LAN Access when Guest Connected with Cisco VPN

[sle118]

Hello,

I am using a Cisco VPN to connect to the office on my guest OS. I am currently using Microsoft Virtual PC to run a guest XP machine, which allows me to access my LAN and which does not route the traffic through the VPN.

I am trying to migrate to VirtualBox, but I am having trouble setting up the network to do the same. If I use NAT as my guest network interface, all the traffic goes through the VPN. Using a bridge connection on my main network card, a valid LAN IP address is correctly received from my LAN DCHP. However, no address (local or external) is reachable from the Virtual Box (not even the DHCP Server).

I want my host OS to run the VPN and the virtual Box to access the LAN directly.

Is there a way to get this to work? Please help.

[vbox4me2]

Use both (2 VM network adapters) nat and bridge.

[sle118]

Use both (2 VM network adapters) nat and bridge.

Why use 2 adapters and how should they be configured?

I have some technical knowledge of Linux, virtual machines and networking in general, but this topology is new to me.

thank you

[sle118]

Anyone?

Any help would be appreciated... a link to a wiki, or an explanation...

thank you!

[Martin]

Do you have a firewall active on your Windows host? Some firewalls block bridged connections.

[sle118]

Do you have a firewall active on your Windows host? Some firewalls block bridged connections.

There is no software firewall except the basic one in Vista.

The bridged connection works as long as the Host Cisco VPN is not connected. As soon as I connect to the remote Cisco VPN server, the virtual box can no longer communicate through the bridge.

The funny thing is that the guest Linux seems to be able to retrieve an IP address from the router.

[jorgensen]

Normally you cannot share a VPN connection of security reason.
If the guest VPN cannot go through the Virtualbox NAT connection you must use Virtualbox Bridge Networking and make sure any firewall or similar is not blocking.
If you install the VPN on the host it might block the VirtualBox Bridge Networking, which also could happen on the guest if the VPN is very restrictive.
There are reasons why a VPN is considered a secure connection.

[sle118]

Normally you cannot share a VPN connection of security reason.
If the guest VPN cannot go through the Virtualbox NAT connection you must use Virtualbox Bridge Networking and make sure any firewall or similar is not blocking.
If you install the VPN on the host it might block the VirtualBox Bridge Networking, which also could happen on the guest if the VPN is very restrictive.
There are reasons why a VPN is considered a secure connection.

I am simply trying to replicate on Virtualbox what I am already doing with Virtual PC 2007.

Use a Virtual BOX to access LAN/Internet ISOLATED from VPN.

A picture is worth a thousand words.



I tried the bridge adapter, which I thought would do the trick, but I can't access any network resource when the Cisco VPN is connected.

[sle118]

I was expecting a smart and quick response to this... I guess it's a complicated question after all?

Too bad I have to stick with Virtual PC 2007 for now, which does exactly that when bridging the network adapter...

[boogybren]

Are you using the IPSEC or SSL client?

Also, do you have a full or split tunnel?

I have a full tunnel with the ssl client. My host OS is Ubuntu 10.04 and my guest OS is Win7x64. If I NAT, I am forced through my VPN tunnel. If I bridge and bind it to my active host interface (currently wlan0), it bypasses my host vpn interface and routes me directly to the cloud, despite having a full tunnel.

HTH.

Brenden

[sle118]

My host OS is Ubuntu 10.04 and my guest OS is Win7x64.

I am in the opposite situation, where the Host is Vista 32 and the guest is Ubuntu. Running the VPN on the Host and trying to have the guest go directly to the cloud.

[boogybren]

If I bridge and bind it to my active host interface (currently wlan0), it bypasses my host vpn interface and routes me directly to the cloud, despite having a full tunnel.

Make sure your Ubuntu guest's network adapter is in bridge mode and bound to your actual ethernet adapter and not your VPN adapter.

Connect your host to the VPN and start your guest. See if that works.

Brenden

[bqbauer]

The IPSec client has a built-in firewall on Windows platforms prior to Vista and the VPN admins can push a policy to it that is effective only when connected via VPN. Doesn't sound like your problem since you're having success with VPC.

If you're running VPN on the host, Cisco VPN will break the access of the guests using bridged networking, but NAT networking will actually let the guests access the VPN. I do it, it works.

If you want to use VPN on the guest, it doesn't matter which VPN client nor the network type (NAT or bridged).

For the host and guest to talk with VPN running, you need to enable the "Local LAN Access" feature. With the AnyConnect SSL client, open it and click the gears icon next to the hostname for the VPN system. Check the box for "Enable Local LAN Access", close that window, then connect. All settings can be reset by those in control of the VPN, however. This setting will not let your bridged guest past the host when VPN is on.

<edit>

I misread your first post. However, if you're using VPN on the guest the above config change still applies. As I stated, NAT or bridged won't matter on the guest. You don't need two interfaces configured.

[sle118]

If I bridge and bind it to my active host interface (currently wlan0), it bypasses my host vpn interface and routes me directly to the cloud, despite having a full tunnel.

Make sure your Ubuntu guest's network adapter is in bridge mode and bound to your actual ethernet adapter and not your VPN adapter.

Connect your host to the VPN and start your guest. See if that works.

Brenden

It's been a while since I attempted this. I took the latest Virtual Box package today and this prompted me to try again.

The guest interface gets an IP address

Code: Select all

eth1      Link encap:Ethernet  HWaddr 08:00:27:13:87:dc  
          inet addr:192.168.0.115  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe13:87dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2736 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1333 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:454259 (454.2 KB)  TX bytes:194766 (194.7 KB)
          Interrupt:10 Base address:0xd020 

It can also connect to the internet when the VPN is not active on the host.

As soon as the VPN is connected on the host, it is no longer possible to access any network resource from the guest.

Code: Select all

MyUser@Ubuntu-Virtual:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17135ms

note that the interface is capable of reaching the DHCP server... possibly because broadcasts are used in this case?