[SOLVED] VPN over a VPN oddity

jjgurley

Distinguished
Jan 27, 2015
66
2
18,545
My desktop PC has a wired ethernet connection, and I also have several piggyback connections I use at times.
I have a paid VPN(1) for downloading torrents anonymously, and I have a Windows Built-In L2TP/Ipsec VPN(2) for getting to the office.
Everything would be fine as is, except my wife also uses the office VPN2 from her own computer, and L2TP apparently won't support multiple VPNs from the same subnet. So I turned on VPN1, and VPN2 claims it's connected, but despite having general internet connectivity, I can't access the office. Where should I look? VPN1 has a selection of protocols, and I've tried a few of them. I also played with metrics with no luck. Puzzled due to my lack of network expertise.

I control the office router, and it has no blacklist except for some especially egregious brute-force source IPs.
 
Solution
If you are in control of the vpn on both ends, maybe consider switching to openvpn. Even with the same source IP address they still come from different ports, so you can run as many sessions as you like. Since openvpn is using the same encryption as SSL, it is much more cpu intensive than IPSEC. I guess it all depends on what you do and how much bandwidth you need.
If you control the office router, I would simply get a vpn router at home and set up a full ipsec tunnel and be done with it--no more 'dialing in'--you're always in. You can limit the scope of the tunnel so other devices on your network can't access the office and can probably even set up a vlan for just your system to segment this further.
 
Part of the reason openvpn exists is because of all the difficulties with IPSEC and other older VPN technologies. Most vpns do not use TCP or UDP; they use another "protocol". NAT is only designed to handle these 2 protocols. A router needs special "hacks" to make the vpn work. This is where you see the extra vpn pass-through features on a router. In some ways we are lucky they have these, but they are limited, which is what causes the restriction that only 1 device behind the router can connect to a remote IPSEC location.

The reason you can't run ipsec over the openvpn tunnel is that it is not supported. Even if it were, because you are using a public vpn service where you share the remote IP, you have the NAT issues again. The VPN provider would also have to have some kind of hack to make it work.

Now you can run openvpn over an IPSEC tunnel since it uses tcp/udp and can appear as https traffic if you work at it hard enough. This, though, does not help you.

There really is no true fix for this. It is a pretty well-known restriction on ipsec.

As mentioned above, you can get a router that can act as a VPN client for your work vpn. You would need to solve the problem of how to route only work traffic into the vpn, but there are a couple of ways to accomplish this. Note your company may prevent you from doing this, depending on how the vpn client on your pc works. The risk is exactly what you are trying to do. You could, if you wanted, allow people on the internet to have remote access to your company's internal network with your router. I know the company I used to work for really locked the client down when the vpn was open. You could not even print to local printers when the vpn was open.
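The NAT point made in this reply (ports let a router tell inside sessions apart, while IPsec's ESP carries none) as an added toy model; this is constructed illustration code, not anything from the thread or from a real router. It assumes a naive one-slot "VPN passthrough" keyed only on the remote peer, and all addresses are made up.

```python
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50  # IP protocol numbers; ESP is the encrypted IPsec payload

@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: no transport header, no ports
    dst_port: Optional[int] = None

class SimpleNat:
    """Toy outbound NAT with a naive one-slot 'VPN passthrough' for ESP (constructed)."""
    def __init__(self) -> None:
        self.udp_map: dict = {}  # translated src port -> inside (ip, port)
        self.esp_map: dict = {}  # remote peer ip -> inside ip (one slot per peer)
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> str:
        if pkt.proto == UDP:
            # Ports give the router a unique key for every inside session.
            self.udp_map[self.next_port] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
            return "ok"
        # ESP: no ports, so the only key is the remote peer; a second inside host
        # talking to the same peer takes over the single slot.
        prev = self.esp_map.get(pkt.dst_ip)
        self.esp_map[pkt.dst_ip] = pkt.src_ip
        return "ok" if prev in (None, pkt.src_ip) else "collision"

    def inbound_target(self, peer_ip, proto, dst_port=None):
        """Which inside host receives a reply from peer_ip?"""
        if proto == UDP:
            return self.udp_map.get(dst_port, (None,))[0]
        return self.esp_map.get(peer_ip)

def connect_clients(proto, inside_hosts, peer_ip):
    """Bring up one tunnel per inside host to one peer; return (results, reply targets)."""
    nat = SimpleNat()
    results = []
    for i, host in enumerate(inside_hosts):
        port, dport = (50000 + i, 1194) if proto == UDP else (None, None)
        results.append(nat.outbound(Packet(proto, host, peer_ip, port, dport)))
    targets = [nat.inbound_target(peer_ip, proto, 40000 + i) for i in range(len(inside_hosts))]
    return results, targets
```

Two UDP (openvpn-style) clients each get their own mapping and their own replies; two ESP clients to the same peer share one slot, so the second one silently takes the tunnel from the first.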
 
Interesting to know about the fact that ipsec won't run over an openvpn tunnel.

I actually was talking about getting a vpn router to act as a vpn peer, not a vpn client. So it would also have a tunnel built in the hardware, and then you use routing and tunnel restrictions to limit local access through the tunnel. I actually use this type of setup at home. :)
 

jjgurley

Lots to digest. Maybe I need a course in networking.

The suggestion of a VPN router would solve this situation, but it will crop up again when my wife and I are traveling together. She would be accessing the office to work and I'd be accessing the office to administer the network as issues come up. In this case, we'd probably both be on the same hotspot, with the same restriction.

To elaborate on the oddity, if I log into my office router from my cellphone, I can monitor active VPN connections. When I "connect" my desktop VPN2 while my VPN1 is connected, I actually get an active connection showing on my cellphone, but it won't weasel into internal work IPs (including the router). Not sure what that's telling me!
 