Tunnel server configuration Implementing a LAN-to-LAN Tunnel

may be set up for multiple remote LAN or single PC connections to this tunnel. The Dynamic IP tables are configured like this:

• Range name: Sales Tunnel.
• Range description: Regional Sales Office Tunnels.
• First IP: 1.196.5.1.
• Total tunnels: The total number of tunnels for this tunnel group is set to one. This gives a range of two dynamic IP addresses: the LAN 1 tunnel server assigns one virtual IP address to itself and the other to the LAN 2 tunnel server at the far end of the LAN-to-LAN tunnel connection.
• NetMask: 255.255.255.252 for the two-address virtual network.

Authentication table

The group username is LAN 2. The password is WHOthere. These two parameters have been extracted into an ETA file called lan2.eta and distributed via a secure FTP session to the tunnel server on LAN 2. The key file has been created by the tunnel server on LAN 1 and is specific to this tunnel group. It has also been extracted and distributed via a secure FTP session to the tunnel server on LAN 2. By default this key file is named lan2.key.

LAN 2 controls the outbound tunnel session, and is acting as a tunnel client for its local network. The tunnel connection itself has a single virtual IP address, 1.196.5.2, assigned by the tunnel server on LAN 1. The tunnel server on LAN 2 routes all tunnel traffic from its local network to that virtual IP address. The outbound tunnel has been set up to connect in automatic mode, meaning that whenever the tunnel server is up, so is the tunnel connection. The ETA and key files from LAN 1 have been installed, and the outbound tunnel session is configured as below:

• Tunnel name: The name for this tunnel is Sales, as from LAN 1 earlier.
• Tunnel description: This is the same as the LAN 1 tunnel description, Regional Sales Office Tunnels.
• Network addresses: This outbound tunnel is set up as a static route tunnel, because the virtual IP address assigned to the tunnel comes from the tunnel server on LAN 1. The local IP address for LAN 2's pseudo-adapter is 1.196.5.2. The remote IP address for LAN 1's pseudo-adapter is 1.196.5.1.
• Routing tables: On the LAN 2 end, the tunnel server must route traffic from its local hosts to the tunnel's virtual IP address. This is set up as a default route coming from the network 2.15.1., with a netmask of 255.255.255.0.
• Hostname: The remote host's physical IP address is 1.195.6.2 and the default tunnel traffic port is 3265.
• First firewall: This is defined according to the view from LAN 2, the outbound direction of the tunnel. The firewall on LAN 2 is the first encountered by tunnel traffic, so this field is set to 2.15.1.1, with a default tunnel traffic port of 3265.
• Second firewall: This is the LAN 1 firewall address on its Internet interface, 1.195.6.1. The default tunnel traffic port is, again, 3265.
• Server key ID: The server key ID for this tunnel session is lan2.key. This key is part of the extracted key file from the tunnel server on LAN 1.

6.4.1.3 Firewall configuration

The firewall on each respective network is configured to route all traffic bound for the tunnel to the tunnel server on its network. On the inbound network, LAN 1, this is all traffic received on the default tunnel port 3265. On the outbound network, any traffic received that is destined for the tunnel network is routed to the tunnel server.

• LAN 1—This firewall is part of the inbound network, and relays all tunnel traffic to the LAN 1 tunnel server. Thus, incoming tunnel traffic received on port 3265 and destined for the network 1.196.5. is relayed to 1.195.6.2, the physical IP address of the tunnel server.
• LAN 2—The LAN 2 firewall receives traffic for the tunnel from its local hosts, as they are default routed to 2.15.1.1. All traffic bound for the tunnel network 1.196.5. is relayed to the LAN 2 tunnel server's physical IP address, 2.15.1.2.

6.4.1.4 Host configuration

Each host on both networks is set up to default route all tunnel traffic to its respective firewall. As seen in the previous firewall configuration, this traffic, if bound for the tunnel, is routed from the firewall to the tunnel server's physical IP address.

• LAN 1—The three hosts on this network (Finance, Human Resources, and Research Development) route traffic to the firewall first (1.195.6.1), which then relays tunnel traffic to the tunnel server.
• LAN 2—The two host machines on LAN 2 have 2.15.1.1 as the default route for all network traffic.

6.4.1.5 Routing over the VPN

With the preceding configuration, traffic on the virtual private network progresses much like a leased-line connection between two LANs. For instance, suppose a host on LAN 2 wishes to open a tunnel session to the Finance server on LAN 1. The traffic bound for the tunnel network 1.196.5. is routed directly to the firewall, 2.15.1.1, via a static route configured on the Host 1 machine. The firewall on LAN 2 relays all traffic for the tunnel network back to the tunnel server on LAN 2 (2.15.1.2), using a default route. The tunnel server on LAN 2 routes all traffic bound for the tunnel onto its pseudo-adapter end of the tunnel (1.196.5.2) and across the Internet. This virtual IP address is its default interface for all tunnel traffic. LAN 1's firewall receives the traffic at port 3265. All traffic to this port is relayed to the tunnel server's virtual IP on its local network, 1.196.5.1, at port 3265. After the initial security verification process, the tunnel server regenerates a session key every 30 minutes, and tunnel traffic commences, oblivious to this process. The traffic from the host on LAN 2 is then routed from the LAN 1 tunnel server's virtual IP to its physical IP, and on to the Finance server. The host machine on LAN 2 now functions as a node on LAN 1's network, and is able to access any files and services on the Finance server to which the user would normally have access.
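The hop-by-hop walk-through above, together with the Dynamic IP table, firewall relay rules and host routes of the preceding subsections, can be checked mechanically. The following is an added example, not text or code from this chapter or from the AltaVista Tunnel product: a small Python model that builds the routing and relay tables from the addresses given in the text and traces a packet from Host 1 on LAN 2 to the LAN 1 tunnel server. It assumes that the networks the chapter writes as "1.196.5." and "2.15.1." are /24 prefixes, uses 1.196.5.20 as a constructed destination on the tunnel network (the chapter gives no address for the Finance server), and uses constructed device names; all IP addresses, the /30 netmask and port 3265 are the chapter's own values.

```python
from ipaddress import ip_address, ip_network

TUNNEL_PORT = 3265

# The chapter writes the tunnel network as "1.196.5."; treating it as a /24
# prefix is an assumption of this example.
TUNNEL_NET = "1.196.5.0/24"
# Dynamic IP table: First IP 1.196.5.1, NetMask 255.255.255.252, one tunnel.
DYNAMIC_RANGE = "1.196.5.0/30"

# Addresses given in the text.
LAN2_FIREWALL = "2.15.1.1"
LAN2_TUNNEL_SERVER = "2.15.1.2"
LAN2_VIRTUAL_IP = "1.196.5.2"
LAN1_FIREWALL = "1.195.6.1"
LAN1_TUNNEL_SERVER = "1.195.6.2"
LAN1_VIRTUAL_IP = "1.196.5.1"


def dynamic_range_ok():
    """Check the Dynamic IP table: one tunnel under a 255.255.255.252 mask must
    yield exactly the two virtual addresses the two tunnel servers use."""
    net = ip_network(DYNAMIC_RANGE)
    expected = [ip_address(LAN1_VIRTUAL_IP), ip_address(LAN2_VIRTUAL_IP)]
    return str(net.netmask) == "255.255.255.252" and list(net.hosts()) == expected


class RouteTable:
    """Static routing table: longest-prefix match, then the default route.
    A result of None means the packet is not handled here (e.g. sent on to
    the Internet by an ordinary default route)."""

    def __init__(self, routes=(), default=None):
        self.routes = [(ip_network(net), ip_address(hop)) for net, hop in routes]
        self.default = ip_address(default) if default else None

    def next_hop(self, dst):
        dst = ip_address(dst)
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return self.default


class InboundFirewall:
    """LAN 1 firewall relay rule from 6.4.1.3: traffic is relayed to the tunnel
    server only if it arrives on the tunnel port AND is destined for the
    tunnel network. Failing either test means it is not relayed."""

    def __init__(self, relay_to, port=TUNNEL_PORT, net=TUNNEL_NET):
        self.relay_to = ip_address(relay_to)
        self.port = port
        self.net = ip_network(net)

    def relay(self, dst, port):
        if port == self.port and ip_address(dst) in self.net:
            return self.relay_to
        return None


# Tables built from 6.4.1.3 and 6.4.1.4 (device names are constructed).
HOST1 = RouteTable(routes=[(TUNNEL_NET, LAN2_FIREWALL)], default=LAN2_FIREWALL)
LAN2_FW = RouteTable(routes=[(TUNNEL_NET, LAN2_TUNNEL_SERVER)])  # no default: Internet
LAN2_TS = RouteTable(routes=[(TUNNEL_NET, LAN2_VIRTUAL_IP)])
LAN1_FW = InboundFirewall(relay_to=LAN1_TUNNEL_SERVER)
LAN1_TS = RouteTable(routes=[(TUNNEL_NET, LAN1_VIRTUAL_IP)])


def trace_from_lan2(dst):
    """Hop list, as (device, next hop) pairs, for a packet sent by Host 1 on
    LAN 2 to dst, following the walk-through in 6.4.1.5. The trace ends at the
    LAN 1 tunnel server, which hands the packet to its physical LAN."""
    path = [("Host 1", str(HOST1.next_hop(dst)))]
    relay = LAN2_FW.next_hop(dst)
    if relay is None:
        # Ordinary Internet traffic: the LAN 2 firewall does not tunnel it.
        path.append(("LAN 2 firewall", "Internet"))
        return path
    path.append(("LAN 2 firewall", str(relay)))
    # The LAN 2 tunnel server puts the packet on its pseudo-adapter and sends the
    # encapsulated copy to the LAN 1 firewall's Internet interface on port 3265.
    path.append(("LAN 2 tunnel server", str(LAN2_TS.next_hop(dst))))
    path.append(("Internet", f"{LAN1_FIREWALL}:{TUNNEL_PORT}"))
    path.append(("LAN 1 firewall", str(LAN1_FW.relay(dst, TUNNEL_PORT))))
    path.append(("LAN 1 tunnel server", str(LAN1_TS.next_hop(dst))))
    return path


if __name__ == "__main__":
    # 1.196.5.20 is a constructed address on the tunnel network.
    for device, hop in trace_from_lan2("1.196.5.20"):
        print(f"{device:22s} -> {hop}")
```

The point of the `InboundFirewall` class is that the LAN 1 relay rule is conjunctive: a packet on port 3265 addressed to anything other than the tunnel network, or a packet for the tunnel network arriving on some other port, is not handed to the tunnel server. The `dynamic_range_ok` check confirms that setting Total tunnels to one under a 255.255.255.252 mask leaves exactly 1.196.5.1 and 1.196.5.2 for the two pseudo-adapters, which is why a LAN-to-LAN tunnel consumes a whole /30.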

6.4.2 Implementing Single Connections-to-LAN Tunnels

6.4.2.1 Sample configuration

Figure 6-2 sets up a typical PC tunnel connection to a remote network over the Internet. The PCs are Windows 95 machines connecting to the Internet via 64-Kbps ISDN. They are running the AltaVista Tunnel Telecommuter Client. The corporate LAN connects to the Internet over a fractional T1 (256 Kbps), and is running an AltaVista Tunnel Extranet server, which provides tunnel connections to two hosts (Host 1 and Host 2). Though there are other hosts on the corporate LAN, these are the only ones available to the tunnel.