HP Sa3110 HP VPN Server Appliance sa3000 series - Release 6.8.2 release notes - Page 21
The Client-IP
When the DHCP request is submitted to the VPN device, the device must respond with an IP address and subnet mask. To determine the subnet mask, the VPN device searches its interfaces for the first match in which the Client-IP resides on the network defined by the interface's IP address and subnet mask. If the intention is to include only the 172.16.20.0 mask 255.255.255.248 subnet as reachable through the VPN device, the VPN device needs an interface on that subnet (for example, 172.16.20.1 mask 255.255.255.248). The Client-IP also should be within that network, for example, 172.16.20.2 through 172.16.20.6.

In other words, when a VPN Client connects using WINS/DNS to a VPN device that returns a Client-IP and mask that is different from the defined subnet reachable behind the VPN device, a route is added to the subnet defined by the Client-IP and mask. This route causes traffic to enter the virtual adapter. If, however, there is no matching subnet listed in the Connections tab after the tunnel is negotiated, packets sent to the Client-IP network are discarded.

To illustrate the foregoing, given a VPN device that has a group defined with Client-IPs starting at 10.1.1.1, and an IP address of 10.1.1.254 mask 255.255.255.0 defined on an Ethernet interface, the first Client-IP/mask is 10.1.1.1 mask 255.255.255.0.

Note: The Client-IP's subnet mask comes from the first interface IP address whose subnet matches the Client-IP.

When the VPN Client establishes a tunnel, the following route is added on the Windows workstation, regardless of the fact that there is no subnet defined in the VPN Client connection or as a net-include for the tunnel:

10.1.1.0 255.255.255.0 10.1.1.1 1.0.1.1

One approach to this problem is to support a subnet mask for the Client-IP command. The Client-IP address/mask could then be used by the VPN Client to, by default, tunnel all traffic to the network received in the DHCP reply. This means that a net-include would not be necessary if only a single subnet is reachable through the tunnel.
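The following is an added example, not code from HP or from the appliance firmware. It models the three behaviours the notes describe: the first-match search over the device's interfaces that picks the Client-IP's subnet mask, the route the Windows VPN Client installs for the Client-IP network, and the fate of a packet that matches only that route when no subnet is listed in the Connections tab. Interface notation "addr/prefix", the function names, and the sample interface list are this example's own assumptions; the address values are the ones from the text.

```python
import ipaddress

# Added example (not HP's code): models Client-IP mask selection and the
# client-side route described in the release notes. The "addr/prefix"
# interface notation and all function names are assumptions of this example.


def select_client_mask(client_ip, interfaces):
    """Return the subnet mask the VPN device hands to the client in the
    DHCP reply: the mask of the FIRST interface (in the order given) whose
    network contains client_ip. None means no interface matched."""
    ip = ipaddress.IPv4Address(client_ip)
    for iface in interfaces:
        net = ipaddress.IPv4Interface(iface).network
        if ip in net:
            return str(net.netmask)
    return None


def client_route(client_ip, mask):
    """The route the VPN Client adds for its virtual adapter once the tunnel
    is up, as (destination network, netmask, gateway) strings."""
    net = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)
    return (str(net.network_address), str(net.netmask), client_ip)


def classify_destination(dest_ip, client_ip, mask, net_includes):
    """Decide what happens to a packet the workstation sends to dest_ip.

    'tunneled'     - dest matches a subnet in the Connections tab (net-include).
    'discarded'    - dest matches only the Client-IP/mask route: it enters the
                     virtual adapter but no tunnel subnet claims it.
    'not_tunneled' - neither route applies; the packet never reaches the
                     virtual adapter.
    """
    dest = ipaddress.IPv4Address(dest_ip)
    if any(dest in ipaddress.IPv4Network(s) for s in net_includes):
        return "tunneled"
    client_net = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)
    if dest in client_net:
        return "discarded"
    return "not_tunneled"


if __name__ == "__main__":
    # Constructed data mirroring the release-notes example: an Ethernet
    # interface 10.1.1.254/24 and a group whose Client-IPs start at 10.1.1.1.
    # The 192.168.1.1/24 interface is an extra, constructed non-matching entry.
    interfaces = ["192.168.1.1/24", "10.1.1.254/24"]
    mask = select_client_mask("10.1.1.1", interfaces)
    print("assigned mask:", mask)                       # 255.255.255.0
    print("client route :", client_route("10.1.1.1", mask))
    # No net-include defined: a host on 10.1.1.0/24 is routed into the
    # virtual adapter and then dropped.
    print(classify_destination("10.1.1.50", "10.1.1.1", mask, []))
    # With the subnet listed in the Connections tab the same packet is tunneled.
    print(classify_destination("10.1.1.50", "10.1.1.1", mask, ["10.1.1.0/24"]))
    # The /29 case from the text: interface 172.16.20.1/29 gives 255.255.255.248.
    print(select_client_mask("172.16.20.2", ["172.16.20.1/29"]))
```

Run it as a script to see the mask and route derived for the 10.1.1.x example; the interesting case is the "discarded" result, which shows why a Client-IP mask wider than the subnets actually reachable behind the device silently black-holes traffic to the rest of that range.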
Release 6.8.2 Release Notes 21