HP Sa3110 - VPN Server Appliance Release Notes page 21

HP VPN Server Appliance SA3000 Series - Release 6.8.2 Release Notes

When the DHCP request is submitted to the VPN device,
the device must respond with an IP address and subnet
mask. To determine the subnet mask, the VPN device
searches its interfaces for the first match in which the
Client-IP resides on the network defined by the interface's
IP address and subnet mask.
If the intention is to include only the 172.16.20.0 mask
255.255.255.248 subnet as reachable through the VPN
device, the device should have an interface on that network
(for example, 172.16.20.1 mask 255.255.255.248). The
Client-IP should also be within that network, for example,
172.16.20.2 - 6.
In other words, when a VPN Client connects using
WINS/DNS to a VPN device that returns a Client-IP and
mask that is different from the defined subnet reachable
behind the VPN device, a route is added to the subnet
defined by the Client-IP and mask.
This route causes traffic to enter the virtual adapter. If,
however, there is no matching subnet listed in the
Connections tab after the tunnel is negotiated, packets sent
to the Client-IP network are discarded.
To illustrate the foregoing, given a VPN device that has a
group defined with Client-IPs starting at 10.1.1.1, with an
IP address defined on an Ethernet interface which is
10.1.1.254 mask 255.255.255.0, the first Client-IP/mask is
10.1.1.1 mask 255.255.255.0.
Note: The Client-IP's subnet mask comes from the first IP
address whose subnet matches the Client-IP. When the
VPN Client establishes a tunnel, the following route is
added on the Windows workstation, regardless of the fact
that there is no subnet defined in the VPN Client
connection or as a net-include for the tunnel:
10.1.1.0 255.255.255.0
10.1.1.1 1.0.1.1
One approach to this problem is to support a subnet mask
for the Client-IP command. The Client-IP address/mask
could then be used by the VPN Client to, by default, tunnel
all traffic to the network received in the DHCP reply. This
means that a net-include would not be necessary if only a
single subnet is reachable through the tunnel.
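
The first-match mask lookup and the resulting client route can be checked offline before a group is deployed. The following is an added example, not code from the release notes or from the appliance; the function names are hypothetical, the inputs are constructed (the first two reuse the addresses from the text), and treating a "matching" subnet as one equal to or containing the route is an assumption.

```python
import ipaddress

def client_network(client_ip, interfaces):
    """First-match lookup: return the network of the first interface whose
    subnet contains client_ip, or None if no interface matches."""
    ip = ipaddress.ip_address(client_ip)
    for addr, mask in interfaces:  # list order matters: the first match wins
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ip in net:
            return net
    return None

def audit(client_ip, interfaces, tunnel_subnets):
    """Report the route the client will add and whether a tunnel subnet
    covers it. Assumption: "matching" means equal to or containing the route."""
    route = client_network(client_ip, interfaces)
    subnets = [ipaddress.ip_network(s) for s in tunnel_subnets]
    covered = route is not None and any(route.subnet_of(s) for s in subnets)
    return {"route": str(route) if route else None, "covered": covered}

# Constructed inputs: (Client-IP, device interfaces, subnets defined for the tunnel).
CASES = [
    # Release-notes example: route is added but no subnet is defined.
    ("10.1.1.1", [("10.1.1.254", "255.255.255.0")], []),
    # Intended setup: interface, Client-IP and reachable subnet all agree.
    ("172.16.20.2", [("172.16.20.1", "255.255.255.248")], ["172.16.20.0/29"]),
    # Overlapping interfaces: the broader one is listed first and wins.
    ("10.1.1.1", [("10.1.0.1", "255.255.0.0"), ("10.1.1.254", "255.255.255.0")],
     ["10.1.1.0/24"]),
]

if __name__ == "__main__":
    for ip, ifaces, subnets in CASES:
        r = audit(ip, ifaces, subnets)
        state = "covered by tunnel" if r["covered"] else "route wider than tunnel: uncovered traffic is discarded"
        print(f"{ip}: route {r['route']} -> {state}")
```
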

This manual is also suitable for:

Sa3110, Sa3150, Sa3400, Sa3450