[vpn-help] VPN client's Link Local address range behaviour

Matthew Grooms mgrooms at shrew.net
Tue Jan 5 22:45:07 CST 2010


On 12/22/2009 5:14 PM, John Burger wrote:
> Hi all,
>
> I was wondering if Shrew Soft’s VPN client 2.1.5-release does anything
> to the 169.254.0.0/16 subnet (the Link Local or APIPA one).
>
> If the VPN Server instructs it to do something, I’m sure it would, but
> I’m trying to find out if VPN Connect does anything itself.
>
> If it does, is there any way of turning that behaviour off?
>
> My symptom is that the 169.254.0.0/16 subnet is being added to the route
> table, against the Shrew Soft’s Virtual Adapter interface. Is this
> expected behaviour?
>

Hi John,

The VPN Client has no notion of a link local address or otherwise. It 
either uses a Virtual Adapter address assigned by the gateway or a 
static address assigned by the user. For example, here are my adapter 
settings after connecting to an ASA ...

Ethernet adapter Local Area Connection* 9:

    Connection-specific DNS Suffix  . : shrew.net
    Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
    Physical Address. . . . . . . . . : AA-AA-AA-AC-A7-00
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::178:5946:41a1:923%23(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.2.20.1(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 10.1.2.100
                                        10.1.2.1
    Primary WINS Server . . . . . . . : 10.1.2.100
    Secondary WINS Server . . . . . . : 10.1.2.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

You should set the VPN Trace output to debug level and have a look at 
the output. When communicating with Cisco, ipsec-tools or Sidewinder 
devices, the gateway has the ability to dictate which networks should be 
reached via the tunnel. For example, when connecting to my ASA it shows 
the following output ...

10/01/05 22:37:42 ii : received config pull response
10/01/05 22:37:42 ii : - IP4 Address = 10.2.20.1
10/01/05 22:37:42 ii : - IP4 Netmask = 255.255.255.0
10/01/05 22:37:42 ii : - IP4 DNS Server = 10.1.2.100
10/01/05 22:37:42 ii : - IP4 DNS Server = 10.1.2.1
10/01/05 22:37:42 ii : - IP4 WINS Server = 10.1.2.100
10/01/05 22:37:42 ii : - IP4 WINS Server = 10.1.2.1
10/01/05 22:37:42 ii : - Login Banner = Welcome to the  ...
10/01/05 22:37:42 ii : - Save Password = 0
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.3.0/24:*
10/01/05 22:37:42 ii : - DNS Suffix = shrew.net
10/01/05 22:37:42 ii : - Split Domain = shrew.net
10/01/05 22:37:42 ii : - Split Domain = example.com

The two 'IP4 Split Network Include' lines are received by the client and 
appropriate IPsec policies are created. Routes are also created to 
ensure that traffic destined to these networks will be sourced from the 
virtual adapter address. If the gateway sends 169.254.0.0/16 as an 
Include network, the client will create a route to that network using 
the virtual adapter as the interface. It doesn't discriminate :)

-Matthew
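As an added example (not code from this thread or from Shrew Soft), a small Python check that parses VPN Trace lines in the format quoted above, lists the routes the client would create for each 'IP4 Split Network Include', and flags any include that overlaps 169.254.0.0/16. The trace below is constructed from the quoted response with one extra link-local include added to show the case John describes; the line format and field names are assumed from the quoted output.

```python
import ipaddress
import re

# Constructed sample of Shrew Soft VPN Trace output (debug level), modelled on
# the config pull response quoted above. The 169.254.0.0/16 include is added
# here only to illustrate the symptom being asked about.
SAMPLE_TRACE = """\
10/01/05 22:37:42 ii : received config pull response
10/01/05 22:37:42 ii : - IP4 Address = 10.2.20.1
10/01/05 22:37:42 ii : - IP4 Netmask = 255.255.255.0
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.2.0/24:*
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:10.1.3.0/24:*
10/01/05 22:37:42 ii : - IP4 Split Network Include = ANY:169.254.0.0/16:*
10/01/05 22:37:42 ii : - DNS Suffix = shrew.net
"""

# Field layout assumed from the quoted trace: "<proto>:<network>/<prefix>:<port>".
INCLUDE_RE = re.compile(r"IP4 Split Network Include = (\w+):([\d.]+/\d+):(\S+)")
ADDR_RE = re.compile(r"IP4 Address = ([\d.]+)")
MASK_RE = re.compile(r"IP4 Netmask = ([\d.]+)")

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_config_pull(trace):
    """Extract the virtual adapter address, netmask and split-include networks."""
    result = {"address": None, "netmask": None, "includes": []}
    for line in trace.splitlines():
        if m := ADDR_RE.search(line):
            result["address"] = m.group(1)
        elif m := MASK_RE.search(line):
            result["netmask"] = m.group(1)
        elif m := INCLUDE_RE.search(line):
            proto, net, port = m.groups()
            result["includes"].append(
                {"proto": proto, "network": ipaddress.ip_network(net), "port": port}
            )
    return result


def expected_routes(parsed):
    """One route per include, sourced from the virtual adapter address."""
    return [f"{inc['network']} via {parsed['address']}" for inc in parsed["includes"]]


def link_local_includes(parsed):
    """Includes overlapping 169.254.0.0/16, i.e. the gateway pushed the APIPA range."""
    return [str(inc["network"]) for inc in parsed["includes"]
            if inc["network"].overlaps(LINK_LOCAL)]
```

If `link_local_includes` returns a non-empty list, the 169.254.0.0/16 route on the virtual adapter came from the gateway's split-include list rather than from the client itself.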
