WinXP x64 route path to VPN through VMware-> linux

LandRover · 09-26-2007, 03:50 PM

Hey,

This one is a little complicated and I've been cracking my head over it for a while. Right about now I'm crying out for help.

This is the deal, I got cisco vpn to connect to the office but unfortunately I got XP x64 and cisco cant seem to provide a proper client for x64 OS' so far. I don't want to reinstall my computer therefore I found a creative solution.

I decided to install VMware server(which is free now! woohoo) and setup up a light weight ubu-server to run 'VPNC' client to connect to the VPN. So far, so good.
It kinda works, I can access the VPN from the VMware guest hosted ubu, I can ping the local VPN addresses.

The main idea of this solution is to keep the VMware host with the guest ubu minimized, connected to the VPN permanently and route all the traffic from the VPN directly to the host machine.

The VMware GUEST (ubu-server) set with 2 NiCs:

VMnet0 - Bridged connection
- IP: 10.0.0.13 / 255.0.0.0
- Gateway: 10.0.0.138
VMnet1 - Host only
- IP: 192.168.0.2 / 255.255.255.0
- Gateway: -
VPN TUNNEL-00
- IP: 172.21.32.39 / 255.255.255.255 (auto assigned by the CISCO PIX)
- Gateway: -

The VMware HOST (Winxp x64) network settings:

Local Area Connection #1
- IP: 10.0.0.1 / 255.0.0.0
- Gateway: 10.0.0.138
VMnet1 - Host only
- IP: 192.168.0.1 / 255.255.255.0
- Gateway: -

The IP I'm trying to access over the VPN is: 172.31.110.244.
From the GUEST machine it works at this point.

On the XP I did a route command to flow all the related traffic through the guest's ip.

route add 172.31.0.0 MASK 255.255.0.0 10.0.0.13 METRIC 1
route add 172.31.0.0 MASK 255.255.0.0 192.168.0.2 METRIC 1

Tried these two one by one but it didn't come up well.
ping timed out and tracert failed to complete a single hop.

I decided to try bridging the interfaces on the guest, between the gateway associated and the host only.
The script I used to bridge with:

Code:

    brctl addbr br0;
    brctl stp br0 on;
    brctl addif br0 eth0;
    brctl addif br0 eth1;
    (ifdown eth0 1>/dev/null 2>&1;);
    (ifdown eth1 1>/dev/null 2>&1;);
    ifconfig eth0 0.0.0.0 up;
    ifconfig eth1 0.0.0.0 up;
    ifconfig br0 10.0.0.50 broadcast 10.255.255.255 netmask 255.0.0.0 up
    route add default gw 10.0.0.138;
    for file in br0 eth0 eth1;
    do
      echo "1" > /proc/sys/net/ipv4/conf/${file}/proxy_arp;
      echo "1" > /proc/sys/net/ipv4/conf/${file}/forwarding;
    done;
    echo "1" > /proc/sys/net/ipv4/ip_forward;

The br0 interface ip I got: 10.0.0.50.

ifconfig:

Code:

ubu-vpnc:/var/log# ifconfig
br0       Link encap:Ethernet  HWaddr 00:0C:29:7F:5A:E7
          inet addr:10.0.0.50  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::20c:29ff:fe7f:5ae7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3455 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:499156 (487.4 KiB)  TX bytes:462418 (451.5 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:7F:5A:E7
          inet6 addr: fe80::20c:29ff:fe7f:5ae7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20330050 (19.3 MiB)  TX bytes:789264 (770.7 KiB)
          Base address:0x1070 Memory:ec820000-ec840000

eth1      Link encap:Ethernet  HWaddr 00:0C:29:7F:5A:F1
          inet6 addr: fe80::20c:29ff:fe7f:5af1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8546 (8.3 KiB)  TX bytes:297839 (290.8 KiB)
          Base address:0x1078 Memory:ec840000-ec860000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1688 (1.6 KiB)  TX bytes:1688 (1.6 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.21.32.39  P-t-P:172.21.32.39  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1390  Metric:1
          RX packets:279 errors:0 dropped:0 overruns:0 frame:0
          TX packets:505 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:285272 (278.5 KiB)  TX bytes:38941 (38.0 KiB)

ubu-vpnc:/var/log#

I've also added some iptables rules to monitor the logs and accept forwarding:

Code:

iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -I FORWARD -j ACCEPT
iptables -I FORWARD -j LOG

I've also updated the route command at the XP to this following:

route add 172.31.0.0 MASK 255.255.0.0 10.0.0.50 METRIC 1

at this point it looked much better, I tried to ping the destination ip on the host ip and could see the trace log of the iptables which means the traffic from the host goes trough the guest.

also the tracert made a single hop:

Code:

C:\>tracert 172.31.110.244
Tracing route to 172.31.110.244 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.0.50
  2     *        *        *     Request timed out.
  .....
  30    *        *        *     Request timed out.

syslog at the same point of the trace on the guest machine:

Code:

Sep 26 23:57:11 ubu-vpnc kernel: IN=br0 OUT=tun0 PHYSIN=eth0 SRC=10.0.0.1 DST=172.31.110.244 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=16734 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 26 23:57:12 ubu-vpnc kernel: IN=br0 OUT=tun0 PHYSIN=eth0 SRC=10.0.0.1 DST=172.31.110.244 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=16735 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 26 23:57:14 ubu-vpnc kernel: IN=br0 OUT=tun0 PHYSIN=eth0 SRC=10.0.0.1 DST=172.31.110.244 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=16736 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 26 23:57:23 ubu-vpnc kernel: IN=br0 OUT=tun0 PHYSIN=eth0 SRC=10.0.0.1 DST=172.31.110.244 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=16746 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 26 23:57:24 ubu-vpnc kernel: IN=br0 OUT=tun0 PHYSIN=eth0 SRC=10.0.0.1 DST=172.31.110.244 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=16747 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 26 23:57:26 ubu-vpnc kernel: IN=br0 OUT=tun0 PHYSIN=eth0 SRC=10.0.0.1 DST=172.31.110.244 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=16748 PROTO=UDP SPT=137 DPT=137 LEN=58

Sigh! At this point, I don't have any more ideas how to fix the routes to make it work properly.
Any ideas are welcome (not ideas to drop the solution but how to make the route thing work, I also would like to learn from this something

)

Regards,
Oleg G.

