A tunnel, normally referred to as a LAN-to-LAN tunnel, between the network VPN gateway and the enterprise VPN gateway carries packets destined to subnet IP address 192.168.3.0/24. Note that in the example shown in Figure 10, the hosts behind tunnel B at the IPSec client are specified as subnets 192.168.3.0/24 and 192.168.1.0/24, while the hosts behind tunnel C at the network VPN gateway are specified only as subnet 192.168.3.0/24. This means that, although packets destined to both subnets are sent by the client through the network tunnel, only packets destined to subnet 192.168.3.0/24 are sent by the network VPN gateway through the LAN-to-LAN tunnel. Packets destined to subnet 192.168.1.0/24 are routed directly over other routes.

The front-end graphical user interface (GUI) for the Lucent IPSec client has not been changed, but the back-end processing when a user initiates an IPSec tunnel has been modified as follows. The user now must configure only the IP address of the enterprise tunnel. When the user initiates an IPSec tunnel to the enterprise gateway at IP address 135.180.144.254 (see Figure 10), an enterprise tunnel will be established as described earlier, but when policy information (e.g., local presence IP addresses and IP addresses of hosts behind the enterprise tunnel) is downloaded, the IP address of the network VPN gateway and the IP addresses of the hosts behind the network tunnel are downloaded as well. The SA database is then populated with this information. The IPSec tunnel to the network VPN gateway at IP address 135.180.244.150 is then initiated automatically. Thus, an enterprise has the flexibility to determine the policy information for a network tunnel even before the tunnel is initiated. Any policy information that may subsequently be provided by the network gateway during IKE negotiation is ignored, so there is no backdoor mechanism that makes it possible to override the policy set by the enterprise for the network tunnel. Furthermore, the enterprise tunnel is also used to download preconfigured keys for use by the network tunnel during IKE phase 1 negotiations. Therefore, the user need only configure the preconfigured keys for the enterprise tunnel. This is also the case if preconfigured certificates are used instead of preconfigured keys.
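The two-tunnel policy model described above, as an added example (not code from the article or from the Lucent client): a small Python model of the SA database selectors on the client and on the network VPN gateway using the Figure 10 addresses, including the rule that policy offered by the network gateway during IKE is ignored. The tunnel name A for the enterprise tunnel, the enterprise host subnet 10.0.0.0/8, and the LAN-to-LAN peer address are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Tunnel:
    name: str
    peer: str                       # remote IPSec gateway address
    hosts_behind: list              # subnets reachable through this tunnel (selectors)
    set_by_enterprise: bool = True  # policy was downloaded over the enterprise tunnel

@dataclass
class SADatabase:
    tunnels: dict = field(default_factory=dict)

    def install(self, t: Tunnel) -> None:
        self.tunnels[t.name] = t

    def select_tunnel(self, dst: str):
        """Name of the tunnel whose selectors cover dst, or None (routed directly)."""
        addr = ip_address(dst)
        for t in self.tunnels.values():
            if any(addr in ip_network(n) for n in t.hosts_behind):
                return t.name
        return None

# Constructed policy download from the enterprise gateway; 10.0.0.0/8 is assumed.
ENTERPRISE_POLICY = {
    "enterprise_gateway": "135.180.144.254",
    "enterprise_hosts": ["10.0.0.0/8"],
    "network_gateway": "135.180.244.150",
    "network_hosts": ["192.168.3.0/24", "192.168.1.0/24"],
}

def build_client_sadb(policy: dict) -> SADatabase:
    """Client side: enterprise tunnel (called A here), then tunnel B auto-initiated."""
    sadb = SADatabase()
    sadb.install(Tunnel("A", policy["enterprise_gateway"], policy["enterprise_hosts"]))
    sadb.install(Tunnel("B", policy["network_gateway"], policy["network_hosts"]))
    return sadb

def apply_ike_offered_policy(sadb: SADatabase, name: str, offered: list) -> list:
    """Hosts the network gateway offers during IKE never override enterprise-set policy."""
    t = sadb.tunnels[name]
    if not t.set_by_enterprise:
        t.hosts_behind = offered
    return t.hosts_behind

def build_network_gateway_sadb() -> SADatabase:
    """Network VPN gateway: LAN-to-LAN tunnel C covers only 192.168.3.0/24 (peer assumed)."""
    sadb = SADatabase()
    sadb.install(Tunnel("C", "135.180.144.254", ["192.168.3.0/24"]))
    return sadb
```

Running the selectors for 192.168.3.10 and 192.168.1.5 shows both leaving the client through tunnel B, while only the first is forwarded by the network VPN gateway through tunnel C.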