Primary untrusted physical interface, Virtual ip mapping, Optional remote network – Nortel Networks 608(WL) User Manual


Chapter 3

Configuration via Local Pages

E-DOC-CTC-20051017-0169 v0.1

Primary Untrusted Physical Interface

This field shows a list of your SpeedTouch™ interfaces. You select the preferred
Primary Untrusted Physical Interface. This interface is used as the primary carrier
for your VPN connection. In general, the primary untrusted interface is your DSL
connection to the public Internet.

In the SpeedTouch™ the routing engine determines which interface is used for the
VPN connection (your DSL connection to the Internet in most cases). So what is
the point of selecting a physical interface here?

In a VPN client the selection matters only when your SpeedTouch™ is equipped
with a backup physical interface, for example an ISDN backup interface. This field
determines the preferred interface for your VPN connection, and that interface is
used whenever it is available. When it fails, the active VPN connections are
re-routed via the backup interface. When the preferred interface becomes available
again, the VPN connections are re-routed back to it. If instead you select any as the
Primary Untrusted Physical Interface, the active VPN connections are likewise
re-routed to the backup interface when the interface currently carrying them fails,
but when the DSL connection becomes available again the VPN connections are not
re-routed back to it as long as the backup connection remains available.
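The two failover behaviours above (a named preferred interface fails back to itself, "any" stays on the backup until the backup itself fails) are easy to get wrong when planning which path VPN traffic will actually take after an outage. The model below is an added example, not SpeedTouch™ firmware code; the class, method and interface names ("dsl", "isdn") are assumptions chosen for the illustration, and the link-state events are constructed.

```python
"""Model of the SpeedTouch VPN-client carrier selection described above.

Added illustration, not SpeedTouch firmware code: names are assumptions.
Two documented behaviours are reproduced:

  * a named preferred interface (e.g. "dsl"): the VPN rides it whenever it is
    up and moves back to it as soon as it recovers (failback with pre-emption);
  * "any": the VPN moves to the backup when its carrier fails and stays on the
    backup for as long as that backup is available, even after the original
    carrier has recovered (no pre-emption).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnCarrierSelector:
    interfaces: List[str]               # physical interfaces in fallback order, e.g. ["dsl", "isdn"]
    primary: str = "any"                # value of "Primary Untrusted Physical Interface"
    up: Dict[str, bool] = field(default_factory=dict)
    active: Optional[str] = None        # interface currently carrying the VPN tunnel

    def __post_init__(self) -> None:
        for name in self.interfaces:
            self.up.setdefault(name, True)   # assume every link is up at start
        if self.primary != "any" and self.primary not in self.interfaces:
            raise ValueError(f"unknown interface {self.primary!r}")
        self.active = self._first_available()

    def _first_available(self) -> Optional[str]:
        """Backup path: the first interface in fallback order that is up."""
        for name in self.interfaces:
            if self.up[name]:
                return name
        return None

    def set_link(self, name: str, is_up: bool) -> Optional[str]:
        """Apply a link-state change; return the interface now carrying the VPN."""
        self.up[name] = is_up
        preferred_up = self.primary != "any" and self.up[self.primary]
        if self.active is not None and self.up[self.active]:
            # Current carrier is still fine. Only a named preferred interface
            # may pre-empt it; with "any" the tunnel stays where it is.
            if preferred_up:
                self.active = self.primary
            return self.active
        # Current carrier failed (or nothing selected yet): re-route.
        self.active = self.primary if preferred_up else self._first_available()
        return self.active


def trace(primary: str, events: List[Tuple[str, bool]]) -> List[Optional[str]]:
    """Replay link events on a DSL + ISDN unit and list the carrier after each."""
    sel = VpnCarrierSelector(["dsl", "isdn"], primary=primary)
    return [sel.set_link(name, state) for name, state in events]


if __name__ == "__main__":
    outage = [("dsl", False), ("dsl", True), ("isdn", False)]  # constructed scenario
    print("preferred=dsl:", trace("dsl", outage))   # back on DSL as soon as it recovers
    print("preferred=any:", trace("any", outage))   # stays on ISDN until ISDN fails
```

The practical consequence for an operator is that with "any" a metered or slow backup link can keep carrying the VPN indefinitely after a brief DSL outage, so monitoring should alert on the active carrier, not only on link state.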

Virtual IP mapping

Either dhcp or nat can be selected.

- Selecting dhcp as virtual IP address mapping has the effect that the virtual IP
  address attributed by the VPN server to the SpeedTouch™ VPN client is
  effectively assigned to the terminal. The SpeedTouch™ creates a new IP
  address pool, called a spoofing address pool, and uses this pool to provide a
  new IP address to the terminal that starts the secure connection. Because the
  VPN server attributes a single virtual IP address, simultaneous access to the
  VPN by multiple terminals in the LAN is not possible in this mode.

- Selecting nat as virtual IP address mapping has the effect that the VPN server
  attributes a virtual IP address to the SpeedTouch™ VPN client and this virtual
  IP address is stored in the SpeedTouch™. The SpeedTouch™ automatically
  creates a new NAT entry to map the virtual IP address to the IP addresses used
  on the local network. Simultaneous access to the VPN by multiple terminals is
  supported in this mode.

Optional Remote Network

These settings allow you to limit the accessible area on the remote network.

Normally the VPN server sets this parameter during the tunnel negotiations.

Note: The spoofing address pool inherits the lease time for IP addresses from
the originally used address pool. In order to have a swift renewal of IP
addresses, it is recommended to set a conveniently low lease time in the
original dhcp address pool. A value of 60 seconds is suggested.
