Sample configuration Implementing PC-to-WAN Tunnels

Figure 6-3. A generic PC-to-WAN tunnel connection

6.4.3.2 Tunnel server configuration

Routing table

The tunnel server actually has two separate routing tables with which to direct traffic between the two subnets. Both routing tables are set as default routes for the dynamic tunnel IP addresses (see Table 6-1). Any traffic bound for the second (Support) subnet is relayed to the WAN router's interface for routing.

Table 6-1. Routing Tables for Figure 6-3

                  Routing Table 1     Routing Table 2
  Subnet          1.195.6.0           1.195.7.0
  Netmask         255.255.255.0       255.255.255.0
  Description     Sales Subnet        Support Subnet

Dynamic IP table

The dynamic IP range starts at 1.196.5.1 and comprises a Class C network (256 addresses). The tunnel server on the corporate LAN is set up to accept multiple single-PC tunnel connections, and routes all tunnel traffic to its two physical subnets according to the routing parameters.

• Range name: Sales Tunnel.
• Range description: Remote Tunnel Clients.
• First IP: 1.196.5.1.
• Total tunnels: The total number of tunnels for this tunnel group is set to 128. As each tunnel session is assigned two IP addresses, this makes the total IP address range equal to 256 IP addresses.
• NetMask: 255.255.255.0 for the 256-address virtual network.

Authentication table

The group name for this tunnel is SalesSupport. The password in this case is WHOlistenen. These two parameters have been extracted into an ETA file called salsup.eta and distributed via floppy disk to the various tunnel clients. The key file has been created by the tunnel server on the corporate LAN and is specific to this tunnel group; it has also been extracted and distributed via floppy disk. By default, this key file is named salsup.key. Because every client in the group receives the same salsup.eta and salsup.key, both files are group secrets: a single lost diskette exposes the whole SalesSupport group, not one user.

6.4.3.3 WAN router configuration

The WAN router's function in this scenario is to route network traffic between the two subnets, Sales and Support. All hosts on the two subnets have default routes to the router, which routes traffic either between the two networks or out onto the Internet. The WAN router is likewise configured to route tunnel traffic for the virtual network 1.196.5.0 (netmask 255.255.255.0) to the tunnel server at 1.195.6.2 on port 3265.

6.4.3.4 Firewall configuration

The local firewall is configured to relay all external tunnel traffic (that is, packets reaching 1.195.6.1 on port 3265) to the WAN router at 1.195.6.5. The WAN router then routes the traffic to the tunnel server as described in the previous section.
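The three preceding subsections describe one packet path (firewall relay, WAN router relay and routing table, tunnel server address pool) in prose. The following Python model is an added example, not AltaVista Tunnel code or anything from the original page: it encodes the rules exactly as the text states them, using only the addresses and port from the sample configuration. The "default-deny" behaviour of the firewall for other ports, the hop labels, and the client identifiers are assumptions for the illustration. One caveat the model makes visible: a 255.255.255.0 pool starting at 1.196.5.1 has 254 usable host addresses, so only 127 two-address pairs fit, one short of the 128 tunnels configured in the text.

```python
"""Model of the PC-to-WAN sample topology in Figure 6-3: firewall relay,
WAN router relay and routing table, tunnel server routing and dynamic IP
pool. Added illustration; not AltaVista Tunnel code."""
import ipaddress

TUNNEL_PORT = 3265

# Addresses taken from the sample configuration
FIREWALL_EXT = ipaddress.ip_address("1.195.6.1")    # firewall's Internet interface
WAN_ROUTER = ipaddress.ip_address("1.195.6.5")      # WAN router, Sales-side interface
TUNNEL_SERVER = ipaddress.ip_address("1.195.6.2")   # tunnel server, physical address

SALES_NET = ipaddress.ip_network("1.195.6.0/24")    # Routing Table 1
SUPPORT_NET = ipaddress.ip_network("1.195.7.0/24")  # Routing Table 2
VIRTUAL_NET = ipaddress.ip_network("1.196.5.0/24")  # dynamic tunnel addresses
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def firewall_relay(dst, port):
    """Firewall rule: tunnel traffic arriving on the Internet interface on
    port 3265 is relayed to the WAN router. Anything else inbound is dropped
    here (assumed default-deny; the page states no other firewall rules)."""
    if ipaddress.ip_address(str(dst)) == FIREWALL_EXT and port == TUNNEL_PORT:
        return WAN_ROUTER
    return None


def wan_router_relay(port):
    """WAN router rule: tunnel traffic handed over by the firewall on
    port 3265 is relayed to the tunnel server's physical address."""
    return TUNNEL_SERVER if port == TUNNEL_PORT else None


# WAN router routing table as (prefix, next hop); longest match wins.
WAN_ROUTES = [
    (SALES_NET, "deliver on Sales subnet"),
    (SUPPORT_NET, "deliver on Support subnet"),
    (VIRTUAL_NET, f"tunnel server {TUNNEL_SERVER}"),
    (DEFAULT, "Internet"),
]


def wan_route(dst):
    """Longest-prefix lookup in the WAN router's table."""
    addr = ipaddress.ip_address(str(dst))
    matches = [(net, hop) for net, hop in WAN_ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnel_server_forward(dst):
    """Tunnel server's two routing tables for decapsulated traffic: Sales
    hosts are on its own segment, Support traffic goes via the WAN router."""
    addr = ipaddress.ip_address(str(dst))
    if addr in SALES_NET:
        return "direct"
    if addr in SUPPORT_NET:
        return f"via WAN router {WAN_ROUTER}"
    return None          # not one of the two corporate subnets


class TunnelPool:
    """Dynamic IP table: each session gets two consecutive addresses from
    the virtual network, starting at the first IP. Only pairs whose two
    addresses are both valid hosts of the /24 are issued."""

    def __init__(self, first_ip="1.196.5.1", total_tunnels=128, net=VIRTUAL_NET):
        first = ipaddress.ip_address(first_ip)
        hosts = set(net.hosts())                       # .1 to .254 for a /24
        self.free = []
        for i in range(total_tunnels):
            a, b = first + 2 * i, first + 2 * i + 1
            if a in hosts and b in hosts:
                self.free.append((a, b))
        self.in_use = {}                               # client id -> address pair

    def assign(self, client_id):
        if client_id in self.in_use:
            return self.in_use[client_id]
        if not self.free:
            return None                                # pool exhausted: refuse tunnel
        pair = self.free.pop(0)
        self.in_use[client_id] = pair
        return pair

    def release(self, client_id):
        pair = self.in_use.pop(client_id, None)
        if pair:
            self.free.append(pair)
        return pair


def trace_tunnel_request(client_ip, dst, port):
    """Hops taken by a remote client's tunnel request into the corporate LAN."""
    hops = [f"client {client_ip}"]
    relay = firewall_relay(dst, port)
    if relay is None:
        hops.append(f"firewall {FIREWALL_EXT}: dropped ({dst}:{port})")
        return hops
    hops.append(f"firewall {FIREWALL_EXT} -> {relay}")
    server = wan_router_relay(port)
    hops.append(f"WAN router {relay} -> {server}:{port}")
    return hops


if __name__ == "__main__":
    print(trace_tunnel_request("203.0.113.7", "1.195.6.1", 3265))   # 203.0.113.7 is a constructed client address
    pool = TunnelPool()
    print(pool.assign("laptop-1"), len(pool.free))
    print(wan_route("1.196.5.2"), "|", wan_route("1.195.7.40"), "|", wan_route("8.8.8.8"))
```

Running the script shows the request path firewall -> WAN router -> tunnel server, the first tunnel pair (1.196.5.1, 1.196.5.2), and that reply traffic for a virtual address is routed back to the tunnel server while Support and Internet destinations take their own routes.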

6.4.3.5 Network host configurations

All hosts on both the 1.195.6.0 subnet and the 1.195.7.0 subnet are configured with default routes pointing to the WAN router.

6.4.3.6 Remote client configurations

The remote PC clients are configured similarly to the methods presented earlier in Section 6.4.2. The only differences are the names of the ETA and key files. In this case, each PC will have the salsup.eta and salsup.key files installed for the SalesSupport tunnel user group.

6.4.3.7 Tracing the packets

The remote PC begins by opening a tunnel request to the tunnel server. The PC is connected to the Internet via an ISP and has initiated the tunnel connection with its AltaVista Tunnel Telecommuter client. The request passes through the end user's ISP transparently, destined for the remote firewall's Internet interface (1.195.6.1) on the tunnel port, 3265. The remote firewall is set up to relay all traffic received on this port to the WAN router's interface on its subnet (1.195.6.5). The WAN router then routes this traffic to the tunnel server's physical IP address, 1.195.6.2, on port 3265. The tunnel server checks the authentication information against its authentication tables and encrypts a reply using the remote client's public key. This reply is sent back to the remote client, which decrypts it with its private key. The two sides then exchange parts of the session key salsup.key, which is