Firewall or Router for VPN

Is it better to use a firewall like a PIX515E or a router like a 1721 for setting up a VPN?

Hi
What kind of VPN are you talking about? Is it a point-to-point VPN between 2 sites, or is it going to be used by remote VPN clients?
If it's a simple point-to-point VPN between 2 clients, then you can go ahead with the Cisco 1721, which can handle the same.
But if it's going to be more than one site, and with that if you are more concerned about your security aspects, then go with PIX appliances.
Otherwise you can even settle for a higher-end router, which can serve your purpose.
Regards

Similar Messages

  • Hub router for VPN

    We're replacing a third party router with a Cisco 1721. This location is the hub of multi-location (3 remote sites) VPN.
    The 3 remote sites are all on fixed public IPs.
    I've seen examples of both no assumption/restriction of remote IPs (crypto isakmp key [key] address 0.0.0.0 0.0.0.0), as well as setting a key per remote:
    crypto isakmp key [key1] address [remote ip1]
    crypto isakmp key [key2] address [remote ip2]
    crypto isakmp key [key3] address [remote ip3]
    Is there a disadvantage/security concern to using the quad-0 approach?

    There are no advantages or disadvantages other than what should be obvious.
    Single key.
    Advantage: Simple administration, common config on all routers.
    Disadvantage: Potentially allows anyone to connect to the router from the Internet if not forbidden by another policy on the router.
    Multiple keys.
    Advantage: ISAKMP can not be negotiated if not specifically configured on the router for that remote IP address. Conceptually more secure.
    Disadvantage: More administrative overhead.
    With 3 sites, the specific key per site is fairly easy to do. If you had 200 sites, that method would be much less doable. You could do a quick estimate. (N * 5) + (N ^ 2) minutes to do your entire network, or something in that line.
    It's much easier if you have a system that manages this for larger installs. I believe this is one of the purposes of Cisco's GET VPN.
    Rob
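
An audit of the two key styles compared in this thread, as an added example that is not part of the original posts: it reads `crypto isakmp key` lines from a router config and reports wildcard keys, keys tied to an address range, keys shared between peers, and remote sites that have no host-specific key. The sample config, key strings, peer addresses and finding names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed hub config mixing both styles from the thread.
# Keys are placeholders; addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
hostname hub-1721
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key SiteKeyA address 192.0.2.10
crypto isakmp key SiteKeyB address 198.51.100.20 255.255.255.255
crypto isakmp key SiteKeyB address 203.0.113.30
crypto isakmp key 0 LabKey address 203.0.113.64 255.255.255.192 no-xauth
crypto isakmp key CatchAll address 0.0.0.0 0.0.0.0
"""

# Fixed public IPs of the three remote sites (constructed values).
EXPECTED_PEERS = ["192.0.2.10", "198.51.100.20", "203.0.113.40"]

# crypto isakmp key [0|6] <key> address <peer> [mask] [no-xauth]
KEY_RE = re.compile(
    r"^crypto isakmp key (?:(?P<enc>[06]) )?(?P<key>\S+) address "
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?: (?P<mask>\d+\.\d+\.\d+\.\d+))?"
    r"(?: no-xauth)?\s*$"
)


def parse_isakmp_keys(config_text):
    """Return (line_no, key, network) for every pre-shared key line."""
    entries = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        # Without a mask the entry applies to a single host.
        mask = m.group("mask") or "255.255.255.255"
        net = ipaddress.ip_network(f"{m.group('addr')}/{mask}", strict=False)
        entries.append((line_no, m.group("key"), net))
    return entries


def audit_isakmp_keys(config_text, expected_peers):
    """Return sorted (finding, detail) pairs; key strings are never echoed."""
    expected = {ipaddress.ip_address(p) for p in expected_peers}
    findings, lines_by_key, pinned = [], defaultdict(list), set()
    for line_no, key, net in parse_isakmp_keys(config_text):
        lines_by_key[key].append(line_no)
        if net.prefixlen == 0:
            findings.append(("WILDCARD_KEY",
                             f"line {line_no}: key accepted from any peer address"))
        elif net.prefixlen < 32:
            findings.append(("RANGE_KEY",
                             f"line {line_no}: key accepted from "
                             f"{net.num_addresses} addresses in {net}"))
        elif net.network_address in expected:
            pinned.add(net.network_address)
        else:
            findings.append(("UNEXPECTED_PEER",
                             f"line {line_no}: {net.network_address} "
                             "is not an expected remote site"))
    for lines in lines_by_key.values():
        if len(lines) > 1:
            findings.append(("SHARED_KEY",
                             "lines " + ", ".join(map(str, lines))
                             + " use the same key"))
    for peer in sorted(expected - pinned):
        findings.append(("MISSING_PEER", f"{peer} has no host-specific key"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit_isakmp_keys(SAMPLE_CONFIG, EXPECTED_PEERS):
        print(f"{kind:16} {detail}")
```
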

  • Check router for VPN Throughput - L2TP VPN

    I am working on setting up a VPN for our office. I have the PPTP version working but am unable to get L2TP to function. Through various testing methods (setting up our Mac Yosemite server as a VPN and testing it in and out of the office), I am leaning towards an issue with the router not allowing through some of the protocols required by L2TP. The reason is that I am able to create an L2TP VPN connection with my Mac server when using the internal IP address, but not when using the outside IP address (which to me means the signal is being blocked at the router).
    The server is receiving the SCCRQ from the client and trying to send the SCCRP, which the client is not receiving when trying to connect from outside the office.
    I have checked all the ports required and they are open (show ip ports), but cannot figure out how to check for ESP Protocol 50. Does anyone know how to check this protocol? And if this isn't the solution, does anyone have other methods I can use to find the issue?
    Thank you,
    Chris

    I think 2811 can handle this task
    2811 supports up to 1500 VPN tunnels with the AIM-EPII-PLUS Module
    http://www.cisco.com/en/US/products/ps5881/index.html
    So no problem with 165 VPNs...
    If you are speaking about huge traffic volume, you should focus on the speed of Internet connectivity in the head office. If you have a 10 Mbit line for the head office you get only 60Kbit per tunnel (10Mbit/165)
    M.
    Hope that helps, rate if it does

  • Turning off Firewall's allows for VPN, iCal and other services to work.

    Hello All,
    Today I decided to spend the day playing around with our new Mac Leopard Server on the bench. Here is what I found today and I was hoping someone might have some insight. We setup our MacPro with one NIC to ISP via static IP and the other to our switch running the LAN. Our DNS is setup so that apple.ourdomain.com points to the static NIC. And on the inside it's running the standard 192.168.1.1/24 for the LAN. Well all services seem to be running and setup fine today but after setting up one test MacBook Pro and then connecting to dialup outside our LAN/WAN we could not gain access to iCal (kept telling us network connection failed) or to VPN. But after about an hour of playing with the Standard config I found that if I disable the firewall in server admin and server prefs then I can VPN in via PPTP and L2TP as well as connect to iCal and to the Wiki/Webservices.
    I had been trying for an hour and watching the logs for all services to find a failure as to why this remote workstation could not gain access to services inside, but now I know for sure it's the built-in firewall. Has anyone else seen this, and do any of you regulars have any suggestions? I can put a Cisco PIX in front of the MacPro, but the built-in IP Chains firewall that I have disabled to give me remote services should be more than sufficient to protect my calendar. I mean it's not like I am hiding the cure for cancer here...
    DM

    Here is the current output.
    00001 allow udp from any 626 to any dst-port 626
    00010 divert 8668 ip from any to any via en0
    01000 allow ip from any to any via lo0
    01010 deny ip from any to 127.0.0.0/8
    01020 deny ip from 224.0.0.0/4 to any in
    01030 deny tcp from any to 224.0.0.0/4 in
    12300 allow tcp from any to any established
    12301 allow tcp from any to any out
    12302 allow tcp from any to any dst-port 22
    12302 allow udp from any to any dst-port 22
    12303 allow udp from any to any out keep-state
    12304 allow tcp from any to any dst-port 53 out keep-state
    12304 allow udp from any to any dst-port 53 out keep-state
    12305 allow udp from any to any in frag
    12306 allow tcp from any to any dst-port 311
    12307 allow tcp from any to any dst-port 625
    12308 allow udp from any to any dst-port 626
    12309 allow icmp from any to any icmptypes 8
    12310 allow icmp from any to any icmptypes 0
    12311 allow igmp from any to any
    12312 allow udp from any to any dst-port 1701
    12313 allow tcp from any to any dst-port 1723
    12314 allow tcp from any to any dst-port 113
    12315 allow udp from any to any dst-port 500
    12316 allow tcp from any to any dst-port 5190
    12316 allow udp from any to any dst-port 5190
    12317 allow tcp from any to any dst-port 5222
    12318 allow tcp from any to any dst-port 5223
    12319 allow tcp from any to any dst-port 5269
    12320 allow udp from any to any dst-port 5297,5678
    12321 allow tcp from any to any dst-port 5298
    12321 allow udp from any to any dst-port 5298
    12322 allow gre from any to any
    12323 allow ip from 192.168.1.0/24 to any via en1 keep-state
    12324 allow udp from any 68 to any dst-port 67 via en1
    65534 deny ip from any to any
    65535 allow ip from any to any
    Devin
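
A simplified first-match walk over the listing above, as an added example that is not part of the original posts: it checks whether a new connection arriving on en0 would be allowed for the traffic L2TP/IPsec needs (UDP 500, UDP 4500, ESP, UDP 1701) and the traffic PPTP needs (TCP 1723, GRE). The probe addresses and source port are constructed, and the model assumes divert (NAT) passes the packet on unchanged and ignores keep-state.

```python
import ipaddress

# Rule listing copied from the post above.
RULESET = """\
00001 allow udp from any 626 to any dst-port 626
00010 divert 8668 ip from any to any via en0
01000 allow ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
01030 deny tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
12303 allow udp from any to any out keep-state
12304 allow tcp from any to any dst-port 53 out keep-state
12304 allow udp from any to any dst-port 53 out keep-state
12305 allow udp from any to any in frag
12306 allow tcp from any to any dst-port 311
12307 allow tcp from any to any dst-port 625
12308 allow udp from any to any dst-port 626
12309 allow icmp from any to any icmptypes 8
12310 allow icmp from any to any icmptypes 0
12311 allow igmp from any to any
12312 allow udp from any to any dst-port 1701
12313 allow tcp from any to any dst-port 1723
12314 allow tcp from any to any dst-port 113
12315 allow udp from any to any dst-port 500
12316 allow tcp from any to any dst-port 5190
12316 allow udp from any to any dst-port 5190
12317 allow tcp from any to any dst-port 5222
12318 allow tcp from any to any dst-port 5223
12319 allow tcp from any to any dst-port 5269
12320 allow udp from any to any dst-port 5297,5678
12321 allow tcp from any to any dst-port 5298
12321 allow udp from any to any dst-port 5298
12322 allow gre from any to any
12323 allow ip from 192.168.1.0/24 to any via en1 keep-state
12324 allow udp from any 68 to any dst-port 67 via en1
65534 deny ip from any to any
65535 allow ip from any to any
"""

# Inbound traffic each VPN type needs: (protocol, destination port or None).
REQUIRED = {
    "L2TP/IPsec": [("udp", 500), ("udp", 4500), ("esp", None), ("udp", 1701)],
    "PPTP": [("tcp", 1723), ("gre", None)],
}

def parse_rule(line):
    """Split one listing line into the fields this simplified model uses."""
    t = line.split()
    proto = t[3] if t[1] == "divert" else t[2]  # divert carries a port argument
    frm, to = t.index("from"), t.index("to")
    opts, dports = t[to + 2:], []
    if opts[:1] == ["dst-port"]:
        dports, opts = [int(p) for p in opts[1].split(",")], opts[2:]
    return {"num": t[0], "action": t[1], "proto": proto, "src": t[frm + 1],
            "sports": [int(p) for p in t[frm + 2:to]], "dst": t[to + 1],
            "dports": dports, "opts": opts}

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    """True if a new, unfragmented packet arriving on pkt['iface'] matches."""
    opts = rule["opts"]
    if rule["proto"] not in ("ip", "all", pkt["proto"]):
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    for have, want in ((pkt["sport"], rule["sports"]), (pkt["dport"], rule["dports"])):
        if want and have not in want:
            return False
    if "via" in opts and opts[opts.index("via") + 1] != pkt["iface"]:
        return False
    # out / established / frag can never match a new inbound whole packet.
    return not {"out", "established", "frag"} & set(opts)

def verdict(rules, proto, dport, iface="en0"):
    """First matching allow/deny wins; divert (NAT) is treated as pass-through."""
    pkt = {"proto": proto, "dport": dport, "sport": 40000, "iface": iface,
           "src": "203.0.113.7", "dst": "198.51.100.5"}  # constructed addresses
    for rule in rules:
        if rule["action"] in ("allow", "deny") and matches(rule, pkt):
            return rule["action"], rule["num"]
    return "deny", None

def check_vpn(ruleset_text=RULESET):
    """Map each VPN type to {requirement: (action, deciding rule number)}."""
    rules = [parse_rule(ln) for ln in ruleset_text.splitlines() if ln.strip()]
    return {vpn: {f"{p}/{d}" if d else p: verdict(rules, p, d) for p, d in needs}
            for vpn, needs in REQUIRED.items()}

if __name__ == "__main__":
    print(check_vpn())
```

Under these assumptions the listing allows every PPTP requirement, while UDP 4500 and ESP fall through to rule 65534.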

  • Dynamic Routing for Failover L2L VPN

    Hi,
    Can someone offer me some guidance with this issue please?
    I've attached a simple diagram of our WAN for reference.
    Overview
    Firewall is ASA 5510 running 8.4(9)
    Core network at Head Office uses OSPF
    Static routes on ASA are redistributed into OSPF
    Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
    Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
    Branch Office WAN uses BGP - Routes are redistributed into OSPF
    The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
    Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
    Backup BO router (.253) only contains a default route to internet
    Under normal operation, traffic to/from BO uses Local Branch Office WAN
    If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
    I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
    I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a Static route, and not use the route advertised from OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.
    I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
    I suppose what I need to know is; Is this design feasible, and if so where am I going wrong?
    Thanks,
    Paul

    Hi Paul,
    Your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP SLA on the ASA to push the network traffic for "10.10.10.0/24" based on the echo-reply.
    Please look at the example below. It shows that the traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.
    This config will go on the ASA:
    route inside 10.10.10.0 255.255.255.0 10.0.0.2 track 10
    (assuming 10.0.0.2 is the peering IP of the inside IP address of the router at HO)
    route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
    (value 254 is the higher cost of the route to go via the IPSec tunnel, and x = the default gateway of the ISP)
    sla monitor 99
     type echo protocol ipIcmpEcho 10.10.10.254 interface inside
     num-packets 3
     frequency 10
    sla monitor schedule 99 life forever start-time now
    track 10 rtr 99 reachability
    Let me know, if this helps.
    thanks
    Rizwan Rafeek

  • Remote VPN When Firewall behind Router

    Hi All,
    I want to create an IPsec Remote VPN on the ASA, but the ASA has a local IP on its outside interface, and that local IP has been NATted with one free public IP in the router. I have already created one site-to-site VPN on the ASA and it's working fine, but my Remote VPN is not working.
    Is there any configuration required on the router for the remote VPN?
    Thanks

    Hi Shuai, the likely problem is that the devices you're trying to access have a firewall or domain blocking access. When you have a VPN connection, a domain controller sees the VPN as a public connection. Additionally, things such as Windows firewalls do not accept inbound connections from different subnets. Lastly, UNIX boxes would require the IP routing exceptions in the firewalls.
    -Tom
    Please rate helpful posts

  • SonicWall SourceNAT VPN setup as default route for all traffic!

    Hi, OK, hope someone can help with this mess..... Our customer has been taken over by a US company who have said all outgoing internet traffic must go via their data centre. They want us to create an IPSEC VPN from our SonicWALL TZ215 to them, then route all traffic locally via this VPN. In principle this didn't sound too bad. Then there were some more options: Our local subnet 172.x.x.x has to be NAT'd to a single /32 address, 192.x.x.131. They also require our destination network to be set as 0.0.0.0, as they won't specify the range at the datacenter. I have managed to get the VPN up by using the NAT address as my local subnet and using the option on the SonicWALL "Use this VPN Tunnel as default route for all Internet traffic" on the remote network. Phase 1 and Phase 2 work OK. The problem I now have is I need to route all LAN traffic...
    This topic first appeared in the Spiceworks Community

    Hi Norbert,
    I am sorry to say that configuring routes in Azure Virtual Network is not supported. I recommend you submit your requirement on Azure Feedback, and I hope it will be released soon:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • I am using my iPhone 4s personal hotspot as the internet router for my notebook. However, I am getting the WEB SITE IS BLOCKED BY NETGEAR FIREWALL. I've deleted some other wifi connections I had before, had system restores, cleared caches and cookies. FAILED.

    I am using my iPhone 4s personal hotspot as the internet router for my notebook. However, I am getting the WEB SITE IS BLOCKED BY NETGEAR FIREWALL. I've deleted some other wifi connections I had before, had system restores, cleared caches and cookies. Still, I failed. Whenever I tried to access FACEBOOK, it's still blocked so I still had to use https:// or tl-gp. Please help ASAP.

    Well, aren't you all that and a bag of chips!!!!
    Oh what a relief!  What a RELIEF!  
    That just cleaned up my life.  And Cranky Boy is actually smiling!!!
    Houston, we've got dots AND BARS!!!
    P.S.  All my firmware and software are always current.  If I spent as much time looking for a reset button as I spend checking for software updates, I mighta not needed to work at this!!!!
    P.P.S.  Airport Utility shows Cranky Boy's iPad as the Airport Express' Wireless Client!!!   Who knew?
    Thank you so much, m'Lord.  I am in your debt.  What would you have me do?
    Patti in Tucson AZ

  • How to configure router to use ip pool on the aaa server for vpn clients

    How do I configure the router to use the IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing it to use the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
    Regards,
    GNT

  • How do I change firewall settings modified by VPN server?

    (This actually happened while I was running Lion, but seems to be the same problem under Mountain Lion)
    I installed Check Point Software Technologies Ltd. Endpoint Security VPN for Mac E75 VPN client on my iMac to access my employer's network.  It worked, but after I logged onto my employer's network, I lost contact to both my Time Capsule and Airport Express (Airport Utility stops "seeing" them, even though I am still connected over wi-fi to the internet through the airport router in the Time Capsule), and iTunes stopped "seeing" my iPad and iPhone.
    I looked on Check Point's support pages and saw this "Known Limitation":
    Issue ID:  00885275
    After Endpoint Security VPN is installed and a client is connected to the gateway, automatic sync with Time Capsule and iPhone Wi-Fi sync might not work correctly.
    This can happen because of a restrictive Desktop Policy.
    To resolve this issue, allow these services in the "Inbound rules" of the Desktop Policy:
    SSDP: UDP, port 1900.
    mDns: UDP, port 5353.
    Further research in the Endpoint Security VPN for Mac E75 Administration Guide told me this about "Desktop Policy":
    The Desktop Firewall
    Endpoint Security VPN enforces a Desktop Security Policy on remote clients. You define the Desktop Security Policy in a Rule Base. Rules can be assigned to specific user groups, to customize a policy for different needs.
    Important - Before you begin to create a Desktop Security Policy, you must enable the Policy Server feature on the gateway.
    Endpoint Security VPN downloads the first policy from the gateway. It looks for and downloads new policies every time it connects or on re-authentication.
    When Endpoint Security VPN makes a VPN connection, it connects to the gateway and downloads its policy. Endpoint Security VPN enforces the policy: accepts, encrypts, or drops connections, depending on their source, destination, and service.
    So (I think) what happened is when I logged on to my employer's network, it re-configured my firewall to limit my network connections resulting in the above-described problems.
    Logging out did not change anything.  Uninstalling the VPN client did not change anything. It looks like the changes "enforced" by the VPN client are persistent, and can only be changed "manually."
    I doubt I will be able to prevail upon my employer to change its desktop policy.  So I'm ready to bail on using the VPN client, but how do I reverse the changes my employer's "desktop policy" made?
    The System Preferences Firewall options seem kind of high level.  I would note that iTunes looks like it is open to all connections.
    Thoughts?  HELP.

    It is not something I have played with.. but I would turn off the Mac's firewall and see if that fixed the problem.. the firewall of the Mac is helping your security.. but the main security is actually the NAT router in the TC. It is extremely difficult to break NAT routing.. It is effectively a firewall itself. So turning off the firewall in the Mac is not a biggie. The reason I want you to do that even if just for a few minutes.. and perhaps turn it off and reboot the computer to make sure the rules have stopped being applied.. is to see if the firewall is actually the culprit.
    What I am reading from what you have posted is the VPN client itself is the software blocking connections. And I doubt a third party software would change rules to the internal firewall.. but I am guessing.
    Once you have tested it.. if the firewall off fixes it.. then you will need to hunt around.. perhaps in a TM backup for the actual file that is altered that contains the rules.. I have not looked.. and don't use firewall on the end client anyway as I have a firewall rated router.
    If the firewall off does not fix the problem.. which is what I suspect. Did you use the uninstall software correctly and did it give any error messages??
    Go to the activity monitor and check all the running processes.. anything there that is named after the vpn.. try to quit. See if you can stop the process.. If the issue is major.. and the process won't quit see if the Checkpoint support can help or google their knowledge base for info on how to get back to normal operations.

  • Port forwarding not working for VPN

    Hi there,
    I am at a loss as to what I am doing wrong with regards to setting up a VPN. I admit this is all completely new territory for me, and I am learning as I go along, so may have overlooked something very obvious.
    I have opened up the VPN ports on the router (500, 1701, 4500 - UDP; 1723 - TCP), and can confirm from the logs that they are letting traffic in OK.
    So that leaves the server itself - testing using an open port checking tool confirms all ports I have open in the router firewall, and active and accessible on the server, except the VPN ports and service, are indeed open and accessible.
    The VPN service is running, and I have ensured the services are available within the firewall service for 'all', and all services available for the 192.168.1.xxx range.
    I have indicated that the VPN should use the range - 10.0.0.1 to 200
    The DNS and DHCP services on the server are running. At the domain registrar, I have indicated that the subdomain I am using to access the server and its services via the web should point to the static IP I have from the ISP.
    I should mention that if I use the local IP address of the server, I can connect OK; it is only when I use the static IP that I am unable to connect.
    Every other port opens up successfully - FTP (21), Web (80/443), etc - just not the ones for the VPN, so I assume there is some sort of conflict between or within the VPN/DHCP/DNS services or with the VPN service itself.
    Any advice and potential solutions would be greatly appreciated, as I have spent quite a bit of time trying to figure this one out by myself.
    Thanks in advance, and I hope to hear from folk soon.
    Chris

    OK - here's how my router is configured:
    NAT (Type = Destination) Public IP address to VPN Server IP address (I had a problem when I didn't have the NAT Type set properly)
    I have a separate public IP address reserved for VPN traffic, but that's not necessary if you set up the order of the rules on your router properly. It's just easier to have a separate IP address.
    These are the ports I have open:
    UDP - 500
    UDP - 1701
    TCP - 1723
    TCP - 3283
    UDP - 3283
    UDP - 4500
    TCP - 5900
    TCP - 5988
    I have these ports open to accommodate remoting in via Apple Remote Desktop.
    However, since Mavericks, I can't use ARD anymore. But I can use Back to My Mac and Screen Sharing (go figure!) to get to my server and then from the server I can use ARD within the network.
    Don't know if that helps or not, but it works for me.

  • Cisco UC560 Not Clearing Static Routes When VPN Connections Drop

    We have a Cisco UC560 (UC560-FXO-K9) running "Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)". The issue is that when we have end users connecting with the Cisco VPN Client to this device, sometimes we are unable to connect to any devices on our LAN, or sometimes we can't connect to the LAN on the other end of our site-to-site VPN. The one symptom I've observed when this happens is that old VPN sessions that have disconnected appear to leave static routes from the user's outside IP at their home to an IP on our LAN to a Virtual-Access interface. When this starts to happen, I restart the firewall to clear out the stale static routes and the problem is fixed, for a while at least. Below is the current state where we have the site-to-site VPN connected to our branch office and 2 users connected with Cisco VPN clients. Below that is the static route table, which has 5 total Virtual-Access interface routes (one is an extra route for a user currently connected, so that their outside IP is in the static route table with 2 inside IPs associated). Is there a way to fix the cleanup of VPN connections when they terminate?
    #sh crypto isakmp peers
    Peer: <branch office outside IP> Port: 500 Local: <firewall's outside IP>
    Phase1 id: <branch office outside IP>
    Peer: <users's outside IP #1> Port: 50420 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Peer: <user's outside IP #2> Port: 49345 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Bugsy#sh ip ro st
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is <next hop of ISP for firewall> to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via <next hop of ISP for firewall>
          10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
    S        10.0.0.153/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.155/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.156/32 [1/0] via <user's outside IP #2>, Virtual-Access3
    S        10.0.0.158/32 [1/0] via <user's outside IP #1>, Virtual-Access3
    S        10.0.0.159/32 [1/0] via <user's outside IP #2 again>, Virtual-Access2
    S        10.1.10.1/32 is directly connected, Vlan90

    Hi Brian,
    This sounds like you are running into the following known issue:
      CSCtl03682 - EzVPN client: Several RRI routes  pointing to same virtual interface
    which is Dup'd to:
      CSCtf39056 - RRI routes not deleted
    This is fixed since 15.1(2)T4, so I would recommend upgrading to SWP 8.2 or higher.  The only other way to clean up the stuck routes is to reload the router.
    Thanks,
    Brandon

  • Dynamic routing through VPN on ASA

    I have an environment with multiple remote offices connecting to an ASA at the core. Currently we create separate IPSec tunnels to each subnet that the remote office needs to connect to. We would like to enable dynamic routing to allow access to all the networks through one tunnel. The SOHO routers at the remote sites will support RIP V1 and V2. Can I enable RIP in my ASAs in a way that will propagate only the routes coming through the VPN tunnels? I can then redistribute them through EIGRP in my core routers.
    Thanks

    Erick,
    I guess I fall into the hairpinning category. Playing with different traceroutes and pings, I am going back out to the internet via the default route for the concentrator and ASA. If I traceroute from my client back to a system on the inside there are four hops and they make sense. If I traceroute from the client to, say, Google then I have about 16 hops and it does complete. I am now trying to figure out why HTTP to, say, Google does not work. I am thinking that there may be something up with my cloud firewall provider. That is what started this whole thing in the first place.
    I was just wondering if there was a way to have the default route for just my address pool point back towards the inside. I guess that would be a NAT to a new VLAN on the inside?
    Brent

  • Server 2012 NPS NAP DHCP for VPN

    I have set up a server with DHCP and NPS and configured NAP DHCP.
    DHCP has 1 scope and the default scope options 003 Router, 005 DNS server and 015 Domain Name (domain.com).
    Further, in DHCP I created a DHCP policy so it assigns a different 005 DNS server and 015 Domain Name (restricted.domain.com) to non-compliant clients. NPS/NAP DHCP is working (all is set up: health, SHV, GPO etc. The Health Validator is only checking if the firewall is running), so when I connect a client with firewall I get a normal IP from the scope with the scope options and domain suffix domain.com. When I disable the firewall I get an IP from the DHCP scope, no gateway, subnet 255.255.255.255 and domain suffix restricted.domain.com, so all works well and as NAP DHCP should work.
    Now I have a separate RRAS server configured as a VPN server, and I configured my DHCP/NPS server as a RADIUS Authentication Provider. A DHCP relay agent is also configured in RRAS.
    On my DHCP/NPS server I configured my RRAS server as a RADIUS Client (NAP-capable).
    My questions:
    Q1. Can I use NAP DHCP for VPN clients, as VPN clients get their IP address from my DHCP server? I know there is a NAP VPN option, but I want to use NAP DHCP because NAP DHCP and NAP VPN don't work together and I want NAP DHCP for internal clients.
    My problem:
    P1. With the setup above I cannot set up a VPN connection from an external client. I get an error: "Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."
    I can resolve my problem P1 by running "configure VPN for Dial-Up" with the option "Radius server for Dial-Up or VPN connections." This creates 1 Connection Request Policy and 1 Network Policy; in the policy I set authorized to Windows group Domain Admins.
    But then I have an issue with NAP DHCP...
    When I have a non-domain-joined external client, where I have enabled the NAP client in services.msc and DHCP Enforcement in local policy, I can set up a VPN connection, but from the DHCP server I get an IP address from the subnet/scope and domain suffix domain.com, so this is working OK. But when I disconnect the VPN client, disable and stop the firewall, and connect the VPN again, it's not getting restricted: running ipconfig /all shows it's not restricted, and Netsh nap client show state also shows it's not restricted, BUT it SHOULD be restricted as the firewall is off.
    What could be wrong?

    Hi,
    After discussing this with so many people, I think this will not work.
    First we need to know how DHCP enforcement works.
    1. The DHCP client sends a DHCP request message to the DHCP server. If the DHCP client has an SoH, the DHCP request message includes it. The SoH contains information about the health of the client. The DHCP server passes the SoH to the NPS server. The NPS server communicates with the policy server to determine whether the SoH is valid.
    2. If the SoH is valid, the DHCP server assigns the DHCP client a complete IP address configuration. The DHCP client has unlimited access to the network, as defined by policy.
    3. If the SoH is not valid, the DHCP server limits the access of the DHCP client to the restricted network and assigns it a limited access subnet mask and static routes, as defined by policy.
    But VPN clients get IPs in a different way. They use the IP Control Protocol (IPCP) as part of the Point-to-Point Protocol (PPP) connection setup. Everything is done in the VPN tunnel.
    Hope this helps.

  • Router for small business Internet connection

    One of our clients recently switched ISPs to Speakeasy who installed a Hatteras HN 407 bridge. We have had Internet connectivity problems using their SonicWall 3060 firewall, and we experienced similar problems when attempting to use a newer Sonicwall TZ180. We temporarily installed a Linksys W54GT router, which has been working perfectly; however, we would like to have a more robust router for their 25 user network - additional security options, performance, VPN, two WAN connections, etc. Can you recommend a small business router with 2 WAN connections? This customer has a business ethernet 3Mbps (up and down) Internet connection, uses an online medical scheduling program, normally has 10 - 20 uses using the Internet connection and will be installing a backup DSL line that we would like to use for load balancing.

    Our recommendation for Dual WAN would be the RV082. This would be the perfect VPN router for small business, and if you are looking for more ports on the Ethernet, then we would recommend the RV016.
