
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,810 of 2,348   
   Graham Murray to Martin Bodenstedt   
   Re: Two different networks, one computer   
   29 Oct 05 14:27:08   
   
   XPost: comp.dcom.sys.cisco   
   From: newspost@gmurray.org.uk   
      
   Martin Bodenstedt writes:   
      
   > Suddenly all other PCs on your local network can access the   
   > customer's network and - which is worse - your customer's network has   
   > a rogue internet connection (thru your PC) bypassing that network's   
   > internet access policy.   
      
   How is that going to happen without some serious reconfiguration both   
   on your system and its local network? To take some (hypothetical)   
   numbers: your PC has IP address 192.168.0.2 on the local network. When   
   you establish the VPN connection to the remote network this allocates   
   you IP address 10.0.0.3 on that network.   
      
   If your PC acted as a 'simple' router then any packets it received   
   with destination addresses in 10.0.0.0/8 it would send over the VPN   
   but with a source address in 192.168.0.0/24 which the remote network   
   would not like and will probably be rejected by the firewall in the   
   VPN endpoint. Add to that, the other systems (or at least the system   
   which is the default route) on the local LAN would have to be set up   
   with a static route for 10.0.0.0/8 via your PC.   
      
   For other systems to access the remote network via your PC, not only   
   would the static routes have to be set in the local network but your   
   PC would have to act as a NATting router and set the source address of   
   all packets to 10.0.0.3 before sending over the VPN.   
      
   For your PC to 'leak' the external internet to the remote VPN would   
   require even more complex configuration.   
      
   None of these things could happen accidentally. So if you are not   
   trusted enough to not deliberately subvert the remote system's   
   security then neither should you be trusted enough to have the VPN   
   connection to the remote network.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
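
Added example (not part of the original post): a small Python model of the packet path the message describes, using its addresses, showing that a LAN host's packet is only delivered when the static route, forwarding and NAT are all in place. The 192.168.0.1 gateway, the 192.168.0.5 host, the 10.1.2.3 target and the endpoint rule that accepts only the allocated address are assumptions made for illustration.

```python
import ipaddress as ip

REMOTE = ip.ip_network("10.0.0.0/8")     # remote network (from the post)
PC_LAN = ip.ip_address("192.168.0.2")    # PC's address on the local network
PC_VPN = ip.ip_address("10.0.0.3")       # address allocated by the VPN
GATEWAY = ip.ip_address("192.168.0.1")   # assumed LAN default router

DEFAULT = [(ip.ip_network("0.0.0.0/0"), GATEWAY)]   # stock LAN routing
STATIC = DEFAULT + [(REMOTE, PC_LAN)]               # plus 10.0.0.0/8 via the PC

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs."""
    hits = [(net.prefixlen, gw) for net, gw in routes if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def trace(src, dst, lan_routes, pc_forwards, pc_snat):
    """Follow one packet from a LAN host toward the remote network.

    Returns (delivered, reason). Assumption: the VPN endpoint accepts
    only packets whose source is the allocated address 10.0.0.3.
    """
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    hop = next_hop(lan_routes, dst)
    if hop != PC_LAN:
        return False, "LAN routes it to %s, not to the PC" % hop
    if not pc_forwards:
        return False, "PC is not forwarding; packet dropped"
    if pc_snat:
        src = PC_VPN   # NAT rewrites the source to the VPN address
    if src != PC_VPN:
        return False, "VPN endpoint firewall rejects source %s" % src
    return True, "delivered with source %s" % src

def scenarios():
    host, target = "192.168.0.5", "10.1.2.3"   # constructed sample addresses
    return {
        "stock LAN": trace(host, target, DEFAULT, False, False),
        "static route only": trace(host, target, STATIC, False, False),
        "route + forwarding": trace(host, target, STATIC, True, False),
        "route + forwarding + NAT": trace(host, target, STATIC, True, True),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print("%-26s %-5s %s" % (name, ok, why))
```
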



(c) 1994,  bbs@darkrealms.ca