[Vpn-help] Connection Running Afoul of XAUTH
Matthew Grooms
mgrooms at shrew.net
Mon Dec 8 21:03:44 CST 2008
Ron Westfall wrote:
> Matthew
>
> Thank you very much for the response!
>
> A followup question for the list ...
>
> As Matthew has pointed out, the D-Link DI-804HV does not fully support
> modecfg (i.e. automatic client configuration). Unfortunately for me,
> I need to configure the VPN client with an IP address from the secured
> network. My secured network has default routers that are not the VPN
> gateway. If the VPN client uses a non-secured network IP address, I
> can get packets from the VPN client through the tunnel to the
> computers in the secured network, but the response packets get sent to
> the default routers instead of the VPN gateway.
>
I understand what you are trying to do, but that's not how IPsec works.
http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001834.html
As an alternative, L2TP will probably do what you want as long as your
gateway supports it. Good luck with that. I have tried a few times to
connect the built-in Windows L2TP/IPsec client to commercial gateways.
It's really good fun :)
> What I need is a VPN gateway that will configure the VPN client
> (presumably via modecfg) with an IP address from the secured network.
> Ideally the VPN gateway could work with DHCP to do this, but I can
> always assign a fixed IP address if I have to. Once the tunnel is up,
> the VPN gateway would be required to respond to ARP requests with its
> own Ethernet MAC address when computers on the secured network try to
> respond and ask for an ARP translation of the VPN client's secured
> network IP address. Does anybody care to recommend a VPN gateway that
> has this behavior? I am sure I could do it with an expensive Cisco or
> other high end VPN gateway, but I only need to support a very few
> remote users.
>
I'm pretty certain that the Cisco guides specifically state that IPsec
VPN client networks can't overlap with private networks. What you are
describing isn't an IPsec protocol deficiency, it's a routing problem :)
When the VPN gateway isn't the private network default gateway, it would
usually reside on the far side of a firewall with its own internet IP
address. Packets from the internal network destined to a VPN network
would be forwarded to the VPN gateway via a discrete intermediate private
network. The other option is to place the gateway in a DMZ and forward
UDP port 500, UDP port 4500 and ESP traffic directly to the VPN gateway
using static NAT. Either of these options is good if you need to use a
device other than the default border router for VPN services. Another
incredibly unattractive solution would be to add static routes to select
internal hosts (bad idea).
You could also add a route to the default gateway to forward traffic
destined to the VPN client network back inside to the VPN gateway. The
drawback is that the default gateway may produce ICMP redirect messages
to inform a sender when packets should be forwarded directly to another
peer router (like the VPN gateway). Besides that, it should work.
Hope this helps,
-Matthew
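The routing argument in Matthew's reply (return packets follow the hosts' default route, and a route added on the default gateway that points back inside triggers ICMP redirects) can be made concrete with a small longest-prefix-match model. The code below is an added illustration for this archive page, not code from the thread or from the Shrew Soft client; the addresses (192.168.1.0/24 as the secured LAN, 10.9.0.0/24 as the VPN client pool, 192.168.1.1 as the default router, 192.168.1.254 as the VPN gateway, 203.0.113.1 as the upstream hop) and the interface names are constructed assumptions.

```python
"""Forwarding-table model of the scenario discussed in the thread.
Constructed example: addresses and interface names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed topology (assumptions, not taken from the post):
SECURED_NET = Net("192.168.1.0/24")    # the "secured network"
VPN_CLIENT_NET = Net("10.9.0.0/24")    # non-secured address pool handed to VPN clients
DEFAULT_GW = IPv4("192.168.1.1")       # the hosts' default router
VPN_GW = IPv4("192.168.1.254")         # the VPN gateway, on the same LAN
ISP_HOP = IPv4("203.0.113.1")          # default router's upstream next hop
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: Optional[IPv4]   # None means the prefix is directly connected
    iface: str


def lookup(table, dst):
    """Longest-prefix match over a forwarding table; None if nothing matches."""
    dst = IPv4(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def host_reply_next_hop(client_ip):
    """Where an internal host sends its reply to a VPN client.
    Hosts know only the connected LAN and a default route, which is why a
    client with a non-secured address gets answered via the default router."""
    table = [Route(SECURED_NET, None, "eth0"), Route(ANY, DEFAULT_GW, "eth0")]
    r = lookup(table, client_ip)
    if r.next_hop is not None:
        return str(r.next_hop)
    # Directly connected: the host ARPs for the client address itself, so a
    # gateway handing out secured-network addresses would have to answer ARP.
    return str(IPv4(client_ip))


def default_gw_forward(src_ip, dst_ip, in_iface="lan", vpn_route=False):
    """Forwarding decision on the default gateway.
    Returns (out_iface, next_hop, sends_redirect). A router generates an ICMP
    redirect when the packet leaves through the interface it arrived on and
    the chosen next hop sits on the same subnet as the sender."""
    table = [Route(SECURED_NET, None, "lan"), Route(ANY, ISP_HOP, "wan")]
    if vpn_route:
        # The "add a route to the default gateway" option from the thread.
        table.append(Route(VPN_CLIENT_NET, VPN_GW, "lan"))
    r = lookup(table, dst_ip)
    if r is None:
        return ("drop", None, False)
    nh = r.next_hop if r.next_hop is not None else IPv4(dst_ip)
    redirect = (r.iface == in_iface
                and IPv4(src_ip) in SECURED_NET
                and nh in SECURED_NET)
    return (r.iface, str(nh), redirect)


if __name__ == "__main__":
    print("reply to 10.9.0.5 goes to:", host_reply_next_hop("10.9.0.5"))
    print("reply to 192.168.1.200 goes to:", host_reply_next_hop("192.168.1.200"))
    print("default gw, no VPN route:", default_gw_forward("192.168.1.10", "10.9.0.5"))
    print("default gw, VPN route added:",
          default_gw_forward("192.168.1.10", "10.9.0.5", vpn_route=True))
```

Without the extra route the default gateway pushes the reply out its WAN side and the tunnel never sees it; with the route it hairpins the packet back to the VPN gateway but flags a redirect, which is exactly the drawback the reply describes. The directly-connected case shows why a gateway assigning secured-network addresses must answer ARP for them.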