Dumfrey · 09-27-2007, 08:34 AM

how people approach problems...for example, using a VM to act as a gateway for your x64 box is a good idea, but I am not sure I would have chosen any of the buntu flavors as the VM, I would have used smoothwall, ipcop etc...distros designed for routing and vpn use, in essence, creating a new "gateway" for the x64 box to use, and the gateway is just providing the vpn link to the other network, cisco split tunnelling can then allow internet access while connected to the vpn. Which particular gateway distro to use...i cant really say, I tend to use smoothwall, but I have heard very good stuff about monowall, and its on my to test list 9its bsd based instead of linux, but thats really a plus in a gateway imo).

LandRover · 09-28-2007, 03:25 AM

yey
I kinda got the feeling no one would reply

I've tried ipcop before, it has alot of issues with ipsec and xauth (connecting to pix 501).
with the ubu/debian (I'm debian fan

) I've already set the link to the vpn through vpnc and its working.

Anyhow, I suspect few issues but not sure for the current settings:

Why do I need to bridge the interfaces eth0(bridged VM) + eth1(Host-only VM) ? (without this the x64 wont pass even the first hop, I think its something to do with the host-only which allows that by I might have done something wrong)
How are the iptables FORWARD settings?
Is the route on the x64 ok?

Meanwhile, I found an x64 client for windows vista by NCP but unfortunately it drops right after the ip assigment but that's a different story. I really want to make the route solution to work.
anyhow, I need the solution for x64 XP!

So if anyone got a clue..

Regards,
Oleg G.

LandRover · 09-28-2007, 03:03 PM

Yey! I've solved it.
got working gateway from winxp x64 to a cisco vpn (pix 501) via VMware guest running ubu/debian.

Code:

C:\>tracert 172.31.110.244

Tracing route to APP-SAFE [172.31.110.244]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.2
  2    50 ms    53 ms    55 ms  APP-SAFE [172.31.110.244]

Trace complete.

If anyone comes across something like this in the future the light could be found here: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/

google4life

Dumfrey · 10-01-2007, 07:33 AM

In how you set up your vpn connection in Debian. I gave a half-hearted attempt one afternoon while home with a fever, but after 35 m9in I fell asleep and havent really got back to it. We also have Pix 501's and it would be nice to be able to use my Ubuntu box to get in to the vpn, as it stands, I have 1 windows xp box left for games and vpn for work left, if I could regulate it to just games...its one step closer.

LandRover · 10-02-2007, 02:16 AM

Era:~# apt-cache search vpnc
vpnc - Cisco-compatible VPN client

configure the client and connect

Dumfrey · 10-03-2007, 07:36 AM

use the same terminology as the cisco vpn server/client set up? I guess if its even close I should be able to figure it out. Thanks for the info, and now that I look back, you did mention vpnc several times =) I will try this out tonight when I get home.

BuddyLove · 02-16-2008, 12:01 PM

Quote:

Originally Posted by LandRover

Yey! I've solved it.
got working gateway from winxp x64 to a cisco vpn (pix 501) via VMware guest running ubu/debian.

Code:

C:\>tracert 172.31.110.244

Tracing route to APP-SAFE [172.31.110.244]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.2.2
  2    50 ms    53 ms    55 ms  APP-SAFE [172.31.110.244]

Trace complete.

If anyone comes across something like this in the future the light could be found here: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/

google4life

Can you please share what you did to finally get this to work?

I'm trying to create the same setup
vista x64 -> [vmware:guest ubuntu-server] -> cisco vpn client -> network

Thanks

lars49 · 02-22-2008, 12:40 PM

Is the implication here that the Linux is a 64 bit OS or is it a 32 bit OS?

I am trying to solve a similar problem

BuddyLove · 02-22-2008, 02:31 PM

Quote:

Originally Posted by lars49

Is the implication here that the Linux is a 64 bit OS or is it a 32 bit OS?

I am trying to solve a similar problem

In my case it doesn't matter because the cisco vpn client works on 32 and 64 linux. The issue is that the cisco vpn client does not work on windows x64, so thats why I'm trying to create this setup

WorkinDude · 01-29-2009, 09:36 AM

I'm fairly new to linux, so I'm amazed to say that I managed to get this working pretty well. Once I have a few minutes I'll post the details of my solution here, so others may benefit.
Briefly, I installed VMWare server, created an Ubuntu 8.10 server virtual machine with vpnc installed, as LandRover describes earlier. I also used the IP-Masquerade-HOWTO link provided earlier in this thread.
The IP-Masquerade document is incredibly long and detailed, but bare in mind that much of it is explanations for how to set up masq for various kernel builds, how to get it working for various clients (e.g. win95, netware!?! etc), the details of non-routable ip subnets, most of which you can safely skip. I'll let you know what parts you actually need.
I had to disable vista's firewall on the vm connection and create a couple of routes through the tunnel, again just as LandRover described.
Once all this was done I was able to run visual studio, connect to the TFS server at work, and synch up without a problem.
I'll post soon with more details.
Thanks for this thread, it really helped a lot!