[Vpn-help] Routing and IP address assignment questions
mgrooms
mgrooms at shrew.net
Thu Oct 18 12:34:41 CDT 2007
On Wed, 17 Oct 2007 18:18:16 -0700, Marc Goldburg <mgoldburg at assia-inc.com>
wrote:
> I'm using the Shrewsoft v2.0.1 Windows client (on WinXP) to connect to a
> Linksys RV042 (v1.3.8.2 firmware). The tunnel establishes reliably, but
> IP packet routing is not reliable. Only certain hosts on the subnet
> behind the router are visible to the client (e.g., via ICMP ping) and
> only certain TCP/UDP protocols work well to those hosts (e.g., for one
> of the machines behind the RV042, SIP and telnet from the client work
> reliably, but not http).
>
> I've looked at the routing tables on the router and at the netstat -r
> and ipconfig outputs on the client to try to debug this, but I'm not
> sure what the "correct" output looks like. Answers to the following
> would be greatly appreciated (apologies in advance for the long list).
>
> - When the client is configured with "use an existing adapter and
> current address" for its address method, should the routing table on the
> router have an entry for the client's nominal IP address when the tunnel
> is up? Or does the router do something similar to NAT/PAT for the IP
> address of the client on the interface to its LAN-side subnet, so that
> traffic between the client and machines on the router's LAN-side subnet
> has the IP address of the router's LAN-side interface rather than the
> client's?
>
I'm not sure how your particular Gateway handles local route management. As
for the NAT question, I have seen Checkpoint gateways ( in non-office
connect mode ) perform NAT on the packet so that return packets can find
their way back to the gateway and then be tunneled to the client. In office
mode, the Checkpoint client uses a virtual network adapter that gets
assigned an IP address from a private address pool. Of course the NAT trick
is only required when your VPN Gateway is not also the route of last resort
for the private network it protects.
Almost all modern VPN Gateway/Clients use the assigned address and virtual
network adapter method since it's a cleaner solution. This also solves the
problem where multiple remote clients are behind different NAT devices and
have been assigned identical private network addresses. The Shrew Soft client
supports the direct non-virtual adapter method only to work with legacy
gateways that are not capable of assigning a virtual network adapter address.
> - When the client is configured with "use a virtual adapter and assigned
> address" for its address method:
>
> 1) if the virtual client address is on the subnet on the LAN-side of the
> router, how do other machines on the subnet know how to send traffic
> destined for the client to the router? Does the router do a proxy ARP
> for the virtual client IP address?
>
The gateway can't know, as IPsec doesn't work this way. IPsec policies are
evaluated at layer 3, so the remote client can't use an address that exists
in a network that is behind the VPN Gateway. This is another problem that
is avoided by having the Gateway assign a virtual network adapter address
to the Client :)
> 2) when the client is set to "obtain automatically" the assigned address
> for the virtual adapter (a) does it do this via DHCP and (b) can the
> DHCP server be a device on LAN-side subnet of the router other than the
> router itself? Currently, when I bring the tunnel up with "use a
> virtual adapter ..." for the address method, ipconfig on the local
> machine shows the virtual hardware address (aa:aa:aa:aa:aa:00 if I
> recall correctly), but no assigned IP address.
>
There are several methods used by VPN Gateways to assign a virtual network
address to a VPN Client. The most common is the Config Mode exchange
(modecfg or IKE-Config), which is a protocol extension defined in an RFC
draft. The second option that I am aware of is the DHCP over IPsec standard,
which is defined in a finalized RFC. The modecfg methods are supported by
the Shrew Soft Client Ver 2.0.1, and the DHCP over IPsec method is available
in the 2.1.0 pre-release I posted on the list a few days ago (certtest
release). Unfortunately, I would be surprised if either of these methods
is supported by your Linksys router. Try contacting Linksys and asking
them. If they say one is supported, I would be more than happy to do what I
can to help you get this working.
> Thanks.
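The reply above makes three points that are easier to see in a model than in prose: the gateway selects tunnel traffic purely by the inner layer-3 addresses, so (1) a client keeping its own private address gets replies only if the gateway is the LAN's default route or source-NATs the client, (2) a virtual address taken from inside the protected LAN is unreachable because no LAN host resolves it, and (3) two clients behind different NATs with the same private address collide unless the gateway hands each one a pool address. The following Python simulation is an added example and is not code from the thread, from Shrew Soft or from Linksys; the topology (192.168.1.0/24 LAN, gateway at 192.168.1.1, host 192.168.1.10, pool 10.8.0.0/24), the single-client NAT table without port translation, and the "no proxy ARP by the gateway" behaviour are all assumptions made for the illustration.

```python
"""Layer-3 view of remote-access IPsec return routing (constructed example).

The gateway matches traffic for a client purely by the packet's inner IP
addresses (the IPsec policy / SPD), so the LAN's ordinary routing and ARP
behaviour decide whether replies ever reach the tunnel. Topology, addresses
and the NAT simplification are assumptions of this example.
"""
import ipaddress

GW_LAN_IP = ipaddress.ip_address("192.168.1.1")   # gateway's LAN-side interface
LAN = ipaddress.ip_network("192.168.1.0/24")      # protected subnet
LAN_HOST = ipaddress.ip_address("192.168.1.10")   # host the client talks to


class Gateway:
    def __init__(self, is_lan_default_route, nat_clients):
        self.is_lan_default_route = is_lan_default_route
        self.nat_clients = nat_clients   # rewrite client source to GW_LAN_IP
        self.spd = {}        # inner client address -> peer (the L3 selector)
        self.nat_table = {}  # LAN host -> real client address (1 client, no PAT)

    def add_client(self, peer, inner_addr):
        """Install the policy that selects traffic to/from this client address."""
        inner = ipaddress.ip_address(inner_addr)
        if inner in self.spd and self.spd[inner] != peer:
            return "conflict"   # two peers behind different NATs, same private address
        self.spd[inner] = peer
        return "installed"

    def lan_next_hop(self, dst):
        """Where a LAN host sends a packet for dst (ordinary host routing)."""
        if dst in LAN:
            return "arp"        # on-link: resolve dst on the segment
        return "gateway" if self.is_lan_default_route else "other-router"

    def round_trip(self, peer, inner_addr):
        """Client -> LAN_HOST, then LAN_HOST's reply; returns what happened."""
        inner = ipaddress.ip_address(inner_addr)
        if self.spd.get(inner) != peer:
            return "no-policy"
        # Outbound: gateway decapsulates and forwards onto the LAN.
        src_seen_by_lan = inner
        if self.nat_clients:
            src_seen_by_lan = GW_LAN_IP
            self.nat_table[LAN_HOST] = inner
        # Inbound: the LAN host replies to the source address it saw.
        hop = self.lan_next_hop(src_seen_by_lan)
        if hop == "other-router":
            return "lost-routed-past-gateway"
        if hop == "arp" and src_seen_by_lan != GW_LAN_IP:
            # Nobody on the LAN owns the client's address and the gateway is
            # modelled as not proxy-ARPing for it (assumption of this example).
            return "lost-no-arp-reply"
        # Reply reached the gateway: undo NAT if any, then do the policy lookup.
        reply_dst = self.nat_table.pop(LAN_HOST, src_seen_by_lan)
        return "tunneled" if reply_dst in self.spd else "lost-no-policy"


def run_scenarios():
    results = {}
    # "Existing adapter" mode: client keeps its own private address 192.168.0.5.
    gw = Gateway(is_lan_default_route=False, nat_clients=False)
    gw.add_client("alice", "192.168.0.5")
    results["existing-addr, gw not default route"] = gw.round_trip("alice", "192.168.0.5")

    gw = Gateway(is_lan_default_route=False, nat_clients=True)
    gw.add_client("alice", "192.168.0.5")
    results["existing-addr, NAT trick"] = gw.round_trip("alice", "192.168.0.5")

    gw = Gateway(is_lan_default_route=True, nat_clients=False)
    gw.add_client("alice", "192.168.0.5")
    results["existing-addr, gw is default route"] = gw.round_trip("alice", "192.168.0.5")
    # A second client behind a different NAT that also happens to use 192.168.0.5.
    results["second client, same private addr"] = gw.add_client("bob", "192.168.0.5")

    # Virtual adapter address chosen from inside the protected LAN.
    gw = Gateway(is_lan_default_route=True, nat_clients=False)
    gw.add_client("alice", "192.168.1.50")
    results["virtual addr inside LAN"] = gw.round_trip("alice", "192.168.1.50")

    # Virtual adapter addresses assigned from a separate pool (modecfg / DHCP over IPsec).
    gw = Gateway(is_lan_default_route=True, nat_clients=False)
    gw.add_client("alice", "10.8.0.2")
    gw.add_client("bob", "10.8.0.3")
    results["virtual addr from pool"] = gw.round_trip("bob", "10.8.0.3")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:40} {outcome}")
```

Run it and the only configurations that complete the round trip are the NAT trick, the gateway being the LAN's default route, and pool-assigned virtual addresses; the in-LAN virtual address and the second client with a duplicate private address fail exactly as the reply describes.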