Figure 7 shows an example of policy rules being maintained at an AAA server, from which the VPN gateway can download them before sending them to the VPN client. Rules are listed for each NAI and are applied in the order in which they appear in the table for that particular NAI. For NAI officer@company, the policy rule specifies that all packets should be sent to a VPN endpoint with IP address 135.180.144.254, which is the IP address of the enterprise VPN gateway. For NAI staff@company, the policy rule specifies that all packets should be sent to a VPN endpoint with IP address 135.180.244.150, which is the IP address of the IPSS. For executive@company, the first policy rule specifies that if the packet is destined to an IP address within the enterprise subnet 192.168.5.0/24 and the TCP port is either 25 or 80 (i.e., e-mail or the Web), it should be sent to the enterprise VPN gateway. Because the rules are evaluated in order, the second rule catches all packets that do not match the first rule and sends them to the IPSS. Thus, the encapsulating (outer) IP header will carry either the IP address of the enterprise VPN gateway or that of the IPSS as its destination address. There could be another set of rules for packets that do not have to be sent over either of the VPN sessions and can be sent directly to the Internet, but no such rules are shown in the figure.

Note that when network-based VPN packets are received at the IPSS and decrypted, the IPSS must decide either to send them through an IPSec tunnel to the enterprise VPN gateway or to send them out unsecured on the public network. In general, this decision is made based on the destination IP address and the TCP port number. For example, if the IPSS provides Internet off-loading as a value-added service, all packets to TCP port 80 that are not destined to the enterprise can be sent in the clear to the appropriate destination IP address. Policy rules for making this decision can be maintained by the AAA server, where they can be looked up by the IPSS.
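The ordered, first-match evaluation of the per-NAI rule table, and the IPSS-side tunnel-or-clear decision, as an added example that is not part of the original article. The gateway and IPSS addresses, the enterprise subnet and the port numbers are the ones given in the text; the `Rule` representation, the `DIRECT` and `DROP` actions, the fail-closed result for an NAI with no matching rule, and the IPSS default of tunnelling all non-web traffic back to the enterprise are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Addresses, subnet and ports are the ones given in the text.
ENTERPRISE_GW = "135.180.144.254"                        # enterprise VPN gateway
IPSS = "135.180.244.150"                                 # IPSS
ENTERPRISE_SUBNET = ipaddress.ip_network("192.168.5.0/24")

# Assumed sentinel actions: the text mentions direct-to-Internet rules but
# shows none; DROP is the assumed fail-closed result when no rule matches.
DIRECT = "direct"
DROP = "drop"


@dataclass(frozen=True)
class Rule:
    """One policy rule: match fields (None = wildcard) and the endpoint whose
    address goes into the outer (encapsulating) IP header."""
    dst_net: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None
    endpoint: str = DROP

    def matches(self, dst_ip: str, proto: str, dst_port: Optional[int]) -> bool:
        if self.dst_net is not None and ipaddress.ip_address(dst_ip) not in self.dst_net:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dst_ports is not None and dst_port not in self.dst_ports:
            return False
        return True


def first_match(rules: List[Rule], dst_ip: str, proto: str,
                dst_port: Optional[int]) -> Optional[Rule]:
    """Ordered evaluation: the first matching rule wins, so a wildcard rule
    placed first shadows every rule after it."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dst_port):
            return rule
    return None


# Client-side table from Figure 7, keyed by NAI, in evaluation order.
POLICY: Dict[str, List[Rule]] = {
    "officer@company": [Rule(endpoint=ENTERPRISE_GW)],
    "staff@company": [Rule(endpoint=IPSS)],
    "executive@company": [
        Rule(dst_net=ENTERPRISE_SUBNET, proto="tcp",
             dst_ports=frozenset({25, 80}), endpoint=ENTERPRISE_GW),
        Rule(endpoint=IPSS),  # everything the first rule did not match
    ],
}


def outer_destination(nai: str, dst_ip: str, proto: str,
                      dst_port: Optional[int] = None) -> str:
    """VPN client: choose the outer IP destination for one packet. An NAI with
    no matching rule yields DROP (assumed) instead of leaking the packet unprotected."""
    rule = first_match(POLICY.get(nai, []), dst_ip, proto, dst_port)
    return DROP if rule is None else rule.endpoint


# IPSS side, applied after decryption. Assumed policy built from the text's
# off-loading example: enterprise-bound traffic is re-tunnelled to the
# enterprise gateway, TCP/80 to any other destination goes out in the clear,
# and all remaining traffic is tunnelled to the enterprise (assumed default).
IPSS_RULES: List[Rule] = [
    Rule(dst_net=ENTERPRISE_SUBNET, endpoint=ENTERPRISE_GW),
    Rule(proto="tcp", dst_ports=frozenset({80}), endpoint=DIRECT),
    Rule(endpoint=ENTERPRISE_GW),
]


def ipss_forward(dst_ip: str, proto: str, dst_port: Optional[int] = None) -> str:
    """IPSS: tunnel to the enterprise gateway or send in the clear. The last
    rule is a catch-all, so a match always exists."""
    rule = first_match(IPSS_RULES, dst_ip, proto, dst_port)
    return DROP if rule is None else rule.endpoint


if __name__ == "__main__":
    # Constructed sample packets (inner header: destination, protocol, port).
    for nai, dst, proto, port in [
        ("executive@company", "192.168.5.10", "tcp", 25),
        ("executive@company", "192.168.5.10", "tcp", 443),
        ("staff@company", "192.168.5.10", "tcp", 25),
    ]:
        print(nai, dst, proto, port, "->", outer_destination(nai, dst, proto, port))
    print("IPSS 203.0.113.5 tcp/80 ->", ipss_forward("203.0.113.5", "tcp", 80))
```

The point to check when such a table is loaded from the AAA server is ordering: in `IPSS_RULES`, the enterprise-subnet rule must precede the TCP/80 off-load rule, otherwise web traffic bound for 192.168.5.0/24 is matched by the off-load rule and leaves the IPSS in the clear. The same applies to the executive@company list, where putting the IPSS catch-all first would route the enterprise e-mail and web traffic away from the enterprise gateway.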