On Wednesday, February 12, 2003, at 10:40 AM, David Wilburn wrote: With such ambiguous routing, is my understanding correct that the response traffic could potentially bypass the VPN concentrator altogether and travel to the destination unencrypted? I had exactly this problem - consider the situation where site a and site b are branches of the same company, each with its own internet gateway and site b has resources site a must (due to head office edict) use. Now consider vpn users of site a, who must use resources from site b. not only is it likely that replies go via the site b gateway, but it is impossible for them *not* to - to the extent that, as site b's firewall sensibly doesn't allow outbound packets to random destinations, no replies are ever received at all. The solution was fairly simple - inbound VPN users are transparently NATted to a block of addresses in the "site a" range, and therefore replies, looking as they do to be sourced from site a, are returned to
the firewall at site a for vpn encapsulation and dispatch.