Question about VPN & Dual Network Connections

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
Hey guys...hopefully one or more of you can give me some guidance on this....

I have this VPN software I got from my work. I use it to connect to the network at work through my SMC cable/dsl router which has VPN pass-through. I can access the intranet, use my Notes, map network drives etc. It's pretty cool. I can even login to my Unix workstation with an X-session (Exceed) and use it from home, which is coming in very handy these days.

The only problem I have is that, when I have the VPN connection going, I can't access the rest of my local network which is also connected to the cable/dsl router. I guess since I am connected to the Virtual Private Network, I am no longer a part of my home network. This is kind of inconvenient if I want to administer any of my other home machines (downstairs) from my main machine (upstairs) or if I just want to transfer some files to/from my 80GB file server downstairs. I can't always just stop the VPN connection to connect to the local network because, sometimes, I have some large computationally intensive jobs running on my UNIX box which don't allow me to logoff for up to several hours (unless I were to use nohup, I think).

Anyway, since my cable/dsl router still has one port available for me to plug into, could I put a second NIC into the machine that uses the VPN so I can access my local network through it while still remaining connected to (and accessing) the VPN? Any help would be appreciated...

Thanks,
Clocker
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
You will most likely need at least a second NIC and you will need to configure routing on your local computer OS.

When you are on the VPN your computer's IP address will be different than your home IP addr unless you've assigned your local IP addresses and subnets to match your office and that would not be normal SOP. If you wish to use the office ip addressing scheme on your home network then you'll need to ask permission of your office network administrator to get compatible IP addresses. They need to assign the addresses to prevent you from duplicating addresses. If you can't get compatible IP addresses (most likely - It's a hard sell to the network administrator), then you will need 2 network cards one for the VPN and one for the home network.

Beyond that you will need routing between the Local and office IP addresses. You can deal with that via (XP, W2k, NT4) OS's which can deal with the routing when configured correctly.
 

Clocker

Storage? I am Storage!
P5-

Thanks for taking the time to respond....especially so late in the evening.

Asking permission of my office network administrator to get compatible IP addresses is definitely not going to happen. Can you give me any more details about routing between the local and office IP addresses and how I would configure that in Win2K/XP?

Also, if the additional information helps...I notice that when I start the VPN client, a Nortel IPSec miniport thingy loads up. Also, the VPN program requires that WinXP's IPSec service be disabled/shut down.

Thanks,
C
 

P5-133XL

Xmas '97
First, disabling the Windows IPsec service would be normal for an external VPN client. It is so that your computer does not try to authenticate with the direct connection (which it can't). The Nortel IPsec is used so that your computer authenticates within the VPN tunnel rather than outside the tunnel, as Microsoft's IPsec service would do.

Routing within XP is significantly limited compared to W2k and much simpler to set up. With XP the only protocol supported is RIP v1 or v2, which will be fine if your office is using one of those routing protocols. To route using XP, simply add the RIP Listener service as a component of Networking Services from Add/Remove Programs.

With W2k, routing is rather complex to set up properly. So I will start out with the hope you are using XP with RIP rather than trying to step you through W2k routing.
 

James

Storage is cool
Joined
Jan 24, 2002
Messages
844
Location
Sydney, Australia
VPN tunnels and your NIC should appear as separate connections under Network Connections. Theoretically you should actually be able to route between them (right click on one, select "Bridge Connections"). You should then be able to connect to both your local network and your office network at once, assuming the VPN advertises its routes correctly and your local IP address range doesn't overlap with anything reachable through the VPN connection.

However, this bridging may or may not be a good idea. If your employer is anything like mine the very instant you plug even a modem into the network you have created a security risk. If you provide a bridge through your PC from your home network (and potentially the Internet) to your office network you open up all sorts of potential security holes.

So make sure you know what you're doing. :)

One other thing. If you have the ability to compile on your work Unix boxes, do yourself a favour and install "Screen." That way you can disconnect from a Telnet session but it keeps all your processes going. You can even Telnet in from home, set something going, detach, and reattach to the same session once you get into work.
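To make the routing point in this thread concrete, here is an added example (not code from any poster, and not Windows code): a toy longest-prefix-match lookup over constructed route entries that shows why the downstairs file server disappears once the VPN client installs a default route into the tunnel, why a more specific route for the home subnet via a second NIC brings it back, and the overlap check behind James's caveat. The 192.168.1.0/24 home LAN, the 10.0.0.0/8 office range, the interface names and the assumption that the client installs a default route into the tunnel are all assumptions.

```python
import ipaddress

def lookup(route_table, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    which is how a Windows 2000/XP host picks among `route print` entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Constructed sample values (assumptions, not from the thread).
HOME_LAN = "192.168.1.0/24"     # behind the cable/dsl router
FILE_SERVER = "192.168.1.50"    # the 80GB box downstairs
OFFICE_HOST = "10.20.30.40"     # a hypothetical host reached over the VPN

# While the VPN client is up it is assumed to install a default route into
# the tunnel, so everything, the local file server included, goes to work.
VPN_ONLY = [
    ("0.0.0.0/0", "vpn"),
    ("10.0.0.0/8", "vpn"),
]

# A second NIC on the home LAN contributes a /24 route for that subnet,
# which beats the /0 default in the longest-prefix match.
TWO_NIC = VPN_ONLY + [(HOME_LAN, "lan2")]

def overlaps(local_prefix, vpn_prefixes):
    """James's caveat: if the home range overlaps a route learned over the
    VPN, no route unambiguously selects the local side. The default route
    (/0) is skipped because it overlaps everything by definition."""
    local = ipaddress.ip_network(local_prefix)
    return [p for p in vpn_prefixes
            if ipaddress.ip_network(p).prefixlen > 0
            and ipaddress.ip_network(p).overlaps(local)]

if __name__ == "__main__":
    vpn_routes = [p for p, _ in VPN_ONLY]
    print("VPN only, file server via:", lookup(VPN_ONLY, FILE_SERVER))
    print("two NICs, file server via:", lookup(TWO_NIC, FILE_SERVER))
    print("two NICs, office host via:", lookup(TWO_NIC, OFFICE_HOST))
    print("home LAN overlaps VPN routes:", overlaps(HOME_LAN, vpn_routes))
```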
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,269
Location
I am omnipresent
*I* was just about to mention screen, but I see James beat me to it. <sniff> Your X session, though, should run whether or not you're there.

Anyway, I just thought I'd mention that a huge, gaping hole was found in Microsoft's PPTP over the weekend.

There isn't a fix yet from Microsoft.

This is the kind of thing that somewhat annoys me, since I've set up VPN systems for businesses before, usually only after explaining repeatedly that their data will be secure. :(
 

Clocker

Storage? I am Storage!
So I don't need a 2nd NIC then? Would that be an easier config if my system isn't using RIP (I'll check it tonight). Some German sounding name is sticking in my head...not sure...

C
 

ihsan

What is this storage?
Joined
Oct 6, 2002
Messages
66
Location
Petaling Jaya, Malaysia
Website
ihsan.synthexp.net
Hope I'm not being intrusive.

Just curious, do you do AH or ESP on that VPN of yours, and how does it interconnect, performance-wise, with the public network outside? I did a local VPN in my home (2 networks, each with a firewall and a VPN endpoint) and the performance is truly bad. Both gateways are handled by FreeBSD's IPsec and ipfw respectively. I tried transferring large files between the two but it's a huge dropoff from 600+ Mbps (ipfw) to around 220+ Mbps (VPN & ipfw). The ESP calculation is done in the host CPU. I expected much lower performance with firewall and VPN rules turned on, but I did not expect it to be this low. Do I need to get a dedicated IPsec NIC just to improve upon this?

I read from the RFC that AH cannot be used whether in transport or tunnel mode, so I'm doing it with ESP. What's the delta in performance between AH and ESP? Does all the encryption add much to the overhead as compared to AH? I'm using NAT on each gateway. My ISP does support VPN on its end but I hesitated on using it because of the disastrous results I'm getting on my local home network. And I'm pretty much left with ESP because they use NAT on their gateway machine.
 

Clocker

Storage? I am Storage!
Here is some of the information that I have on my VPN Client. It is the Contivity Client by Nortel Networks.

I don't know what to make of this.... No new Network Connections 'appear' in the Network Connections panel when I connect to the VPN. Not sure what connection I can 'Bridge' to...

[screenshot attached: vpn.gif]
 

Mercutio

Fatwah on Western Digital
ihsan, I suspect you'll see some serious performance loss in any case. Will the processor handling IPSec on, say, a 3Com NIC really do better than the processor handling parity calculations on a mid-range RAID controller? VPN = a lot of overhead.

That's kind of a cool experiment to do in any case.
 

Clocker

Storage? I am Storage!
I'm still stuck. I have the 2nd NIC installed but I don't know WTF I am doing. I'm pretty sure my work is not using RIP1 or RIP2 based on the screenshot above, so I guess I'm SOL???

I tried setting up a WinXP VPN connection to my work but it didn't seem to work.....the Contivity thing works OK though. But, I still can't access my local network with the VPN going (even with the 2nd NIC installed).


HeLP!?! :eekers:

C
 

Mercutio

Fatwah on Western Digital
Hey Kev, you know that if you look in the advanced properties for IP on 2000 or XP, you can assign multiple IPs to a single physical port, right?

You set up IP for your VPN. You set up IP locally. You don't really need to establish routing unless you want to be able to hit your work machines from one of the ones that's not doing the VPN. If that's the case, your answer is to set up ICS.
 

Clocker

Storage? I am Storage!
I figured out how to fix my problem....

I installed a 2nd NIC and am using it with NetBEUI (which can't access the net) to access my shares. I guess that's kind of cool because it is completely separate from my net connection as well. NetBEUI is not officially supported by XP so I had to manually install it from the XP CD.

I tried what you mentioned, Merc, but I don't think it would work with me. When I use the Contivity client it changes the IP assigned via DHCP from my NAT router to some number (from the Contivity server) which I can't predict. So, I did not know what IP to put in there.

This two NIC setup seems to be working great....does anybody have any ideas for other ways I could have done this? The only problem seems to be that if I want to access the Net I have to do it through my work proxy server (while I'm connected via the VPN).

C
 

Cliptin

Wannabe Storage Freak
Joined
Jan 22, 2002
Messages
1,206
Location
St. Elmo, TN
Website
www.whstrain.us
Clocker said:
I tried what you mentioned, Merc, but I don't think it would work with me. When I use the Contivity client it changes the IP assigned via DHCP from my NAT router to some number (from the Contivity server) which I can't predict. So, I did not know what IP to put in there.

If you know what the DHCP range is that your router wants to hand out, you could either put in something outside the range but still in the same subnet (only change the last octet) or put in something on the high side of the DHCP range (230-250). The point is to not conflict with an address that has been handed out dynamically.
 