[vpn-help] VPN client's Link Local address range behaviour
Matthew Grooms
mgrooms at shrew.net
Tue Jan 5 22:45:07 CST 2010
On 12/22/2009 5:14 PM, John Burger wrote:
> Hi all,
>
> I was wondering if Shrew Soft’s VPN client 2.1.5-release does anything
> to the 169.254.0.0/16 subnet (the Link Local or APIPA one).
>
> If the VPN Server instructs it to do something, I’m sure it would, but
> I’m trying to find out if VPN Connect does anything itself.
>
> If it does, is there any way of turning that behaviour off?
>
> My symptom is that the 169.254.0.0/16 subnet is being added to the route
> table, against the Shrew Soft’s Virtual Adapter interface. Is this
> expected behaviour?
>
Hi John,
The VPN Client has no notion of a link local address or otherwise. It
either uses a Virtual Adapter address assigned by the gateway or a
static address assigned by the user. For example, here are my adapter
settings after connecting to an ASA ...
Ethernet adapter Local Area Connection* 9:
Connection-specific DNS Suffix . : shrew.net
Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
Physical Address. . . . . . . . . : AA-AA-AA-AC-A7-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::178:5946:41a1:923%23(Preferred)
IPv4 Address. . . . . . . . . . . : 10.2.20.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.1.2.100
                                    10.1.2.1
Primary WINS Server . . . . . . . : 10.1.2.100
Secondary WINS Server . . . . . . : 10.1.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled
You should set the VPN Trace output to debug level and have a look at
the output. When communicating with Cisco, ipsec-tools or Sidewinder
devices, the gateway has the ability to dictate which networks should be
reached via the tunnel. For example, when connecting to my ASA it shows
the following output ...
10/01/05 22:37:42 ii : received config pull response
10/01/05 22:37:42 ii : - IP4 Address = 10.2.20.1
10/01/05 22:37:42 ii : - IP4 Netmask = 255.255.255.0
10/01/05 22:37:42 ii : - IP4 DNS Server = 10.1.2.100
10/01/05 22:37:42 ii : - IP4 DNS Server = 10.1.2.1
10/01/05 22:37:42 ii : - IP4 WINS Server = 10.1.2.100
10/01/05 22:37:42 ii : - IP4 WINS Server = 10.1.2.1
10/01/05 22:37:42 ii : - Login Banner = Welcome to the ...
10/01/05 22:37:42 ii : - Save Password = 0
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.3.0/24:*
10/01/05 22:37:42 ii : - DNS Suffix = shrew.net
10/01/05 22:37:42 ii : - Split Domain = shrew.net
10/01/05 22:37:42 ii : - Split Domain = example.com
The two 'IP4 Split Network Include' lines are received by the client and
appropriate IPsec policies are created. Routes are also created to
ensure that traffic destined to these networks will be sourced from the
virtual adapter address. If the gateway sends 169.254.0.0/16 as an
Include network, the client will create a route to that network using
the virtual adapter as the interface. It doesn't discriminate :)
-Matthew
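The check Matthew describes, turned into a script: parse the "received config pull response" block from a Shrew Soft VPN trace at debug level, list the routes the client will install (one per "IP4 Split Network Include", sourced from the pushed "IP4 Address"), and flag any include that overlaps 169.254.0.0/16. This is an added example, not code from the Shrew Soft project or from either poster; the sample trace is constructed from the lines quoted above with an extra, hypothetical 169.254.0.0/16 include appended so the check has something to catch, and reading the include value as PROTO:NETWORK:PORT (e.g. ANY:10.1.2.0/24:*) is an assumption based on the quoted output.

```python
import ipaddress
import re

# Constructed sample modelled on the debug trace quoted in the post.
# The 169.254.0.0/16 include is hypothetical: it was NOT in the original
# trace and is here only to exercise the link-local check.
SAMPLE_TRACE = """\
10/01/05 22:37:42 ii : received config pull response
10/01/05 22:37:42 ii : - IP4 Address = 10.2.20.1
10/01/05 22:37:42 ii : - IP4 Netmask = 255.255.255.0
10/01/05 22:37:42 ii : - IP4 DNS Server = 10.1.2.100
10/01/05 22:37:42 ii : - IP4 DNS Server = 10.1.2.1
10/01/05 22:37:42 ii : - Login Banner = Welcome to the ...
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.3.0/24:*
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:169.254.0.0/16:*
10/01/05 22:37:42 ii : - DNS Suffix = shrew.net
"""

LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")

# "<date> <time> <level> : - <name> = <value>"; lines without "- " (such as
# "received config pull response") carry no attribute and are skipped.
ATTR_RE = re.compile(r"^\S+ \S+ \w+ : - (?P<name>[^=]+?) = (?P<value>.*)$")


def parse_config_pull(trace: str) -> dict:
    """Collect config pull attributes as {name: [value, ...]}, keeping order
    and duplicates (a gateway may push several DNS servers or includes)."""
    attrs = {}
    for line in trace.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group("name"), []).append(m.group("value"))
    return attrs


def split_includes(attrs: dict) -> list:
    """Networks listed under 'IP4 Split Network Include'.
    Assumption: the value is PROTO:NETWORK:PORT (e.g. ANY:10.1.2.0/24:*);
    only the middle field is used. IPv4 only, so splitting on ':' is safe."""
    nets = []
    for raw in attrs.get("IP4 Split Network Include", []):
        parts = raw.split(":")
        if len(parts) != 3:
            raise ValueError(f"unexpected include format: {raw!r}")
        nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def expected_routes(attrs: dict) -> list:
    """(network, source) pairs for the routes the client installs: one per
    include, sourced from the virtual adapter address the gateway assigned."""
    src = attrs["IP4 Address"][0]
    return [(str(n), src) for n in split_includes(attrs)]


def link_local_includes(attrs: dict) -> list:
    """Includes overlapping 169.254.0.0/16. A non-empty result means the
    APIPA route on the virtual adapter was pushed by the gateway, which is
    where to fix it; the client itself adds nothing for that range."""
    return [str(n) for n in split_includes(attrs) if n.overlaps(LINK_LOCAL_V4)]


if __name__ == "__main__":
    attrs = parse_config_pull(SAMPLE_TRACE)
    for net, src in expected_routes(attrs):
        print(f"route {net} via Shrew Soft Virtual Adapter (source {src})")
    print("link-local includes pushed by gateway:",
          link_local_includes(attrs) or "none")
```

Feed it a real trace (VPN Trace, debug level) and an empty result from link_local_includes means the route is not coming from a gateway include, so look elsewhere (for example at the adapter's own autoconfiguration) rather than at the client's split-network handling.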