<div dir="ltr"><br><br><div class="gmail_quote">On Mon, Mar 21, 2011 at 10:02 AM, Shachar Shemesh <span dir="ltr"><<a href="mailto:shachar@shemesh.biz">shachar@shemesh.biz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 21/03/11 02:41, Etzion Bar-Noy wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It is common that the VPN provider policy *prevents* you from connecting to multiple networks (theirs and someone else's). The logic behind it is to prevent data leak, especially accidental, by combining somehow their network with someone else's.<br>
</blockquote></div>
You have to connect to some network in order to get the VPN packets out.</blockquote><div>Your home LAN, Internet Cafe, whatever. True. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
So - this poses no problem to be dealt with. The common problem is that your local home network overlaps one of the organization's networks. Some of the VPN clients place themselves in the network interface stack, so they hijack the packets to their correct destination(s). That is the common reason (except for time and effort) that Linux clients are more rare. This operation is somewhat more complicated there, and would require root access.<br>
</blockquote></div>
Hijacking the outgoing packets does not solve the routing conflict. When I send a packet to 172.27.245.17, you somehow need to know whether that is the 172.27.245.17 that is visible through the VPN, or the one visible locally. Hijacking ALL outgoing packets rarely makes sense.<br>
</blockquote><div>They avoid hijacking your default GW. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Hijacking the network interface does allow you to route the ENCRYPTED packet without going into routing loops, and is the reason this is done. Still, you are hiding parts of the network if there is a conflict.</blockquote>
<div>You do, of course. Usually, the VPN clients hide the local network where a conflict exists.</div><div><br></div><div>Ez </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5"><br>
<br>
Shachar<br>
<br>
-- <br>
Shachar Shemesh<br>
Lingnu Open Source Consulting Ltd.<br>
<a href="http://www.lingnu.com" target="_blank">http://www.lingnu.com</a><br>
<br>
</div></div></blockquote></div><br></div>
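As an added example (not part of this thread), a small Python model of the routing conflict discussed above: it flags VPN routes that overlap the home LAN and shows, by longest-prefix match, which side a packet to 172.27.245.17 leaves on under the two client behaviours described (routes installed as pushed, or the client deliberately hiding the local LAN). The home LAN and VPN routes are constructed sample values, not anyone's real configuration.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Constructed sample: a home LAN that overlaps one of the organisation's
# networks pushed by the VPN (the 172.27.245.17 case from the thread).
HOME_LAN = Net("172.27.245.0/24")
VPN_ROUTES = [Net("172.27.0.0/16"), Net("10.8.0.0/24")]


def overlapping_routes(local, remote):
    """Pre-connect check: VPN routes that collide with the local network."""
    return [r for r in remote if r.overlaps(local)]


def build_table(local, remote, vpn_hides_local=False):
    """Routing table as {network: egress interface}.

    vpn_hides_local=False: routes installed as pushed. The /24 LAN is more
    specific than the VPN's /16, so the LAN shadows VPN hosts in that range.
    vpn_hides_local=True: models a client that re-covers the conflicting LAN
    prefix with two more-specific halves through the tunnel (the same trick
    OpenVPN's 'def1' uses against the default route), hiding the local LAN.
    """
    table = {local: "lan"}
    for r in remote:
        table[r] = "vpn"
        if vpn_hides_local and r.overlaps(local) and r.prefixlen < local.prefixlen:
            for half in local.subnets(new_prefix=local.prefixlen + 1):
                table[half] = "vpn"
    return table


def lookup(dst, table):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.IPv4Address(dst)
    hits = [(net, via) for net, via in table.items() if ip in net]
    if not hits:
        return None  # no route at all (default gateway not modelled)
    return max(hits, key=lambda h: h[0].prefixlen)[1]


if __name__ == "__main__":
    print("conflicting VPN routes:", overlapping_routes(HOME_LAN, VPN_ROUTES))
    for hide in (False, True):
        table = build_table(HOME_LAN, VPN_ROUTES, vpn_hides_local=hide)
        print(f"vpn_hides_local={hide}: 172.27.245.17 ->", lookup("172.27.245.17", table))
```

Running overlapping_routes against the routes a client pushes before bringing the tunnel up is the cheap way to know in advance which hosts will become unreachable.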