I'd like end-users wishing to access their corporate VPNs to be able to use the WLAN, which would imply nested VPN tunnels from PC clients to my VPN server/gateway. I would anticipate establishing the outer tunnel - i.e., the one that terminates at my VPN server/gateway through a standard MS PPTP or L2TP VPN client.
Can this be done (a) using Third Party VPN clients like Checkpoint SecuRemote/SecureClient associated with use of the MS VPN client, and (b) with nested use of MS VPN clients?
To support nested tunnels, the outer tunnel must:
- Allow inner tunnel control messages to any destination. PPTP control uses TCP/1723, while IPsec control (IKE) typically uses UDP/500.
- Allow inner tunnel encapsulated data to any destination. PPTP uses GRE (protocol 47), while IPsec typically uses ESP (protocol 50).
Many IPsec products can be configured to do (1), but (2) is a bigger challenge. After consulting with a few colleagues, I have concluded that, while some VPN clients may officially support nested tunnels, most do not. Moreover, nesting is quite unlikely to work in a multi-vendor environment where you have a mixture of Microsoft and third-party clients hitting your WLAN VPN gateway. In other words, even if you can get this to work for one client like SecuRemote, you'll have a hard time getting it to work in general.
A better answer may be to support VPN pass-through for stations that need to reach distant VPN gateways. Firewalls and VPN gateways that support "VPN pass through" can permit outbound tunneled traffic to pass through NAT. Local VPN tunnels can still be terminated by your WLAN VPN gateway for your own users. To learn more about VPN pass-through and IPsec NAT traversal, see http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt. In this configuration, you won't have nested tunnels - you'll have side-by-side tunnels, where each station is permitted to tunnel either to your local WLAN gateway OR to a distant VPN gateway.
This was first published in March 2004