Novell Border Manager VPN

Using WinRoute Pro with Novell BorderManager VPN (IPSEC)

This document describes a setup that makes it possible to connect a local network that uses NAT to share a single IP address provided by an ISP to a remote network that uses Novell BorderManager Enterprise Server for VPN connectivity.

According to the README.TXT file supplied on the installation diskette of the Novell BorderManager VPN Client,

“You cannot use NAT in the path between a VPN client and a VPN server. This is because when the IP and IPX packets are encapsulated and encrypted at the VPN client, the source IP address that is used for the encapsulation is the address of the VPN client. The IPSEC Authentication Header calculation of the packet is based on this address and the address of the destination VPN server. Therefore, if either address (the VPN client or the VPN server) is modified by NAT, the calculation will fail when it gets to the destination VPN server and the packet will be discarded. Most likely, however, NAT will drop the IPSEC packets because it only handles TCP, UDP, and Internet Control Message Protocol (ICMP) packets.

When you have workstations in an intranet that must communicate securely with networks protected by a VPN server across the Internet, we suggest you use the Novell BorderManager Enterprise Edition site-to-site VPN feature (instead of the client-to-site VPN).”

However, the Novell BorderManager Enterprise Server is very expensive for the home user. Additionally, it requires extensive setup of static routes on the remote network being accessed. The solution suggested above by Novell is therefore not feasible for someone who would like to connect a local network that uses NAT to a remote network via Novell BorderManager VPN.

Amazingly, it is possible to connect the local network that uses NAT to a remote network using WinRoute Pro and Novell BorderManager VPN Client. This configuration allows any computer on the local network to access the resources on the remote network when the VPN tunnel has been established on the router computer. No remote network configuration is required.

Below are the configuration steps for the local network.

Step 1: Install and configure Novell BorderManager VPN Client software on the computer that is going to be used as a router. Ensure that a VPN connection to the remote network can be successfully established and the resources on the remote network can be accessed.

Step 2: Install WinRoute Pro on the router computer. Follow the instructions found in the Administrator’s Guide for configuring WinRoute Pro and configuring the computers on the local network to work with WinRoute Pro. Use the regular configuration for single IP address sharing. Ensure that the resources on the Internet can be accessed from any computer on the local network.

Step 3: When you need to access the resources on the remote network, run the Novell BorderManager VPN client on the router computer and log in to the remote network.

This is made possible by the architecture of WinRoute Pro. Because it works on the IPSEC level, address translation occurs before the packet is routed to the virtual network adapter. Therefore the packets sent to the VPN server carry the real source IP address. On the way back, the packets received from the virtual network adapter pass through the address translation layer and are routed to the correct computer on the local network.
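To make both points concrete (why the README says NAT breaks a client-side tunnel, and why the order of operations described above avoids it), here is an added Python model. It is not part of the original page and is not WinRoute or Novell code. It replaces real AH (HMAC-MD5-96 or HMAC-SHA1-96 over the immutable IP header fields and the AH header) with a simplified HMAC over source address, destination address, protocol and payload, which keeps the one property that matters here: the outer source address is covered by the integrity check. The addresses, the remote host and the key are constructed for the demo, and the modelled NAT forwards only TCP, UDP and ICMP, as the README states.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed demo values (documentation address ranges, not real hosts):
LAN_HOST = "192.168.1.10"      # a workstation on the NATed local network
PUBLIC_IP = "203.0.113.5"      # the single ISP-assigned address on the router
VPN_SERVER = "198.51.100.20"   # the remote BorderManager VPN server
REMOTE_HOST = "10.0.0.7"       # a host on the remote network behind the VPN server
AH_KEY = b"constructed-demo-key"   # stands in for the integrity key the VPN peers share


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp", or "ah" (IP protocol 51)
    payload: bytes
    icv: bytes = b""  # Integrity Check Value carried in the AH header


def ah_icv(pkt: Packet) -> bytes:
    """Simplified AH integrity check: an HMAC over the immutable header fields
    (source, destination, protocol) and the payload. Real AH differs in algorithm
    and coverage, but the source address is part of the MAC input either way."""
    msg = b"|".join([pkt.src.encode(), pkt.dst.encode(), pkt.proto.encode(), pkt.payload])
    return hmac.new(AH_KEY, msg, hashlib.sha256).digest()


def vpn_encapsulate(inner: Packet, src: str, dst: str) -> Packet:
    """Tunnel one packet: the inner packet becomes the payload of an AH packet
    whose outer source is the address of the VPN endpoint doing the wrapping."""
    inner_bytes = f"{inner.src}>{inner.dst}/{inner.proto}:".encode() + inner.payload
    outer = Packet(src, dst, "ah", inner_bytes)
    return replace(outer, icv=ah_icv(outer))


def vpn_receive(pkt: Packet) -> Optional[Packet]:
    """Receiving endpoint: recompute the ICV; discard on mismatch, else unwrap."""
    if not hmac.compare_digest(pkt.icv, ah_icv(pkt)):
        return None
    header, payload = pkt.payload.split(b":", 1)
    src, rest = header.decode().split(">")
    dst, proto = rest.split("/")
    return Packet(src, dst, proto, payload)


NatTable = Dict[Tuple[str, str], str]


def nat_outbound(pkt: Packet, table: NatTable) -> Optional[Packet]:
    """Single-address NAT: only TCP, UDP and ICMP are translated; AH is dropped."""
    if pkt.proto not in ("tcp", "udp", "icmp"):
        return None
    table[(pkt.dst, pkt.proto)] = pkt.src   # remember which LAN host gets the reply
    return replace(pkt, src=PUBLIC_IP)


def nat_inbound(pkt: Packet, table: NatTable) -> Optional[Packet]:
    """Reverse translation: a reply to the public IP goes back to the LAN host."""
    if pkt.dst != PUBLIC_IP:
        return None
    lan_host = table.get((pkt.src, pkt.proto))
    return replace(pkt, dst=lan_host) if lan_host else None


def client_behind_nat() -> str:
    """README scenario: VPN client on a LAN workstation, NAT between it and the server."""
    app = Packet(LAN_HOST, REMOTE_HOST, "tcp", b"GET /")
    signed = vpn_encapsulate(app, src=LAN_HOST, dst=VPN_SERVER)
    return "delivered" if nat_outbound(signed, {}) else "dropped by NAT"


def nat_rewrite_breaks_icv() -> bool:
    """Even a NAT that forwarded AH would rewrite the source, so the ICV check fails."""
    app = Packet(LAN_HOST, REMOTE_HOST, "tcp", b"GET /")
    signed = vpn_encapsulate(app, src=LAN_HOST, dst=VPN_SERVER)
    rewritten = replace(signed, src=PUBLIC_IP)   # what NAT does to the outer header
    return vpn_receive(rewritten) is None


def winroute_order() -> Optional[str]:
    """The page's setup: translate first, then the VPN client on the router wraps
    the packet with the router's real public address, so nothing changes after
    signing. Returns the LAN address the tunnelled reply is delivered to."""
    table: NatTable = {}
    app = Packet(LAN_HOST, REMOTE_HOST, "tcp", b"GET /")
    translated = nat_outbound(app, table)              # src is now PUBLIC_IP
    signed = vpn_encapsulate(translated, src=PUBLIC_IP, dst=VPN_SERVER)
    delivered = vpn_receive(signed)                    # server side: ICV matches
    if delivered is None:
        return None
    reply = Packet(delivered.dst, delivered.src, "tcp", b"200 OK")  # answers the public IP
    tunneled_reply = vpn_encapsulate(reply, src=VPN_SERVER, dst=PUBLIC_IP)
    unwrapped = vpn_receive(tunneled_reply)            # router side: ICV matches
    back = nat_inbound(unwrapped, table) if unwrapped else None
    return back.dst if back else None


if __name__ == "__main__":
    print("VPN client on a LAN host:", client_behind_nat())
    print("NAT rewriting the outer source breaks the ICV:", nat_rewrite_breaks_icv())
    print("WinRoute order delivers the reply to:", winroute_order())
```

Running the three scenario functions shows the AH packet (protocol 51) being dropped by the NAT, a NAT that rewrote the outer source anyway producing an ICV mismatch at the server, and the translate-then-encapsulate order delivering the reply back to the LAN host. The model also makes clear why Step 3 has the VPN client run on the router rather than on a workstation: the encapsulating endpoint must be the host whose address the server sees.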

The limitations of this setup are that the VPN login must be performed manually on the router computer and that the VPN connection will time out after a period of inactivity that is set on the VPN server. Also, IPX packets are not routed even if the VPN tunnel has the IPX protocol enabled. Therefore, IPX tunneling is available only on the router computer.

Overall, this setup provides a cost-effective and convenient way to connect a local network that uses NAT to a remote network using Novell BorderManager VPN.