Defining IP addresses for VPN clients

There are two different methods to define the IP addresses that VPN clients use in the internal network.

You must always configure one of the following methods for the mobile VPN to be valid:
  1. You can use NAT to translate the IP addresses in communications. Using NAT gives the VPN clients an ‘internal’ IP address in the internal network without the need for a DHCP server. This method is called a NAT Pool.
    • This method is not recommended for the Stonesoft VPN Client. It does not allow the clients to make queries to internal DNS servers without manual configuration.
    • NAT rules are not applied to communications from clients that receive their address through the NAT Pool feature. The NAT Pool translation is applied before the NAT rules.
    • The NAT Pool method does not require any other client-side features.
  2. (Recommended for the Stonesoft VPN Client) You can use a DHCP server to assign a virtual IP address that VPN clients use in communications through the VPN tunnel. The IP address is attached to a Virtual Adapter. Using this method provides the following benefits over the NAT Pool:
    • Centrally configure the DNS settings for VPN clients when connected (using the DHCP server).
    • Control how the IP address each VPN client is assigned (depending on the DHCP server).
    • Forward mobile VPN traffic to a site-to-site VPN or route the Internet traffic from the client computer through the gateway for inspection.
    • Open new connections from the internal network to the VPN client computers through the VPN.
To use the Virtual Adapter, the VPN client software must support this feature. Not all third-party VPN clients have a Virtual Adapter feature. The Virtual Adapter is required when there is a need to open connections from the internal network to the VPN client. Activating both the NAT Pool and the Virtual Adapter is technically possible. However, the NAT Pool address translation is applied to all VPN client traffic when activated, including connections from hosts that use a Virtual Adapter.
Note: For a detailed technical discussion on using a virtual IP address, see RFC 3456.