[ale] multiple vpn's at the same time?

Michael H. Warfield mhw at WittsEnd.com
Wed Oct 10 13:08:23 EDT 2012


On Wed, 2012-10-10 at 11:27 -0400, JD wrote:
> It depends.

> Which VPN?  There are different types before you add in proprietary versions.

> Do the VPN servers allow split tunnels?

> Does the company policy have any bearing on this?
> Could you be fired for having multiple connections?

That's something to consider.  Generally, if it's something for a
specific purpose, you can get a manager to wave off on an exemption if
they even care.

> Then there is the router issue. Not every home router will support multiple VPN
> connections. I don't know the specifics, but it seems that using more than 1
> IPSec VPN or more than 1 PPTP or L2TP or whatever-VPN might not be possible.

Actually, more than one IPsec tunnel is allowed.  If it's a NATing
router then you either have to be using IPsec NAT-T (which is IPsec over
UDP), which all of the Linux IPsec packages and vpnc all auto detect, or
the NAT router has to properly handle IP protocols 50/51 (AH/ESP) in its
state tables and a large number of them do.  You do have to initiate all
the VPN sessions from inside the NAT perimeter unless you map the public
address on the NAT to that machine.  I'm not aware of any that support
STUN.

If it's a true router (no NAT) or a stateful firewall, you will have NO
problem with multiple IPsec tunnels, unless it happens to be a
CheckPoint firewall (which for some reason chronically mishandles IP
protocols 50/51 passing through them and not terminating on them); you
may have to "force" IPsec NAT-T (even with no NAT involved) in that
case, which will definitely then work.

PPTP, the old GRE based PPTP, is a total crap shoot (in addition to
being total crap to begin with), but I wouldn't use it anyway.  It's not
considered secure.

L2TP is sort of a hybrid between IPsec and PPTP and should work as well
as IPsec.  It will run over UDP using ESP-IN-UDP encapsulation (IPsec
NAT-T) and the firewalls will not know the difference or care.  Just a
different keying daemon.

> OTOH, if the "VPN" is just an ssh tunnel, you can have hundreds of those.

But it's a crappy VPN as a VPN, as are all TCP based VPNs, but that's
another tub to thump another day.  Yeah, that will work too.

Regards,
Mike

> On 10/10/2012 09:40 AM, Michael Campbell wrote:
> > All,
> > 
> > I'm pretty network-challenged, but I wondered if it was possible to
> > run 2 VPNs at the same time on an Ubuntu based box (Mint,
> > actually).
> > 
> > I already run one through the network manager, but I want to run
> > another (to work boxes in Europe), and be able to use that as a proxy
> > server so I don't have to keep going in and out of the VPN on my
> > normal work machine (a Windows box).
> > 
> > So what I want to do is set up another VPN on my home Linux box, then
> > on my Windows box, point my work domains (in /etc/hosts) to the Ubuntu
> > box which is VPN'd to Europe, so URLs I hit on my Windows box go
> > through my Linux box, through the VPN to Europe.
> > 
> > But, as I said, I'm already using another VPN on the Linux box for
> > another reason.
> > 
> > Is this even possible?

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
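As an added illustration of the point above about multiple IPsec tunnels behind a NAT (this is example code, not from the thread or its authors), the script below parses `ip xfrm state` output, groups the kernel's security associations into tunnels by reqid, and reports for each tunnel whether the path needs IPsec NAT-T (UDP 4500) or raw IP protocol 50/51 to be passed by the router. The sample output embedded in it is constructed; on a real box you would feed it the actual `ip xfrm state` text.

```python
import re

# Constructed `ip xfrm state` output (not from the thread). reqid 1 is a NAT-T
# tunnel (ESP in UDP 4500); reqid 2 is plain ESP, so IP protocol 50 must pass.
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.7
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.7 dst 192.0.2.10
    proto esp spi 0xd5e6f7a8 reqid 1 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.0.2.10 dst 203.0.113.99
    proto esp spi 0x0a0b0c0d reqid 2 mode tunnel
src 203.0.113.99 dst 192.0.2.10
    proto esp spi 0x01020304 reqid 2 mode tunnel
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
PROTO_LINE = re.compile(r"^\s+proto (esp|ah) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)")
ENCAP_LINE = re.compile(r"^\s+encap type (\S+) sport (\d+) dport (\d+)")

def parse_xfrm_state(text):
    """One dict per SA: src, dst, proto, spi, reqid, mode, encap (None if raw ESP/AH)."""
    sas = []
    for line in text.splitlines():
        if m := SA_HEADER.match(line):
            sas.append({"src": m[1], "dst": m[2], "encap": None})
        elif sas and (m := PROTO_LINE.match(line)):
            sas[-1].update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
        elif sas and (m := ENCAP_LINE.match(line)):
            sas[-1]["encap"] = {"type": m[1], "sport": int(m[2]), "dport": int(m[3])}
    return sas

def summarize_tunnels(sas):
    """Group SAs by reqid (a tunnel is an inbound plus an outbound SA) and record what
    a NAT or firewall on the path must pass: UDP/4500 for NAT-T, else IP proto 50/51."""
    tunnels = {}
    for sa in sas:
        t = tunnels.setdefault(sa["reqid"], {"peers": set(), "requires": set()})
        t["peers"].update((sa["src"], sa["dst"]))
        if sa["encap"] and sa["encap"]["type"] == "espinudp":
            t["requires"].add("udp/%d" % sa["encap"]["dport"])
        else:
            t["requires"].add("ip-proto-50" if sa["proto"] == "esp" else "ip-proto-51")
    return tunnels

if __name__ == "__main__":
    for reqid, t in sorted(summarize_tunnels(parse_xfrm_state(SAMPLE_XFRM_STATE)).items()):
        print("reqid=%d peers=%s needs=%s" % (reqid, sorted(t["peers"]), sorted(t["requires"])))
```

A tunnel that reports `ip-proto-50` or `ip-proto-51` is the one a NATing router or a misbehaving firewall will break; that is the tunnel to switch to NAT-T.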

