Source Address

David Gillett dgillett at niku.com
Tue Dec 7 12:47:49 EST 1999


  The VPN device appears as the destination of the encrypted packet.  The
payload, when unencrypted, carries its original source and destination
addresses.
  Typically, however, the source address will refer to a *virtual* adapter
in the originating machine, rather than the machine's "real" address.  This
virtual address can be one issued via DHCP at the time the tunnel is
connected.
  Since you've chosen to terminate the tunnel in front of the firewall, if
you use DHCP this way, I would designate a particular block of addresses to
be issued to VPN connections (and recognized by the firewall policies).
[Many VPN devices can serve DHCP for precisely this purpose.]  If the tunnel
terminated behind the firewall, then remote users could be issued addresses
from the same DHCP scope (and server) as users directly on the internal
network.

David Gillett
Enterprise Server Manager, Niku Corp.
(650) 701-2702


-----Original Message-----
From: owner-vpn at listserv.secnetgroup.com
[mailto:owner-vpn at listserv.secnetgroup.com]On Behalf Of Jeffery Eric
Contr 95CS/TYBRIN
Sent: Friday, December 03, 1999 1:53 PM
To: 'vpn at listserv.secnetgroup.com'
Subject: Source Address


Scenario:

VPN set up has External Router connected to a Firewall via port 1 and a VPN
Device via port 2.  The VPN Device is connected to the Firewall as well, but
NOT to the Enterprise WAN.  The Firewall is connected to an Internal switch
and from there reaches the Enterprise WAN.  A VPN user located across the
country establishes a successful VPN connection with the VPN Device.  The
user then makes a SQL call to a server inside the Enterprise.  The External
Router will send the packet to the VPN Device.

Router-----------------------------------------------VPN Device
				|	|
				|	|
				|	|
|--------Firewall---------------------------------------Internal Network

Question:

The VPN device will then forward the packet to the Firewall.  Is the source
address on this packet from the User across the country or is it the source
address from the VPN Device?  Assume all VPN traffic uses IPSec.

Eric Jeffery, MCSE
Network Systems Analyst
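
The encapsulation described in the reply, as an added example that is not part of either message: the outer packet is addressed to the VPN device, and the inner packet it forwards carries the client's virtual-adapter source address, which the firewall can match against a designated VPN block. Plain IP-in-IP (protocol 4) stands in here for the decrypted IPSec tunnel payload, and every address, the pool and the function names are constructed assumptions.

```python
import ipaddress
import struct

# Constructed sample values; none of these addresses come from the thread.
VPN_DEVICE = ipaddress.ip_address("203.0.113.5")   # tunnel endpoint (assumed)
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")    # block issued to VPN clients (assumed)
IPPROTO_IPIP, IPPROTO_TCP = 4, 6

def build_ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header plus payload (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); reject anything that is not sane IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    return (ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]),
            pkt[9], pkt[ihl:])

def vpn_device_forward(outer_pkt):
    """What the VPN device hands to the firewall: the inner packet, unchanged."""
    _src, dst, proto, payload = parse_ipv4(outer_pkt)
    if dst != VPN_DEVICE or proto != IPPROTO_IPIP:
        raise ValueError("not tunnel traffic for this device")
    return payload

def firewall_classify(inner_pkt):
    """Source address the firewall sees, and whether it is in the VPN block."""
    src, dst, _proto, _payload = parse_ipv4(inner_pkt)
    return str(src), str(dst), "vpn-pool" if src in VPN_POOL else "not-vpn-pool"

def demo():
    # Virtual adapter address -> internal server, wrapped in client -> VPN device.
    inner = build_ipv4("10.99.0.17", "10.1.2.30", IPPROTO_TCP, b"sql")
    outer = build_ipv4("198.51.100.23", str(VPN_DEVICE), IPPROTO_IPIP, inner)
    return firewall_classify(vpn_device_forward(outer))

if __name__ == "__main__":
    print(demo())
```

A firewall rule set built on this would accept only sources inside the VPN block on the interface facing the VPN device; an inner source outside that block is classified separately so it can be dropped or logged.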

