

How are VPN Clients given IP addresses when they connect to VPN Routers such as VyOS? (How do Virtual IP Address Pools fit in?)

I'd like to know the nitty gritty details of how VPN Remote Clients are given Private IP Addresses on a Remote Network when they connect to the StrongSWAN or OpenVPN VPN Server that's embedded in VyOS Routers, as well as how Virtual IP Address Pools fit in the process.

In the past, I just assumed that VPN Servers built into Routers established a virtual tunnel exit point as a point of entry for remote clients to connect to a remote network, and pointed the remote clients to DHCP Servers that existed on the Remote LAN, but then I started noticing that several VPN Solutions mention something called Virtual IP Address Pools ("VIPAPs"), which made me question if there's more going on than I'd previously thought.

- What exactly are "VIPAPs", why do they exist? What purpose do they serve?
- Are "VIPAPs" separate from DHCP? (which also has a pool of reserved addresses)
- Are "VIPAPs" dynamically generated based on the DHCP pool range?
- If "VIPAPs" have statically set ranges, should they perfectly overlap the DHCP range or should they be part of a reserved space outside it?

I believe that in the past you used to have WAN -> Basic Firewall/Router and establish port forwarding of ports associated with VPN connections to a VPN server on the LAN, such as an OpenVPN Server or StrongSWAN VPN Server. Nowadays a mini OpenVPN Server exists on pfSense Firewalls, and a mini StrongSWAN VPN Server exists on VyOS Routers (and if you put these on the edge you don't need to forward ports.) mentions something about a Virtual IP address pool.

Let's pretend we have a 1 ethernet port computer acting as a StrongSWAN VPN Server. My understanding is that by default port forwarding (or DMZ) sort of remaps the WAN IP to the Laptop's private IP so it's accessible from the internet when behind a Firewall/NAT'd Router. And by default, the Server's Ethernet Port has a Private IP address 10.0.0.100, and a Virtual Network Adapter tunnel interface with an IP address in a 3rd subnet that's only used for routing through the virtual tunnel. Then whenever a remote client connects to the VPN Server, the VPN Server attaches a Virtual IP Address to its Ethernet Port, which represents the client. How it gets that Virtual IP Address for the client is the part that's confusing me.

Normally when I attach a new computer to my network, it gets an IP from DHCP's DORA process, which occurs at layer 2. It gets DNS and subnet info from the O stage of the DORA process. A VPN client would be coming into the network at layer 3, and not have a layer 2 presence on the remote network, and thus couldn't use DHCP, which operates at layer 2.

Maybe when a client connects to a VPN Server, the VPN server makes a virtual network interface on the VPN Server to give the client a Layer 2 presence on the remote network, and the VPN Server initiates the DHCP DORA process by proxy on behalf of the remote client, and then the DHCP server on the remote network assigns an IP address with DNS info to a virtual network interface that exists on the VPN Server, and this virtual network interface represents the remote client? (Not saying it works like that, just saying I'm trying to visualize how it might work.)

But if it's that simple, then why does something called Virtual IP Address Pool exist? Or am I getting my concepts mixed up and VIPAPs have nothing to do with remote DHCP resolution?

The answer is that it depends entirely on the VPN Technology being used:

Routed Site-to-Site - GRE/IPSec/DMVPN/VTI Based VPN Technology:
You can have a Local and Remote Router each with 2 physical ports:
(One Physical Port goes to the Internet Modem)
(One Physical Port points to the Core LAN Switch)
A virtual Tunnel Interface is created on each router (one that supports multicast/routing protocols).
DHCP client 192.168.1.100 on the Local LAN keeps their same IP, doesn't need any special software, configuration, or Virtual IP Address Pools; they just ping 192.168.2.100 on the Remote LAN. And their Local Router has a route to the remote LAN in its routing table, so it forwards the traffic over the tunnel. (It does this in a way that bypasses NAT and the firewall effect of NAT.) (It works as if the Router's 2 WAN ports were connected by a single Ethernet Cable.)
Con: PC on Local LAN can only ping PC on remote LAN when they're connected to the Local Router; if they connect to a different network like the hotspot on their phone, they won't be able to ping the remote LAN.
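As an added example (not from the original post, nor taken from the VyOS project's documentation), here is what the routed site-to-site case described in the answer looks like on the local router in VyOS 1.3-style configuration syntax: a VTI bound to an IPsec peer plus a static route sending the remote LAN into the tunnel, so the DHCP client 192.168.1.100 keeps its lease and the router does all the forwarding. The WAN addresses 198.51.100.1 and 203.0.113.2, the group names IKE-SITE and ESP-SITE, and the tunnel link 10.255.0.0/30 are assumed placeholders.

```vyos
# Added example (not from the original post): LOCAL router, VyOS 1.3-style syntax.
# Assumed: eth0 = WAN 198.51.100.1, eth1 = LAN 192.168.1.0/24,
#          remote WAN 203.0.113.2, remote LAN 192.168.2.0/24, tunnel link 10.255.0.0/30.
set interfaces ethernet eth0 address '198.51.100.1/24'
set interfaces ethernet eth1 address '192.168.1.1/24'

# Routed tunnel interface. The /30 is the "3rd subnet" from the question: it only
# carries routed traffic between the two routers; LAN hosts never see it.
set interfaces vti vti0 address '10.255.0.1/30'
set interfaces vti vti0 description 'VTI to remote site'

# IKEv2 / ESP parameters (placeholder group names; choose ciphers per your policy).
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group IKE-SITE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-SITE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-SITE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SITE proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-SITE pfs 'dh-group14'
set vpn ipsec esp-group ESP-SITE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SITE proposal 1 hash 'sha256'

# Peer bound to the VTI: no traffic selectors, so what enters the tunnel is decided
# purely by the routing table, not by a list of protected subnets.
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'REPLACE-WITH-LONG-RANDOM-PSK'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'IKE-SITE'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.1'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'ESP-SITE'

# The route the answer refers to: the remote LAN is reachable via the tunnel.
# No virtual IP pool and no client software: 192.168.1.100 keeps its DHCP address
# and just sends to 192.168.2.100; this router forwards the packet into vti0.
set protocols static route 192.168.2.0/24 interface vti0

# Ordinary masquerade for Internet-bound traffic. Packets routed into vti0 exit via
# the tunnel, not eth0, so this rule never touches them: the "bypasses NAT" property.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.1.0/24'
set nat source rule 100 translation address 'masquerade'
```

The remote router mirrors this with its own LAN, 10.255.0.2/30 on vti0, and a route for 192.168.1.0/24 via vti0; the VyOS 1.4 syntax differs (for example `vpn ipsec interface` and PSKs under `vpn ipsec authentication psk`), so check the release notes for your version.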
