23.4  Exchange of routing information

An automatic exchange of routing information (i.e. of data describing routes to local subnets) is performed between the endpoints of any VPN tunnel (or between the VPN server and a VPN client). Thus, the routing tables on both sides of the tunnel are kept up to date.

Routing configuration options

Under usual circumstances, it is not necessary to define any custom routes — the particular routes are added to the routing tables automatically whenever the configuration is changed at either side of the tunnel (or at the VPN server). However, if the routing table at either side of the VPN tunnel includes invalid routes (e.g. entered by the administrator), these routes are exchanged as well. This may make traffic to some remote subnets impossible and overload the VPN tunnel with control messages.

A similar problem may occur when a VPN client connects to the WinRoute VPN server.

To avoid the problems just described, open the VPN tunnel definition dialog (see chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)) or the VPN server settings dialog (refer to chapter 23.1  VPN Server Configuration), where you can set which routing data will be used and define custom routes.

Kerio VPN uses the following methods to pass routing information:

  • Routes provided automatically by the remote endpoint (set as default) — routes to remote networks are set automatically with respect to the information provided by the remote endpoint. If this option is selected, no additional settings are necessary unless problems regarding invalid routes occur (see above).

  • Both automatically provided and custom routes — routes provided automatically are complemented by custom routes defined at the local endpoint. In case of a collision, the custom route takes priority. This option easily solves the problem where a remote endpoint provides one or more invalid routes.

  • Custom routes only — all routes to remote networks must be set manually at the local endpoint of the tunnel. This alternative prevents invalid routes provided by a remote endpoint from being added to the local routing table. However, it is quite demanding for the administrator (any change in the remote network's configuration requires the custom routes to be modified).

Routes provided automatically

Unless any custom routes are defined, the following rules apply to the interchange of routing information:

  • default routes as well as routes via default gateways are not exchanged (the default gateway cannot be changed for remote VPN clients or for remote endpoints of a tunnel),

  • routes to subnets which are identical on both sides of a tunnel are not exchanged (routing between local and remote networks with identical IP ranges is not allowed),

  • other routes (i.e. routes to local subnets at remote ends of VPN tunnels, except the cases described above, as well as routes to all other VPN tunnels and all VPN clients) are exchanged.

Note: As follows from the description above, if two VPN tunnels are created, communication between the two remote networks is possible. The traffic rules can be configured so that both of these remote networks are denied connection to the local network.
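The three exchange rules above and the three routing options (automatic, automatic plus custom, custom only) can be modelled as two small functions. This is an added illustrative example, not Kerio code: the route representation, the "on-link" marker, the interface name and all addresses are constructed, and "routes via default gateways" is read here as routes whose gateway is the local default gateway.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (destination network, gateway or "on-link"); constructed form
DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")


def advertised_routes(local, default_gw, remote) -> List[str]:
    """Destinations this endpoint sends to the other side of the tunnel.

    Rule 1: default routes (the default route itself and routes that only
            point at the default gateway, an assumed reading) are not sent.
    Rule 2: subnets present identically on both sides are not sent.
    Rule 3: everything else is sent.
    """
    remote_nets = {ipaddress.ip_network(net) for net, _ in remote}
    sent = []
    for net, gw in local:
        network = ipaddress.ip_network(net)
        if network == DEFAULT_NET or gw == default_gw or network in remote_nets:
            continue
        sent.append(net)
    return sent


def merge_routes(mode, provided, tunnel, custom) -> Dict[str, str]:
    """Receiving side's tunnel routes under one of the three routing options.

    "auto":   routes provided by the remote endpoint only (installed via the tunnel)
    "both":   provided routes plus custom ones; a custom route wins on a collision
    "custom": custom routes only
    """
    if mode not in ("auto", "both", "custom"):
        raise ValueError(f"unknown routing option: {mode}")
    table: Dict[str, str] = {}
    if mode != "custom":
        table.update({net: tunnel for net in provided})
    if mode != "auto":
        table.update(dict(custom))  # applied last, so custom entries override
    return table


# Constructed sample routing tables for a local endpoint and its remote peer.
LOCAL_DEFAULT_GW = "203.0.113.1"
LOCAL_ROUTES = [("0.0.0.0/0", LOCAL_DEFAULT_GW), ("192.168.1.0/24", "on-link"),
                ("192.168.2.0/24", "192.168.1.254"), ("10.5.0.0/16", LOCAL_DEFAULT_GW),
                ("172.16.0.0/24", "on-link")]
REMOTE_ROUTES = [("0.0.0.0/0", "198.51.100.1"), ("192.168.2.0/24", "on-link"),
                 ("10.20.0.0/16", "on-link")]
REMOTE_PROVIDED = ["10.20.0.0/16", "10.99.0.0/16"]  # 10.99/16 is a bogus advertised route
CUSTOM_ROUTES = [("10.99.0.0/16", "192.168.1.254")]  # administrator's override
```

With the constructed tables, only 192.168.1.0/24 and 172.16.0.0/24 are advertised (the default route, the route via the default gateway and the 192.168.2.0/24 range shared by both sides are dropped), and the "both" option replaces the bogus 10.99.0.0/16 tunnel route with the administrator's custom one.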

Update of routing tables

Routing information is exchanged:

  • when a VPN tunnel is connected or when a VPN client is connected to the server,

  • when information in a routing table at any side of the tunnel (or at the VPN server) is changed,

  • periodically, every 10 minutes. The timer is restarted upon each update (regardless of the reason for the update).