<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>DHCPv4 Configuration of IPsec Tunnel Mode HOWTO: Routing Issues</TITLE>
<LINK HREF="ipsec-dhcp-howto-6.html" REL=next>
<LINK HREF="ipsec-dhcp-howto-4.html" REL=previous>
<LINK HREF="ipsec-dhcp-howto.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="ipsec-dhcp-howto-6.html">Next</A>
<A HREF="ipsec-dhcp-howto-4.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5. Routing Issues</A></H2>

<H2><A NAME="ss5.1">5.1 Using a Proxy ARP</A> </H2>

<P>If the vpn-clients and the lan-clients have to share exactly the same subnet, the vpn-gw must also act as an ARP proxy: it answers ARP requests on the LAN for the addresses of the vpn-clients behind the tunnel, so that lan-clients send traffic for them to the vpn-gw. To do this, enable proxy ARP support in the kernel configuration and activate it on the LAN interface (ethX) with:
<HR>
<PRE>
echo 1 > /proc/sys/net/ipv4/conf/ethX/proxy_arp
</PRE>
<HR>
For further details see the <A HREF="http://lartc.org/howto/lartc.bridging.html">Linux Advanced Routing and Traffic Control HOWTO</A>.

<H2><A NAME="ss5.2">5.2 Using a different Subnet for the VPN-Clients</A> </H2>

<P>If you have to distinguish between vpn-clients and lan-clients in some cases, split your network (virtually) into two parts:
<UL>
<LI>use 192.168.0.0/23 for the whole lan</LI>
<LI>use 192.168.0.0/24 for the vpn-clients</LI>
<LI>use 192.168.1.0/24 for the lan-clients</LI>
<LI>if the vpn-gw is not your default gw, add a route (forwarding rule) on the default gw which sends all 192.168.0.0/24 traffic to the vpn-gw.</LI>
<LI>use 192.168.0.0/23 for access restrictions where both lan- and vpn-clients are accepted</LI>
<LI>use 192.168.0.0/24 for access restrictions where only the vpn-clients are accepted</LI>
<LI>use 192.168.1.0/24 for access restrictions where only the lan-clients are accepted</LI>
</UL>
<HR>
<A HREF="ipsec-dhcp-howto-6.html">Next</A>
<A HREF="ipsec-dhcp-howto-4.html">Previous</A>
<A HREF="ipsec-dhcp-howto.html#toc5">Contents</A>
</BODY>
</HTML>
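The subnet split of section 5.2, worked through as an added example that is not part of the HOWTO: it checks that the two /24 prefixes exactly tile the /23, classifies a client address, evaluates the three kinds of access restriction the list describes, and derives the route the default gw needs when it is not the vpn-gw. The vpn-gw address 192.168.1.1, the service-to-policy table and the sample client addresses are constructed for this example and do not come from the page.

```python
"""Added example for the 5.2 subnet split (not part of the HOWTO).

Assumptions (not from the page): the vpn-gw sits at 192.168.1.1 on the LAN
half, and the small SERVICES table below is a constructed stand-in for
whatever access restrictions (packet filter, tcpwrappers, ...) you use.
"""
from ipaddress import ip_address, ip_network

WHOLE_LAN = ip_network("192.168.0.0/23")    # both lan- and vpn-clients
VPN_CLIENTS = ip_network("192.168.0.0/24")  # only vpn-clients
LAN_CLIENTS = ip_network("192.168.1.0/24")  # only lan-clients

VPN_GW = ip_address("192.168.1.1")          # assumed address of the vpn-gw

# The three access-restriction prefixes from the HOWTO, keyed by policy name.
POLICIES = {
    "any": WHOLE_LAN,        # both lan- and vpn-clients accepted
    "vpn-only": VPN_CLIENTS, # only vpn-clients accepted
    "lan-only": LAN_CLIENTS, # only lan-clients accepted
}

# Constructed table: which policy protects which service.
SERVICES = {
    "fileserver": "any",
    "admin-console": "vpn-only",
    "printer": "lan-only",
}


def check_split():
    """The two /24s must lie inside the /23, not overlap, and cover it fully."""
    return (
        VPN_CLIENTS.subnet_of(WHOLE_LAN)
        and LAN_CLIENTS.subnet_of(WHOLE_LAN)
        and not VPN_CLIENTS.overlaps(LAN_CLIENTS)
        and VPN_CLIENTS.num_addresses + LAN_CLIENTS.num_addresses
        == WHOLE_LAN.num_addresses
    )


def classify(addr):
    """Tell vpn-clients from lan-clients purely by the half of the /23 they use."""
    a = ip_address(addr)
    if a in VPN_CLIENTS:
        return "vpn-client"
    if a in LAN_CLIENTS:
        return "lan-client"
    return "external"


def allowed(addr, policy):
    """Evaluate one access restriction: is addr inside the policy's prefix?"""
    return ip_address(addr) in POLICIES[policy]


def service_allowed(addr, service):
    """Apply the restriction configured for a named service."""
    return allowed(addr, SERVICES[service])


def route_for_default_gw(vpn_gw=VPN_GW):
    """The extra route the default gw needs when it is not the vpn-gw."""
    return f"ip route add {VPN_CLIENTS} via {vpn_gw}"


def next_hop(dst, vpn_gw=VPN_GW):
    """Forwarding decision on the default gw for a destination address."""
    d = ip_address(dst)
    if d in VPN_CLIENTS:
        return str(vpn_gw)   # hand vpn-client traffic to the vpn-gw
    if d in LAN_CLIENTS:
        return "direct"      # on-link, delivered directly
    return "upstream"        # everything else leaves via the default route


if __name__ == "__main__":
    print("split consistent:", check_split())
    print(route_for_default_gw())
    for client in ("192.168.0.17", "192.168.1.200", "10.0.0.1"):
        print(client, classify(client),
              {s: service_allowed(client, s) for s in SERVICES},
              "next hop on default gw:", next_hop(client))
```

The point of keeping the vpn-clients in their own /24 is that every access restriction becomes a single prefix match; if the vpn-gw also hands out DHCP leases over the tunnel, its pool should be drawn from 192.168.0.0/24 so that classification stays correct.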