[Vpn-help] 2.03/xp: standard gateway should not be changed
Matthew Grooms
mgrooms at shrew.net
Fri Dec 14 21:24:49 CST 2007
Thorsten Albrecht wrote:
>
> ok, thanks, it works.
>
> Just a question concerning...
> "When Automatic Policy Configuration is enabled but the remote Gateway
> does not supply topology information, the VPN Client will install a
> default policy that tunnels all traffic to the Gateway."
>
> It would be nice to deactivate this behaviour just with a checkbox as
> in Windows ... (I think the most common case is that people do not
> want to travel all traffic to the vpn gateway)
>
Thorsten,
You mean other than the "Obtain Topology Automatically" checkbox? The
problem is that the client won't pass any traffic if there are no
policies defined. The default route exists because a default policy has
been created that will tunnel all traffic ( 0.0.0.0 / 0.0.0.0 ) to the
distant network. The routes are created to match remote policy IDs so
that packets destined for remote networks are sourced from the virtual
adapter.
To build a policy, you first need local and remote IDs. We know the
local ID which will be either the public adapter IP address or the
virtual adapter IP address. The remote IDs must be defined somehow.
The current options are ...
1) obtain the network ID list automatically from the gateway
2) use a single network ID that means everything
3) manually define a list of network IDs
The client will only be able to use option (1) when communicating with a
Cisco, ipsec-tools or Shrew Soft IKE daemon. Option (2) is the default
behavior when option (1) is not possible. Option (3) requires that you
have knowledge of the remote network topology.
Thanks,
-Matthew
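The policy mechanics Matthew describes (a policy is a local ID plus a remote network ID, traffic is only passed when some policy's remote ID covers the destination, and with no topology information the client falls back to a single 0.0.0.0 / 0.0.0.0 policy) can be made concrete with a small model. The following is an added example written for this page, not code from the Shrew Soft client; the function names, the longest-prefix selection rule and the sample addresses are assumptions chosen for illustration.

```python
"""Added illustration (not Shrew Soft client code): how a list of remote
network IDs becomes tunnel policies and which destinations they capture."""
import ipaddress


def build_policies(local_id, remote_ids):
    """Return a list of (local_id, remote_network) policy pairs.

    local_id is the public or virtual adapter address.  An empty remote_ids
    list reproduces option (2) from the reply: one policy whose remote ID is
    0.0.0.0 / 0.0.0.0, so every destination is tunnelled.  A populated list
    corresponds to options (1) or (3), i.e. a split tunnel.
    (Hypothetical helper written for this example.)
    """
    local = ipaddress.ip_address(local_id)
    if not remote_ids:
        remote_ids = ["0.0.0.0/0.0.0.0"]
    policies = []
    for rid in remote_ids:
        # Accept "net / mask" as written in the message as well as CIDR.
        net = ipaddress.ip_network(rid.replace(" ", ""), strict=False)
        policies.append((local, net))
    return policies


def select_policy(policies, dst):
    """Return the policy whose remote ID contains dst, preferring the most
    specific network (longest prefix), or None when nothing matches.
    None models the case in the reply where the client passes no traffic.
    (Assumed selection rule for this example.)
    """
    d = ipaddress.ip_address(dst)
    best = None
    for local, net in policies:
        if d in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (local, net)
    return best


def is_tunneled(policies, dst):
    """True if some policy would carry traffic to dst through the tunnel."""
    return select_policy(policies, dst) is not None


if __name__ == "__main__":
    # Constructed sample data: a virtual adapter address and two remote IDs
    # of the kind a gateway would supply as topology information.
    full = build_policies("10.8.0.2", [])
    split = build_policies("10.8.0.2",
                           ["192.168.1.0 / 255.255.255.0", "10.0.0.0/8"])
    for dst in ("192.168.1.5", "10.2.3.4", "8.8.8.8"):
        print(dst, "full-tunnel:", is_tunneled(full, dst),
              "split-tunnel:", is_tunneled(split, dst))
```

Running it shows the trade-off the thread is about: with an empty remote list the default policy carries 8.8.8.8 as well as the private networks, while the split policy carries only destinations inside the listed remote IDs and drops the rest, which is why the client cannot simply omit the default policy without being handed (or given by hand) a remote ID list.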