a simple routing question

Oct 3rd, 2007

I am using a VPN client to get into the inside network. I understand the VPN switch will replace my public source address ( an address on the subnet on the inbound packet. Why can't my source address be left intact and the downstream core switch will just use the default gateway to push the return packet back to the VPN switch?


Jon Marshall Wed, 10/03/2007 - 22:53


The way remote access client VPNs generally work is that they allocate an address to your PC that is from your company range. So the switch does not replace the public IP with the private IP; rather, your client sends a packet with the source IP address in the 172.16.x.x range. This packet is then encapsulated within another packet header which uses the public IP address of your PC as the source address.

All the switch does is strip the outer header and forward on the packet with the original source IP address of 172.16.x.x.

The whole idea of a remote access VPN is that a user appears to be on the corporate network.

Does this make sense?


axfalk Thu, 10/04/2007 - 05:25

Jon, thanks for your response...


Where's all this taking place? On the VPN concentrator?

Thanks again...

Jon Marshall Thu, 10/04/2007 - 05:29

The 172.16.x.x address will be handed out by your concentrator or DHCP servers within your corporate LAN.

The encryption of the packet and the encapsulation of the packet with another packet header is done on the client PC.

The concentrator on receiving the packet will strip the outer header and decrypt, then send on to server etc. in corporate LAN.

When the return traffic is received from the server by the concentrator it encrypts the packet, adds the outer header with the public IP addressing and sends to client. Client then strips outer header, decrypts and processes traffic.
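The header layering described in the replies above, as an added example that is not part of the original thread. Encryption is left out and the outer header uses IP-in-IP (protocol 4) so that only the encapsulation and stripping are shown; every address except the 172.16.x.x range is a constructed documentation value.

```python
import socket
import struct

# Constructed sample addresses (assumptions, not from the thread).
CLIENT_PUBLIC, CONCENTRATOR_OUTSIDE = "198.51.100.7", "203.0.113.1"
CLIENT_ASSIGNED, SERVER = "172.16.10.25", "172.16.1.10"
IPIP, APP = 4, 253  # 4 = IP-in-IP; 253 = experimental protocol number for the dummy payload

def checksum(data: bytes) -> int:
    """Internet checksum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject malformed or corrupted headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total <= len(packet) or checksum(packet[:ihl]):
        raise ValueError("malformed IPv4 header")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[ihl:total]

def client_encapsulate(inner: bytes) -> bytes:
    """Client PC: wrap the 172.16.x.x packet in a header using its public IP."""
    return ipv4_packet(CLIENT_PUBLIC, CONCENTRATOR_OUTSIDE, IPIP, inner)

def concentrator_decapsulate(outer: bytes) -> bytes:
    """Concentrator outside interface: strip the outer header, forward the inner packet."""
    _, dst, proto, inner = parse_ipv4(outer)
    if dst != CONCENTRATOR_OUTSIDE or proto != IPIP:
        raise ValueError("not tunnel traffic for this concentrator")
    parse_ipv4(inner)  # inner header must be valid before it reaches the LAN
    return inner

def round_trip():
    """Addresses seen on the Internet leg, on the LAN, and on the return leg."""
    outer = client_encapsulate(ipv4_packet(CLIENT_ASSIGNED, SERVER, APP, b"request"))
    forwarded = concentrator_decapsulate(outer)
    reply = ipv4_packet(SERVER, CLIENT_ASSIGNED, APP, b"reply")
    reply_outer = ipv4_packet(CONCENTRATOR_OUTSIDE, CLIENT_PUBLIC, IPIP, reply)
    return parse_ipv4(outer)[:2], parse_ipv4(forwarded)[:2], parse_ipv4(reply_outer)[:2]
```

The server only ever sees the 172.16.x.x source, so its reply routes back to the concentrator through normal internal routing for that range.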



axfalk Thu, 10/04/2007 - 18:11

Jon, thanks for a very thorough response... Just a quick follow-up question, please... Where on the VPN concentrator does the tunnel terminate?

Thanks again...

Jon Marshall Thu, 10/04/2007 - 21:27

Glad to help.

The tunnel usually terminates on the outside interface of the concentrator.

Appreciate the rating


