VPN Client - more
We had significant challenges getting the VPN Client to work. We tried numerous configurations in multiple network locations before we could get the VPN Client to connect successfully to the DFL-CPG310. Once we got it working, we undid the working configuration and re-tried some of the failed configurations to better understand what worked. The confusing result was that the previously failed options then worked! To add to the frustration, working configurations were not repeatable on other machines in later tests.
We suspect that once the VPN Client makes a successful connection, it learns aspects of the network configuration that enable future connections. For example, the VPN Client software learns the subnet of the DFL's LAN after the first connection. This enables the Client to launch automatically if a user starts an application that attempts to connect to the DFL's LAN subnet.
In our test case, the DFL's LAN subnet is 192.168.10.0/24. Pinging 192.168.10.1 from the remote PC with the VPN Client software automatically launches the connection screen shown in Figure 13, with a message saying, "Your computer is trying to establish communication with your site. Please connect."
Figure 13: Automatic launch of the VPN client software on access attempt
Understanding and managing DFL-CPG310 VPN Clients requires understanding the DFL-CPG310's "OfficeMode" configuration. OfficeMode, shown in Figure 14, is a separate virtual LAN that assigns IP addresses from its own subnet (192.168.254.0/24) to VPN Clients as they connect. The CPG310 then routes this subnet so that remote clients tunneling in are treated as though they were on the local LAN.
As with the Wireless network, the separate subnet is a good security feature. Servers and storage devices will likely be on the wired LAN subnet, and keeping the Wireless and VPN clients on their own subnets lets you build access control lists in the Firewall based on the originating subnet.
Figure 14: OfficeMode configuration, showing separate VLAN subnet for VPN clients
However, from a configuration standpoint, it is a challenge to understand how the DFL-CPG310 VPN Server and OfficeMode's NAT options work together.
The VPN Server has a configuration option, "Bypass NAT" (see Figure 11 earlier), which the manual states will tell the router to "not perform Network Address Translation (NAT) to the internal network for authenticated remote users." That makes sense. If you're connecting via the VPN Client, you will have an IP from the OfficeMode subnet, and your traffic does not need NAT.
OfficeMode then has the further option to Enable or Disable "Hide NAT." The manual explains Hide NAT "enables you to share a single public Internet IP address among several computers, by 'hiding' the private IP addresses of the internal computers behind the NetDefend firewall’s single Internet IP address." Why D-Link calls it "Hide NAT," I don't know. It would be easier if they simply called it "NAT."
The VPN Client worked with Bypass NAT checked and Disable Hide NAT selected. It seems like this could be simplified to a single option to Enable or Disable NAT, instead of creating so many double negatives. The end result is that the various NAT options for VPN Client connections are poorly documented and confusing.
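To make the two points above concrete, the following is an added example (not the review's or D-Link's code) that models a firewall ACL keyed on the originating subnets described here, and what a LAN host sees when VPN client traffic is or is not translated before reaching it. The wireless subnet, file server address, and the translation behaviour without Bypass NAT are assumptions for the model, not measured device behaviour.

```python
"""Subnet-based ACL model for the three client populations in the review:
wired LAN, OfficeMode VPN clients, and Wireless. Constructed example; it does
not reproduce the DFL-CPG310's rule engine."""
from ipaddress import ip_address, ip_network

# Subnets from the review. The wireless subnet and file server address are
# not given on this page, so these two values are placeholders.
LAN = ip_network("192.168.10.0/24")
OFFICEMODE = ip_network("192.168.254.0/24")   # VPN clients land here
WIRELESS = ip_network("192.168.20.0/24")      # placeholder
FIREWALL_LAN_IP = ip_address("192.168.10.1")
FILE_SERVER = ip_address("192.168.10.50")     # placeholder

# ACL rows: (source subnet, destination host, TCP port, allowed). First match wins.
RULES = [
    (LAN, FILE_SERVER, 445, True),          # wired users reach file shares
    (OFFICEMODE, FILE_SERVER, 445, True),   # VPN users reach file shares too
    (WIRELESS, FILE_SERVER, 445, False),    # wireless guests are kept off them
]


def acl_decision(src: str, dst: str, port: int) -> bool:
    """Evaluate the ACL for one flow; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for net, host, p, allowed in RULES:
        if s in net and d == host and port == p:
            return allowed
    return False


def lan_visible_source(src: str, bypass_nat: bool) -> str:
    """Source address a LAN host sees for a VPN client's packet.
    With Bypass NAT the OfficeMode address survives; without it the client is
    assumed to be hidden behind the firewall's LAN address (model assumption)."""
    s = ip_address(src)
    if s in OFFICEMODE and not bypass_nat:
        return str(FIREWALL_LAN_IP)
    return str(s)


def server_side_decision(src: str, dst: str, port: int, bypass_nat: bool) -> bool:
    """Same ACL applied on the server itself, after any translation. Without
    Bypass NAT every VPN client looks like the firewall's own LAN address, so the
    server can no longer distinguish VPN-originated traffic from wired traffic."""
    return acl_decision(lan_visible_source(src, bypass_nat), dst, port)
```

The takeaway the model shows: translating VPN clients onto the LAN discards the originating-subnet information that the separate OfficeMode subnet was meant to give you.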