[lug] vpn and traceroute

Brian Stiff bstiff929 at yahoo.com
Wed May 25 08:43:53 MDT 2011


> Date: Mon, 23 May 2011 12:14:31 -0600
> From: Jason Schaefer <js at jasonschaefer.com>
> 
> You will need to set your default gateway to route out the vpn tunnel.
> Type "route print" and you will see your current route table. It
> probably just has the remote subnet(s) set to route over the vpn and
> the default gateway set to your local gateway.
> 

This probably shouldn't work, depending on the VPN implementation. The tunnel policy (i.e., the hosts/subnets that are defined as reachable through the VPN) should be the *only* subnets reachable through the tunnel. Thus, if your VPN policy is configured for split tunnel, such that you can reach all 10-net addresses through the tunnel, but all other subnets will follow your host's local routing configuration, the VPN head-end *should* drop any traffic that came from your host that is going to a non-10-net destination.

This is a critical aspect of VPN security policy; if, for example, a contractor is allowed to access a specific group of hosts or subnet, but must be denied access to other hosts/subnets, their access should be controllable solely by the vpn tunnel policy.

Regards,
Brian
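An added example, not part of Brian's or Jason's messages, showing both halves of the point above: a head-end that forwards tunnel traffic only to the destinations in the tunnel policy (a contractor policy narrower than the 10-net employee policy), and a check of a "route print"-style table to confirm that only the remote subnet, not the default route, goes via the tunnel gateway. The policy table, role names, gateway addresses and route-table text are all constructed for the example.

```python
import ipaddress
import logging

# Constructed tunnel policies keyed by role (assumption: the head-end knows
# which policy applies to each tunnel). These are the only destinations the
# head-end forwards for traffic arriving from that tunnel.
TUNNEL_POLICY = {
    "employee": ["10.0.0.0/8"],
    "contractor": ["10.20.5.0/24", "10.30.0.7/32"],
}


def head_end_filter(role, packets, policy=TUNNEL_POLICY):
    """Classify (src, dst) packets arriving from a tunnel.
    Returns (forwarded, dropped) lists of destination strings; every drop is
    logged so policy violations can be monitored."""
    allowed = [ipaddress.ip_network(n) for n in policy[role]]
    forwarded, dropped = [], []
    for src, dst in packets:
        if any(ipaddress.ip_address(dst) in net for net in allowed):
            forwarded.append(dst)
        else:
            dropped.append(dst)
            logging.warning("policy drop role=%s src=%s dst=%s", role, src, dst)
    return forwarded, dropped


# Constructed Windows-style IPv4 route table: default route via the LAN
# gateway, only 10/8 via the tunnel gateway (split tunnel).
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0     172.31.255.1   172.31.255.10     10
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""


def tunnel_routes(route_print, tunnel_gw):
    """Return (via_tunnel, default_via_tunnel): the networks routed to the
    tunnel gateway, and whether the default route (0.0.0.0/0) is one of them."""
    via_tunnel, default_via_tunnel = [], False
    for line in route_print.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip the header and anything unparseable
            continue
        dest, mask, gw, _iface, _metric = parts
        if gw == tunnel_gw:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            via_tunnel.append(str(net))
            default_via_tunnel |= net.prefixlen == 0
    return via_tunnel, default_via_tunnel
```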


