[VPN] A puzzle for you experts

Lonnie Borntreger vpn at borntreger.com
Sat Jan 31 03:44:41 EST 2004


I'm looking for a solution.  I've gone through over 3000 of the 4000+
archived messages for this list, and haven't seen anything quite like my
situation...

I have the following set up.

------------                                   ------   --------
| multiple |  ------------   -----------       |SOHO|   |Office|
| Windows  |->| Internet |-->|Cable NAT|------>|NAT |-->|Linux |
| clients  |  ------------   ----------- cable ------   |Server|
------------       ^                      ISP           --------
                   |                                   /
                --------                              /
                |Public|                             /
                |Linux |<- - - - - - - - - - - - - -
                |Server|        ssh rstunnel
                --------

Basically, the SOHO is behind a self-controlled NAT appliance (can do
pass-through), but it is also behind the cable network's NAT appliance
(cannot control/set up pass-through).

I have access to a server on the Internet proper, and have an ssh based
tunnel set up between the internal Linux server and it for
administration purposes.  Now we want to set up something to allow some
external Windows (2000 pro and XP pro) clients to connect into the
network.

I have VPN server software all set up on the Office Linux server, but
since we can't do direct access or pass-through to it, I tried to come
up with a way to proxy a connection through the public server, through
the ssh tunnel, to the internal network.

I tried PPTP until I discovered the protocol will not support this mode
of operation, and, if I understand correctly, IPsec will not allow this
either.

So, basically, I'm looking for some inventive way to do this.  It has to
support 1-4 (with room for growth) simultaneous connections to fit our
needs.  It does not need to support domain logins.

If this can't be done, that would also be valuable information - and
then we'll look into changing our ISP service to a more expensive
non-NAT'd setup. I just wanted to give the experts out there a shot at
coming up with something first.

Thanks for any ideas,
Lonnie Borntreger
IT Director: Life Journey Christian Church
Owner: Borntreger Information Technology Services
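Added example, not part of the original post: the reverse ssh tunnel the diagram labels "ssh rstunnel", written as a small POSIX sh script that extends it to expose one TCP listener from the Office Linux server on the public server. Because the Office box sits behind two NATs, the tunnel has to be originated from the inside with `ssh -R`; for the Windows clients to reach the forwarded port from the Internet, the public server's sshd must have `GatewayPorts yes` (or `clientspecified`), otherwise `-R` silently binds to loopback only. The script includes a check for that directive. The host name `public.example`, the user `tunnel`, the port `5000` and the sshd_config path are placeholders, not values from the post. Note that `ssh -R` carries a single TCP port and nothing else (no GRE, no ESP, no UDP), so whatever is placed behind it must be a TCP service.

```shell
#!/bin/sh
# Added example: reverse ssh tunnel from the (double-NAT'd) Office Linux
# server to the public Linux server, exposing one TCP port there.
# Host, user and ports below are assumed placeholders.
PUBLIC_HOST="${PUBLIC_HOST:-public.example}"   # assumption: public server's name
TUNNEL_USER="${TUNNEL_USER:-tunnel}"           # assumption: unprivileged account on it
REMOTE_PORT="${REMOTE_PORT:-5000}"             # assumption: port clients connect to
LOCAL_PORT="${LOCAL_PORT:-5000}"               # assumption: TCP service on the Office box

# Build the ssh argument list for the reverse tunnel.
#   -N                      no remote command, forwarding only
#   ExitOnForwardFailure    die (so the loop restarts) if the -R bind fails
#   ServerAlive*            notice a dead NAT mapping within ~90 s
#   -R 0.0.0.0:R:127.0.0.1:L  bind R on the public server, forward to L here;
#                           the 0.0.0.0 only takes effect with GatewayPorts
tunnel_args() {
    # $1 = public host, $2 = remote port, $3 = local port
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
-o ServerAliveCountMax=3 -R 0.0.0.0:$2:127.0.0.1:$3 $TUNNEL_USER@$1"
}

# Check an sshd_config for GatewayPorts. sshd uses the FIRST value it reads
# for a keyword, so take the first uncommented directive; commented lines
# ("#GatewayPorts no", the stock default) do not count.
# Returns 0 if remote forwards will be reachable from outside, 1 otherwise.
sshd_gatewayports_ok() {
    val=$(sed -n \
        's/^[[:space:]]*[Gg]ateway[Pp]orts[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' \
        "$1" | head -n 1)
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        [Cc][Ll][Ii][Ee][Nn][Tt][Ss][Pp][Ee][Cc][Ii][Ff][Ii][Ee][Dd]) return 0 ;;
        *) return 1 ;;
    esac
}

# Keep the tunnel up: the inside end must re-dial after every drop, since
# nothing on the Internet side can reach in to restart it.
# Assumes key-based login for $TUNNEL_USER is already in place.
run_tunnel() {
    while :; do
        # shellcheck disable=SC2046  (args contain no spaces; splitting is intended)
        ssh $(tunnel_args "$1" "$2" "$3")
        sleep 10
    done
}

# Usage: ./rstunnel.sh run     (on the Office Linux server)
if [ "${1:-}" = "run" ]; then
    run_tunnel "$PUBLIC_HOST" "$REMOTE_PORT" "$LOCAL_PORT"
fi
```

On the public server, `sshd_gatewayports_ok /etc/ssh/sshd_config` must succeed before the forwarded port is usable from the Windows clients; if it fails, add `GatewayPorts clientspecified` there (it only honours bind addresses the client asks for, which is the narrower of the two settings) and reload sshd. Restrict `$TUNNEL_USER` to forwarding only (no shell, a `command=` or `restrict` option on its authorized key) since that account is the only thing the outside world needs to reach.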
