telepdx
New Contributor

Is the netvanta 3120 mobile vpn client allowed to bridge?


NetVanta 3120 VPN allows mobile clients to connect when the DHCP range handed to the mobile client is outside the subnet of the LAN interface the VPN is connecting to.

The application we are trying to run wants to appear to be on the same subnet as the server it is connecting to, i.e. bridge.

Crypto debug reports that the IP is owned by the corporate LAN.

Thanks for your assistance.


Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


Have you tried creating a 'crypto ike client configuration pool' with an ip-range within the same subnet as the LAN?

You could also exclude this IP range from the DHCP pool, so that only remotely connecting hosts use it.

--

Regards,

Mick

telepdx
New Contributor

Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


Step 4 of the VPN setup is assigning address space. It will let you assign addressing within the LAN DHCP range, but the debug shows the error. I tried using addresses from within the same subnet but in the DHCP excluded range and got the same error.

Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


Can you please post the log error?  Obfuscate IP addresses as necessary to protect privacy.

--

Regards,

Mick

Anonymous
Not applicable

Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


Hi telepdx:

I don't think the use of LAN-range IP addresses is supported for IKE mode configuration. Check out the explanation in step 9, page 21 of Configuring NetVanta Secure VPN Client:


9. Configure the dynamic host configuration protocol (DHCP) pool (this is a client configuration pool) that will be used only for VPN peers. This IP address range must be unique and not currently reside elsewhere on the network. DNS server and Windows Internet Name Service (WINS) server need not be unique and can reside on a current network. Select Next to continue.


Best regards,

Chris


Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


Hi cj,

I am not reading the paragraph you refer to in the same way.  This sentence:

"This IP address range must be unique and not currently reside elsewhere on the network."

In my mind the "network" is the local subnet of the mobile client machine. This makes sense, because otherwise the mobile client PC would not know where to route packets for an IP address within the same subnet as its local LAN: through the VPN tunnel, or unencrypted through its local LAN switch?

There is no problem specifying on the Netvanta a Mode Config IP address range within the Netvanta's LAN.  I tried this just now and it was accepted by the device.  To avoid IP address clashes between the mobile client and other hosts within the Netvanta's LAN, I suggested that the Mode-Config IP address range is excluded from the Netvanta's DHCP pool.

I may have misunderstood what telepdx is asking though.  I assumed that the application he mentioned is running on the mobile client and the server is behind the Netvanta.

--

Regards,

Mick
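The two constraints discussed in this thread (a mode-config range that must not collide with addresses the NetVanta's DHCP server leases, and the routing ambiguity for a remote client whose own local LAN uses the same prefix as the pool), plus the uniqueness requirement Chris quotes from the VPN client guide, can be checked before pushing a configuration. The following pre-flight check is an added example; it is not code from this thread or from ADTRAN, its field names are not AOS syntax, and every address in it is a constructed sample value.

```python
"""Pre-flight check for an IKE mode-config (client configuration) pool.

Added example, not from the forum thread or from ADTRAN. Field names are
assumptions for illustration; all addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

Range = tuple[str, str]  # inclusive first/last address, as strings


@dataclass
class VpnAddressing:
    lan_subnet: str             # network of the NetVanta LAN interface
    dhcp_range: Range           # addresses the LAN DHCP server hands out
    dhcp_excluded: list[Range]  # ranges excluded from that DHCP pool
    modecfg_pool: Range         # ip-range handed to mobile VPN peers


def _interval(rng: Range) -> tuple[int, int]:
    """Convert an address pair into an inclusive integer interval."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in rng)
    if lo > hi:
        raise ValueError(f"range {rng} is reversed")
    return lo, hi


def _subtract(iv: tuple[int, int], cuts: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Remove every interval in `cuts` from `iv`; return the remaining pieces."""
    pieces = [iv]
    for clo, chi in cuts:
        nxt = []
        for lo, hi in pieces:
            if chi < lo or clo > hi:          # no overlap, keep as is
                nxt.append((lo, hi))
                continue
            if lo < clo:                      # part below the cut survives
                nxt.append((lo, clo - 1))
            if hi > chi:                      # part above the cut survives
                nxt.append((chi + 1, hi))
        pieces = nxt
    return pieces


def _fmt(iv: tuple[int, int]) -> str:
    return f"{ipaddress.ip_address(iv[0])}-{ipaddress.ip_address(iv[1])}"


def pool_inside_lan(cfg: VpnAddressing) -> bool:
    """True if any part of the mode-config pool lies in the NetVanta LAN subnet."""
    net = ipaddress.ip_network(cfg.lan_subnet, strict=False)
    lo, hi = _interval(cfg.modecfg_pool)
    return ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net


def dhcp_collisions(cfg: VpnAddressing) -> list[str]:
    """Pool addresses the LAN DHCP server could still lease to a local host."""
    plo, phi = _interval(cfg.modecfg_pool)
    dlo, dhi = _interval(cfg.dhcp_range)
    lo, hi = max(plo, dlo), min(phi, dhi)
    if lo > hi:
        return []
    leasable = _subtract((lo, hi), [_interval(r) for r in cfg.dhcp_excluded])
    return [_fmt(p) for p in leasable]


def client_routing_ambiguity(cfg: VpnAddressing, client_local_subnet: str) -> bool:
    """True if the remote client's own LAN shares addresses with the pool,
    so the client cannot tell tunnel traffic from local-switch traffic."""
    cnet = ipaddress.ip_network(client_local_subnet, strict=False)
    lo, hi = _interval(cfg.modecfg_pool)
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(lo),
                                             ipaddress.ip_address(hi))
    return any(n.overlaps(cnet) for n in nets)


def findings(cfg: VpnAddressing, client_local_subnet: str) -> list[str]:
    """Human-readable list of problems; empty means the pool passes all checks."""
    out = []
    if pool_inside_lan(cfg):
        out.append("pool overlaps the NetVanta LAN subnet; the VPN client guide "
                   "requires a unique range and the crypto debug in this thread "
                   "reported such addresses as owned by the LAN")
    for rng in dhcp_collisions(cfg):
        out.append(f"DHCP server can still lease {rng} to a local host; "
                   "exclude it from the DHCP pool")
    if client_routing_ambiguity(cfg, client_local_subnet):
        out.append(f"client LAN {client_local_subnet} overlaps the pool; the "
                   "client cannot decide between tunnel and local switch")
    return out


# Constructed sample: pool carved out of the LAN, only partly excluded from DHCP.
LAN_POOL = VpnAddressing(
    lan_subnet="192.168.10.0/24",
    dhcp_range=("192.168.10.100", "192.168.10.199"),
    dhcp_excluded=[("192.168.10.180", "192.168.10.199")],
    modecfg_pool=("192.168.10.170", "192.168.10.189"),
)

# Constructed sample: unique pool outside the LAN, as the guide's step 9 asks.
UNIQUE_POOL = VpnAddressing(
    lan_subnet="192.168.10.0/24",
    dhcp_range=("192.168.10.100", "192.168.10.199"),
    dhcp_excluded=[],
    modecfg_pool=("10.200.0.10", "10.200.0.50"),
)

if __name__ == "__main__":
    for name, cfg in (("LAN_POOL", LAN_POOL), ("UNIQUE_POOL", UNIQUE_POOL)):
        print(name, findings(cfg, "192.168.10.0/24") or ["ok"])
```

Run against a candidate pool before committing it: the LAN-range sample trips all three checks (a home router commonly hands out 192.168.10.0/24 too, which is exactly the ambiguity Mick describes), while the unique 10.200.0.0 pool reports nothing.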

telepdx
New Contributor

Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


In a very general sense I think a VPN should allow my device to connect with the home network and appear as if it were local. In this case the app lives on a laptop that is mobile. The vendor of the app has stated that it will only work if it appears that the client and the server are on the same IP subnet. I would have to agree with Chris in reading the statement that the DHCP range must be unique for VPN peers.

Anonymous
Not applicable

Re: Is the netvanta 3120 mobile vpn client allowed to bridge?


I wish I had a more authoritative answer.  So far, I think the document referenced above and our collective experience seem to indicate that the IKE mode config pool must be unique in order for mobile VPN to function.  I understand that this causes a problem for your application.  Could another VPN solution work in this setting?  My experience with Windows-based PPTP VPN, for example, is that LAN IP addresses can be obtained by remote clients.

If there's a way to make an AOS firewall work the way you're describing, I'd love to know.  Anyone in the Support Community have a clearer answer?

Chris