splitting/routing VPN traffic

Discussion in 'NZ Computing' started by john, Aug 8, 2007.

  1. john

    john Guest

    Hello,

    I need to set up an XP machine that sends only certain traffic across a VPN
    link and other traffic across the normal link. Is this possible?

    Thanks in advance for any help
    john, Aug 8, 2007
    #1

  2. RL

    RL Guest

    john wrote:
    > Hello,
    >
    > I need to set up an XP machine that sends only certain traffic across a VPN
    > link and other traffic across the normal link. Is this possible?
    >
    > Thanks in advance for any help


    Can you be more specific? Will you be routing by remote IP address,
    local IP address, by port, or other criteria?

    If it is simply by IP address at the remote end, then this can be done
    by setting routes, otherwise you will probably need a software solution.

    - RL
    RL, Aug 8, 2007
    #2

  3. Lawrence D'Oliveiro

    In message <46b9516c$>, john wrote:

    > I need to set up an XP machine that sends only certain traffic across a VPN
    > link and other traffic across the normal link. Is this possible?


    Pass the traffic through a Linux box, and set up iptables rules on that to
    forward it on appropriately.
    Lawrence D'Oliveiro, Aug 8, 2007
    #3
  4. Alan

    Alan Guest

    Hi John,

    That is called 'Split Tunnelling' and it can be a major security risk
    to the LAN that you are connecting to via the VPN.

    This article is ISA specific, but the general risk is also outlined
    and it is quite well written to explain in more detail:

    http://www.isaserver.org/tutorials/2004fixipsectunnel.html?printversion

    HTH,
    --

    Alan.

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb




    "john" <> wrote in message news:46b9516c$...
    > Hello,
    >
    > I need to set up an XP machine that sends only certain traffic across
    > a VPN
    > link and other traffic across the normal link. Is this possible?
    >
    > Thanks in advance for any help
    >
    >
    Alan, Aug 8, 2007
    #4
  5. EMB

    EMB Guest

    Lawrence D'Oliveiro wrote:
    > In message <46b9516c$>, john wrote:
    >
    >> I need to set up an XP machine that sends only certain traffic across a VPN
    >> link and other traffic across the normal link. Is this possible?
    >
    > Pass the traffic through a Linux box, and set up iptables rules on that to
    > forward it on appropriately.


    Use a dedicated firewall box to do it. Linux/iptables would be ideal, or
    with a bit of judicious setup you could probably manage the whole thing
    from the GUI in Smoothwall or IPCop.
    EMB, Aug 8, 2007
    #5
  6. bok

    bok Guest

    EMB wrote:
    > Lawrence D'Oliveiro wrote:
    >> In message <46b9516c$>, john wrote:
    >>
    >>> I need to set up an XP machine that sends only certain traffic across a
    >>> VPN
    >>> link and other traffic across the normal link. Is this possible?
    >>
    >> Pass the traffic through a Linux box, and set up iptables rules on
    >> that to
    >> forward it on appropriately.
    >
    > Use a dedicated firewall box to do it. Linux/iptables would be ideal,

    As long as it's compatible with the corporate side VPN solution. I ran
    an IPSEC FreeS/Wan VPN on Linux from home for about four years
    (Netfilter/Iptables was necessary but not sufficient to implement a
    VPN). That was possible because I was using the same software as the
    corporate side IPSEC gateway servers.

    Since then we have switched to using OpenVPN, which is based on SSL/TLS
    rather than IPSEC.

    Split tunneling is supported by configuring the required routes on the
    client using server side scripts.

    > or with a bit of judicious setup you could probably manage the whole thing
    > from the GUI in Smoothwall or IPCop.


    Yes, as long as you use compatible software and configurations at each
    endpoint. I tried a release of IPCop once and found I had to manually
    edit the ipsec.conf file and install the required X.509 certs and
    ipsec.secrets files.
    bok, Aug 8, 2007
    #6
  7. EMB

    EMB Guest

    bok wrote:

    >> Use a dedicated firewall box to do it. Linux/iptables would be ideal,

    > As long as it's compatible with the corporate side VPN solution. I ran
    > an IPSEC FreeS/Wan VPN on Linux from home for about four years
    > (Netfilter/Iptables was necessary but not sufficient to implement a
    > VPN). That was possible because I was using the same software as the
    > corporate side IPSEC gateway servers.
    >
    > Since then we have switched to using OpenVPN, which is based on SSL/TLS
    > rather than IPSEC.


    The OpenVPN solution (Zerina on IPCop) I'm running for remote access to
    work has server side config to determine whether the client sends all,
    or only local network traffic via the VPN tunnel.
    EMB, Aug 8, 2007
    #7
  8. bok

    bok Guest

    EMB wrote:
    > bok wrote:
    >
    >>> Use a dedicated firewall box to do it. Linux/iptables would be ideal,

    >> As long as it's compatible with the corporate side VPN solution. I ran
    >> an IPSEC FreeS/Wan VPN on Linux from home for about four years
    >> (Netfilter/Iptables was necessary but not sufficient to implement a
    >> VPN). That was possible because I was using the same software as the
    >> corporate side IPSEC gateway servers.
    >>
    >> Since then we have switched to using OpenVPN, which is based on
    >> SSL/TLS rather than IPSEC.
    >
    > The OpenVPN solution (Zerina on IPCop) I'm running for remote access to
    > work has server side config to determine whether the client sends all,
    > or only local network traffic via the VPN tunnel.


    The VPN solution we are using goes by the name 'OpenVPN'
    http://openvpn.net/ . It has similar server side configuration to split
    traffic.

    I am currently running the Windows OpenVPN client with only traffic to
    corporate hosts routed through the VPN tunnel; everything else is routed
    through the default interface. I don't manage the server side config, but
    I can see the 'ADD ROUTE' commands that get pushed down to achieve this
    in the client log.

    [I replaced my Linux firewall gateway with a hardware router/firewall
    after the company moved away from the IPSEC solution. I still have a
    couple of Linux servers on our home network for other purposes though.]
    bok, Aug 8, 2007
    #8
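    The server-side split-tunnel setup that posts 7 and 8 describe, as an added
    example that is not from anyone in this thread: an OpenVPN server.conf
    fragment that pushes routes for the corporate prefixes only, with the
    full-tunnel alternative shown beside it. The subnets and the DNS server
    address are assumed placeholders.

```conf
# OpenVPN server.conf fragment (added example, not from the thread).
# Assumed addresses: corporate LANs 10.10.0.0/16 and 192.168.50.0/24,
# VPN subnet 10.8.0.0/24, internal DNS 10.10.0.53. Substitute your own.

server 10.8.0.0 255.255.255.0

# Split tunnel: push only the corporate prefixes. The client adds these
# routes via the tunnel (the route additions show up in its log) and
# keeps its default route on the normal link.
push "route 10.10.0.0 255.255.0.0"
push "route 192.168.50.0 255.255.255.0"

# Full tunnel alternative: uncomment to send all client traffic through
# the VPN. The client replaces its default route for the session, which
# is what you want if the LAN-side risk of split tunnelling is a concern.
# push "redirect-gateway def1"

# Optional: hand out internal DNS so corporate names resolve over the tunnel.
# push "dhcp-option DNS 10.10.0.53"
```

    A client config containing route-nopull ignores everything the server pushes, so the split only works for clients that actually accept the pushed routes.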
