Home > Archive > Unix Programming > June 2006 > routing into a Windows VPN

routing into a Windows VPN
Henry Townsend 2006-06-12, 1:25 pm
I've got a problem I suspect is common among us Unix geeks. I keep a
Solaris box at home along with a Mac and a Windows PC. My employer
offers VPN access but only through a tool called "AT&T Network Client"
(not ssh), and of course it runs only on Windows. The net result is
that, although Windows is utterly superfluous to my situation because
I'm doing Unix-based stuff at both work and home, I have connectivity to
work from the Windows box but not from the others.
I'm no networking expert but I'm wondering if there's a way I can set up
a static route on the Unix boxes to send all "work" packets to the PC to
be routed onward. I.e. I've tried something like (from memory)
route add 10.0.0.0 192.168.0.12 255.0.0.0
Assuming work uses the 10.* block and my home PC is 192.168.0.12. But
this hasn't worked. Am I missing something? Is there a way? All I really
want is to be able to telnet or VNC into work while sitting at one of
the Unix systems.
Some corporate VPNs isolate the PC completely from the rest of the home
network but this one is more generous; I have no problem communicating
between the home systems when the VPN is established. I just need to get
the 10.* packets routed to it.
Thanks,
HT

Dan Cave 2006-06-12, 1:25 pm
Hi Henry,
> I've got a problem I suspect is common among us Unix geeks. I keep a
> Solaris box at home along with a Mac and a Windows PC. My employer
> offers VPN access but only through a tool called "AT&T Network Client"
> (not ssh), and of course it runs only on Windows. The net result is
> that, although Windows is utterly superfluous to my situation because
> I'm doing Unix-based stuff at both work and home, I have connectivity to
> work from the Windows box but not from the others.
>
How do you know that your VPN gw is a Windows box?
> I'm no networking expert but I'm wondering if there's a way I can set up
> a static route on the Unix boxes to send all "work" packets to the PC to
> be routed onward. I.e. I've tried something like (from memory)
>
> route add 10.0.0.0 192.168.0.12 255.0.0.0
>
> Assuming work uses the 10.* block and my home PC is 192.168.0.12. But
> this hasn't worked. Am I missing something? Is there a way? All I really
> want is to be able to telnet or VNC into work while sitting at one of
> the Unix systems.
>
Have you got Internet Connection Sharing turned on on the Windows box that
has your AT&T VPN client? This would forward all packets from the
192.168.0/24 network via 192.168.0.12 ===> <the IP address that the VPN
server gives your PC>.
This sounds like the problem to me...
Alternatively you could configure a *nix box with another interface to
do this job for you (I'd use an OS X Mac and use the VPN client they
provide, which does MS PPTP, and do it that way).
> Some corporate VPNs isolate the PC completely from the rest of the home
> network but this one is more generous; I have no problem communicating
> between the home systems when the VPN is established. I just need to get
> the 10.* packets routed to it.
that's handy...
HTH... let me know if it works!
You should be able to traceroute to your vpn server from your
mac/solaris box by hostname & ip address if it's a packet forwarding
issue on the windows box.
dan

Dan Cave 2006-06-12, 1:25 pm
What I alluded to is that you need to activate the IP forwarding
features on the Windows box... In Win2k/2k3 this is done via the NIC-IP
binding in networking under advanced (iirc).
I h8 Windows anyhow... *nix any day.
Dan
Henry Townsend wrote:
> I've got a problem I suspect is common among us Unix geeks. I keep a
> Solaris box at home along with a Mac and a Windows PC. My employer
> offers VPN access but only through a tool called "AT&T Network Client"
> (not ssh), and of course it runs only on Windows. The net result is
> that, although Windows is utterly superfluous to my situation because
> I'm doing Unix-based stuff at both work and home, I have connectivity to
> work from the Windows box but not from the others.
>
> I'm no networking expert but I'm wondering if there's a way I can set up
> a static route on the Unix boxes to send all "work" packets to the PC to
> be routed onward. I.e. I've tried something like (from memory)
>
> route add 10.0.0.0 192.168.0.12 255.0.0.0
>
> Assuming work uses the 10.* block and my home PC is 192.168.0.12. But
> this hasn't worked. Am I missing something? Is there a way? All I really
> want is to be able to telnet or VNC into work while sitting at one of
> the Unix systems.
>
> Some corporate VPNs isolate the PC completely from the rest of the home
> network but this one is more generous; I have no problem communicating
> between the home systems when the VPN is established. I just need to get
> the 10.* packets routed to it.
>
> Thanks,
> HT

Richard B. Gilbert 2006-06-12, 1:25 pm
Henry Townsend wrote:
> I've got a problem I suspect is common among us Unix geeks. I keep a
> Solaris box at home along with a Mac and a Windows PC. My employer
> offers VPN access but only through a tool called "AT&T Network Client"
> (not ssh), and of course it runs only on Windows. The net result is
> that, although Windows is utterly superfluous to my situation because
> I'm doing Unix-based stuff at both work and home, I have connectivity to
> work from the Windows box but not from the others.
>
> I'm no networking expert but I'm wondering if there's a way I can set up
> a static route on the Unix boxes to send all "work" packets to the PC to
> be routed onward. I.e. I've tried something like (from memory)
>
> route add 10.0.0.0 192.168.0.12 255.0.0.0
>
> Assuming work uses the 10.* block and my home PC is 192.168.0.12. But
> this hasn't worked. Am I missing something? Is there a way? All I really
> want is to be able to telnet or VNC into work while sitting at one of
> the Unix systems.
>
> Some corporate VPNs isolate the PC completely from the rest of the home
> network but this one is more generous; I have no problem communicating
> between the home systems when the VPN is established. I just need to get
> the 10.* packets routed to it.
>
> Thanks,
> HT
10.* is not routable!!! It's reserved for RFC-1918 Private networks
and must operate behind a router that is NAT capable. All traffic is
directed to the address of the router's external port. The router then
directs the connection to an internal system in the 10.* address space.
The internal address you get depends on the destination "port" that
you specified. Generally you can only telnet to one system inside the
private network unless you know the router's port mapping scheme.
If you were just using the 10.* address space as an example, you might
be able to do what you want but you are really asking the wrong group;
you have a Windows problem and you need to ask a Windows related group
for help.
Still better might be to ask your employer's networking people. Some
Cisco routers have VPN capability, and if you bought a Cisco Model 831 or
a Model 91, that might solve your problem. Ask your networking people
before you spend any money!!!!

Henry Townsend 2006-06-12, 1:25 pm
Richard B. Gilbert wrote:
> 10.* is not routable!!!
Sorry, I just didn't want to give out my employer's netblock so I used
10.x.x.x as an example.
> If you were just using the 10.* address space as an example, you might
> be able to do what you want but you are really asking the wrong group;
> you have a Windows problem and you need to ask a Windows related group
> for help.
It isn't/wasn't clear to me that the problem is on the Windows side.
ISTM I have to tell the Unix machine to route the "10.x.x.x" packets to
the Windows machine, at which point there may be a Windows issue as Dan
Cave referred to. But what I'm asking for help with here is the Unix
side. Was my route add command correct?
Not to mention, of course, the sad fact that far more Unix users are
forced to deal with Windows than vice versa, and thus the people that
have dealt with this before are more likely to be on this side. But if I
can establish that the packets are being routed to the Windows side I'll
happily[*] take further problems to a Windows forum.
[*] Though I prefer not to use "happy" and "Windows" in the same
sentence :-)
HT

Dan Cave 2006-06-12, 1:25 pm
Henry
Sorry that I didn't answer your original post completely.
The route command which you could have used is something like
(using your original example of IP addresses):

route add -net 10.0.0.0/8 192.168.0.12

Or man route is usually a good place to start, along with the "route
get" command, if you want to know which interface is going to be used
to reach a particular host.
Rgds
dan
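Before typing the route command, it is worth checking the two things that most often make a static route like this do nothing: the next hop must be on a directly attached subnet, and the destination block must not overlap a local subnet. The script below is an added example, not code from Dan or Henry. It builds the BSD-style command that Solaris and macOS share (and the iproute2 form for Linux) and runs those two checks with the standard library; the addresses are the thread's own placeholders (10.0.0.0/8 for the work netblock, 192.168.0.12 for the Windows PC), and 192.168.0.5/24 as the Unix box's own LAN address is an assumption.

```python
import ipaddress
import platform

# Added example for this thread, not code from any poster. 10.0.0.0/8 stands
# in for the undisclosed work netblock, 192.168.0.12 is the Windows PC running
# the VPN client, and 192.168.0.5/24 is an assumed address on the home LAN.

# Systems whose route(8) takes the 4.4BSD syntax: Solaris, macOS, the BSDs.
BSD_STYLE = {"SunOS", "Darwin", "FreeBSD", "OpenBSD", "NetBSD"}


def route_add_command(dest_cidr, gateway, system=None):
    """Return argv for installing the static route on the given OS.

    Solaris and macOS share the BSD form 'route add -net dest/prefix gw';
    Linux is shown with iproute2. On the BSD form the verb 'add' is
    required, and '-net' states the intent explicitly instead of relying
    on classful inference from the address.
    """
    net = ipaddress.ip_network(dest_cidr, strict=True)   # rejects host bits set
    gw = ipaddress.ip_address(gateway)
    system = system or platform.system()
    if system in BSD_STYLE:
        return ["route", "add", "-net", str(net), str(gw)]
    if system == "Linux":
        return ["ip", "route", "add", str(net), "via", str(gw)]
    raise ValueError("no route syntax known for %s" % system)


def gateway_is_on_link(gateway, local_interfaces):
    """True if the next hop shares a subnet with one of our interfaces.

    A static route via an off-link gateway is useless: the kernel either
    refuses it or installs it and ARP for the gateway never resolves.
    local_interfaces: iterable of 'addr/prefix' strings, e.g. '192.168.0.5/24'.
    """
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_interface(i).network for i in local_interfaces)


def overlapping_local_networks(dest_cidr, local_interfaces):
    """Local subnets the new route would overlap.

    If the work netblock overlapped the home LAN (say both used
    192.168.0.0/16), whichever route is more specific wins and the other
    side is black-holed, so this is worth knowing before 'route add'.
    """
    net = ipaddress.ip_network(dest_cidr, strict=True)
    return [str(ipaddress.ip_interface(i).network)
            for i in local_interfaces
            if ipaddress.ip_interface(i).network.overlaps(net)]


def plan_static_route(dest_cidr, gateway, local_interfaces, system=None):
    """Combine the checks; the caller decides whether to run argv as root."""
    return {
        "argv": route_add_command(dest_cidr, gateway, system),
        "gateway_on_link": gateway_is_on_link(gateway, local_interfaces),
        "overlaps": overlapping_local_networks(dest_cidr, local_interfaces),
    }


if __name__ == "__main__":
    # Constructed inputs: the Solaris box's LAN address is assumed.
    plan = plan_static_route("10.0.0.0/8", "192.168.0.12",
                             ["127.0.0.1/8", "192.168.0.5/24"], "SunOS")
    print(" ".join(plan["argv"]))
    print("gateway on-link:", plan["gateway_on_link"])
    print("overlaps local nets:", plan["overlaps"] or "none")
```

Once the route is in place, `route get 10.0.0.1` (Solaris, macOS) should name 192.168.0.12 as the gateway, and the first hop of a traceroute to a work address should be the Windows PC; if the trace stops there, the remaining problem is forwarding on the Windows side, not the Unix route.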

Henry Townsend 2006-06-12, 1:25 pm
Dan Cave wrote:
> Henry
> Sorry that I didn't answer your original post completely.
>
> The route command which you could have used is something like
> (using your original example of IP addresses):
>
> route add -net 10.0.0.0/8 192.168.0.12
>
> Or man route is usually a good place to start, along with the "route
> get" command, if you want to know which interface is going to be used
> to reach a particular host.
Dan,
Thanks. I'll let this thread drop because it's definitely moved beyond
the Unix route command. But for the archives: the route add was correct
and packets were being sent to the Windows host. Windows "internet
connection sharing" was right where Dan said it would be, but the VPN SW
was smarter than that; it warned me that if I turned sharing on, it
would block all connections from the PC to other LAN hosts.
I did find a workaround; a Java program called nettool (www.nettool.org)
which is intended as a web debugger (and a nice one) but as a useful
side effect will relay packets on any port to any other port on any
other system. So I can run it on the Windows machine and tell it to
relay port 5901 (VNC) from (say) Mac to my Solaris box at work and it
works, though with a little more latency than I'd prefer. So that's good
enough for me, though if anyone knows of a similar packet-relayer which
might be faster I'd be happy to hear of it.
HW
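What Henry ended up with is a TCP port relay rather than IP routing: a listener on the Windows PC that copies bytes between a LAN client and one host:port behind the VPN. The block below is an added example of that mechanism, not the nettool program and not code from any poster. It adds the one control such a relay needs, a source-address allowlist, and ends with a constructed loopback demo (an echo server standing in for the work host) so it runs offline; the real listen address 192.168.0.12, the VNC port 5901, and the work host address in the commented-out call are the thread's placeholders or assumptions.

```python
import socket
import socketserver
import threading

# Added example, not the nettool program from the thread and not code from any
# poster. It shows what a TCP relay on the Windows box has to do: accept a
# connection from a LAN host and copy bytes both ways to a host reachable only
# through the VPN. The loopback demo at the bottom is constructed for offline use.


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so its peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class RelayHandler(socketserver.BaseRequestHandler):
    def handle(self):
        srv = self.server
        # The relay is a hole from the home LAN into the VPN, so only the named
        # Unix hosts may use it (None = allow any source, not recommended).
        if srv.allowed_clients is not None and self.client_address[0] not in srv.allowed_clients:
            return                       # socketserver closes the socket for us
        try:
            upstream = socket.create_connection((srv.target_host, srv.target_port), timeout=10)
        except OSError:
            return                       # VPN down or target unreachable
        upstream.settimeout(None)        # the timeout was for connect only
        with upstream:
            t = threading.Thread(target=pump, args=(self.request, upstream), daemon=True)
            t.start()
            pump(upstream, self.request)
            t.join()


class RelayServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, listen, target, allowed_clients=None):
        self.target_host, self.target_port = target
        self.allowed_clients = allowed_clients
        super().__init__(listen, RelayHandler)


def start_relay(listen_host, listen_port, target_host, target_port, allowed_clients=None):
    """Listen on listen_host:listen_port and relay each connection to the target."""
    srv = RelayServer((listen_host, listen_port), (target_host, target_port), allowed_clients)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class EchoHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the work host behind the VPN."""
    def handle(self):
        while True:
            data = self.request.recv(4096)
            if not data:
                return
            self.request.sendall(data)


def exchange_through_relay(relay_port, payload):
    """Client side: send payload via the relay, half-close, collect the reply."""
    chunks = []
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        pass                             # a refused client may see a reset
    return b"".join(chunks)


def demo(allowed_clients):
    """Run echo server and relay on loopback; return what the client got back."""
    echo = socketserver.ThreadingTCPServer(("127.0.0.1", 0), EchoHandler)
    echo.daemon_threads = True
    threading.Thread(target=echo.serve_forever, daemon=True).start()
    relay = start_relay("127.0.0.1", 0, "127.0.0.1", echo.server_address[1], allowed_clients)
    try:
        return exchange_through_relay(relay.server_address[1], b"RFB 003.008\n")
    finally:
        relay.shutdown(); relay.server_close()
        echo.shutdown(); echo.server_close()


if __name__ == "__main__":
    # On the Windows box the call would look like this (addresses assumed):
    #   start_relay("192.168.0.12", 5901, "<work host>", 5901, {"192.168.0.5"})
    print(demo({"127.0.0.1"}))
```

Two points from the thread carry over to anything used this way. First, it forwards one TCP port per listener and nothing at the IP level, so telnet and VNC each need their own, and bind to the LAN address rather than 0.0.0.0 so the listener is not reachable from the VPN side. Second, it re-opens exactly the LAN-to-VPN path that the AT&T client closed when it refused to coexist with connection sharing, so the allowlist is the minimum, and the employer's remote-access policy decides whether it is acceptable at all.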