Client Mode With Split Tunneling; Network Extension Mode; Network Extension Mode Per Group; Network Extension Mode With Split Tunneling - Cisco CVPN3002-K9 - Fast Ethernet VPN Gateway Getting Started


Chapter 1
Understanding the VPN 3002 Hardware Client

Client Mode with Split Tunneling

You always assign the VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable
split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002
to networks within the network list for that group behind the central-site VPN Concentrator.

Traffic from the VPN 3002 to any destination other than those within the network list for that group on
the central-site VPN Concentrator travels in the clear, without IPSec applied. NAT translates the
network addresses of the devices connected to the VPN 3002 private interface to the assigned IP address
of the public interface and also keeps track of these mappings so that it can forward replies to the correct
device.

The network and addresses on the private side of the VPN 3002 are hidden and cannot be accessed
directly.

Network Extension Mode

Network Extension mode allows the VPN 3002 to present a single, routable network to the remote
private network over the VPN tunnel. IPSec encapsulates all traffic from the VPN 3002 private network
to networks behind the central-site VPN Concentrator. PAT does not apply. Therefore, devices behind
the VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel,
and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is
up, either side can initiate data exchange.

In this mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it
does in Client/PAT mode). The tunnel is terminated with the VPN 3002 private IP address (the assigned
IP address). To use Network Extension mode, you must configure an IP address other than the default of
192.168.10.1 and disable PAT.

Network Extension Mode per Group

Software versions 3.6 and later let a network administrator restrict the use of network extension mode.
On the VPN Concentrator, you enable network extension mode for VPN 3002 hardware clients on a
group basis.

Note: If you disallow network extension mode, which is the default setting on the VPN Concentrator, the
VPN 3002 can connect to that VPN Concentrator in PAT mode only. In this case, be careful that all
VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network
extension mode and the VPN Concentrator to which it connects disallows network extension mode,
the VPN 3002 will attempt to connect every 4 seconds, and every attempt will be rejected; this is the
equivalent of a denial-of-service attack.
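
An added example, not part of the Cisco manual: a Python check over a constructed inventory that flags the group mismatch described in the note above and the two Network Extension mode prerequisites stated earlier (a non-default private IP address, PAT disabled). The inventory record layout, client names, group names and addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_PRIVATE_IP = "192.168.10.1"   # default private address named in the manual
RETRY_INTERVAL_S = 4                  # retry interval stated in the note above


@dataclass
class Client:                # one VPN 3002 (hypothetical inventory record)
    name: str
    group: str               # tunnel group on the central-site VPN Concentrator
    mode: str                # "pat" (Client mode) or "nem" (Network Extension mode)
    private_ip: str
    pat_enabled: bool


def audit(clients, groups_allowing_nem):
    """Return (client name, finding) pairs for settings the manual warns about.

    groups_allowing_nem: set of groups where the Concentrator has network
    extension mode enabled; every other group keeps the default (disallowed).
    """
    findings = []
    for c in clients:
        if c.mode != "nem":
            continue                      # PAT-mode clients connect either way
        if c.group not in groups_allowing_nem:
            per_hour = 3600 // RETRY_INTERVAL_S
            findings.append((c.name, f"group '{c.group}' disallows NEM: "
                             f"about {per_hour} rejected attempts per hour"))
        if c.private_ip == DEFAULT_PRIVATE_IP:
            findings.append((c.name, "NEM needs a private IP other than the default"))
        if c.pat_enabled:
            findings.append((c.name, "NEM needs PAT disabled"))
    return findings


# Constructed sample inventory (not from the manual).
SAMPLE_CLIENTS = [
    Client("branch-a", "retail", "pat", "192.168.10.1", True),
    Client("branch-b", "retail", "nem", "10.20.1.1", False),
    Client("branch-c", "warehouse", "nem", "192.168.10.1", True),
    Client("branch-d", "warehouse", "nem", "10.30.1.1", False),
]
SAMPLE_NEM_GROUPS = {"warehouse"}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CLIENTS, SAMPLE_NEM_GROUPS):
        print(f"{name}: {finding}")
```
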

Network Extension Mode with Split Tunneling

You always assign the VPN 3002 to a tunnel group on the central-site VPN Concentrator. If you enable
split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks
within the network list for that group behind the central-site VPN Concentrator. PAT does not apply.
OL-2854-01
Client Mode and Network Extension Mode
VPN 3002 Hardware Client Getting Started
