Originally Posted by err0s
Nope - if the end device is getting a 10.x.x.x address from the hotspot's DHCP, and the VPN's end node you are trying to connect to is another 10.x.x.x, then you definitely have a problem. When the client tries to connect to a 10.x.x.x, it's going to look in its local route tables and not through the tunnel.
Stevew gives a great description of how two VPN gateways negotiate and encrypt (PHASE 1), but does not address the tunnel creation between the endpoints/nodes (PHASE 2).
What is needed is a way to change the IP address the hotspot issues to the host, and unfortunately the current code does not supply a user-friendly way to adjust this. Using 10.0.0.1 is extremely short-sighted, as it conflicts with a good 90% of the corporate IP addressing schemes I've run into.
No no no - when the hotspot is in use, the WAN address of the BB is the ONLY thing the tunnel will see, not the Hotspot LAN IP on the connected device, so it doesn't matter which address/subnet the device is getting, unless I'm missing something here.
I use my Macs through a VPN tunnel with the 10.x.x.x BB-assigned address, but the address the tunnel sees is the BB's WAN address, not the HotSpot LAN IP handed out to the Mac. I only had to create an L2TP VPN to do this...which is what I said above. This is why I said what I said above - you have to create a VPN that will support user authentication. What happens in this case, with our SonicWalls/FortiGates, is that the BB WAN IP will get a private IP address assigned by the firewall, regardless of the 10.x.x.x address handed out to the connected devices.
I can traverse the IPsec VPNs all day long using the L2TP VPN. I don't see where there's an issue, except if the OP doesn't have the capability to set it up, but even if that were the case, I'm sure there's a network admin somewhere in that equation?
Not sure why the 10.x.x.x address is a problem, since it never gets transmitted beyond the HotSpot...but maybe I'm just not getting where the issue is?
This DOES work - I use it all the time and I'm the one who set it up.
I think you're forgetting that the private address of the device or the BB is irrelevant, since the BB is a WAN assigned IP router connecting through the firewall VPN. That being said, unless the BB had a 192.xxx.xxx.xxx WAN IP, or whatever the firewall is configured for, it would always have to be configured to connect. The key here is that the OP is tethering --
There is no way short of creating a user-authenticating VPN to do this, given that we never know what the WAN IP of the Bold will be on any given day. I'm not a vastly experienced firewall expert, and perhaps I am missing something here, so if I'm wrong, I stand corrected. I just know enough to be dangerous...LOL
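The route-table behaviour err0s describes (the client picking the most specific local route over the tunnel's route) as an added example written for this thread, not code from either poster; the interface names, the hotspot's 10.0.0.5/24 lease and the VPN's 10.0.0.0/8 route are constructed sample values:

```python
from ipaddress import ip_address, ip_network

# Constructed route table: default via the cellular link, the hotspot's /24 on Wi-Fi,
# and the corporate 10/8 pushed by the VPN client onto the tunnel interface.
ROUTES = [
    ("0.0.0.0/0", "wwan0"),    # default route (cellular WAN)
    ("10.0.0.0/24", "wlan0"),  # hotspot LAN the device was leased into
    ("10.0.0.0/8", "tun0"),    # remote corporate network reachable via the VPN
]


def select_route(routes, destination):
    """Longest-prefix match: return (network, interface) the host would use for destination."""
    dst = ip_address(destination)
    best = None
    for network, iface in routes:
        net = ip_network(network)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def overlapping_prefixes(local_cidr, vpn_cidrs):
    """VPN prefixes that the locally leased subnet shadows (those hosts never enter the tunnel)."""
    local = ip_network(local_cidr, strict=False)
    return [c for c in vpn_cidrs if local.overlaps(ip_network(c))]


if __name__ == "__main__":
    for dst in ("10.0.0.50", "10.5.1.2", "8.8.8.8"):
        print(dst, "->", select_route(ROUTES, dst))
    # 10.0.0.50 is a corporate host, but the hotspot's /24 wins and the packet stays on wlan0.
    print("shadowed:", overlapping_prefixes("10.0.0.5/24", ["10.0.0.0/8", "192.168.50.0/24"]))
```

Re-running with the hotspot moved to an unused range (e.g. 172.20.3.7/24) returns no overlaps, which is the fix err0s is asking the hotspot firmware to allow.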