The Downside to VPNs

The primary concern for wireless users when a VPN is in place is roaming between APs. Any solution that relies on higher level encryption has the potential to break when users roam across APs. For example, IPSec (Layer 3) will break if a user roams to a new AP and is assigned a new IP address. While there are some third-party solutions for this problem, another recommendation (if physically possible) is to use a single subnet and connect all of the APs to a single switch or hub.

By centralizing the DHCP function (as opposed to each AP independently handing out IP addresses), you will ensure IP address consistency when you roam from one AP to another. Clearly, there are scalability issues with this solution, but it may be appropriate for some environments.