VPN and the corporate office router forwards the packet to the appropriate intranet location.
When the intranet location responds to the packet sent to it by the user in the branch office, the packet is forwarded to the corporate office router.
The corporate office router checks its routing table and finds a route to the branch office network that uses the VPN demand-dial interface.
The corporate office router checks the state of the VPN demand-dial interface and finds it is in a connected state.
The response packet is forwarded across the Internet by using the VPN connection.
The response packet is received by the branch office router and is forwarded to the original user.