[vpn] client-gateway (nat-nat)

dgillett at deepforest.org dgillett at deepforest.org
Sun Dec 16 05:39:22 EST 2001


On 15 Dec 2001, at 1:32, Salah Eddine Bohoudi wrote:

> Hello everybody,
> 
> I have a question about the following vpn scenario:
> 
> Client
> -------------Nat----------------------------------------GW------Internet
> Network
> 
> The client must set up a VPN connection through the NAT device to
> the VPN termination point (GW). 
> The client can have any possible address and the NAT device is
> optional (allowing access to everybody with internet access). The
> problem arises if the client has a non-routable address, say in the
> 10.0.0.0/8 range. Actually we can get this working through
> UDP encapsulation and we can indeed build a tunnel between the
> client and the GW through the NAT device. But when the packet is
> decrypted and de-encapsulated the GW faces the problem of the
> non-routable address, as the internet network can also have a
> private address in the same range (10.0.0.0/8). I hope that the
> point is clear and that somebody has a clean fix for this. 
> 
> Thanks in advance,
> 
> 
> Salah Eddine Bohoudi

  In the cases where I have run into this, the client has TWO IP 
addresses.  It has its local LAN address, which is used to pass 
"real" packets between it and the NAT device.
  It has a second *virtual* network interface for tunnelled packets, 
and this one gets an address handed to it (via DHCP) by the gateway 
as part of tunnel establishment.  Devices beyond the gateway address 
it via this virtual address, which the gateway knows to send through 
the tunnel to the NAT device.

  Hang on a sec -- Your placement of the Internet on your diagram is 
VERY STRANGE.
  The usual arrangement is:

Client                               Protected  
-----=====NAT=====Internet=====GW-------------
Network                                Network

  A connection between the client device and the gateway -- across 
the Internet! -- carries encapsulated/encrypted traffic between 
client applications and the protected network, so that its details 
are not exposed while it transits the Internet.
  Why would anyone build a VPN *to* the Internet, except perhaps to 
conceal Internet traffic that violates local network policy....?

Dave Gillett
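As an added example (not part of this thread, and not any particular VPN product's code), a small Python simulation of the two-address arrangement described above: the gateway hands each tunnel a virtual address from a pool disjoint from the protected network, accepts inner packets only from that virtual address, and routes replies back through the tunnel by that address alone, so the client's private LAN address never matters. The address ranges, the NAT endpoint and the UDP port are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: protected network behind GW, and GW's pool of
# tunnel (virtual) addresses, which must not overlap the protected net.
PROTECTED_NET = ipaddress.ip_network("10.0.0.0/8")
VIRTUAL_POOL = ipaddress.ip_network("172.16.100.0/24")


def pool_is_disjoint():
    """Sanity check an operator should run: virtual pool vs. protected net."""
    return not VIRTUAL_POOL.overlaps(PROTECTED_NET)


@dataclass
class Tunnel:
    outer_endpoint: tuple            # (NAT device public IP, UDP port) as seen by GW
    virtual_ip: ipaddress.IPv4Address


class Gateway:
    def __init__(self):
        self._pool = iter(VIRTUAL_POOL.hosts())
        self.by_outer = {}    # outer endpoint -> Tunnel
        self.by_virtual = {}  # virtual address -> Tunnel

    def establish(self, outer_endpoint):
        """Tunnel setup: lease the client a virtual address (DHCP-like)."""
        vip = next(self._pool)
        t = Tunnel(outer_endpoint, vip)
        self.by_outer[outer_endpoint] = t
        self.by_virtual[vip] = t
        return vip

    def inbound(self, outer_endpoint, inner_src, inner_dst):
        """Decapsulated packet from a tunnel. Deliver only if the inner source
        is the virtual address leased to that tunnel; a client LAN address
        (which may collide with 10/8) leaking in is dropped, not routed."""
        t = self.by_outer.get(outer_endpoint)
        if t is None or ipaddress.ip_address(inner_src) != t.virtual_ip:
            return None
        return ("deliver", str(inner_dst))

    def outbound(self, dst):
        """Packet from the protected network. A virtual-pool destination is
        encapsulated toward the NAT public endpoint; anything else is local."""
        t = self.by_virtual.get(ipaddress.ip_address(dst))
        if t is None:
            return ("local", str(dst))
        return ("encapsulate", t.outer_endpoint)
```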

VPN is sponsored by SecurityFocus.com