
Initiating Simultaneous VPN Tunnels via 1 Public IP Address

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Eganopperman, Jul 11, 2006.

  1. Eganopperman

    Eganopperman LI Guru Member

    Hello, I'm new to configuring VPN connections. What I want to accomplish is this. I would like to place a BEFVP41 router at home with a computer behind the router acting as the "backend" of a Microsoft Access database server (i.e. this is where the database tables reside for purpose of centralizing the data). The front end of the database application (i.e, the database forms and modules) reside on each of our three computers at the office. The trick is to have the database application "attach" to the database tables on the computer behind the VPN router at home. To accomplish this, the drive letter of the back end computer behind the VPN router has to be mapped as a network resource of the front end computers. We have limitations at the office suite. There are a number of tenants having separate networks behind a router without VPN capabilities. As far as I know, the router has only one public IP address, and I don't think it's practical for us to get a separate internet connection in the office. That is why I'm looking to a VPN Client software solution. The problem is that I have tested this configuration at home where I have two internet connections with two public IP addresses. I attached the BEFVP41 to my static DSL connection and then through the other connection (a dynamic address) I made separate VPN tunnels to the backend computer from two laptops. However, I would get disk errors when the laptops accessed the database. This is not a database issue because when I have the laptops access the backend from separate IP addresses they worked fine. I had a chat with a Linksys support person who thought that because of the nature of VPN traffic when you have two computers on a LAN using VPN client software behind a non-VPN router the non-VPN router has to forward packets coming from ports 50, 500, 1723 and also include GRE(?) 47. 
Now at the office I have successfully established (one at a time) a VPN connection back to the machines (which are assigned private IP addresses through DHCP) without any port forwarding. Intuitively, I would think that if the office router sends out packet traffic from a LAN computer the router could figure out how to route the return traffic from the BEFVP41 to the originating LAN computer (unless I guess the return traffic is encapsulated and the information and the unencrypted traffic the routing information is coming through ports 50, 500, etc.) As I said, I'm new to all this and a little IT knowledge is dangerous. Putting a VPN router in the office suite is probably not doable, so we are left with using VPN client software. I will be testing for simultaneous VPN connections from the office soon. Does anyone have any suggestions?
     
  2. Toxic

    Toxic Administrator Staff Member

    just a quick question, could you tell me why you cannot have the database at the office?
     
  3. Eganopperman

    Eganopperman LI Guru Member

    Simon, good question. The answer is because multiple persons are inputting data into the database, and if the data is not on one server you have the chance that the changes won't be synchronized. Also, we want to access the database at different remote locations and the router in the office suite does not have VPN capabilities. To pull this off, the front end computer needs to map locally the remote computer's drive resource. This is how the frontend of the database (having the forms and modules) attaches to the backend (where the data tables are located). There are other tenants in the office suite with networks and we don't want to do anything to disrupt their network systems. The suite uses an outside IT person who has told me he is not knowledgeable concerning VPNs. So establishing VPN connections using VPN client software on our office computers seems, at least to me, to be a practical solution. This, of course, is premised on the proposition that the simultaneous VPN traffic from the local VPN clients behind the non-VPN router and to the remote BEFVP41 does not create network errors. I'm pretty sure this is not a database problem because Microsoft Access can act as a server even if it's running on a plain XP machine rather than a Windows Server machine. Egan. Also, as I stated in my original post I have made simultaneous VPN connections from separate public IP addresses and accessed the backend database without network errors. I now use my ISP as 3rd party who provides at their site an Outlook Exchange server for my email, calendar, contacts, and notes. I believe this is done through a VPN tunnel. One way around my problem would be to place the backend of the database on a 3rd party internet company's server and then use a VPN client application to establish a VPN connection to a dedicated server operated and managed by a professional IT staff. This assumes that we would be able to map locally the 3rd party server as a drive resource. 
Then you have the issue of off loading sensitive information on a 3rd party server which may not be secure. Is such a service available, and if so can it be purchased at a reasonable price? I'm guessing a lot of companies not wanting the headaches of managing remote and local VPN machines would be willing to use a 3rd party provider. Egan.
     
  4. sufrano63

    sufrano63 Network Guru Member

    what type of VPN are you trying to establish...PPTP, IPSec or SSL?

    ...Also, we want to access the database at different remote locations and the router in the office suite does not have VPN capabilities.

    If the office router doesn't have VPN capability, how do you expect to establish a VPN connection to your office?
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    At first glance, your request doesn't seem too difficult, it's just getting past the sticky parts :) Just make sure you have "PPTP" and "IPSEC" passthru enabled and that will take care of translating return traffic.

    As an example, your BEFVP41's pass thru settings will depend on the vpn client you choose. You can use Greenbow VPN or SSH Sentinel with the BEFVP41 because it supports IPSEC (UDP 500), which is probably a good choice, therefore meaning your BEFVP41 needs to have "IPSEC passthru" enabled. Instructions to configure greenbow can be found here:

    http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=6853

    Instructions for configuring SSH Sentinel can be found here:

    http://pages.infinit.net/flogator/VPN_Instruction2.pdf#search='ssh%20sentinel%20%20flogator'

    What is the operating system of the computer that's hosting the Access Database (XP Home, Professional, or Server)? If you're running one of these, and provided your router allows GRE (Protocol 47) through, you could forward port 1723 to the ip address of the computer running the device (it would need to be configured as a vpn server), thus allowing you to use the Microsoft vpn client on the remote workstations requiring access. This means your BEFVP41 needs to have "PPTP Passthru" enabled.

    Here's a link to configure an XP computer as a vpn server:

    http://www.onecomputerguy.com/networking/xp_vpn_server.htm

    I can't remember exactly what the maximum number of simultaneous connections an xp pro machine allows off the top of my head at the moment, but a quick search on the internet should give you the answers you need for that :)

    The one thing on my mind right now is how many simultaneous connections will be allowed "out" from the router where your remote clients will be connecting from; this has been a major show stopper for some people. Ideally, a vpn endpoint-enabled router would be good, thus allowing you to establish a "tunnel" from one side to the BEFVP41 (which supports IPSEC tunnels) killing the need for separate clients for each machine and allowing you to get around the "simultaneous out" connection problem some routers have. Arrgh, but you already said that wasn't a choice...

    If the WRV200 were a little more stable, that would be a good option because you could actually set it up "behind" your current internet connected router (as long as its WAN IP address was on the same subnet as the internet connected router) and establish a NAT-T enabled tunnel directly from the WRV200, through your local primary router and directly to your BEFVP41 via a "site-to-site" tunnel configuration (I've made this work with my WRV200 from behind my CISCO PIX 501 and connected to a CISCO PIX 501 on the other side). Sadly, a firmware fix is needed for the WRV200 (it reboots crazily when you enable IPSEC VPN).

    A final solution I could suggest is "OpenVPN":

    http://openvpn.net/

    This solution is FREE, totally script-based, and is a secure proven solution. The bitch part is that it's "hella scripting" to be done, but there are some examples to show you how to get started. I personally never had the patience to get this to work, but it does, and quite well, I've been told. You load the client script on your office machines and the server script on your machine at home; providing you've got the configs right, there's your vpn!

    Pardon the shotgun effect, but I wanted to throw out as many ideas as possible...

    Doc
     
  6. sufrano63

    sufrano63 Network Guru Member


    I have OpenVPN running on my WRT54G router and connecting from my office to my home network and route all traffic including web browsing and it's great. OpenVPN uses SSL VPN and it's secure and easy to use, given that you have the server and client config correctly... :D
     
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Surfrano,

    would you care to make sample "client" and "server" script available to the peops when you get a moment? SoonerAl has one also, but it's interesting to see what variants people use :)

    Doc
     
  9. sufrano63

    sufrano63 Network Guru Member

    Here is my server config:

    # Create the tap0 interface and add it to the LAN bridge so VPN clients
    # sit on the home LAN (bridged / tap mode)
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    # Write the CA cert, server key/cert and DH parameters to /tmp at boot;
    # paste your own PEM blocks in place of the placeholders
    echo "
    -----BEGIN CERTIFICATE-----
    ...INSERT YOUR OWN CONTENT HERE...
    -----END CERTIFICATE-----
    " > /tmp/ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    ...INSERT YOUR OWN CONTENT HERE...
    -----END RSA PRIVATE KEY-----
    " > /tmp/server.key
    # The private key must not be readable by anyone but root
    chmod 600 /tmp/server.key
    echo "
    -----BEGIN CERTIFICATE-----
    ...INSERT YOUR OWN CONTENT HERE...
    -----END CERTIFICATE-----
    " > /tmp/server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    ...INSERT YOUR OWN CONTENT HERE...
    -----END DH PARAMETERS-----
    " > /tmp/dh1024.pem
    # Start the TLS server on TCP 443 in server mode, daemonized;
    # --client-to-client lets connected clients talk to each other
    ln -s /usr/sbin/openvpn /tmp/myvpn
    sleep 5
    /tmp/myvpn --dev tap0 --tls-server --ca /tmp/ca.crt --cert /tmp/server.crt --key /tmp/server.key --dh /tmp/dh1024.pem --comp-lzo --port 443 --proto tcp-server --mode server --client-to-client --keepalive 15 60 --verb 3 --daemon

    My client config:

    remote dyndns.homeip.net 443
    resolv-retry infinite
    proto tcp-client
    dev tap
    nobind

    ca "E:\\OpenVPNKey\\ca.crt"
    cert "E:\\OpenVPNKey\\client1.crt"
    key "E:\\OpenVPNKey\\client1.key"

    ns-cert-type server
    tls-client

    comp-lzo
    persist-key
    persist-tun

    verb 3
    ;mute 20
    mute-replay-warnings

    Remember I have this running on my WRT54G router using dd-wrt firmware instead of having it run on a PC or laptop. I use the same config on their wiki with a few mods.

    http://www.dd-wrt.com/wiki/index.php/OpenVPN
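As an added example (not code from this thread or from the dd-wrt project), the script below parses both forms of OpenVPN options shown above, the dd-wrt command line and the Windows client file, and reports the settings a defender would review before rolling this pair out to office PCs; the sample inputs are reconstructed from the post above, and the `audit` checks are this example's own, not an OpenVPN feature.

```python
"""Audit the OpenVPN 2.x option pair (dd-wrt server, Windows client) shown in this thread."""
import shlex

# Constructed samples reconstructed from the post above: dd-wrt starts the
# server from a command line, the Windows client reads a config file.
SERVER_CMDLINE = (
    "/tmp/myvpn --dev tap0 --tls-server --ca /tmp/ca.crt --cert /tmp/server.crt "
    "--key /tmp/server.key --dh /tmp/dh1024.pem --comp-lzo --port 443 "
    "--proto tcp-server --mode server --client-to-client --keepalive 15 60 "
    "--verb 3 --daemon")
CLIENT_FILE = """remote dyndns.homeip.net 443
proto tcp-client
dev tap
ca "E:\\\\OpenVPNKey\\\\ca.crt"
ns-cert-type server
tls-client
comp-lzo
;mute 20
"""

def parse(text):
    """Return {option: [arglist, ...]} from a config file or an --option command line."""
    opts = {}
    if " --" in text:                                  # command-line form
        cur = None
        for tok in shlex.split(text)[1:]:              # [1:] drops the program path
            if tok.startswith("--"):
                cur = tok[2:]
                opts.setdefault(cur, []).append([])
            elif cur is not None:
                opts[cur][-1].append(tok)
        return opts
    for line in text.splitlines():                     # config-file form
        line = line.strip()
        if line and line[0] not in ";#":               # ';' and '#' start comments
            words = shlex.split(line)
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def first(opts, name, default):
    """First argument of an option's first occurrence, or the default."""
    return opts.get(name, [[default]])[0][0]

def audit(server, client):
    """Findings a defender would raise before handing this pair to office PCs."""
    out = []
    # Without a role check the client accepts any CA-signed cert as the server, even another client's
    roles = client.get("ns-cert-type", []) + client.get("remote-cert-tls", [])
    if ["server"] not in roles:
        out.append("client does not verify the server certificate role")
    if "tls-auth" not in client and "tls-crypt" not in client:
        out.append("no tls-auth/tls-crypt: port 443 answers a TLS handshake from anyone")
    if "client-to-client" in server:
        out.append("client-to-client lets every connected PC reach the others")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        out.append("comp-lzo on one side only: the tunnel will not pass traffic")
    sproto, cproto = first(server, "proto", "udp"), first(client, "proto", "udp")
    if (sproto == "tcp-server") != (cproto == "tcp-client"):
        out.append(f"proto mismatch: server {sproto}, client {cproto}")
    return out

if __name__ == "__main__":
    for finding in audit(parse(SERVER_CMDLINE), parse(CLIENT_FILE)):
        print("-", finding)
```

On the sample pair it reports two items (no tls-auth, client-to-client enabled); removing `ns-cert-type server` from the client adds the server-role finding.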
     
  10. DocLarge

    DocLarge Super Moderator Staff Member Member

    Nice one, Surfano, thanks...

    Doc
     
  11. SoonerAl

    SoonerAl LI Guru Member

    XP supports one incoming VPN connection at a time...

    From the XP Resource Kit...

    http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/c25621675.mspx#EBE

    Incoming Connection Types

    By creating an incoming connection, a computer running Windows XP Professional can act as a remote access server. You can configure an incoming connection to accept the following connection types: dial-up (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct cable connection as shown in Table 25-1. On a Windows XP Professional–based computer, an incoming connection can accept up to three incoming calls, up to one of each of these types. This can be an effective, low-cost option in a telecommuter’s home office or a remote office to which the corporate network occasionally needs to send data.
     
  12. Eganopperman

    Eganopperman LI Guru Member

    Further discussion re Simultaneous VPN connections

    sufrano63 & DocLarge, thanks for the responses.

    sufrano63 asks: “what type of VPN are you trying to establish...PPTP, IPSec or SSL?” Answer: Because I’m using the BEFVP41 I guess I’m stuck using the IPSec protocol.

    sufrano63 asks: “If the office router doesn't have VPN capability, how do you expect to establish a VPN connection to your office?” Answer: From the BEFVP41 to machines running VPN client software. Currently, we’re testing out SSH Sentinel v.1.4 as the client.

    DocLarge states: “Just make sure you have "PPTP" and "IPSEC" passthru enabled and that will take care of translating return traffic.” Response: Are you talking about settings on the BEFVP41 or the office router (which doesn’t have VPN support)? In configuring the BEFVP41, I went to the VPN setup page and created a number of individual tunnels, each with its own preshared key. In regard to VPNs, I didn’t make any further configuration changes to the BEFVP41, assuming the BEFVP41 automatically took care of all other issues such as IPsec passthru. As I stated, with the aforementioned configuration of the BEFVP41, and following the directions for setting up the Sentinel client on the computers behind the office suite router, I have been able to successfully make single VPN connections. The issue now is simultaneous VPN connections originating from a single public IP address and getting network disk errors on the machines initiating the VPN connections. Simultaneous VPN connections to the BEFVP41 from different public IP addresses seem to work properly.

    DocLarge asks: “What is the operating system of the computer that's hosting the Access Database (XP Home, Professional, or Server)?” Answer: XP Home.

    DocLarge states: “If you're running one of these, and provided your router allows GRE (Protocol 47) through, you could forward port 1723 to the ip address of the computer running the device (it would need to be configured as a vpn server), thus allowing you to use the Microsoft vpn client on the remote workstations requiring access.” Question: When you say the “computer running the device (it would need to be configured as a vpn server)” do you mean enabling the VPN capabilities of the BEFVP41? If so, yes I have done that.

    DocLarge states: “thus allowing you to use the Microsoft vpn client on the remote workstations requiring access. This means your BEFVP41 needs to have "PPTP Passthru" enabled.” Response: When you say “use the Microsoft vpn client” are you speaking about using the built-in VPN capabilities of the Windows operating system in lieu of the Sentinel client application?

    DocLarge states: “I can't remember exactly what the maximum number of simultaneous connections an xp pro machine allows off the top of my head at the moment, but a quick search on the internet should give you the answers you need for that” Response: It’s my understanding that at least with XP Home, it can only receive one VPN connection at a time.

    DocLarge states: “Ideally, a vpn endpoint-enabled router would be good, thus allowing you to establish a "tunnel" from one side to the BEFVP41 (which supports IPSEC tunnels) killing the need for separate clients for each machine and allowing you to get around the "simultaneous out" connection problem some routers have. Arrgh, but you already said that wasn't a choice...” Response: I agree. From what I understand, VPN router to VPN router is the preferred method. However, we once tried putting a wireless router behind the suite’s router but it created a number of complications.

    DocLarge states: “A final solution I could suggest is "OpenVPN": This solution is FREE, totally script-based, and is a secure proven solution. ...” Response: I believe in another posting SoonerAl suggested OpenVPN. I need to learn about OpenVPN. I assume it's a software application that turns a computer into a VPN server. The theory would be that OpenVPN runs at both the remote and local locations creating an endpoint to endpoint connection??? The problem is that we would like to have remote connections to the backend computer out in the field. Can OpenVPN run on the local machine as a client similar to SSH Sentinel? Egan.
     
  13. TazUk

    TazUk Network Guru Member

    All I can say is it's going to be slooooooow :shock:
     
  14. SoonerAl

    SoonerAl LI Guru Member

    Re: Further discussion re Simultaneous VPN connections

    All of this is off the original topic, but to attempt to answer this question...

    Depending on how you have the OpenVPN server and client firewalls setup you can access/transfer files both ways through the OpenVPN tunnel once its established.

    For example on my laptop OpenVPN client I can configure the XP SP2 Windows Firewall to allow File & Print Sharing (FP&S) but limit the address scope to my two home XP Pro desktops (using their private LAN IP address in the custom scope settings).

    Once my laptop client connects to my home OpenVPN server (running on one of my XP Pro desktops) I can access any shares on either of my two desktops from the laptop or access a shared folder on my laptop from either desktop.

    Now to be clear, I did this only for testing to verify I could set this up and make sure it worked. In normal circumstances my laptop Windows Firewall is configured for No Exceptions.

    Normally I configure the XP SP2 Windows Firewall on each of my desktops to only allow FP&S to be accessed by specific IP addresses, ie. each desktop can access the others shares and the laptop can access shares on each desktop (either via the OpenVPN tunnel or over my home wireless LAN segment). If I need to get a file or files from one of my desktops to my laptop I initiate the transfer from the laptop.

    Note that I assign specific IP addresses to OpenVPN client PCs/laptops from the server based on the client name. In my case it's easy since I only have two clients, ie. myself and my brother. In his case he can reach shares on my desktop PC but not my wife's desktop PC while connected with OpenVPN. I, on the other hand, can access any share on any of our two desktops.
     
  15. Eganopperman

    Eganopperman LI Guru Member

    GRE and Non-VPN Router

    Surfano, DocLarge, and SoonerAl, again thanks for taking your time to respond to my inquiry. I spoke with the suite's IT person who told me that the suite's router had limited (and very poorly documented) VPN functionality. He further stated that the router had problems in regard to passing Generic Router Encapsulation Protocol (GRE) information back to the local LAN, particularly if there were multiple machines sending out VPN traffic. From what I understand, the only effective solution is to get our own public IP address and put our computers behind a vpn router and make vpn router to vpn router connections. Egan.
     
  16. sufrano63

    sufrano63 Network Guru Member

    Re: GRE and Non-VPN Router

    If you decide to go that route, I suggest getting a router supported by dd-wrt firmware and you're all set. dd-wrt supports both PPTP and OpenVPN. No need for a dedicated PC to run a VPN server. My $60 Linksys router WRT54Gv3.1 is now a VPN server. Everything you need to know about dd-wrt. Very easy to use.

    http://www.dd-wrt.com/wiki/index.php/DD-WRT_Docu_(EN)

    http://www.dd-wrt.com/wiki/index.php/Installation#Supported_Devices

    I have both Linksys WRT54Gv3.1 and Buffalo WHR-G54S running dd-wrt SP1 final.

    Using PPTP:

    I supply my guest with ID and PW and the guest can connect using the XP built-in VPN client to connect to my VPN server (WRT54G)

    Using OpenVPN:

    This one I only used for myself 'cause it required an OpenVPN client install on the laptop or PC using a virtual adapter. Plus my office blocks all ports except 443, which I bypass.... :thumbup:
     
