CHAPTER 8
IP Routing
In a typical installation, the VPN Concentrator is connected to the public network through an external
router, which routes data traffic between networks, and it may also be connected to the private network
through a router.
The VPN Concentrator itself includes an IP routing subsystem with static routing, RIP (Routing
Information Protocol), and OSPF (Open Shortest Path First) functions. RIP and OSPF are routing
protocols that routers use to exchange messages with other routers within an internal or private
network in order to determine network connectivity, status, and optimum paths for sending data traffic.
Once the IP routing subsystem establishes the data paths, the routing itself occurs at wire speed. The
subsystem looks at the destination IP address in all packets coming through the VPN Concentrator, even
tunneled ones, to determine where to send them. If the packets are encrypted, it sends them to the
appropriate tunneling protocol subsystem (PPTP, L2TP, IPSec) for processing and subsequent routing.
If the packets are not encrypted, it routes them according to the configured IP routing parameters.
To route packets, the subsystem uses learned routes first (learned from RIP and OSPF), then static routes,
then the default gateway. If you don't configure the default gateway, the subsystem drops packets
that it can't otherwise route. The VPN Concentrator also provides a tunnel default gateway, which is a
separate default gateway for tunneled traffic only.
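The following is an added example, not taken from the guide or from Cisco code, that models the lookup order described above: learned routes, then static routes, then a default gateway, otherwise drop. The function names, the sample tables and addresses, longest-prefix matching inside each table, and the fallback from the tunnel default gateway to the ordinary default gateway are assumptions of this example.

```python
import ipaddress

def parse(routes):
    """Turn (prefix, next_hop) string pairs into (ip_network, next_hop) pairs."""
    return [(ipaddress.ip_network(net), hop) for net, hop in routes]

def _best(table, addr):
    """Longest-prefix match within one table (assumed; the guide does not say)."""
    hits = [(net, hop) for net, hop in table if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def next_hop(dst, learned, static, default_gw=None, tunnel_gw=None, tunneled=False):
    """Return (route_source, next_hop) following the order the text gives."""
    addr = ipaddress.ip_address(dst)
    # 1. learned routes (RIP/OSPF), 2. static routes
    for source, table in (("learned", learned), ("static", static)):
        hit = _best(table, addr)
        if hit:
            return source, hit[1]
    # 3. default gateway; tunneled traffic uses the tunnel default gateway.
    # Assumption: with no tunnel default gateway set, tunneled traffic
    # falls back to the ordinary default gateway.
    if tunneled and tunnel_gw:
        return "tunnel-default", tunnel_gw
    if default_gw:
        return "default", default_gw
    # 4. nothing matches and no default gateway is configured: packet is dropped
    return "drop", None

# Constructed sample tables (hypothetical addresses)
LEARNED = parse([("10.10.0.0/16", "192.168.1.2")])
STATIC = parse([("10.10.5.0/24", "192.168.1.3"), ("172.16.0.0/12", "192.168.1.4")])

if __name__ == "__main__":
    for dst, kwargs in [
        ("10.10.5.7", {}),                       # learned table is consulted first
        ("172.16.9.1", {}),                      # no learned route, static applies
        ("203.0.113.9", {}),                     # no default gateway: dropped
        ("203.0.113.9", {"default_gw": "192.168.1.1"}),
        ("203.0.113.9", {"default_gw": "192.168.1.1",
                         "tunnel_gw": "192.168.2.1", "tunneled": True}),
    ]:
        print(dst, kwargs, "->", next_hop(dst, LEARNED, STATIC, **kwargs))
```

Because the learned table is consulted before the static one, the first lookup follows the learned /16 even though a static /24 also covers the destination, which is worth keeping in mind when reviewing which neighbors are allowed to supply RIP or OSPF routes.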
You configure static routes, the default gateways, and system-wide OSPF parameters in this section. This
section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) parameters. You
configure RIP and interface-specific OSPF parameters on the network interfaces; see Configuration |
Interfaces.
This section of the Manager also lets you configure VPN Concentrator redundancy using VRRP (Virtual
Router Redundancy Protocol). This feature applies to installations of two or more VPN Concentrators
in a parallel, redundant configuration. It provides automatic switchover to a backup system in case the
primary system is out of service, thus assuring user access to the VPN. This feature supports user access
via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP
client connections.
VPN 3000 Concentrator Series User Guide