Networking Forums

how to set up VPN tunnel on multihomed PC

 
 
sxzy@yahoo.com
02-28-2006, 09:46 PM
Hi,

* A PC is outside our firewall and has a VPN connection to another
network.
* I installed a 2nd network card in order to include this machine in our
network.
* My final goal is to reach that VPN destination from inside our
network.

Questions:

Is it safe? Am I creating a backdoor to our network this way? Can I
limit the outside NIC to carry traffic ONLY for the VPN connection? Would
that eliminate most of the risk?

In XP, when I bridge both connections, the bridge connection just obtains
an internal network IP and acts as a computer on the network (uses the internal
gateway, DNS, etc.). But I can't ping the VPN destination that I previously
could from the outside IP. How do I make it recognize both the VPN network and
the internal network?

Do I need to add some IP forwarding or routing?

Any docs on how to set up VPN-Internet-internal network connections
would be nice.

Thank you. Sergey

 

Phillip Windell
02-28-2006, 09:56 PM
No, it won't work.
1. The PC must be on the LAN behind the firewall.
2. The PC needs to be running the Server OS and RRAS and must
be configured to operate as a VPN Router. There are competing
products that can be used instead of RRAS. Many "hardware
firewalls" can also do this on their own.
3. Then you need something similar on the opposite end. Then
establish a Site-to-Site VPN between the RRAS box and the
opposite VPN Device. A Site-to-Site VPN and a Remote Access
VPN are two different things and do not work the same way.
4. The "gateway" to the other remote LAN will be the RRAS box's
LAN NIC.
5. The remote LAN would use their VPN Device as the "gateway"
to your LAN.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com





 

Bill Grant
02-28-2006, 10:10 PM
(E-Mail Removed) wrote:
> Hi,
>
> * a PC is outside our firewall and has VPN connection to another
> network.
> * I installed a 2nd network card in order to include this machine in
> our network.
> * My final goal is to reach that VPN destination from inside our
> network
>
> Questions:
>
> Is it safe? Am I creating a backdoor to our network this way? Can I
> limit the outside NIC to flow traffic ONLY for VPN connection? Would
> that eliminate most of the risk?
>

No, it is not safe. You have bypassed the firewall and exposed your LAN
to the Internet.

> In XP when I bridge both connections the bridge connection just
> obtains an internal network IP and acts as a computer on the network.
> (uses internal gateway, DNS, etc.) But I can't ping the VPN destination
> that I previously could from the outside IP. How do I make it recognize
> both the VPN network and the internal network?
>

You cannot bridge connections which are in different IP subnets.
That requires routing.

> Do I need to add some IP forwarding routing?


What you are trying to do probably wouldn't work, even with IP routing
enabled. You cannot just "share" a VPN connection to other clients. The VPN
server will only route traffic to the VPN client, not to other machines on
the LAN.

> Any docs on how to setup vpn-internet-internal network connections
> would be nice.


What you need is a routed VPN connection from your firewall to the
remote server. The key words are LAN to LAN or router to router VPN
connections.
>
> Thank you. Sergey



 

sxzy@yahoo.com
03-02-2006, 01:06 PM
Problem is our firewall is not supported by the vendor's VPN gateway
(Freeswan) and we are having a problem with the VPN tunnel (it drops
the connection). So the vendor suggested creating a VPN IPsec tunnel from
a Win XP machine (they will support that), but this machine cannot be
behind the firewall. So what can we do?

Can't we replicate something that's described in this link?
http://www.windowsnetworking.com/j_helmig/routeset.htm

Can't we limit all traffic on the outside NIC to allow only encrypted VPN
traffic, thus preventing any access from the Internet?






 

Bill Grant
03-03-2006, 12:02 AM
Why can't you install the VPN machine behind the firewall? Is that also
caused by a limitation of your firewall?




 

sxzy@yahoo.com
03-03-2006, 06:19 PM
Bill, the vendor told us it can't be a translated IP (i.e. internal
IP -> external IP). It might have something to do with their Freeswan VPN
software, but I'm not sure. So the IP has to be the NIC's IP, not
translated. Which leaves us having to put it on the outside.

I have tried enabling IP forwarding in WinXP through the registry
(http://support.microsoft.com/?kbid=315236) and creating a bridge using two
NICs, and then implementing route add on another machine as a gateway.
However, I still can't ping yahoo from machine1 through WinXP (2 NICs).
tracert gets to the 2nd NIC's IP, but dies after that.




 

sxzy@yahoo.com
03-03-2006, 07:55 PM
Phillip, here is a thread where you answered someone with a similar question. I
believe I am trying to do the same thing + VPN. However, if we subtract the VPN
complication and substitute Domain 2 with the public Internet, can it be
done? Or do we need to alter the routing table in our gateway ATT router
(which we don't have access to), and is that where our problem lies?

http://groups.google.com/group/micro...230066521d9c87





 

sxzy@yahoo.com
03-03-2006, 08:30 PM
Here is summary of what I am trying to accomplish:

NETWORK:
IP Address 10.0.0.50
Subnet Mask 255.255.255.0
Gateway 10.0.0.30

------------------------------------------------------------

Multihomed WinXP (with IP forwarding enabled)

NIC 1
IP Address 10.0.0.30
Subnet Mask 255.255.255.0
Gateway None

NIC 2
IP Address 12.124.50.100 (public IP)
Subnet Mask 255.255.255.192
Gateway 12.124.50.111 (public IP gateway)

------------------------------------------------------------

Client on Domain 2
IP Address yahoo.com
Subnet Mask ???
Gateway ???

Our goal is to be able to ping yahoo.com from 10.0.0.50. So far our
tracert to yahoo.com from 10.0.0.50 halts at 12.124.50.100. What are
we missing?

 

Phillip Windell
03-03-2006, 10:07 PM
<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Bill, vendor told us it can't be a translated IP (i.e internal
> ip->external ip). It might have something to do with their Freeswan VPN
> software, but I'm not sure. So the IP has to be NIC's IP, not
> translated. Which leaves us having to put it on outside.


If it is behind the Firewall it *will* have an external IP#,...it will show
as coming from the Firewall's IP#,...which is external. The Vendor's
system can't tell the difference.

I'll re-visit your other posts when I get back on Monday, if someone else
hasn't solved it by then.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 

sxzy@yahoo.com
03-06-2006, 06:24 PM
One thing I've been thinking is that perhaps I need to tell my ISP to
add a route into gateway router. Right now it routes everything to my
firewall. If I add a WinXP gateway outside for VPN purposes I prob need
to add a route to that XP machine to forward to this new gateway all
VPN traffic.
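Added illustration, not code from the thread: a small Python model of the summary post's topology (10.0.0.50 behind a multihomed XP box with IP forwarding, public NIC 12.124.50.100/26, gateway 12.124.50.111), with longest-prefix routing on every box and an optional NAT on the XP box's public side. Tracing a packet from 10.0.0.50 to a stand-in Internet host shows it leaves through the XP box fine, but nothing upstream has a route back to 10.0.0.0/24, which is why the tracert dies at 12.124.50.100 and why Bill says a client's connection cannot simply be shared; with the XP box translating inside sources to 12.124.50.100 (Phillip's "it will show as coming from the Firewall's IP") the round trip completes. Assumptions: the 198.51.100.x addresses are constructed documentation addresses standing in for yahoo.com, and the isp_routes_lan option models this post's idea of having the ISP route the LAN via the XP box, which also shows why Bill calls the setup unsafe: every Internet host then has a path into 10.0.0.0/24.

```python
from ipaddress import ip_address as IP, ip_network as NET

class Node:  # a box: interface addresses, static routes, forwarding flag, optional NAT
    def __init__(self, name, addrs, routes, forward=False, nat=None):
        self.name, self.addrs, self.forward = name, {IP(a) for a in addrs}, forward
        self.routes = [(NET(p), None if nh is None else IP(nh)) for p, nh in routes]
        self.nat = None if nat is None else (IP(nat[0]), NET(nat[1]))  # (public addr, inside prefix)
        self.nat_table = {}  # public address -> inside source it replaced

    def next_hop(self, dst):  # longest-prefix match; None means the destination is on-link
        hits = [(n, nh) for n, nh in self.routes if dst in n]
        if not hits:
            raise LookupError(f"{self.name} has no route to {dst}")
        return max(hits, key=lambda h: h[0].prefixlen)[1]

def owner(nodes, ip):  # the node holding this address on an interface, if any
    return next((n for n in nodes if ip in n.addrs), None)

def send(nodes, src, dst, ttl=16):  # walk one packet; returns (hops, outcome, src as last seen)
    src, dst = IP(src), IP(dst)
    here, hops = owner(nodes, src), []
    for _ in range(ttl):
        hops.append(here.name)
        dst = here.nat_table.get(dst, dst)  # reverse-NAT a reply sent to the public address
        if dst in here.addrs:
            return hops, "delivered", src
        if len(hops) > 1 and not here.forward:
            return hops, f"{here.name} does not forward", src
        if here.nat is not None and src in here.nat[1]:  # masquerade inside sources
            here.nat_table[here.nat[0]], src = src, here.nat[0]
        try:
            nxt = here.next_hop(dst)
        except LookupError as e:
            return hops, str(e), src
        here = owner(nodes, dst if nxt is None else nxt)
        if here is None:
            return hops, f"next hop {dst if nxt is None else nxt} has no owner", src
    return hops, "ttl exceeded", src

def round_trip(nodes, src, dst):  # forward trip, then the reply to the source the far end saw
    fwd, status, seen = send(nodes, src, dst)
    if status != "delivered":
        return fwd, [], status
    back, status, _ = send(nodes, dst, str(seen))
    return fwd, back, status

def build(nat_on_xp=False, isp_routes_lan=False):  # constructed model of the summary post
    return [Node("client", ["10.0.0.50"], [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.30")]),
            Node("xp", ["10.0.0.30", "12.124.50.100"], [("10.0.0.0/24", None), ("12.124.50.64/26", None),
                 ("0.0.0.0/0", "12.124.50.111")], forward=True,
                 nat=("12.124.50.100", "10.0.0.0/24") if nat_on_xp else None),
            Node("isp", ["12.124.50.111", "198.51.100.1"], forward=True, routes=[("12.124.50.64/26", None),
                 ("198.51.100.0/24", None)] + ([("10.0.0.0/24", "12.124.50.100")] if isp_routes_lan else [])),
            Node("remote", ["198.51.100.10"], [("198.51.100.0/24", None), ("0.0.0.0/0", "198.51.100.1")])]
```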

 