VPN 3000 Concentrator Series User Guide
Chapter 8: IP Routing

In a typical installation, the VPN Concentrator is connected to the public network through an external 
router, which routes data traffic between networks, and it may also be connected to the private network 
through a router.

The VPN Concentrator itself includes an IP routing subsystem with static routing, RIP (Routing 
Information Protocol), and OSPF (Open Shortest Path First) functions. RIP and OSPF are routing 
protocols that routers use to exchange messages with other routers within an internal or private 
network, to determine network connectivity, status, and optimum paths for sending data traffic.

Once the IP routing subsystem establishes the data paths, the routing itself occurs at wire speed. The 
subsystem looks at the destination IP address in all packets coming through the VPN Concentrator, even 
tunneled ones, to determine where to send them. If the packets are encrypted, it sends them to the 
appropriate tunneling protocol subsystem (PPTP, L2TP, IPSec) for processing and subsequent routing. 
If the packets are not encrypted, it routes them according to the configured IP routing parameters.

To route packets, the subsystem uses learned routes first (learned from RIP and OSPF), then static routes, 
then the default gateway. If you don’t configure the default gateway, the subsystem drops packets 
that it can’t otherwise route. The VPN Concentrator also provides a tunnel default gateway, which is a 
separate default gateway for tunneled traffic only.

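The lookup order described above, modeled as an added Python example (not Cisco code and not part of the original guide). The route tables, addresses, and function names are constructed for illustration; applying the order table by table, longest-prefix matching within a table, and the fallback of tunneled traffic to the default gateway when no tunnel default gateway is set are assumptions.

```python
import ipaddress

# Constructed sample tables: (prefix, next hop). Not taken from any real device.
LEARNED = [("10.10.0.0/16", "10.0.0.2")]            # as if learned via RIP/OSPF
STATIC = [("172.16.0.0/12", "10.0.0.3"),
          ("172.16.4.0/24", "10.0.0.4")]


def longest_match(addr, routes):
    """Return the next hop of the most specific route containing addr, or None."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def resolve(dst, learned, static, default_gw=None,
            tunnel_default_gw=None, tunneled=False):
    """Return (route_source, next_hop) for dst using the guide's stated order."""
    addr = ipaddress.ip_address(dst)
    # Learned routes are consulted first, then static routes.
    for source, table in (("learned", learned), ("static", static)):
        hop = longest_match(addr, table)
        if hop:
            return source, hop
    # Assumption: tunneled traffic uses the tunnel default gateway when one
    # is configured, and otherwise falls through to the default gateway.
    if tunneled and tunnel_default_gw:
        return "tunnel-default", tunnel_default_gw
    if default_gw:
        return "default", default_gw
    # No default gateway configured: the packet cannot be routed and is dropped.
    return "drop", None


if __name__ == "__main__":
    for dst, tunneled in (("10.10.5.9", False), ("172.16.4.1", False),
                          ("203.0.113.7", False), ("203.0.113.7", True)):
        print(dst, tunneled, resolve(dst, LEARNED, STATIC, "192.0.2.1",
                                     "10.0.0.254", tunneled))
    print("no default:", resolve("203.0.113.7", LEARNED, STATIC))
```
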
You configure static routes, the default gateways, and system-wide OSPF parameters in this section. This 
section also includes the system-wide DHCP (Dynamic Host Configuration Protocol) parameters. You 
configure RIP and interface-specific OSPF parameters on the network interfaces; see 
Configuration | Interfaces.

This section of the Manager also lets you configure VPN Concentrator redundancy using VRRP (Virtual 
Router Redundancy Protocol). This feature applies to installations of two or more VPN Concentrators 
in a parallel, redundant configuration. It provides automatic switchover to a backup system in case the 
primary system is out of service, thus assuring user access to the VPN. This feature supports user access 
via IPSec LAN-to-LAN connections, IPSec client (single-user remote-access) connections, and PPTP 
client connections.










