Network Parameters
Special Considerations Regarding VPN Support
The most common VPN protocol is IPSec. When a subscriber who has a private IP address (assigned via NAT)
attempts to create a VPN session, the AP-2500 translates the subscriber’s private IP address to the AP’s public IP
address on the outgoing IPSec packets and reverses the mapping on the replies. This is also known as IPSec
Traversal (or IPSec pass-through).
However, your subscribers may encounter problems establishing VPN sessions when using private IP addresses.
Potential causes include:
• Customer uses an IPSec mode other than ESP tunnel mode: The AP-2500 supports only Encapsulating Security
Payload (ESP) tunnel mode, which is the most common way of establishing IPSec tunnels. The other IPSec modes
(Authentication Header (AH) in transport or tunnel mode, and ESP transport mode) do not survive the address
translation: AH’s integrity check covers the IP header, including the source address that the AP rewrites, so the
VPN server rejects the packet as tampered with. In the rare case that a subscriber uses one of these other modes,
that user must be given a public IP address.
• Two or more subscribers attempt to connect to the same VPN server: In general, most VPN servers
support only a single IPSec session from a particular public IP address. However, all subscribers connected to a
particular AP share the same originating IP address (that is, the AP’s public IP address) when establishing a VPN
session. When a VPN server sees multiple session requests from the same IP address, it typically drops all
connections that originate from that address. Note that this is not a problem with the AP’s NAT functionality; it is
an issue with the VPN server, which will not support multiple connections from the same IP address. This behavior
does not apply to all VPN servers. As of the release of this documentation, VPN servers from Cisco and Lucent do
not support more than one IPSec session from the same IP address, but the VPN server from Nortel Networks
does support multiple sessions.
These problems should be addressed in the future as new VPN techniques are introduced. Recently, a method has
been developed and implemented by some VPN server manufacturers that uses a UDP header to encapsulate the
IPSec packet; this is the IPSec NAT traversal (NAT-T) technique, which carries ESP inside UDP on port 4500. Because
each session then has its own UDP port after translation, this technique allows multiple IPSec sessions to originate
behind a NAT device and does not require the NAT device to be aware of these IPSec sessions. (This method applies
to both ESP tunnel mode and ESP transport mode but not to either AH mode.) As the AP-2500 would be unaware of
these IPSec sessions, it would not be necessary to provide such customers with public IP addresses.
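The three situations above (an AH packet failing its integrity check after translation, a second ESP session from the same public address being refused, and UDP-encapsulated ESP letting several subscribers share one address) can be reproduced in a small simulation. The following is an added illustration, not code from the AP-2500 documentation or from Proxim: the "packets" are Python dicts, the integrity check value (ICV) is an HMAC over the fields each mode protects, the NAT behaves like the address translation described above, and the VPN server is modeled after the one-session-per-address behavior the text attributes to some servers. The addresses, SPIs and shared key are constructed for the example.

```python
"""Toy model of IPsec traffic crossing a NAT (such as the translation an access
point performs for private-address subscribers). Added illustration only."""
import hashlib
import hmac

KEY = b"constructed-shared-key"   # assumed shared by client and VPN server
NAT_T_PORT = 4500                 # UDP port used for ESP-in-UDP (RFC 3948)


def icv(*covered):
    """HMAC over the fields a given IPsec mode protects (stand-in for a real ICV)."""
    return hmac.new(KEY, "|".join(map(str, covered)).encode(), hashlib.sha256).hexdigest()


def make_ah(src, dst, spi, payload):
    # AH covers the IP header (including src/dst) as well as the payload.
    return {"proto": "AH", "src": src, "dst": dst, "spi": spi, "payload": payload,
            "icv": icv("AH", src, dst, spi, payload)}


def make_esp(src, dst, spi, payload):
    # ESP covers only the ESP header and payload; the outer IP addresses are
    # not protected, so a NAT may rewrite them without breaking the ICV.
    return {"proto": "ESP", "src": src, "dst": dst, "spi": spi, "payload": payload,
            "icv": icv("ESP", spi, payload)}


def make_udp_esp(src, dst, spi, payload):
    # NAT traversal: the ESP packet rides inside UDP, giving the NAT a port to
    # translate and the server an (address, port) pair per client.
    return {"proto": "UDP", "src": src, "dst": dst, "sport": NAT_T_PORT,
            "dport": NAT_T_PORT, "inner": make_esp(src, dst, spi, payload)}


class Nat:
    """Minimal NAT: rewrites the source address; allocates a public port for UDP."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.ports = {}   # (private src, sport) -> public source port

    def outbound(self, pkt):
        out = dict(pkt)
        if pkt["proto"] == "UDP":
            key = (pkt["src"], pkt["sport"])
            out["sport"] = self.ports.setdefault(key, 10000 + len(self.ports))
        out["src"] = self.public_ip   # AH/ESP carry no ports: only the address changes
        return out


class VpnServer:
    """Plain IPsec sessions are keyed by source address only (the behavior the
    manual describes); UDP-encapsulated sessions are keyed by (address, port)."""

    def __init__(self):
        self.sessions = {}   # peer identifier -> SPI

    def accept(self, pkt):
        if pkt["proto"] == "UDP":
            peer, ipsec = (pkt["src"], pkt["sport"]), pkt["inner"]
        else:
            peer, ipsec = (pkt["src"],), pkt
        # 1. Integrity: recompute the ICV over the fields the mode covers.
        if ipsec["proto"] == "AH":
            expected = icv("AH", pkt["src"], pkt["dst"], ipsec["spi"], ipsec["payload"])
        else:
            expected = icv("ESP", ipsec["spi"], ipsec["payload"])
        if not hmac.compare_digest(expected, ipsec["icv"]):
            return "rejected: integrity check failed (header rewritten by NAT)"
        # 2. Session policy: one session per peer identifier.
        if peer in self.sessions and self.sessions[peer] != ipsec["spi"]:
            return "rejected: a session already exists from %s" % (peer,)
        self.sessions[peer] = ipsec["spi"]
        return "accepted"


def run_scenarios():
    """Two subscribers behind one access point reach the same VPN server.
    Returns the server's verdict for each subscriber, per IPsec mode."""
    ap_public, server = "203.0.113.10", "198.51.100.1"   # constructed addresses
    alice, bob = "10.0.0.5", "10.0.0.6"                   # private subscriber addresses
    results = {}
    for mode, make in (("AH", make_ah), ("ESP", make_esp), ("UDP-ESP", make_udp_esp)):
        nat, vpn = Nat(ap_public), VpnServer()
        first = vpn.accept(nat.outbound(make(alice, server, 0x1001, "alice-data")))
        second = vpn.accept(nat.outbound(make(bob, server, 0x1002, "bob-data")))
        results[mode] = (first, second)
    return results


if __name__ == "__main__":
    for mode, verdicts in run_scenarios().items():
        print(mode, verdicts)
```

Running the script shows AH rejected for both subscribers (the translated source address no longer matches the ICV), plain ESP accepted for the first subscriber but refused for the second (same public address), and UDP-encapsulated ESP accepted for both because the NAT hands each subscriber a distinct public source port that the server uses to tell the sessions apart.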
However, until these methods become widely deployed, you will need to notify your hotspot subscribers of these
potential connectivity problems. If you have a pool of public IP addresses, you can use the IP Upsell feature to supply
public IP addresses (for a fee) to those customers who experience the problems outlined above. But even if you do
not plan to offer public IP addresses, you should still inform your customers of these VPN limitations (for example,
you could have a link to a VPN statement on your Portal Page).