Chapter 6 Configuring branch office tunnels 123Nortel VPN Router Configuration — Basic FeaturesPPTP nested tunnelsNested tunnels allow you to create a PPTP end user tunnel inside an IPSec branchoffice tunnel or an asynchronous branch office tunnel. You can have a nestedtunnel from within the private network or from the public side.A nested tunnel from within the private network allows an end user to originate aPPTP connection from a client PC located on the on the private network. Whenthe client connects, PPTP control packets for establishing the tunnel arrive at theNortel VPN Router where it enters the IPsec branch office tunnel. The NortelVPN Router at the entry point routes the control packets to the other end of thebranch office connection. The PPTP connection ends at the Nortel VPN Router atthe exit node of the branch office connection on the private interface. The controlpackets for the PPTP tunnel are processed and the Nortel VPN Router at the exitnode of the branch office creates a new PPTP tunnel inside the branch officetunnel.Even though the nested PPTP tunnel sessions are similar to a regular end usertunnels at the terminating Nortel VPN Router switch, they are listed separatelyunder the branch office as nested tunnels on the status page. This indicates that thenested tunnel cannot stay active after the branch office connection is terminated.The nested PPTP tunnel is created assuming the branch office connection asvirtual link. In cases where the branch office session is deleted or logged off, thenested PPTP sessions will be applied the same processing as loss of physical link.Nested tunnels from the public side allow remote users to connect from theInternet to a private network through the IPSec client to the Nortel VPN Router.After connecting the IPSec client, the end user can start a nested PPTP tunnel tothe other end of the established branch office.You can individually log off nested tunnel sessions from the Status > Sessions >Active Session window.