[CentOS] VPN inside VPN?

Wed Feb 9 20:01:56 UTC 2011
Nataraj <incoming-centos at rjl.com>

On 02/09/2011 09:35 AM, Cameron Kerr wrote:
> On 10/02/11 02:52, Giles Coochey wrote:
>> On 09/02/2011 15:46, nux at nux.ro wrote:
>>> Fajar Priyanto writes:
>>>
>>>> Hi all,
>>>> Just wondering if VPN inside VPN is possible?
>>>> I've created PPTP VPN in the office.
>>>> Then from home, first I need to use company's official AT&T VPN.
>>>> Then after connected, I fire up the PPTP VPN client.
>>>> Got connected, but cannot ping the PPTP gateway, and half minute later
>>>> the PPTP got disconnected.
>>>> No obvious error message in the PPTP log.
>>> How is this related to centos?
>> quite.... but at first glance this looks like a MTU problem.
> Except that not even a tiny ping packet can get through.
>
> VPN inside a VPN should certainly work, although it's very inefficient.
>
> Sounds more like a routing issue, perhaps a return route is missing?
>
> Perhaps the OP should sniff his tunnel end-point to see what, if
> anything, is making its way back.
>
> The OP should also care to include the output of the ping command,
> rather than saying "cannot ping the PPTP gateway".
I would also look at routing. When the second VPN comes up, it may be
configured to alter the routing table which would then try to route the
first VPN through the second and the second through the first. This is
often done intentionally since you don't want users connecting into a
secure network while simultaneously accessing a less secure resource.
In fact when the client is connected, Internet traffic is often routed
through the VPN as well, so you know that everything they do is behind a
secure firewall. You'd be amazed at the software I've seen users try to
install on their PCs and then connect to a secure network with.

Another problem is that PPTP is UDP only and cannot be tunneled through
a firewall easily like OpenVPN or IPsec, so if there is any kind of NAT
going on when you connect through the first VPN, it won't work because
you won't get your packets back. If you were able to use OpenVPN TCP or
IPsec in a TCP tunneling configuration, it should work.

Nataraj
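As an added illustration of the circular routing Nataraj describes (example code written for this page, not from the thread; the interface names, endpoint addresses and routing tables are constructed), this checks whether each tunnel's transport endpoint is routed through another tunnel that in turn depends on it:

```python
import ipaddress

# Constructed `ip route show` output for the thread's setup (not real data):
# tun0 = the first (AT&T) VPN; ppp0 = the office PPTP tunnel brought up inside it.
TUNNELS = {"tun0": "203.0.113.10", "ppp0": "198.51.100.7"}  # iface -> remote endpoint
# Healthy: the first VPN client pinned a host route for its endpoint via the LAN gateway.
ROUTES_OK = """\
default dev ppp0 scope link
203.0.113.10 via 192.168.1.1 dev eth0
198.51.100.7 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
# Broken: the PPTP client replaced the default route and no pinned host route survives,
# so tun0's own endpoint is now reached via ppp0, which itself rides on tun0.
ROUTES_LOOP = """\
default dev ppp0 scope link
198.51.100.7 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

def parse_routes(text):
    """Return [(network, dev)] parsed from `ip route show` lines."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or "dev" not in toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        routes.append((ipaddress.ip_network(dst, strict=False), toks[toks.index("dev") + 1]))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match: which interface carries packets to addr?"""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def find_tunnel_loop(routes, tunnels):
    """Return the chain of tunnels carrying each other's transport, or None if routing is sane."""
    carrier = {t: egress_dev(routes, ep) for t, ep in tunnels.items()}
    for start in tunnels:
        path, cur = [start], carrier[start]
        while cur in tunnels and len(path) <= len(tunnels):
            path.append(cur)
            if cur == start:
                return path
            cur = carrier[cur]
    return None
```

Running it against a live box means feeding the output of `ip route show` and the tunnel endpoints from each client's configuration; a non-empty result is the mutual-routing case, and the fix is a pinned host route for the outer VPN's endpoint via the physical gateway.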