How does a VPN client get assigned an IP address?

I've googled and found several VPN primers but they seem to skip over the issue of the client's IP. If it is virtually part of a LAN, then the client must appear to the LAN as a local IP address, no? Is it statically set at the client or does DHCP work through the tunnel or what?

Tom Del Rosso

Most VPN clients create a device that looks like a NIC to the operating system but is obviously implemented in software. This NIC has an address on the remote segment and has a default route, etc. The OS takes it from there. I suppose the same address is presented to the remote LAN as a "proxy" for the VPN-connected machine. Then it's NAT - [VPN segment IP] - NAT from there on.

There may be other ways but that's what I've seen.

Frank McCoy

Either. Depends on the product. Depends on how you configure it. E.

E.

While I'd love to be proven wrong, as far as we can discover no machine specific (i.e. MAC or other machine specific id) transfers over the IPsec connection (there doesn't look to be any such field in the protocol). Thus the termination device (hardware box or client in the machine, a Cisco 30xx being our interest) assigns an IP from a local pool without regard to the identity of the remote machine (i.e. a constant IP to the same machine on the end of the VPN tunnel doesn't appear to be possible). For the same reason I don't think that DHCP from the far end will work (I believe a local DHCP server in the VPN termination box is common though), there is no MAC address to tie to the lease. Likely the reason the primers don't mention this is that it isn't part of the IPSEC protocol but left up to the end point to do something sensible.

Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. Canada

Peter Van Epp

As far as Windows goes, most VPN clients are a shim into the network stack. But for IP assignment have a look at xauth stuff - it's usually thrown IPs in as part of an xauth setup.

Mark S
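Added example, not part of the original thread: a parser for the attribute payload in which an IKEv1 gateway hands the client its tunnel address, with the bounds checks a receiver needs. It assumes the deployment uses IKE Mode Config alongside XAUTH (the thread names only xauth); the attribute numbers are those of the Mode Config draft, and the sample reply and its addresses are constructed.

```python
import ipaddress
import struct

CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS"}

def parse_mode_cfg(payload: bytes) -> dict:
    """Parse one decrypted ISAKMP attribute payload, generic header included."""
    if len(payload) < 8:
        raise ValueError("payload shorter than fixed header")
    # next payload, reserved, payload length, cfg type, reserved, identifier
    _np, _r1, length, cfg_type, _r2, ident = struct.unpack_from("!BBHBBH", payload)
    if length != len(payload):
        raise ValueError("payload length field does not match buffer")
    out = {"type": CFG_TYPES.get(cfg_type, cfg_type), "id": ident, "attrs": []}
    off = 8
    while off < length:
        if length - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, lv = struct.unpack_from("!HH", payload, off)
        off += 4
        name = ATTRS.get(raw_type & 0x7FFF, raw_type & 0x7FFF)
        if raw_type & 0x8000:      # AF=1: short form, lv is the 16-bit value itself
            out["attrs"].append((name, lv))
            continue
        if off + lv > length:      # AF=0: lv is a length; never read past the payload
            raise ValueError("attribute overruns payload")
        value = payload[off:off + lv]
        off += lv
        if isinstance(name, str) and len(value) == 4:
            value = str(ipaddress.IPv4Address(value))
        out["attrs"].append((name, value))
    return out

def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one variable-length (AF=0) attribute for the constructed sample."""
    return struct.pack("!HH", attr_type, len(value)) + value

# Constructed sample: the gateway's REPLY carrying a pool address, netmask and DNS server.
_BODY = (_attr(1, bytes([10, 8, 0, 23])) + _attr(2, bytes([255, 255, 255, 0]))
         + _attr(3, bytes([10, 8, 0, 1])))
SAMPLE_REPLY = struct.pack("!BBHBBH", 0, 0, 8 + len(_BODY), 2, 0, 0x1234) + _BODY

if __name__ == "__main__":
    print(parse_mode_cfg(SAMPLE_REPLY))
```

A client's REQUEST lists the same attribute types with zero-length values, which the parser returns as empty byte strings.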

The VPN server assigns the IP by DHCP.

ctrl+alt+delete

It is vendor specific.

Check Point, for example, offers what is called office mode, where you can assign an IP pool to allocate an IP address from, or even tie in a DHCP server. SecureClient/SecuRemote creates a virtual adapter and then adds routing entries for that (based on the topology, i.e. userc.c in the case of SR/SC).

It is, as someone rightly said, not part of the IPSEC Protocol suite, which does not concern itself with IP-address allocation, but rather with verifying the endpoint addresses.

regards dc

datacide
