Local address, Remote networks, Authentication – equinux VPN Tracker 6.4.6 User Manual

Local Address

The IP address the Mac running VPN Tracker uses in the remote network when
connected through VPN [1]. If left empty, the current IP address of the Mac's en0
network interface will be used.

In order to avoid two clients coming in through VPN using the same IP, always
set a unique local address for each client when you have multiple VPN users.

The IP address should be from a private subnet, and must not be part of
the remote network(s) of the VPN connection.

Related Settings: Basic > Topology, Basic > Network Configuration

Availability: Not available when an automatic configuration method is being
used. When a Network to Network topology is used, the setting is called
"Local Networks" and describes the local network(s) to which the VPN tunnel
applies.

VPN Gateway Setting: Remote (IP) address, peer (IP) address, remote endpoint,
remote network

Remote Networks

The network(s) the VPN connects to [2]. All traffic destined for these network(s)
will be tunneled over the VPN.

A network can be entered in CIDR notation (e.g. 192.168.42.0/24) or – for IPv4
connections – using the subnet mask (e.g. 192.168.42.0/255.255.255.0).

Always make sure you are using a correct network address. VPN Tracker will
try to help you with this, so if what you entered changes after pressing enter,
check that you have entered a correct network address, e.g. 192.168.42.0/24
and not 192.168.42.254/24.

Related Settings: “Establish a separate tunnel for each remote network”

Availability: Not available when EasyVPN or SonicWALL Simple Client
Provisioning are used. When a Host to Host topology is used, the setting is
called "Remote Address" and describes the single remote address the VPN tunnel
applies to. Connecting to multiple remote networks requires VPN Tracker
Professional or Player Edition.

VPN Gateway Setting: Local (IP) address, local endpoint, local network
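The checks described under Local Address and Remote Networks above, as an added example (not code from the manual or from equinux): it parses a remote network in either CIDR or IPv4 address/mask form and reports when the entry was not a proper network address (the 192.168.42.254/24 case), verifies that a local address is private and lies outside every remote network, and flags local addresses shared by more than one client. The private ranges (RFC 1918 plus fc00::/7) and all client names and addresses are assumptions constructed for the example.

```python
import ipaddress

# Assumed definition of "private subnet": RFC 1918 IPv4 ranges plus IPv6 ULA.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def normalise_network(text):
    """Parse a Remote Network as VPN Tracker accepts it: CIDR (192.168.42.0/24)
    or IPv4 address/mask (192.168.42.0/255.255.255.0).
    Returns (network in CIDR form, changed). changed=True means the entry had
    host bits set (e.g. 192.168.42.254/24) and was corrected to the network
    address, which is what the field doing so after you press enter indicates."""
    text = text.strip()
    net = ipaddress.ip_network(text, strict=False)   # strict=False clears host bits
    entered = ipaddress.ip_address(text.split("/", 1)[0])
    return net.with_prefixlen, entered != net.network_address

def check_local_address(local, remote_networks):
    """Return a list of problems with a Local Address: it must be private and
    must not fall inside any of the remote networks of the connection."""
    addr = ipaddress.ip_address(local)
    problems = []
    if not any(addr in r for r in PRIVATE_RANGES):   # version mismatch -> False
        problems.append(f"{addr} is not a private address")
    for text in remote_networks:
        net = ipaddress.ip_network(normalise_network(text)[0])
        if addr in net:
            problems.append(f"{addr} lies inside remote network {net}")
    return problems

def duplicate_local_addresses(clients):
    """clients maps client name -> Local Address. Returns the addresses that
    more than one client would bring into the remote network at the same time."""
    owners = {}
    for name, addr in clients.items():
        owners.setdefault(ipaddress.ip_address(addr), []).append(name)
    return sorted(str(a) for a, names in owners.items() if len(names) > 1)

if __name__ == "__main__":
    # Constructed sample entries, not taken from a real configuration.
    for entry in ("192.168.42.0/24", "192.168.42.254/24",
                  "192.168.42.0/255.255.255.0", "2001:db8:1::/48"):
        print(entry, "->", normalise_network(entry))
    print(check_local_address("192.168.42.5", ["192.168.42.0/24"]))
    print(duplicate_local_addresses({"alice": "10.9.0.2", "bob": "10.9.0.2",
                                     "carol": "10.9.0.3"}))
```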

Authentication

The authentication method VPN Tracker uses. Three methods are available:

Pre-Shared Key

The VPN client is authenticated using a shared password, the pre-shared key.
This authentication method is used most frequently.

It is possible to store the pre-shared key in the Mac OS X keychain, or to be
prompted for it every time the VPN connects.

Certificate

The VPN client and the VPN gateway mutually authenticate using X.509
certificates (RSA signatures). This method is very secure, but requires a proper
infrastructure for creating and distributing certificates, and a VPN gateway
that supports it.

The client's certificate and private key (also called an "identity") need to be
present in the Mac OS X keychain. The VPN gateway's certificate can in most
cases be sent by the VPN gateway, but it is also possible to add it to the local
keychain and set that specific certificate in VPN Tracker.

Hybrid Mode

The VPN gateway authenticates itself with a certificate, and the user
authenticates themselves through Extended Authentication (XAUTH). This method is
supported by some vendors (e.g. Check Point) and considered more secure
than using an Aggressive Mode connection with just a pre-shared key.

[1] In IPsec terms: the local endpoint of the IPsec Security Association (SA)

[2] In IPsec terms: the remote endpoint of the IPsec Security Association (SA)