Re: Contivity vpn connections
From: Greg Dore (wondrous_at_nortelnetworks.com)
Date: Tue, 20 Apr 2004 15:11:37 -0500
In the previous message, Helio Perez wrote:
> As I understand, the Contivity 1010 supports up to 30 multiple
> simultaneous vpn..
5 by default, with an add-on option to get up to 30 tunnels.
> So does this mean I would be able to get access to a Contivity
> 1700 and 2700 at the same time?
The contivity units support multiple tunnels, but your question
seems to be from the point of a client node (Unix, Mac, PC).
If you want to be able to have multiple tunnels from the same
client to different contivity units, you have to find out if
any of the following apply:
a) Can you run multiple instances of the client's vpn
software at the same time? (one for each tunnel)?
b) Can the client's vpn software support multiple
c) If not using vpn software, does the client have or
need separate network interfaces for connectivity
to each contivity unit?
> And one could be running a 10.x.x.x ip scheme and the other
> a 192.x.x.x, and split tunneling could be turned on on both 1700
> and 2700, I should still be able to access my 47.x.x.x
> local ip addresses, correct?
Aha, so you are talking about having multiple VPN tunnels from
the same local (client) machine while still maintaining "normal"
access to the 47.x network.
> If split tunneling is turned off, then I would have to
> use the extra NIC card on my PC to still have access to my 47.
> network, correct?
After taking points a & b above into account, you may face another
problem if split tunneling is turned off by either contivity unit.
Whichever unit says no to split tunneling demands all IP traffic
from your client. Unless that unit then knows how to route traffic
to the other unit and to CORWAN, you've just lost access to those
subnets. There may be a way to work around this by setting up some
static routes on the client, but that is *way* beyond my ability
to even make an uninformed guess.
> What if both 1700 and 2700 are running the same ip addressing
> scheme? Then I would have problems accessing equipment on the
> other side of these Contivity boxes, correct?
If you can figure out some magic that will allow the client to
figure out *which* of the multiple machines with the same
IP addresses each packet is destined for, can I have an
autographed picture of you?
-- Greg Dore ____ Dis claim, er, ... opinion, yeah, opinion, is mine.
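
The three cases discussed in this thread (split tunneling on both units, split tunneling off on one, and the same addressing scheme behind both) can be checked with a small routing model. This is an added example, not part of the original message; the tunnel names, the /8 and 192.168.0.0/16 prefixes, and the rule that a unit with split tunneling off captures all client traffic are assumptions based on the description above.

```python
import ipaddress

LOCAL = "local NIC"

def candidate_paths(dest, local_net, tunnels):
    """Return the set of paths that could carry a packet to dest.

    tunnels: list of (name, remote_subnet, split_tunneling_allowed).
    Assumed model: a unit with split tunneling off takes all client
    traffic; otherwise the most specific matching prefix wins.
    """
    addr = ipaddress.ip_address(dest)
    full = {name for name, _, split in tunnels if not split}
    if full:
        return full  # forced into the full-tunnel unit(s), 47.x included
    routes = [(ipaddress.ip_network(local_net), LOCAL)]
    routes += [(ipaddress.ip_network(net), name) for name, net, _ in tunnels]
    hits = [(net.prefixlen, via) for net, via in routes if addr in net]
    if not hits:
        return {LOCAL}  # no match: default route via the local gateway
    best = max(plen for plen, _ in hits)
    return {via for plen, via in hits if plen == best}

def audit(local_net, tunnels, probes):
    """Map each probe address to (sorted paths, 'ok' or 'ambiguous')."""
    report = {}
    for dest in probes:
        paths = candidate_paths(dest, local_net, tunnels)
        report[dest] = (sorted(paths), "ambiguous" if len(paths) > 1 else "ok")
    return report

if __name__ == "__main__":
    # Constructed scenarios; names and prefixes are hypothetical.
    local = "47.0.0.0/8"
    probes = ["47.1.2.3", "10.1.1.1", "192.168.1.1"]
    scenarios = {
        "split tunneling on both": [("c1700", "10.0.0.0/8", True),
                                    ("c2700", "192.168.0.0/16", True)],
        "split tunneling off on c2700": [("c1700", "10.0.0.0/8", True),
                                         ("c2700", "192.168.0.0/16", False)],
        "same scheme on both": [("c1700", "10.0.0.0/8", True),
                                ("c2700", "10.0.0.0/8", True)],
    }
    for label, tunnels in scenarios.items():
        print(label)
        for dest, (paths, verdict) in audit(local, tunnels, probes).items():
            print(f"  {dest:<12} -> {', '.join(paths)} [{verdict}]")
```

In the full-tunnel case the model only shows which unit receives the packet; whether it is delivered depends on that unit's own routing.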