HP Sa3110 HP VPN Server Appliance sa3000 series - Release 6.8.2 release notes - Page 21

When the DHCP request is submitted to the VPN device, the device must respond with an IP address and subnet mask. To determine the subnet mask, the VPN device searches its interfaces for the first match in which the Client-IP resides on the network defined by the interface's IP address and subnet mask.

If the intention is to include only the 172.16.20.0 mask 255.255.255.248 subnet as reachable through the VPN device, the VPN device needs an interface on that subnet (for example, 172.16.20.1 mask 255.255.255.248). The Client-IP also should be within that network, for example, 172.16.20.2 - 6.

In other words, when a VPN Client connects using WINS/DNS to a VPN device that returns a Client-IP and mask that is different from the defined subnet reachable behind the VPN device, a route is added to the subnet defined by the Client-IP and mask. This route causes traffic to enter the virtual adapter. If, however, there is no matching subnet listed in the Connections tab after the tunnel is negotiated, packets sent to the Client-IP network are discarded.

To illustrate the foregoing, given a VPN device that has a group defined with Client-IPs starting at 10.1.1.1, with an IP address defined on an Ethernet interface which is 10.1.1.254 mask 255.255.255.0, the first Client-IP/mask is 10.1.1.1 mask 255.255.255.0.

Note: The Client-IP's subnet mask comes from the first IP address whose subnet matches the Client-IP. When the VPN Client establishes a tunnel, the following route is added on the Windows workstation, regardless of the fact that there is no subnet defined in the VPN Client connection or as a net-include for the tunnel:

    10.1.1.0  255.255.255.0  10.1.1.1  1.0.1.1

One approach to this problem is to support a subnet mask for the Client-IP command. The Client-IP address/mask could then be used by the VPN Client to, by default, tunnel all traffic to the network received in the DHCP reply. This means that a net-include would not be necessary if only a single subnet is reachable through the tunnel.
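The mask-selection rule and the resulting client route described above, modelled as a small configuration check. This is an added example, not code from HP or from the appliance; the interface lists, Client-IPs and net-include subnets are constructed from the values in the notes, and the function names are the example's own.

```python
import ipaddress
from typing import List, Optional, Tuple

Interface = Tuple[str, str]  # (interface IP, dotted subnet mask)

def client_ip_network(interfaces: List[Interface], client_ip: str) -> Optional[ipaddress.IPv4Network]:
    """Network the VPN device would return in its DHCP reply: the first interface
    (in configuration order) whose subnet contains the Client-IP. None if no
    interface matches. Order matters, exactly as the release notes describe."""
    ip = ipaddress.IPv4Address(client_ip)
    for addr, mask in interfaces:
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if ip in net:
            return net
    return None

def client_route(interfaces: List[Interface], client_ip: str) -> Optional[Tuple[str, str]]:
    """(destination, netmask) of the route the VPN Client adds for the Client-IP subnet."""
    net = client_ip_network(interfaces, client_ip)
    if net is None:
        return None
    return (str(net.network_address), str(net.netmask))

def route_is_reachable(interfaces: List[Interface], client_ip: str, tunnel_subnets: List[str]) -> bool:
    """True when the subnet routed into the virtual adapter is covered by a subnet
    in the Connections tab / net-include list. Per the notes, packets to a routed
    subnet with no matching tunnel subnet are discarded, so False flags a
    configuration that will silently drop traffic."""
    net = client_ip_network(interfaces, client_ip)
    if net is None:
        return False
    return any(net.subnet_of(ipaddress.IPv4Network(s, strict=False)) for s in tunnel_subnets)

if __name__ == "__main__":
    # Constructed scenario from the notes: Ethernet interface 10.1.1.254/24, Client-IPs from 10.1.1.1.
    device = [("10.1.1.254", "255.255.255.0")]
    print("route added:", client_route(device, "10.1.1.1"))          # ('10.1.1.0', '255.255.255.0')
    print("reachable with no net-include:", route_is_reachable(device, "10.1.1.1", []))  # False
    # Constructed /29 scenario: interface 172.16.20.1/29, Client-IP 172.16.20.2.
    small = [("172.16.20.1", "255.255.255.248")]
    print("route added:", client_route(small, "172.16.20.2"))       # ('172.16.20.0', '255.255.255.248')
    # First-match pitfall (constructed): a /8 interface listed first wins over the /24.
    ordered = [("10.0.0.1", "255.0.0.0"), ("10.1.1.254", "255.255.255.0")]
    print("route added:", client_route(ordered, "10.1.1.1"))         # ('10.0.0.0', '255.0.0.0')
```

The first-match pitfall is the check worth automating: an earlier, wider interface silently changes the mask handed to every client, and a route that covers more than the intended subnet is exactly the case where traffic enters the virtual adapter and is discarded.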
Release 6.8.2 Release Notes 21
