Problem solve Get help with specific problems with your technologies, process and projects.

Using PPTP or IPsec VPN tunnels for WLAN security/gateway

I'd like to use PPTP or IPsec VPN tunnels for WLAN security/gateway, as suggested by this piece: http://www.steinkuehler.de/wavelan_security.htm - see Figure 1.

I'd like end-users wishing to access their corporate VPNs to be able to use the WLAN, which would imply nested VPN tunnels from PC clients to my VPN server/gateway. I would anticipate establishing the outer tunnel - i.e., the one that terminates at my VPN server/gateway through a standard MS PPTP or L2TP VPN client.

Can this be done (a) using Third Party VPN clients like Checkpoint SecuRemote/SecureClient associated with use of the MS VPN client, and (b) with nested use of MS VPN clients?

You want to allow user VPN tunnels to pass through your WLAN VPN gateway in order to reach their own distant VPN gateway, while still protecting your own WLAN with VPN tunnels.

To support nested tunnels, the outer tunnel must:

  1. Allow inner tunnel control messages to any destination. PPTP control uses TCP/1723, while IPsec control (IKE) typically uses UDP/500.

  2. Allow inner tunnel encapsulated data to any destination. PPTP uses GRE (protocol 47), while IPsec typically uses ESP (protocol 50).

Many IPsec products can be configured to do (1), but (2) is a bigger challenge. After consulting with a few colleagues, I have concluded that, while some VPN clients may officially support nested tunnels, most do not. Moreover, nesting is quite unlikely to work in a multi-vendor environment where you have a mixture of Microsoft and third-party clients hitting your WLAN VPN gateway. In other words, even if you can get this to work for one client like SecuRemote, you'll have a hard time getting it to work in general.

A better answer may be to support VPN pass-through for stations that need to reach distant VPN gateways. Firewalls and VPN gateways that support "VPN pass through" can permit outbound tunneled traffic to pass through NAT. Local VPN tunnels can still be terminated by your WLAN VPN gateway for your own users. To learn more about VPN pass-through and IPsec NAT traversal, see http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-04.txt. In this configuration, you won't have nested tunnels - you'll have side-by-side tunnels, where each station is permitted to tunnel either to your local WLAN gateway OR to a distant VPN gateway.

This was last published in March 2004

Dig Deeper on Wireless LAN (WLAN)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.