
6.4.1.5 Routing over the VPN

With the preceding configuration, traffic on the virtual private network flows much as it would over a leased line between two LANs. Suppose a host on LAN 2 wants to open a tunnel session to the Finance server on LAN 1. Traffic bound for the tunnel network 1.196.5. is routed directly to the firewall 2.15.1.1 via a static route configured on the Host 1 machine. The firewall on LAN 2 relays all traffic for the tunnel network back to the tunnel server on LAN 2, 2.15.1.2, using a default route. The tunnel server on LAN 2 routes all traffic bound for the tunnel onto its pseudo-adapter end of the tunnel, 1.196.5.2, and across the Internet; this virtual IP address is its default interface for all tunnel traffic. LAN 1's firewall receives the traffic at port 3265 and relays everything arriving on that port to the tunnel server's virtual IP on its local network, 1.196.5.1, at port 3265. After the initial security verification, the tunnel server regenerates a session key every 30 minutes; tunnel traffic continues with the hosts oblivious to this rekeying. Traffic from the host on LAN 2 is then routed from the LAN 1 tunnel server's virtual IP to its physical IP, and on to the Finance server. The host on LAN 2 now functions as a node on LAN 1's network and can reach any files and services on the Finance server to which the user would normally have access.

6.4.2 Implementing Single Connections-to-LAN Tunnels

6.4.2.1 Sample configuration

Figure 6-2 shows a typical PC tunnel connection to a remote network over the Internet. The PCs are Windows 95 machines connecting to the Internet via 64-Kbps ISDN and running the AltaVista Tunnel Telecommuter Client. The corporate LAN connects to the Internet over a fractional T1 (256 Kbps) and runs an AltaVista Tunnel Extranet server, which provides tunnel connections to two hosts, Host 1 and Host 2. Although there are other hosts on the corporate LAN, these are the only ones reachable through the tunnel.

Figure 6-2. A typical PC-to-LAN tunnel configuration

6.4.2.2 Tunnel server configuration

Routing table

The routing table is set up to route all tunnel sessions to the local LAN's physical network, 1.195.6. All dynamic IP addresses are routed to this network for tunnel traffic.

• SubNet: 1.195.6.
• NetMask: 255.255.255.0
• Description: Local Hosts

Dynamic IP table

The dynamic IP range starts at 1.196.5.1 and comprises a Class C network (255 addresses). The tunnel server on the corporate LAN is set up to accept multiple single-PC tunnel connections and routes all tunnel traffic to its physical network using the routing parameters above.

• Range name: Sales Tunnel
• Range description: Remote Tunnel Clients
• First IP: 1.196.5.1
• Total tunnels: 128. As each tunnel session is assigned two IP addresses, the total IP address range is 256 addresses.
• NetMask: 255.255.255.0, for the 256-IP virtual network
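The dynamic IP table above is easy to misconfigure: the range is sized from tunnel count and addresses per tunnel, but the netmask is a separate setting. The following is an added example, not code from the book or from AltaVista Tunnel, that lays out the per-tunnel address pairs from the page's values and checks every address against the netmask; it assumes (the page does not say) that a session's two addresses are consecutive, server end first.

```python
"""Lay out a tunnel server's dynamic IP table and verify it fits the netmask."""
import ipaddress

# Values as given on the page for the "Sales Tunnel" range.
FIRST_IP = "1.196.5.1"
TOTAL_TUNNELS = 128
NETMASK = "255.255.255.0"
IPS_PER_TUNNEL = 2  # each tunnel session is assigned two IP addresses


def tunnel_pairs(first_ip=FIRST_IP, total_tunnels=TOTAL_TUNNELS):
    """Return (tunnel index, server-end IP, client-end IP) for every tunnel.

    Assumption (not stated on the page): the two addresses of a session are
    consecutive, the lower one for the server end of the tunnel.
    """
    first = ipaddress.IPv4Address(first_ip)
    pairs = []
    for i in range(total_tunnels):
        base = first + i * IPS_PER_TUNNEL
        pairs.append((i, base, base + 1))
    return pairs


def range_check(first_ip=FIRST_IP, total_tunnels=TOTAL_TUNNELS, netmask=NETMASK):
    """Check that all allocated addresses lie inside the virtual network
    implied by first_ip and netmask.

    Returns (ok, network, last_allocated_ip, spilled_pairs); spilled_pairs
    lists the tunnels whose addresses fall outside the network.
    """
    first = ipaddress.IPv4Address(first_ip)
    network = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
    last_ip = first + total_tunnels * IPS_PER_TUNNEL - 1
    spilled = [p for p in tunnel_pairs(first_ip, total_tunnels)
               if p[1] not in network or p[2] not in network]
    return (not spilled, network, last_ip, spilled)


if __name__ == "__main__":
    ok, network, last_ip, spilled = range_check()
    print(f"virtual network {network}, last allocated address {last_ip}")
    if ok:
        print("all tunnel addresses fit inside the netmask")
    for idx, srv, cli in spilled:
        print(f"tunnel {idx}: {srv}/{cli} falls outside {network}")
```

With the page's values the last pair's client address comes out at 1.196.6.0, one past the 1.196.5.0/24 that the netmask defines, which is exactly the kind of mismatch this check exists to catch; starting the range at 1.196.5.0 instead makes all 256 addresses fit.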