EXPERT RESPONSE
You want to allow user VPN tunnels to pass through your WLAN VPN gateway in order to reach their own distant VPN gateway, while still protecting your own WLAN with VPN tunnels.
To support nested tunnels, the outer tunnel must:
- Allow inner tunnel control messages to any destination. PPTP control uses TCP/1723, while IPsec control (IKE) typically uses UDP/500.
- Allow inner tunnel encapsulated data to any destination. PPTP uses GRE (protocol 47), while IPsec typically uses ESP (protocol 50).
Many IPsec products can be configured to do (1), but (2) is a bigger challenge. After consulting with a few colleagues, I have concluded that, while some VPN clients may officially support nested tunnels, most do not. Moreover, nesting is quite unlikely to work in a multi-vendor environment where you have a mixture of Microsoft and third-party clients hitting your WLAN VPN gateway. In other words, even if you can get this to work for one client like SecuRemote, you'll have a hard time getting it to work in general.
A better answer may be to support VPN pass-through for stations that need to reach distant VPN gateways. Firewalls and VPN gateways that support "VPN pass through" can permit outbound tunneled traffic to pass through NAT. Local VPN tunnels can still be terminated by your WLAN VPN gateway for your own users. To learn more about VPN pass-through and IPsec NAT traversal, see http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt. In this configuration, you won't have nested tunnels - you'll have side-by-side tunnels, where each station is permitted to tunnel either to your local WLAN gateway OR to a distant VPN gateway.
|
