Nortel Networks 608(WL), 620 manual AutoProxyARP When do I need ProxyARP

Models: 620 608(WL)


Chapter 4

Configuration via the Command Line Interface

AutoProxyARP

The automatic addition of ProxyARP entries in VPN client/server scenarios can be enabled or disabled. By default this setting is enabled. When it is disabled, the ProxyARP entries have to be entered manually.

When do I need ProxyARP

In a VPN scenario, you need ProxyARP on both sides when the local and remote private network address ranges overlap. Because the SpeedTouch™ is basically a router, you need to emulate some bridging functions if the address ranges at both ends of the VPN tunnel overlap. The main issue is that ARP messages are not propagated across a router. If a host at one side of the tunnel wants to reach a host at the remote side, it sends an ARP message because the destination address lies in the local address range. The Security Gateway has to answer the ARP request as a proxy. In order to do so, a ProxyARP entry is needed in the ARP table.

The SpeedTouch™ supports ProxyARP. This technique allows two networks with overlapping IP ranges to be connected using an IPsec tunnel. The SpeedTouch™, acting as a Security Gateway, will reply to arp-who-has requests for IP addresses belonging to the remote network. The IPsec policies will take care that packets destined for the remote network will indeed be forwarded through the IPsec tunnel. When the IKE ModeConfig mechanism is used to establish the tunnel (client/server scenario), the ProxyARP entries will automatically be added to the ProxyARP table of the SpeedTouch™. In all other cases the user has to add the ProxyARP entries manually. At the time of writing the SpeedTouch™ can reliably forward every packet type through the IPsec tunnel except limited broadcasts [ip.dst = 255.255.255.255].
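The ARP behaviour described above, as an added Python model (not code from the manual or from the SpeedTouch™ firmware). The address range, MAC address, default gateway and all class and function names are constructed for illustration; the conflicts() check is an addition here, based on the fact that a local host holding a proxied address would answer the same ARP request as the gateway.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed: both sites use this range
GATEWAY_MAC = "02:00:00:00:00:01"                   # constructed MAC of the Security Gateway


def host_arp_target(dst, default_gw="192.168.1.254"):
    """IP a LAN host sends arp-who-has for: the destination itself when it
    lies in the local range, otherwise its default gateway."""
    return dst if ipaddress.ip_address(dst) in LOCAL_NET else default_gw


class SecurityGateway:
    def __init__(self, auto_proxy_arp=True):       # the manual says enabled by default
        self.auto_proxy_arp = auto_proxy_arp
        self.proxy_arp = set()

    def add_proxy_arp(self, ip):
        """Manual entry, needed whenever entries are not added automatically."""
        self.proxy_arp.add(ipaddress.ip_address(ip))

    def tunnel_established(self, remote_ips, mode_config):
        """Automatic entries only for IKE ModeConfig tunnels with the setting on."""
        if mode_config and self.auto_proxy_arp:
            for ip in remote_ips:
                self.add_proxy_arp(ip)

    def on_arp_who_has(self, target_ip):
        """Answer with the gateway's own MAC for proxied addresses, else stay silent."""
        return GATEWAY_MAC if ipaddress.ip_address(target_ip) in self.proxy_arp else None

    def conflicts(self, local_hosts):
        """Proxied addresses also held by a local host: both would answer the ARP."""
        held = set(local_hosts)
        return sorted(str(ip) for ip in self.proxy_arp if str(ip) in held)


if __name__ == "__main__":
    gw = SecurityGateway()
    print(host_arp_target("192.168.1.50"))          # host ARPs for the remote host itself
    print(gw.on_arp_who_has("192.168.1.50"))        # no entry yet: no reply
    gw.tunnel_established(["192.168.1.50"], mode_config=True)
    print(gw.on_arp_who_has("192.168.1.50"))        # gateway answers as proxy
    print(gw.conflicts(["192.168.1.10", "192.168.1.50"]))
```
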

E-DOC-CTC-20051017-0169 v0.1
