Managing VPN Client IP Addresses

Prerequisites: See Getting Started With IPsec VPNs

There are two different methods to define the IP addresses VPN clients use in the internal network. You must configure one or the other whenever you create a client-to-gateway VPN; otherwise the VPN is not valid. The methods are as follows:

1. You can use NAT to translate the IP addresses in communications, which gives the VPN Clients an 'internal' IP address in the internal network without the need for a DHCP server. This is called a NAT Pool.

2. (Recommended for Stonesoft IPsec VPN Clients) You can use a DHCP server to assign the VPN clients a second, virtual IP address that is used in communications through the VPN tunnel. The IP address is attached to a Virtual Adapter. Using this method provides the following benefits over the NAT Pool:

The Virtual Adapter is required when there is a need to open connections from the internal network to the VPN client. Activating both the NAT Pool and the Virtual Adapter is technically possible, but when the NAT Pool is activated its address translation is applied to all VPN client traffic, including connections from hosts that use a Virtual Adapter.
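The behaviour described above (why a NAT Pool alone cannot accept connections opened from the internal network, and why an active NAT Pool still translates traffic from clients that hold a Virtual Adapter address) can be seen in a small model. The following is an added illustration written for this page, not Stonesoft code and not the gateway's actual implementation; the gateway class, the pool address 10.0.100.1, the virtual IPs in 192.168.50.0/24 and the client names are all constructed. The model only reproduces what the text states: a NAT Pool mapping exists only after a client has sent traffic, so an inbound packet to the pool address with no mapping is dropped, while a virtual IP is directly routable.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class VpnGateway:
    """Constructed toy model of how a client-to-gateway VPN gateway treats
    client addresses when a NAT Pool and/or a Virtual Adapter is active.
    This is illustrative code, not the product's implementation."""

    def __init__(self, nat_pool: bool, virtual_adapter: bool,
                 pool_addr: str = "10.0.100.1") -> None:
        self.nat_pool = nat_pool
        self.virtual_adapter = virtual_adapter
        self.pool_addr = pool_addr                      # hypothetical NAT Pool address
        self.virtual_ips: Dict[str, str] = {}           # virtual IP -> client id
        # (pool address, pool port) -> (client address, client port)
        self.nat_table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 40000

    def connect_client(self, client_id: str, virtual_ip: Optional[str] = None) -> str:
        """Register a connected client. It gets a routable virtual IP only when
        the Virtual Adapter method is in use; otherwise its address is only
        meaningful inside the tunnel."""
        if self.virtual_adapter and virtual_ip:
            self.virtual_ips[virtual_ip] = client_id
            return virtual_ip
        return f"tunnel:{client_id}"

    def from_client(self, pkt: Packet) -> Packet:
        """Client -> internal network. An active NAT Pool translates every
        client packet, including traffic from clients that also hold a
        virtual IP, and records the mapping so replies can be reversed."""
        if not self.nat_pool:
            return pkt
        pool_port = self._next_port
        self._next_port += 1
        self.nat_table[(self.pool_addr, pool_port)] = (pkt.src, pkt.sport)
        return Packet(self.pool_addr, pkt.dst, pool_port, pkt.dport)

    def to_client(self, pkt: Packet) -> Optional[Packet]:
        """Internal network -> client. Returns the packet as delivered to the
        client, or None when the gateway has no way to reach the destination."""
        mapping = self.nat_table.get((pkt.dst, pkt.dport))
        if mapping is not None:                 # reply within a NAT Pool session
            client_addr, client_port = mapping
            return Packet(pkt.src, client_addr, pkt.sport, client_port)
        if pkt.dst in self.virtual_ips:         # new connection to a virtual IP
            return pkt
        return None                             # no mapping, no route: dropped


def demo() -> Dict[str, bool]:
    """Exercise the three configurations and report what each allows."""
    results = {}

    # 1. NAT Pool only: client-initiated traffic works, internal-initiated does not.
    gw = VpnGateway(nat_pool=True, virtual_adapter=False)
    alice = gw.connect_client("alice")
    out = gw.from_client(Packet(alice, "192.168.1.10", 51000, 443))
    reply = gw.to_client(Packet("192.168.1.10", out.src, 443, out.sport))
    inbound = gw.to_client(Packet("192.168.1.10", gw.pool_addr, 40001, 22))
    results["nat_pool_reply_reaches_client"] = reply is not None and reply.dst == alice
    results["nat_pool_inbound_connection"] = inbound is not None

    # 2. Virtual Adapter only: the virtual IP is routable from the internal network.
    gw = VpnGateway(nat_pool=False, virtual_adapter=True)
    bob = gw.connect_client("bob", "192.168.50.10")
    inbound = gw.to_client(Packet("192.168.1.10", bob, 40001, 22))
    results["virtual_adapter_inbound_connection"] = inbound is not None

    # 3. Both active: the client has a virtual IP, yet its traffic is still NAT-ed.
    gw = VpnGateway(nat_pool=True, virtual_adapter=True)
    carol = gw.connect_client("carol", "192.168.50.11")
    out = gw.from_client(Packet(carol, "192.168.1.10", 51000, 443))
    results["both_active_client_traffic_translated"] = out.src == gw.pool_addr
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints, for each configuration, whether the internal network can reach the client and whether the client's own traffic was translated; the third case is the one to keep in mind when planning to enable both methods at once, since internal hosts then see the pool address rather than the client's virtual IP.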

Configuring NAT Pool for VPN Clients

Configuring Virtual IP Addressing for VPN Clients