The target VPN server I want to connect to allows connections only from one IP address.

When I am at my office (the network public IP is trusted on the VPN server) everything is OK, but I figured that when I am at home I could do the following:

  1. Connect to office VPN (using built in windows VPN client)

    When I do it I have 2 active network interfaces:

    • home network
    • office network (VPN)
  2. Connect to target VPN (using custom VPN client)

    If the VPN server sees my office IP, it should let me in.

Unfortunately, I get rejected. The strange thing is, I made it work this way:

  1. I connect to VPN at my office

  2. I start a bridged virtual machine

  3. I connect to target VPN in the virtual machine

    and it works.

Probably, all virtual machine traffic is routed through the office VPN connection.

My question is, how can I make it work without the virtual machine?

  • System: Windows XP
  • VPN client: Check Point VPN-1
  • Connection settings: IKE over TCP, Force UDP encapsulation

  • What's the system (Windows 7 / Windows Vista / GNU/Linux / FreeBSD ...)? What VPN (L2TP/IPSec, OpenVPN)? How started (by NetworkManager...)? Commented Aug 9, 2010 at 20:44
  • Probably only the traffic to the office's subnet is routed through VPN. Can you run a "tracert IP-of-target-VPN-Server" while connected to the office-vpn? – user16115 Commented Sep 14, 2010 at 11:23

2 Answers


Since you're using Windows XP, we'll work with Windows commands.

From the Command Prompt on your workstation, type route print - you should get something like this:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...08 00 27 c3 52 ca ...... AMD PCNET Family PCI Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.89     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.89     192.168.1.89     20
     192.168.1.89  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255     192.168.1.89     192.168.1.89     20
        224.0.0.0        240.0.0.0     192.168.1.89     192.168.1.89     20
  255.255.255.255  255.255.255.255     192.168.1.89     192.168.1.89      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

You can get additional documentation on the route command here:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true

What you can do is set a route for your connection to the VPN service. Let's say you are on the 192.168.1.0 network, and you have a gateway on your office network at 10.10.10.5 configured to access the VPN service on the 72.21.211.1/24 network. You would use "route add" like this:

route ADD 72.21.211.0 MASK 255.255.255.0 10.10.10.5

Your routing table should now reflect that change, and all traffic to the 72.21.211.0 range will now be sent over to the office gateway.

The route add change will only persist across reboots if you add it with the -p flag:

route -p ADD 72.21.211.0 MASK 255.255.255.0 10.10.10.5
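To see why the extra route changes which public IP the target server observes, here is an added example (not code from the answer or from Windows) that performs the same longest-prefix-match lookup the Windows IPv4 stack does, against the answer's sample route print table with and without its route ADD line. The 192.168.1.x, 72.21.211.0/24 and 10.10.10.5 addresses are the answer's own constructed values.

```python
import ipaddress

# Rows are (destination, netmask, gateway, metric), copied from the
# answer's sample "route print" output for the home network.
HOME_TABLE = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.1.1",  20),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",     1),
    ("192.168.1.0",     "255.255.255.0",   "192.168.1.89", 20),
    ("192.168.1.89",    "255.255.255.255", "127.0.0.1",    20),
    ("192.168.1.255",   "255.255.255.255", "192.168.1.89", 20),
    ("224.0.0.0",       "240.0.0.0",       "192.168.1.89", 20),
    ("255.255.255.255", "255.255.255.255", "192.168.1.89",  1),
]

# Equivalent of the answer's: route ADD 72.21.211.0 MASK 255.255.255.0 10.10.10.5
# (metric 1 is an assumption; Windows assigns one if none is given).
OFFICE_ROUTE = ("72.21.211.0", "255.255.255.0", "10.10.10.5", 1)


def lookup(table, dest):
    """Return the gateway for dest: the most specific matching prefix wins,
    and among equal prefixes the lowest metric wins. None if nothing matches."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for net, mask, gateway, metric in table:
        # strict=False tolerates host bits in the destination column.
        network = ipaddress.IPv4Network((net, mask), strict=False)
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else None


def next_hop_for_target(target, with_office_route):
    """Gateway used for the target VPN server with or without the added route."""
    table = HOME_TABLE + ([OFFICE_ROUTE] if with_office_route else [])
    return lookup(table, target)


if __name__ == "__main__":
    target = "72.21.211.1"  # constructed: a host in the answer's 72.21.211.0/24
    print("without route:", next_hop_for_target(target, False))  # home router
    print("with route:   ", next_hop_for_target(target, True))   # office gateway
    print("other traffic:", next_hop_for_target("8.8.8.8", True))  # still home
```

Without the /24 entry the default route sends the target's packets through the home router, so the server sees the home address; with it, only that prefix is steered to the office gateway while everything else keeps using the home connection.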

It depends much on the scripts on the server, the system, etc. But the basis of the setup would be something like:

192.168.1.0/24 dev eth0  proto kernel  scope link
parent.vpn.server via 192.168.1.1 dev eth0
10.0.0.0/24 dev ppp0  proto kernel  scope link
child.vpn.server via 10.0.0.1
10.0.1.0/24 dev ppp1  proto kernel  scope link

where:

  • eth0 is the local interface with an address from the 192.168.1.0 network (gateway 192.168.1.1)
  • ppp0 is the point-to-point interface to the parent (home) server, with an address from the 10.0.0.0/24 network (gateway 10.0.0.1)
  • ppp1 is the point-to-point interface to the child (work) server, with an address from the 10.0.1.0/24 network (gateway 10.0.1.1)

Please note that:

  • Networks cannot overlap.
  • The routing table may need to be set 'manually' (by a script etc.). I've given the iproute2 format of a sample routing table.
  • Interface names can vary.
