Ask the Expert

Can you have two VPN connections to the same machine simultaneously?

Can you have two VPN connections to the same machine simultaneously? I have one machine that ties into a VPN Concentrator. If I added a second NIC card, could I log in remotely to that same machine via remote software when it is connected to the VPN Concentrator? I use Cisco VPN Client software version 4.1.


First, it's generally not possible to run two different VPN Client programs on the same host simultaneously. Conceptually this is possible, but in practice, different vendors' VPN Clients tend to step on each other.

But it's often possible to configure a single VPN Client with a policy that permits more than one destination to be reached. This is known as split-tunneling. For example, the VPN policy might say all traffic sent to 192.168.0.0/24 goes over LAN #1 in the clear (no VPN), and all other traffic goes over the VPN tunnel to Concentrator XYZ. Or it could say all traffic sent to 192.168.0.0/24 goes to Concentrator XYZ, all traffic sent to 10.0.0.0/24 goes to Concentrator ABC.

To accomplish this, you'll face two challenges: one technical, one political.

The technical challenge is whether you can come up with a VPN Client policy definition that reflects what you want to do. Are the IP addresses of the two private destinations you want to use non-overlapping and static? For example, if the remote host that connects to your machine has a dynamic address, configuring a policy could be tough.

The political challenge is whether whoever owns the VPN Concentrator will let you configure a VPN Client policy with split-tunneling. Split-tunneling is a security no-no for this very reason -- the configuration you want opens a back-door because (theoretically) traffic originating in network #1 could enter through tunnel A, route through your machine, then ride tunnel B into network #2. You could prevent this host routing through careful machine and VPN policy configuration, but the fact remains that some will consider this too risky.

One last point: I'm unclear about how you want to connect from a remote host to your machine. Your machine now runs a VPN Client to reach a VPN Concentrator. Your machine could use the same VPN Client to reach another VPN Concentrator, but that wouldn't let a remote host initiate an incoming connection to your machine. Or you could use a different client/server protocol to accept incoming connections to your machine -- for example, remote desktop access or a telnet server. In that case, you'll only have one VPN tunnel, not two. However, your VPN Client policy will still need to "have a hole" to exclude the client/server protocol from VPN tunneling.

This was first published in March 2005
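The following is an added example, not part of the original answer and not Cisco VPN Client code. It models the host side of the split-tunnel policy the answer describes as a plain destination-prefix routing table (the real client applies the network list the concentrator pushes; that mechanism is not reproduced here), and it audits the back-door the answer warns about: with the machine acting as a router, traffic arriving from one network can be forwarded into another. The concentrator names, the 192.168.0.0/24 and 10.0.0.0/24 prefixes, the host address 192.168.0.5 and the remote desktop host 198.51.100.7 are assumptions; the /32 "hole" for that remote host is why the answer says a dynamic remote address makes the policy hard to write.

```python
"""Host-side model of a split-tunnel VPN policy and the transit path it can open.

Added example, not from the original Q&A and not Cisco VPN Client code.
Addresses, tunnel names and the policy itself are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # exit: "clear" (LAN, no VPN) or "tunnel:<concentrator>"


def net(s):
    return ipaddress.ip_network(s)


# Constructed policy mirroring the answer's example: the local LAN goes in the
# clear, 10.0.0.0/24 rides the tunnel to Concentrator ABC, everything else the
# tunnel to Concentrator XYZ. The /32 is the "hole" for the (assumed static)
# remote host that opens a desktop session to us: its replies must not be
# swallowed by the default tunnel route.
POLICY = [
    Route(net("192.168.0.0/24"), "clear"),
    Route(net("198.51.100.7/32"), "clear"),
    Route(net("10.0.0.0/24"), "tunnel:ABC"),
    Route(net("0.0.0.0/0"), "tunnel:XYZ"),
]

HOST_IP = "192.168.0.5"  # assumed address of this machine on its LAN


def select_route(policy, dst):
    """Longest-prefix match: the exit a host routing table picks for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in policy:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.via if best else None


def forward_decision(policy, ingress, dst, host_ip, ip_forwarding):
    """What the host does with a packet that arrived on `ingress` bound for `dst`.

    Only packets addressed to the host itself are delivered locally. Anything
    else is a transit packet, which a workstation drops unless it has been
    turned into a router (ip_forwarding=True); then the policy routes it out.
    """
    if ipaddress.ip_address(dst) == ipaddress.ip_address(host_ip):
        return "deliver"
    if not ip_forwarding:
        return "drop"
    egress = select_route(policy, dst)
    return "forward:" + egress if egress else "drop"


def representative(prefix):
    """One probe address inside prefix (TEST-NET-3 stands in for the default route)."""
    if prefix.prefixlen == 0:
        return "203.0.113.10"
    if prefix.prefixlen >= 31:
        return str(prefix.network_address)
    return str(prefix.network_address + 1)


def backdoor_paths(policy, host_ip, ip_forwarding):
    """Audit: every (ingress, egress) pair through which a packet entering from
    one network could ride this host into a different network."""
    found = set()
    for r_in in policy:
        for r_out in policy:
            if r_in.via == r_out.via:
                continue
            probe = representative(r_out.prefix)
            decision = forward_decision(policy, r_in.via, probe, host_ip, ip_forwarding)
            if decision.startswith("forward:"):
                found.add((r_in.via, decision.split(":", 1)[1]))
    return sorted(found)


if __name__ == "__main__":
    for dst in ("192.168.0.44", "198.51.100.7", "198.51.100.8", "10.0.0.9"):
        print(f"{dst:>15} -> {select_route(POLICY, dst)}")
    print("forwarding off:", backdoor_paths(POLICY, HOST_IP, False))
    print("forwarding on: ", backdoor_paths(POLICY, HOST_IP, True))
```

With IP forwarding off the audit is empty: the machine answers only for its own address, and a packet from Concentrator XYZ's side aimed at 10.0.0.0/24 is dropped. Turn forwarding on and the same policy yields a transit path between every pair of exits, including tunnel A to tunnel B, which is the scenario the concentrator's owner will object to. The /32 entry also shows why the remote host's address has to be static: if 198.51.100.7 changes, the hole moves and the desktop session's return traffic disappears into the default tunnel.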
