[VPN] Cisco VPN and Proxy ARP
cgripp at automotive.com
Thu May 8 19:24:12 EDT 2003
Couldn't you work around it by providing the 2 clients separate IP networks and then having routes to those on a central router on your network?
The packet flow would be:
From: David Goldsmith [mailto:dgoldsmith at sans.org]
Sent: Tuesday, May 06, 2003 12:30 PM
To: vpn at lists.shmoo.com
Subject: Re: [VPN] Cisco VPN and Proxy ARP
Just got off the phone with Cisco TAC. This is a known bug in the proxy
ARP code. It was discovered in the 3.6.7A firmware and is still a bug
in 4.0. The 4.1 firmware includes a fix and will be out shortly.
On Tue, 2003-05-06 at 11:57, David Goldsmith wrote:
> I have a working setup using a Cisco 3000 concentrator and Cisco VPN
> clients. Users who activate the VPN Client can communicate with any
> 'internal' servers that the firewall allows. While clients are
> connected, the internal servers can also communicate with the VPN
> Client's tunneled IP address.
> What I am trying to do is to allow two VPN clients to talk directly to
> each other. I have configured a 'Tunnel Default Gateway' which points
> to the internal firewall connected to the same network segment as the
> internal private interface on the VPN concentrator.
> The VPN private network segment is 192.168.100.0/24. The internal
> firewall is 192.168.100.1 and the private VPN interface is
> 192.168.100.2. If Client A (192.168.100.128) pings Client B
> (192.168.100.140), I see ICMP echo requests that are sent from .128 to
> the .140 IP address but that use the firewall's MAC address as the
> destination MAC address.
> Is this method of communication (client-to-client) possible and if so,
> what configuration option(s) do I need to change?
> David Goldsmith
> VPN mailing list
> VPN at lists.shmoo.com
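An added diagnostic, not from this thread or from Cisco, for confirming the symptom described above: it pairs ARP requests and replies captured on the 192.168.100.0/24 private segment and lists tunneled client addresses the firewall asked for that the concentrator never answered. The MAC addresses, the ARP records and the expectation that the concentrator proxy-answers with its own MAC for connected clients are constructed assumptions.

```python
from collections import defaultdict

# Constructed placeholder MACs; in practice take them from the capture.
FIREWALL_MAC = "00:00:5e:00:53:01"      # 192.168.100.1 (tunnel default gateway)
CONCENTRATOR_MAC = "00:00:5e:00:53:02"  # 192.168.100.2 (private interface)

# Constructed ARP records as seen on the private segment:
# (op, sender_mac, sender_ip, target_ip); 'request' = who-has, 'reply' = is-at
SAMPLE_ARP = [
    ("request", FIREWALL_MAC, "192.168.100.1", "192.168.100.2"),
    ("reply", CONCENTRATOR_MAC, "192.168.100.2", "192.168.100.1"),
    # Firewall tries to deliver Client A's echo request to Client B (.140)
    ("request", FIREWALL_MAC, "192.168.100.1", "192.168.100.140"),
    ("request", FIREWALL_MAC, "192.168.100.1", "192.168.100.140"),  # retry
    # Lookup for Client A (.128) is proxy-answered by the concentrator
    ("request", FIREWALL_MAC, "192.168.100.1", "192.168.100.128"),
    ("reply", CONCENTRATOR_MAC, "192.168.100.128", "192.168.100.1"),
]

# Assumption: the concentrator's session table lists these tunneled clients.
TUNNELED_CLIENTS = {"192.168.100.128", "192.168.100.140"}


def unanswered_proxy_arp(records, tunneled_clients, proxy_mac=CONCENTRATOR_MAC):
    """Return {client_ip: request_count} for tunneled client addresses that
    were ARP'd for on the private segment but never answered by the
    concentrator's MAC (the expected proxy ARP responder for those hosts)."""
    asked = defaultdict(int)
    answered = set()
    for op, sender_mac, sender_ip, target_ip in records:
        if op == "request" and target_ip in tunneled_clients:
            asked[target_ip] += 1
        elif op == "reply" and sender_ip in tunneled_clients and sender_mac == proxy_mac:
            answered.add(sender_ip)
    return {ip: n for ip, n in asked.items() if ip not in answered}


if __name__ == "__main__":
    for ip, count in unanswered_proxy_arp(SAMPLE_ARP, TUNNELED_CLIENTS).items():
        print(f"{ip}: {count} ARP request(s) with no proxy reply")
```

An empty result means every tunneled address the gateway looked up was proxy-answered, so client-to-client traffic is failing somewhere other than ARP.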