beating VPN with a VM

 
 
Time Waster

 
      09-10-2007, 01:10 AM
I'd like to use a VM (VMWare) to serve out webpages while its host
goes in and out of VPN mode. Going into VPN mode blocks the regular
Net from services on the host. Has anyone tried this sort of thing?

To be more specific, it's a Nortel/Apani client on an old RedHat.
And we have a Belkin wireless router in front of everything.
I already use iptables, though no forwarding rules yet. I'm just
at a loss as to who gets an incoming packet first. Playing around
some with it, if I use "bridged" mode on the guest VM, I can now
get to the webserver from another machine on our local net, but still
not from the outside. Oh, and I know how to forward packets to a
particular host from the router.

If someone's played with this before, and it's even possible:
1) Do I really have to direct incoming packets to the host OS
itself and redirect/forward to the guest?
2) Or does a VPN usually interfere with iptables even seeing the
packets first?
3) If I'm in bridged mode (not NAT mode) should I be able to direct
incoming packets directly to the guest VM IP?

Thanks for any clues that might prevent hours of hacking just to lead
nowhere!
 
 
 
 
 
Chris Davies

 
      09-18-2007, 10:05 AM
Time Waster <(E-Mail Removed)> wrote:
> I'd like to use a VM (VMWare) to serve out webpages while its host
> goes in and out of VPN mode. Going into VPN mode blocks the regular
> Net from services on the host. Has anyone tried this sort of thing?


> To be more specific, it's a Nortel/Apani client on an old RedHat.


I can only suggest general pointers as I'm not familiar with your
Nortel/Apani VPN client.

If I were to use the CISCO provided VPN client, it too would take over
the entire network routing (given server side configuration requesting
this). It appears to have a kernel module that does this, so it's
completely outside your control.

In my case, I stopped using the CISCO client and switched to vpnc
instead. This allows me to define which routes go where and I'm happy
again.

Have you considered serving web pages from the host, and running the
VPN from a guest?

Chris
 
 
Time Waster

 
      09-25-2007, 07:18 PM
In article <(E-Mail Removed)>,
Chris Davies <(E-Mail Removed)> wrote:
>
>
>Time Waster <(E-Mail Removed)> wrote:
>> I'd like to use a VM (VMWare) to serve out webpages while its host
>> goes in and out of VPN mode. Going into VPN mode blocks the regular
>> Net from services on the host. Has anyone tried this sort of thing?

>
>> To be more specific, it's a Nortel/Apani client on an old RedHat.

>
>I can only suggest general pointers as I'm not familiar with your
>Nortel/Apani VPN client.
>
>If I were to use the CISCO provided VPN client, it too would take over
>the entire network routing (given server side configuration requesting
>this). It appears to have a kernel module that does this, so it's
>completely outside your control.
>
>In my case, I stopped using the CISCO client and switched to vpnc
>instead. This allows me to define which routes go where and I'm happy
>again.
>
>Have you considered serving web pages from the host, and running the
>VPN from a guest?


Thanks for the advice -- I'm not surprised that it doesn't sound
doable -- at least without hacking up the VPN client. The Apani
client also customizes the kernel. I'll look at vpnc, but since
I don't control the other end, I'm suspecting that's a long shot.

I realize it might be easier to run the VPN from a guest, but it would
be far less usable as I typically have many windows for logins to work -- the
assumption is that when I'm *at* the machine, it will be 90% dedicated
to work.

-bc
 
 
Chris Davies

 
      09-27-2007, 08:37 AM
Time Waster <(E-Mail Removed)> wrote:
> Thanks for the advice -- i'm not surprised that it doesn't sound
> doable -- at least without hacking up the VPN client. The Apani
> client also customizes the kernel. I'll look at vpnc, but since
> I don't control the other end, i'm suspecting that's a long shot.


Google search for "nortel apani ipsec vpnc". The top few hits discuss
replacement of the Nortel/Apani client with vpnc.

FWIW, I don't control the CISCO server side, but vpnc talks happily to
it. (Even with a dynamic PIN generator thingy.)

Chris
 