Many organizations use VPN concentrators to allow remote clients to access the office network from their house or on the road. This configuration typically requires the remote PC to establish an encrypted tunnel and the PC's side of the encrypted tunnel is assigned its own IP address. The tunnel address is usually on the office's subnet but there are many ways to assign the address.
The most common methods for assigning the address are
- by username, where the VPN administrator assigns each user ID a specific IP address. This method isn't scalable because you need an address for each user. For instance, if you have 500 users, you need 500 addresses, even if only 50 of them are ever logged on at a time. It's also a big pain to keep track of addresses.
- via a pool, where the VPN administrator sets a range of addresses (called a pool) and then the VPN device handles assigning them dynamically as users log in. This method works well for most organizations.
- via DHCP relay, where the VPN device obtains an IP address from a DHCP server. This is the most scalable and is the least difficult to configure and maintain. It will also be important when Dynamic DNS and similar protocols are used for IP Telephony connectivity.
Given these choices, many organizations choose the third option, but there is a tiny problem: the most common reason system administrators log into the office network is to fix network problems. If there is a problem on the internal
A better way to configure IP address assignment is to configure the DHCP relay option, but to give your administrators static IP addresses. Keep in mind that in most VPN devices, these three methods aren't exclusive, but you can't have pools and DHCP using overlapping addresses. In this case, the statically assigned administrator IP would take precedence over the DHCP address, which would permit the VPN tunnel connection.
If you have a group of administrators, consider creating two groups: a user group and an administrator group. Assign the DHCP method to the user group, and a non-overlapping pool to the administrator group.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in July 2002