NetVanta 3120 VPN allows mobile clients to connect when the DHCP range handed to the mobile client is outside the subnet of the LAN interface the VPN is connecting to.
The application we are trying to run wants to appear to be on the same subnet as the server it is connecting to, i.e. a bridge.
Crypto debug reports that the IP is owned by the corporate LAN.
Thanks for your assistance.
Hi telepdx:
I don't think the use of LAN-range IP addresses is supported for IKE mode configuration. Check out the explanation in step 9, page 21 of Configuring NetVanta Secure VPN Client:
9. Configure the dynamic host configuration protocol (DHCP) pool (this is a client configuration pool) that will be used only for VPN peers. This IP address range must be unique and not currently reside elsewhere on the network. DNS server and Windows Internet Name Service (WINS) server need not be unique and can reside on a current network. Select Next to continue.
Best regards,
Chris
Have you tried creating a 'crypto ike client configuration pool' with an ip-range within the same subnet as the LAN?
You could also exclude this ip range from the dhcp pool, so that only remotely connecting hosts use it.
--
Regards,
Mick
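As an added illustration of Mick's suggestion (not configuration taken from the thread or from ADTRAN documentation), the AOS fragment below carves a small range out of the LAN DHCP scope and hands that same range to IKE mode-config clients, so a remote laptop receives a LAN address that no local host can also be leased. The addresses, pool name and policy number are invented; the subcommand names (`ip dhcp-server excluded-address`, `ip-range`, `client configuration pool`) follow AOS conventions as remembered and should be confirmed with `?` on the device. Note that the thread itself records that telepdx still saw the crypto debug error with an in-LAN, DHCP-excluded range, so this shows the configuration under discussion, not a confirmed fix.

```text
! Added example, not from the thread. All addresses and names are invented.
! LAN is 192.168.10.0/24 on vlan 1; 192.168.10.200-.220 is held back from
! the DHCP server so it can be given only to mobile VPN clients.
interface vlan 1
  ip address 192.168.10.1 255.255.255.0
!
! Keep the reserved slice out of the local DHCP scope (avoids address clashes)
ip dhcp-server excluded-address 192.168.10.200 192.168.10.220
!
ip dhcp-server pool "LAN"
  network 192.168.10.0 255.255.255.0
  default-router 192.168.10.1
  dns-server 192.168.10.1
!
! Mode-config pool drawn from the reserved slice of the LAN subnet.
! DNS/WINS may point at existing LAN servers (the guide allows this).
crypto ike client configuration pool VPN_CLIENTS
  ip-range 192.168.10.200 192.168.10.220
  dns-server 192.168.10.1
  netbios-name-server 192.168.10.1
!
! The remote-access IKE policy hands out addresses from that pool.
! Peer, attribute and authentication settings are omitted here.
crypto ike policy 100
  client configuration pool VPN_CLIENTS
```

After applying this, the check a practitioner would run is `debug crypto ike` while a client connects and `show ip dhcp-server binding` afterwards: the first confirms which address the mode-config exchange assigned and whether AOS still objects to it, and the second confirms no LAN host has been leased an address from the reserved slice.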
Step 4 of the VPN setup is assigning address space. It will let you assign addressing within the LAN DHCP range, but the debug shows the error. I tried using addresses from within the same subnet but in the DHCP excluded range and got the same error.
Can you please post the log error? Obfuscate IP addresses as necessary to protect privacy.
--
Regards,
Mick
Hi cj!,
I am not reading the paragraph you refer to in the same way. This sentence:
"This IP address range must be unique and not currently reside elsewhere on the network."
In my mind the "network" is the local subnet of the mobile client machine. This makes sense, because otherwise the mobile client PC would not know where to route packets for an IP address within the same subnet as its local LAN: through the VPN tunnel, or unencrypted through its local LAN switch?
There is no problem specifying on the Netvanta a Mode Config IP address range within the Netvanta's LAN. I tried this just now and it was accepted by the device. To avoid IP address clashes between the mobile client and other hosts within the Netvanta's LAN, I suggested that the Mode-Config IP address range is excluded from the Netvanta's DHCP pool.
I may have misunderstood what telepdx is asking though. I assumed that the application he mentioned is running on the mobile client and the server is behind the Netvanta.
--
Regards,
Mick
In a very general sense I think a VPN should allow my device to connect with the home network and appear as if it were local. In this case the app lives on a laptop that is mobile. The vendor of the app has stated that it will only work if it appears that the client and the server are on the same IP subnet. I would have to agree with Chris in reading the statement that the DHCP range must be unique for VPN peers.
I wish I had a more authoritative answer. So far, I think the document referenced above and our collective experience seem to indicate that the IKE mode config pool must be unique in order for mobile VPN to function. I understand that this causes a problem for your application. Could another VPN solution work in this setting? My experience with Windows-based PPTP VPN, for example, is that LAN IP addresses can be obtained by remote clients.
If there's a way to make an AOS firewall work the way you're describing, I'd love to know. Anyone in the Support Community have a clearer answer?
Chris