VPN Passthru Support sure would be nice!

Discussion in 'Virtual PC' started by Tarpanet, Mar 12, 2006.

  1. Tarpanet

    Tarpanet Guest

    I've been an IT professional since before IBM came out with a PC. The first
    time I ever hooked up to the Net from a hotel was 2 days ago. I verified the
    hotel's connection method before I left home. Wireless! Cool... Okay, so I
    arrive at the hotel, get setup and see the hotel's 4 access points. I join
    the network (no encryption or MAC filtering). Then, before I could actually
    do anything useful, I had to bring up my browser and accept the "terms of
    use" of the company providing access (Guest-Tek). Once I accepted, I was
    good to go (somewhat). Ultimately, I configured my Virtual PCs Guest settings
    for Shared NAT. I brought up the two Guest VMs that I normally use for work.
    They both have connection to the Net. So far, so good. I startup my Cisco
    VPN Client on one of the Guests and try to connect to Dallas. No
    connection... Try LAX. No connection. Hmmmmm. Longer story short, here's the
    rub... For any single piece of hardware (or more accurately stated, for any
    given MAC address) you are allowed only ONE IP address. Which would be fine
    IF Virtual PC 2004 supported "VPN Passthru" for its Shared NAT configuration.
    I did come up with a workaround however. Just because it works, I have
    Hamachi installed on my Home PC, as well as my laptop. Hamachi is a p2p, UDP
    transport, Highly Secure VPN which is extremely easy to setup and there's no
    need to poke holes in any filewalls to make it work, because the way you
    connect to another PC is via a mediation server (much like AOL/Yahoo/MSN IM
    users connect to each other). Anyway, from the moment I logged into my Host
    O/S, my Hamachi client had established a secure tunnel to my home PC. So, I
    then used TightVNC (remote access app) to see my home PC's screen. At that
    point, I brought up Virtual PC on my home system, got my work VM w/VPN up and
    away I went. At this point, I have both my work VMs running. One locally on
    my laptop, and one running on my home system. It's not elegent, but it
    worked without any problems. Unless Microsoft fixes this before my next trip
    (a month away), I have devised a plan that should work just fine. I have a
    spare Netgear wireless router and a D-Link DWL-2100AP. I can configure the
    D-Link to act as a Client. Run a data cable between the D-Link and the
    Netgear. The Netgear will receive a DHCP IP assignment on its WAN port.
    Then, I can configure the LAN side of the Netgear for say, 192.168.0.x, and
    have its DHCP assign however many IPs my laptop needs. It sure would make
    things easier if Microsoft would just add VPN passthru though. :)
     
    Tarpanet, Mar 12, 2006
    #1
    1. Advertisements

  2. Hi,

    The biggest issue with the concept of 'VPN Passthru' is that this would
    violate the concept that VPN allows you to authenticate all the remote
    computers that are connecting to your corporate network.
    --
    Cheers,
    Benjamin Armstrong
    ===============================
    Virtual machine Program Manager

    This posting is provided "AS IS" with no warranties, and confers no rights.
    You assume all risk for your use.
     
    Ben Armstrong [MSFT], Mar 14, 2006
    #2
    1. Advertisements

  3. Tarpanet

    Tarpanet Guest

    Hi Ben,

    I'm not following you. I fail to grasp how adding "VPN Passthru" to
    Virtual PC 2004 would in any way violate any concept or security for VPN
    member nodes. Let's assume that VPN Passthru is already a feature. Unless
    I'm mistaken, this simply means that while Guest VM's which are configured to
    use "Shared Networking (NAT)" would be able to pass VPN wrapped packets in &
    out. Can you be more specific as to why you believe VPN Passthru is an issue
    for Virtual PC?

    Thanks,

    - Dan -
     
    Tarpanet, Mar 16, 2006
    #3
  4. The main premise of VPN is to in some way authenticate the remote
    computer such that you can trust it. If Virtual PC tunneled over VPN
    you would be connecting an unauthenticated computer to the network.

    While I understand in your scenario you can say that the virtual machine
    is trusted - that is not a blanket statement.

    The best way to do this is to VPN in from the virtual machine and the
    physical machine separately.
    --
    Cheers,
    Benjamin Armstrong
    ===============================
    Virtual machine Program Manager

    This posting is provided "AS IS" with no warranties, and confers no rights.
    You assume all risk for your use.
     
    Ben Armstrong [MSFT], Mar 16, 2006
    #4
  5. Tarpanet

    Tarpanet Guest

    Ben,

    I get the feeling we're looking at this thing from totally different angles?
    :) For authentication to the VPN server, I use an RSA Secure ID device.
    However, I'm not even getting the chance to authenticate, because the VPN
    server is not responding to my VPN client's access requests (or, perhaps the
    client's requests are never getting to the VPN server?). I don't want or
    need to VPN from my Host. I only need VPN connection on one VM, which has all
    my work tools installed. Now, understand that everything works great (say,
    at home) when my VM Network connections are bound to my wi-fi card instead of
    VPC's NAT, and I'm able to be assigned as many IP addresses as I need. In
    this case, I'm using a h/w NAT router w/VPN Passthru.
    This works flawlessly. I still need VPC to do VPN Passthru. I will persue
    through other channels.

    Thanks!

    - Dan -
     
    Tarpanet, Mar 17, 2006
    #5
  6. Indeed - my bad, I see what you are asking for now. AFAIK - this should
    work - and it sounds like you are hitting a bug. You may want to try
    this approach:

    http://blogs.msdn.com/virtual_pc_guy/archive/2005/10/04/477195.aspx

    --
    Cheers,
    Benjamin Armstrong
    ===============================
    Virtual machine Program Manager

    This posting is provided "AS IS" with no warranties, and confers no rights.
    You assume all risk for your use.
     
    Ben Armstrong [MSFT], Mar 17, 2006
    #6
  7. Tarpanet

    Tarpanet Guest

    Hi Ben,

    IT WORKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    I just spent over 7 hours on the phone with MS Support. They were doing
    everything they could to figure this out. They had setup a couuple of
    testbeds to try and duplicate my configuration. Anyway, long story short, at
    the end of the call one of the engineers said, "I'm going to send you some
    info that you might want to try. It has to do with installing a Loopback
    adapter... It might be a workaround for you?". Just after we hung up, I
    read your last replay. Tried it, and BOOM! In like flint! Thanks so much
    for this fix! My world can go back to normal now... :)

    - Dan -
    Senior-MTS
    Computer Sciences Corporation
    Global Infrastructure Services
    Enterprise Messaging Administration
     
    Tarpanet, Mar 18, 2006
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.