Table of Contents
Advertisement
Chapter 4
Configuration via the Command Line Interface
AutoProxyARP
The automatic addition of ProxyARP entries in VPN client/server scenarios can be
enabled or disabled. By default this setting is enabled. When disabled, the
ProxyARP entries have to be entered manually.
When do I need
In a VPN scenario, you need ProxyARP at both sides when the local and remote
ProxyARP
private network address ranges are overlapping. Because the SpeedTouch™ is
basically a router, you need to emulate some bridging functions if the address
ranges at both ends of the VPN tunnel overlap. The main issue is that ARP
messages are not propagated across a router. If a host at one side of the tunnel
wants to reach a host at the remote side, it sends an ARP message because the
destination address lies in the local address range. The Security Gateway has to
answer to the ARP request as a proxy. In order to do so, a ProxyARP entry is needed
in the ARP table.
The SpeedTouch™ supports ProxyARP. This technique allows two networks with
overlapping IP ranges to be connected using an IPsec tunnel. The SpeedTouch™,
acting as a Security Gateway, will reply to arp-who-has requests for IP addresses
belonging to the remote network. The IPsec policies will take care that packets
destined for the remote network will indeed be forwarded through the IPsec tunnel.
When the IKE ModeConfig mechanism is used to establish the tunnel (client/server
scenario), the ProxyARP entries will automatically be added to the ProxyARP table
of the SpeedTouch™. In all other cases the user has to add the ProxyARP entries
manually. At the time of writing the SpeedTouch™ can reliably forward every
packet type through the IPsec tunnel except limited broadcasts [ip.dst =
255.255.255.255].
E-DOC-CTC-20051017-0169 v0.1
153
Advertisement
Table of Contents
