<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: Routing Issues</TITLE>
 <LINK HREF="ipsec-dhcp-howto-6.html" REL=next>
 <LINK HREF="ipsec-dhcp-howto-4.html" REL=previous>
 <LINK HREF="ipsec-dhcp-howto.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="ipsec-dhcp-howto-6.html">Next</A>
<A HREF="ipsec-dhcp-howto-4.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5. Routing Issues</A></H2>

<H2><A NAME="ss5.1">5.1 Using a Proxy ARP</A>
</H2>

<P>If you have to use exactly the same subnet for the vpn-clients and the
lan-clients, the vpn-gw must also work as an arp proxy. Therefore you 
have to enable arp proxy support in the kernel configuration and activate 
it with: 
<HR>
<PRE>
echo 1 > /proc/sys/net/ipv4/conf/ethX/proxy_arp
</PRE>
<HR>

For further details see the 
<A HREF="http://lartc.org/howto/lartc.bridging.html">Linux Advanced Routing and Traffic Control HOWTO</A><P>
<H2><A NAME="ss5.2">5.2 Using a different Subnet for the VPN-Clients</A>
</H2>

<P>If you have to distinguish between vpn-clients and lan-clients in some
cases, split your network (virtually) in two parts:
<UL>
<LI>use 192.168.0.0/23 for the whole lan</LI>
<LI>use 192.168.0.0/24 for the vpn-clients</LI>
<LI>use 192.168.1.0/24 for the lan-clients</LI>
<LI>if the vpn-gw is not your default gw, add a rule to the default gw
which forwards all 192.168.0.0/24 traffic to the vpn-gw.</LI>
<LI>use 192.168.0.0/23 for access restrictions where both lan- and
vpn-clients are accepted</LI>
<LI>use 192.168.0.0/24 for access restrictions where only the vpn-clients
are accepted</LI>
<LI>use 192.168.1.0/24 for access restrictions where only the lan-clients
are accepted</LI>
</UL>
<P>
<HR>
<A HREF="ipsec-dhcp-howto-6.html">Next</A>
<A HREF="ipsec-dhcp-howto-4.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc5">Contents</A>
</BODY>
</HTML>