[Vpn-help] Connection Running Afoul of XAUTH

Matthew Grooms mgrooms at shrew.net
Mon Dec 8 21:03:44 CST 2008


Ron Westfall wrote:
> Matthew
> 
> Thank you very much for the response!
> 
> A followup question for the list ...
> 
> As Matthew has pointed out, the D-Link DI-804HV does not fully support  
> modecfg (i.e. automatic client configuration).  Unfortunately for me,  
> I need to configure the VPN client with an IP address from the secured  
> network.  My secured network has default routers that are not the VPN  
> gateway.  If the VPN client uses a non-secured network IP address, I  
> can get packets from the VPN client through the tunnel to the  
> computers in the secured network, but the response packets get sent to  
> the default routers instead of the VPN gateway.
> 

I understand what you are trying to do, but that's not how IPsec works.

http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001834.html

As an alternative, L2TP will probably do what you want as long as your 
gateway supports it. Good luck with that. I have tried a few times to 
connect the built in windows L2TP/IPsec client to commercial gateways. 
It's really good fun :)

> What I need is a VPN gateway that will configure the VPN client  
> (presumably via modecfg) with an IP address from the secured network.   
> Ideally the VPN gateway could work with DHCP to do this, but I can  
> always assign a fixed IP address if I have to.  Once the tunnel is up,  
> the VPN gateway would be required to respond to ARP requests with its  
> own Ethernet MAC address when computers on the secured network try to  
> respond and ask for an ARP translation of the VPN client's secured  
> network IP address.  Does anybody care to recommend a VPN gateway that  
> has this behavior?  I am sure I could do it with an expensive Cisco or  
> other high end VPN gateway, but I only need to support a very few  
> remote users.
> 

I'm pretty certain that the Cisco guides specifically state that IPsec 
VPN client networks can't overlap with private networks. What you are 
describing isn't an IPsec protocol deficiency, it's a routing problem :)

When the VPN gateway isn't the private network default gateway, it would 
usually reside on the far side of a firewall with its own internet IP 
address. Packets from the internal network destined to a VPN network 
would be forwarded to the VPN gateway via a discrete intermediate private 
network. The other option is to place the gateway in a DMZ and forward 
UDP port 500, UDP port 4500 and ESP traffic directly to the VPN gateway 
using static NAT. Either of these options is good if you need to use a 
device other than the default border router for VPN services. Another 
incredibly unattractive solution would be to add static routes to select 
internal hosts ( bad idea ).

You could also add a route to the default gateway to forward traffic 
destined to the VPN client network back inside to the VPN gateway. The 
drawback is that the default gateway may produce ICMP redirect messages 
to inform a sender when packets should be forwarded directly to another 
peer router ( like the VPN gateway ). Besides that, it should work.

Hope this helps,

-Matthew
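The two workable placements Matthew describes (a DMZ'd gateway behind static NAT for IKE, NAT-T and ESP, or a route on the default gateway that hairpins the VPN client network back inside) and the ICMP-redirect caveat can be written out as a small planning script. The following is an added worked example, not code from this thread, from Shrew Soft or from the D-Link unit; every address, the interface name eth0 and the Linux iptables/ip/sysctl command forms are assumptions chosen for illustration. It also encodes the "client pool must not overlap the private network" rule the Cisco guides are cited for.

```python
"""Routing plan for an IPsec gateway that is not the LAN default router.
Added worked example for the vpn-help thread; not Shrew Soft or D-Link code.
All addresses below are constructed for illustration (assumptions)."""
import ipaddress

# Constructed topology (assumption, not taken from the thread)
PRIVATE_LAN = "192.168.1.0/24"      # the secured network
VPN_GW = "192.168.1.5"              # VPN gateway's inside address
VPN_CLIENT_POOL = "10.99.0.0/24"    # modecfg pool, disjoint from the LAN
PUBLIC_IP = "203.0.113.10"          # border router's internet address


def overlapping_nets(private_nets, vpn_pool):
    """Private networks the client pool collides with. IPsec gateways expect
    the pool to be disjoint from the networks behind them, so a non-empty
    result means the addressing has to change before any routing fix."""
    pool = ipaddress.ip_network(vpn_pool)
    return [str(n) for n in map(ipaddress.ip_network, private_nets)
            if n.overlaps(pool)]


def dmz_forwarding_rules(public_ip, vpn_gw):
    """DMZ option: static NAT on the border router that hands IKE (UDP/500),
    NAT-T (UDP/4500) and ESP (IP protocol 50) to the VPN gateway.
    ESP carries no ports, so it is matched by protocol alone."""
    match = f"iptables -t nat -A PREROUTING -d {public_ip}"
    action = f"-j DNAT --to-destination {vpn_gw}"
    return [
        f"{match} -p udp --dport 500 {action}",
        f"{match} -p udp --dport 4500 {action}",
        f"{match} -p esp {action}",
    ]


def hairpin_route(vpn_pool, vpn_gw, lan_iface="eth0"):
    """Hairpin option: the default gateway gets a route for the client pool
    pointing back inside at the VPN gateway. Since the next hop sits on the
    same link the packets arrive on, the router would announce it to senders
    with ICMP redirects; the sysctl suppresses that on the LAN interface
    (interface name is an assumption)."""
    return [
        f"ip route add {vpn_pool} via {vpn_gw}",
        f"sysctl -w net.ipv4.conf.{lan_iface}.send_redirects=0",
    ]


def would_send_redirect(src, next_hop, lan):
    """RFC 1812 permits a router to send an ICMP Redirect when it forwards a
    datagram back out the interface it arrived on because the sender and the
    next hop share that network. That is exactly the hairpin case above."""
    net = ipaddress.ip_network(lan)
    return (ipaddress.ip_address(src) in net
            and ipaddress.ip_address(next_hop) in net)


def plan(private_nets, vpn_pool, public_ip, vpn_gw, lan, sample_host):
    """Refuse an overlapping pool, then emit both placements and say whether
    a LAN host sending to the VPN pool would trigger a redirect."""
    clash = overlapping_nets(private_nets, vpn_pool)
    if clash:
        raise ValueError(f"client pool {vpn_pool} overlaps private nets {clash}")
    return {
        "dmz_nat": dmz_forwarding_rules(public_ip, vpn_gw),
        "hairpin": hairpin_route(vpn_pool, vpn_gw),
        "redirect_expected": would_send_redirect(sample_host, vpn_gw, lan),
    }


if __name__ == "__main__":
    result = plan([PRIVATE_LAN], VPN_CLIENT_POOL, PUBLIC_IP, VPN_GW,
                  PRIVATE_LAN, "192.168.1.20")
    for section, value in result.items():
        print(section)
        for line in (value if isinstance(value, list) else [value]):
            print("   ", line)
```

Running it with the constructed topology prints the three DNAT rules, the hairpin route with its sysctl, and `redirect_expected: True`, which is the case Matthew warns about: a LAN host and the VPN gateway share 192.168.1.0/24, so without the sysctl the default gateway would redirect senders straight to 192.168.1.5.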


