[plug] vpn breaks home network

Jon L. Miller jlmiller at mmtnetworks.com.au
Wed Dec 12 13:19:21 WST 2007


I'm under the impression (please correct me if I'm wrong) that when the
client initiates a vpn tunnel to the remote server, the remote router
sends the information for the split tunnel to take effect (e.g. giving
access to the local lan). The vpn is then the dgw thereby enabling routing
to the local lan. I guess you could put the 'policy' on the local router,
but then the tunnel would have to be up all the time... yes? From what I
understand this is a security risk and all the workstations would have to
be set to the VPN dgw ip address.

J

On Wed, December 12, 2007 09:34, Adrian Chadd wrote:
> On Wed, Dec 12, 2007, Jon L. Miller wrote:
>> What it appears that Rob needs to do to fix this is to have split
>> tunneling enabled so it can send access to the local lan, but this has to
>> be done from the VPN server (main router).  He also needs to enable
>> access to local lan on his vpn client.
>> I've run into this several times in the past when we ran a large vpn
>> network.
>
> It doesn't specifically have to be done from the VPN server. It's just
> how the software controlling the VPN at the client side gets its
> "policy".
>
> IPSEC is weird. It's sometimes used as a tunnel (ie, you have an interface
> which acts just like any other), sometimes it uses security policy with
> or without the tunnel (ie, it uses rules to say "match on X, Y; send
> to IPSEC peer X".) That's part of the security association setup with
> IPSEC.
>
> (I hate IPSEC in the SA mode; I much prefer it in tunnels. The world
> doesn't agree however.)
>
>
>
> Adrian
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
>


--------------------------------
Jon L. Miller, MCNE CNS CCNA
MMT Networks Pty Ltd
East Perth, WA 6004
WA, Australia
+61 89227 0892
-------------------------------------------------
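
The difference between tunnel-interface and policy-based IPsec raised in the quoted reply, and its effect on full versus split tunnels, modelled as an added example (not code from either poster). The addresses, interface names and the ordered-list policy model are constructed simplifications; real stacks order policies by priority.

```python
import ipaddress as ip

# Constructed sample network: home LAN, corporate range, three destinations.
HOME_LAN, CORP = "192.168.1.0/24", "10.0.0.0/8"
DESTS = {"printer": "192.168.1.50", "corp": "10.1.2.3", "web": "203.0.113.10"}

def route_lookup(table, dst):
    """Tunnel-interface mode: longest-prefix match picks the outgoing device."""
    hits = [(ip.ip_network(net), dev) for net, dev in table
            if ip.ip_address(dst) in ip.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def policy_lookup(policies, table, dst):
    """Policy mode: selectors are checked first (simplified: list order);
    only traffic that matches no 'ipsec' selector falls through to routing."""
    for selector, action in policies:
        if ip.ip_address(dst) in ip.ip_network(selector):
            return "ipsec-peer" if action == "ipsec" else route_lookup(table, dst)
    return route_lookup(table, dst)

PLAIN = [(HOME_LAN, "eth0"), ("0.0.0.0/0", "eth0")]   # routes without any VPN

SCENARIOS = {
    # tunnel interface, VPN as default gateway: connected LAN route still wins
    "tunnel-full": lambda d: route_lookup(
        [(HOME_LAN, "eth0"), ("0.0.0.0/0", "tun0")], d),
    # tunnel interface, split: only the corporate prefix is routed into the tunnel
    "tunnel-split": lambda d: route_lookup(PLAIN + [(CORP, "tun0")], d),
    # policy mode, "everything to the peer": the LAN is swallowed as well
    "policy-full": lambda d: policy_lookup([("0.0.0.0/0", "ipsec")], PLAIN, d),
    # policy mode with an explicit local-LAN bypass ahead of the catch-all
    "policy-full+lan": lambda d: policy_lookup(
        [(HOME_LAN, "bypass"), ("0.0.0.0/0", "ipsec")], PLAIN, d),
    # policy mode, split tunnel: selector covers the corporate range only
    "policy-split": lambda d: policy_lookup([(CORP, "ipsec")], PLAIN, d),
}

def evaluate():
    """Return {scenario: {destination: where the packet goes}}."""
    return {name: {k: fn(v) for k, v in DESTS.items()}
            for name, fn in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:16} {result}")
```

In both split scenarios the `web` destination leaves via `eth0`, outside the tunnel and outside any filtering applied at the remote site.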



