[vpn] client-gateway (nat-nat)

dgillett at deepforest.org dgillett at deepforest.org
Mon Dec 17 15:47:12 EST 2001


On 17 Dec 2001, at 20:20, Salah Eddine Bohoudi wrote:

> -----Original Message-----
> From: dgillett at deepforest.org [mailto:dgillett at deepforest.org]
> Sent: Sunday, December 16, 2001 11:39 AM
> To: Salah Eddine Bohoudi; vpn at securityfocus.com
> Subject: Re: [vpn] client-gateway (nat-nat)
> 
> 
>   In the cases where I have run into this, the client has TWO IP
> addresses.  It has its local LAN address, which is used to pass
> "real" packets between it and the NAT device.
>   It has a second *virtual* network interface for tunnelled packets,
> and this one gets an address handed to it (via DHCP) byt the gateway
> as part of tunnel establishment.  Devices beyond the gateway address
> it via this virtual address, which the gateway knows to send through
> the tunnel to the NAT device.
> 
> 
> Many clients (SafeNet, Ashley-Laurent
> OEMs) let you statically configure an inner IP address (VIP) for a tunnel. I
> am using the checkpoint vpn secureclient en the gateway is a FW-1 VPN box. I
> wonder whether it's possible to specify an inner IP adress en how a specific
> application can use the ip adress of this virtual interface instead of the
> ip adress of the local lan adress ?
> Is is for instance possible to let some traffic (say ftp) use this the
> virtual ip adress as source adress and some other application use the local
> lan adress (binding aspect).
> 
> Thanks in advance

  Some VPN products let remote client applications access the local 
LAN/WAN interface while there is a virtual connection to the VPN.  
Vendors call this feature "split tunnelling".  (The selection of 
which interface to use for outbound packets, where there are several 
available, is *usually* determined by routing, based on destination, 
rather than by application....)

  Because it opens the possibility that that the client machine might 
act as a backdoor route from untrusted networks, including the 
Internet, to the network hosting the VPN, this feature generally 
defaults to "off" -- and most admins prefer to leave it that way.

Dave Gillett



VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list