See comments in-line ...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Mike Burden
> Sent: 25 October 2001 15:58
> To: GNAT Box Users Group (E-mail)
> Subject: Mobile VPN to segmented PRO network
>
> I haven't seen anything go by on this list, but GTA
> was able to help me with a problem that seems like
> someone else must have run into.  I thought I would
> share the solution that I got from them in case
> someone else is still banging their head on the wall
> like I was!
>
> I have a Customer that has a segmented PRO network,
> similar to:
>
>       Internet
>          |
>          |
>       GNAT Box
>          |
>          |
>       PRO1 (A.B.C.X)
>          |
>          |
>       Router
>          |
>          |
>       PRO2 (D.E.F.X)
>
>
> I set up each Mobile VPN Client with two VPNs, one to
> reach PRO1 and one to reach PRO2.  The two VPNs were
> identical for each Mobile VPN Client, except the
> "Subnet" under "Remote Party Identity and Addressing".
>
> The problem that the Customer had was that they could
> access hosts on PRO1 or access hosts on PRO2, but they
> could not access hosts on either subnet within a few
> minutes of accessing hosts on the other subnet.

- There is another work-around: when you have finished with hosts on PRO1,
get the VPN client to "disconnect all"; then when you try to communicate
with a host on PRO2 the VPN negotiates the new connection immediately.  The
delay is only a few seconds while the new connection is set up.

> It turns out that the problem is in the way the VPN
> uniquely identifies a VPN connection.  Since the VPN
> connection is identified by its gateways, and not by
> the destination subnets, it was necessary to add an
> alias to the GNAT Box EXT interface, and use different
> gateway addresses for the two VPNs.

- Mike's solution works where you require simultaneous access to both PRO1
and PRO2.  You have to configure the VPN client with a "connection" for each
PRO network, and note that each connection must have the same identity;
otherwise the Firewall thinks the connections are being invoked by more than
one VPN client and tells you the license is exceeded.  Even then, if you use
the same identity the Firewall shows a warning message.

We tried setting up two workstations on different networks, but with
identical VPN client configurations.  Either one will connect correctly; but
once one is connected the other is refused by the licensing limit in the
Firewall.  We concluded from this that the IP address of the VPN client
workstation is also used by the Firewall in validating the VPN connection -
this is fair comment.

-- Graham Jones

> The solution works, but I can see where it might be
> an issue for a company that has more subnets than
> available EXT addresses (this company does, in fact,
> but since they don't need access to all of the subnets
> by VPN it isn't an issue [yet]).
>
> GTA tells me that they are working with SafeNet to see
> if there is a way to work around the problem in the
> future without breaking standards.
