Jmp Start

…where the Geek shall Inherit the Word

SafeNet SoftRemoteLt on Windows 7

Posted by CKret on September 16, 2009

At our company we use SafeNet’s SoftRemoteLT VPN solution for secure communication with our DB servers.
In Windows XP and Vista this works fine.

Since the release of Windows 7 RC I’ve tried to get SoftRemoteLt working but have had no luck.
That is until now…

In this post I will show you how to configure Windows 7 and Virtual Windows XP Mode to route VPN traffic through XP.

First you need to make sure you’ve got the prerequisites:
(Instructions for prerequisites are not covered by this post.)

  • Windows 7 Professional or Ultimate
  • Intel® Virtualization Technology or AMD-V™ feature is enabled in BIOS
    Microsoft issued an update that eliminates this prerequisite. See KB977206.
  • Windows Virtual PC RC
  • Windows XP Mode RC
  • SafeNet SoftRemoteLt installed on Virtual Windows XP.
    These instructions should work for other clients as well.
  • Make sure Internet and VPN are working.

(Windows Virtual PC RC and Windows XP Mode RC can be downloaded from here.)

There are several things we need to configure on both Windows 7 (host) and Windows XP Mode (guest):

  1. Add a Loopback adapter to the host.
  2. Configure the Loopback adapter.
  3. Add a Virtual adapter to the guest.
  4. Configure the Virtual adapter.
  5. Disable Internet Connection Sharing and Firewall on the guest.
  6. Enable routing on the guest.
  7. Configure routing on the guest.
  8. Configure routing on the host.

Let’s get started then.

Add a Loopback adapter to the host

For the host to utilize the VPN located on the guest we need more than unidirectional communication.
VPN traffic goes from the host to the guest, through the VPN and out on the Internet.
When receiving data the guest needs to be able to route it back to the host.
Therefore we need another communication channel.

  • Open up Device Manager and right click the root node.
  • Select “Add Legacy Hardware” then click “Next”.
  • Select “Install the hardware that I manually select from a list (Advanced)” and click “Next”.
  • Select “Network Adapters” then click “Next”.
  • In the left pane select “Microsoft”.
  • In the right pane select “Microsoft Loopback Adapter” then click “Next”.
  • On the confirmation screen click “Next”.
  • When the installation is finished, click “Finish”.

Now you should have a new network adapter in the Network Connections.

Configure the Loopback adapter

Now it’s time to choose a subnet and IP address for your network connection.
I chose a subnet that wouldn’t collide with my home or work networks.

192.168.199.199 with subnet mask 255.255.255.0

  • Open up the Network Connections.
  • Find the new network adapter.
    Mine is called “Local Area Connection 4”.
  • Right click the icon and select “Properties”.
  • Select “Internet Protocol Version 4 (TCP/IPv4)” then click “Properties”.
  • Select “Use the following IP address”.
  • Enter the IP address and subnet mask and click “OK”.
  • Click “OK”.

We’re almost done configuring the host. However, before we can finish we will configure the guest.

Add a Virtual adapter to the guest

Before we start you’ll need to shut down Windows XP Mode completely. Hibernation will not work.

  • Open up Virtual Machines.
  • Select “Windows XP Mode”.
  • Click “Settings”.
  • Select “Networking”.
  • Set the number of network adapters to 2.
  • For the second adapter, select “Microsoft Loopback Adapter” then click “OK”.

Moving on…

Configure the Virtual adapter

For the Virtual Adapter we should now choose an IP address in the same range as we chose before:

192.168.199.200 with subnet mask 255.255.255.0

  • Start Windows XP Mode.
  • Open up Network Connections.

You should now see two connections. Mine are called “Local Area Connection” and “Local Area Connection 2”.
The first one is your “Internet Connection” and the second one is the “Loopback Connection”.

  • Right click your “Loopback Connection” then select “Properties”.
  • Select “Internet Protocol (TCP/IP)” and click “Properties”.
  • Select “Use the following IP address”.
  • Enter the IP address and subnet mask and click “OK”.
  • Click “OK”.

Disable Internet Connection Sharing and Firewall on the guest

We need to create our own routing and we do not want Windows to interfere with our setup.

  • Open “Services”.
  • Find “Windows Firewall/Internet Connection Sharing (ICS)”.
  • Right click the node and select “Properties”.
  • Set “Startup type” to “Disabled” then click “Stop”.
  • Click “OK”.

Don’t close “Services” just yet.

Enable routing on the guest

To enable routing we need to do two things:

  • Start RegEdit.
  • Find the key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters” and, under it, the value “IPEnableRouter”.
  • The default value should be “0x00000000”, change it to “0x00000001”.
  • Close RegEdit.
  • Back in “Services” find “Routing and Remote Access”.
  • Right click the node and select “Properties”.
  • Set “Startup type” to “Automatic” then click “Start”.
  • Click “OK”.

You may now close “Services”.
At this point you might need to restart Windows XP Mode.

Configure routing on the guest

In this step we’ll set up the routing needed for the host to be able to communicate through the guest’s VPN.

  • Start a “Command Prompt”.
  • Enter “netsh routing ip nat install”.
    This will install NAT routing.
  • Enter “netsh routing ip nat add interface "Local Area Connection" full”.
    This will route traffic through your “Internet Connection”.
  • Enter “netsh routing ip nat add interface "Local Area Connection 2" private”.
    This will route traffic through your “Loopback Connection”.

Guest is done! Only one more thing to do.

Configure routing on the host

You’ll need to know which subnet your VPN network is using.
We will configure the routing so that all traffic meant for your VPN network goes through the “Loopback adapter”.
Let’s say your VPN subnet is

172.16.16.0 with netmask 255.255.255.0

  • Start a “Command Prompt” as Administrator. (Run as Administrator).
  • Enter “route -p add 172.16.16.0 mask 255.255.255.0 192.168.199.200”
    Note that 192.168.199.200 is the IP address of the guest’s Virtual Adapter we set earlier.

All done.

From now on all you need to do is start SoftRemoteLt from the “Windows Virtual PC” folder in the Start Menu and you’re all set.
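
An added example (not part of the original post, and not SafeNet or Microsoft tooling): a Python preflight check for the addressing plan used in the steps above. It verifies that both masks are real netmasks, that the guest adapter is on the host's loopback subnet, and that the loopback subnet does not collide with the VPN or other networks, then prints the host route command. It also replaces the typographic quotes that a browser copy/paste puts around interface names. The function names and the in_use parameter are hypothetical.

```python
import ipaddress

# Typographic quotes that a browser copy/paste carries into the console.
SMART = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})

def straighten(command):
    """Return the command with typographic double quotes replaced by ASCII."""
    return command.translate(SMART)

def is_netmask(mask):
    """True if mask is contiguous ones then zeros, e.g. 255.255.255.0."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def check_plan(host_ip, guest_ip, link_mask, vpn_net, vpn_mask, in_use=()):
    """Return (problems, host_route_command) for the post's addressing plan."""
    problems = []
    for name, mask in (("loopback", link_mask), ("VPN", vpn_mask)):
        if not is_netmask(mask):
            problems.append(f"{name} mask {mask} is not a valid netmask")
    if problems:
        return problems, None
    link = ipaddress.ip_network(f"{host_ip}/{link_mask}", strict=False)
    host, guest = ipaddress.ip_address(host_ip), ipaddress.ip_address(guest_ip)
    if guest not in link:
        problems.append(f"guest {guest} is not on the loopback subnet {link}")
    if host == guest:
        problems.append("host and guest loopback addresses are identical")
    try:
        vpn = ipaddress.ip_network(f"{vpn_net}/{vpn_mask}")  # rejects host bits
    except ValueError:
        problems.append(f"{vpn_net} is not a network address for {vpn_mask}")
        return problems, None
    # The loopback subnet must not overlap the VPN or any network already in use.
    for other in (vpn, *map(ipaddress.ip_network, in_use)):
        if link.overlaps(other):
            problems.append(f"loopback subnet {link} collides with {other}")
    if problems:
        return problems, None
    return [], f"route -p add {vpn.network_address} mask {vpn.netmask} {guest}"

if __name__ == "__main__":
    # Values from the post; the in_use network is a constructed sample.
    print(check_plan("192.168.199.199", "192.168.199.200", "255.255.255.0",
                     "172.16.16.0", "255.255.255.0", in_use=["192.168.1.0/24"]))
```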

26 Responses to “SafeNet SoftRemoteLt on Windows 7”

  1. Pedro said

    thanks for the info.
    Precious information

    BR
    Pedro

  2. SteveE said

    Hi,
    Excellent article! My company uses Safenet Netscreen Remote (10.8.3) and they are not planning on releasing a Windows 7 supported version. I was able to go through your entire tutorial perfectly, and I can fire up my VPN client from the virtual applications folder and connect ok – but for some reason my traffic is not reaching the secure domain inside the VPN tunnel. I followed your steps verbatim, and everything seemed to work ok. Is it possible that there is something with my VPN configuration that is specifically disallowing the loopback mechanism? Any other thoughts on how I can verify my routing or troubleshoot the issue? Any ideas/suggestions are highly appreciated!

    Thanks
    SteveE

    • Christopher said

      I had a similar issue, but it was solved when I uninstalled Netscreen Remote and then reinstalled it. I had a hunch that it needed to know about the second network adapter at install time to properly support it. I don’t know if that intuition was correct, but installing the VPN software *after* creating the net setup in XP Mode seems to have done the trick.

      Thank you so much, CKret!

  3. SteveE said

    Just to clarify my previous comment, I have verified that the route command is configured to the correct destination host and subnet used inside of my company’s secure domain, but ping attempts to IPs inside the secure domain are not successful….

    • Bernhard said

      Hi CKret,

      Great article! But: same problem as SteveE. Any ideas?

      Thanks
      Bernhard

    • Rodix said

      Thanks for the great guide!

      I’m having the same problem as Steve.
      The VPN tunnel connection works great, but it seems that there’s no traffic going through the tunnel (ping, rdp, etc)
      Is there any solution?

    • CKret said

      First of all: Thanks for the comments and sorry for the late reply.

      If you have followed the steps to the letter it should work.
      However, the one thing that I can remember having problems with was that at one point I specified a gateway for the loopback adapter and/or the Virtual adapter. This should not be done since we configure the routing later on.

      I’ve also read that some VPN software disables the ability to route traffic through loopback adapters. I cannot confirm or deny this since the only VPN I’ve tried is SafeNet SoftRemoteLt.

      Other than that I cannot say exactly what the problem in your cases are.

  4. mike said

    I have the same issue as SteveE. I also used Windows 7 Ultimate RC and followed the instructions above. I was able to authenticate to my SSG-5 firewall, but was not able to access any resource within the firewall.

  5. BojSin said

    Excellent! working like a charm.
    I just have to figure out how to route the DNS… not so important
    Thanks a lot for this trick!

    BojSin

  6. Leonid said

    Thank you it works perfect.

  7. Bill Chandler said

    Ckret–thanks so much for posting this. I’ve followed your instructions, and run into the same problems as other folks–can’t get into the VPN tunnel once it is established. Works fine from the XP virtual box, but the W7 box won’t look at it–I can’t even get the W7 box to ping the loopback adapter on the XP box. Still hacking like a maniac to see what I’ve missed, but I thought I’d throw that little tidbit out as well–I’m looking at my home network and anything else around here.

    Thanks again!

  8. Gordon said

    Ckret–thanks so much for your efforts. I’m having a few difficulties with the final configuration on the guest. Specifically netsh doesn’t like the interface name:

    command:
    C:\Documents and Settings\XPMUser>netsh routing ip nat add interface “Local Area
    Connection” full

    response:
    The interface ‘”Local’ does not exist.
    An interface with this name is not registered with the router.

    Is there some other trick I’m missing?

    Thanks.

    • Gordon said

      Oops – problem solved. I was cutting and pasting the text from my browser. It turns out that the ” double quotes were the wrong character. So by deleting and replacing the double quotes I was able to get the command shell to interpret them correctly.

      • CKret said

        Good job!
        Did you get everything to work?

        To anyone else reading this blog post:
        You’ll need to use the names of the network connections that your copy of Windows 7 or Windows XP Mode provides.
        The ones mentioned in the post are relevant to my setup and might be totally different on your systems.
        If you are using another language then this is most certainly true.

  9. Rune said

    When trying to add the persistent route on my host system I get this error:

    The route addition failed: The parameter is incorrect

    Any ideas on what I am doing wrong?
    I am using this command, route -p add xx.xx.xx.xx mask 25.25.25.0 192.168.3.2

    (xx is of course to be swapped with my VPN IP address)

    • CKret said


      I am using this command, route -p add xx.xx.xx.xx mask 25.25.25.0 192.168.3.2

      Your netmask is wrong. It should be 255.255.255.0 (not 25.25.25.0).
      Also make sure that 192.168.3.2 is the IP address of the guest’s Virtual Adapter you configured in step 4.

  10. Jetmike said

    I have followed to the T. I was able to authenticate but not pass traffic prior to the changes from both 7 and the guest XP and all the same after the changes. Tracert goes nowhere. The SafeNet adapter adds the required route in the guest as per route print. I really only need this on the guest as a support measure.

  11. Jack said

    Ok here is the fix.
    It’s now working in my Windows 7 Ultimate laptop.

    1. Stop the Volume Shadow Copy service (VSS) (which prompted an error message when I tried to install the client)
    2. Install Juniper Client and ignore the error messages about the virtual adapter
    3. Restart your PC
    4. If Microsoft IKE and IPSec services are running, stop them
    5. Import your Security Policy
    6. Startup the Service SafeNet IKE Service
    7. Connect to your network

  12. Jaap said

    Thanks for the info, we used it for a while and it worked.

    Recently we were pointed at the free Shrew Soft VPN Client (http://www.shrew.net) as an alternative for the SafeNet client. It’s compatible with Windows 7.
    We use it now with our Juniper SSG and Juniper Netscreen devices with no problems.

    Regards,

    Jaap

  13. Hi,

    in the last command…

    Enter “route -p add 172.16.16.0 mask 255.255.255.0 192.168.199.200”

    what is supposed to be the “172.16.16.0” ip?

    Thanks for the tutorial on setting this up

  14. Mark said

    Hi there CKRet,

    Thanks for posting such a great article. I have really very little Windows routing experience and I could follow your instructions with ease alas I’ve been through the procedure a couple of times now and have been unable to get the desired result. I can connect to my company’s VPN from XP mode alright but alas I can’t seem to pipe the traffic from Windows 7. In fact the host (Win 7) doesn’t even seem to be able to see the Guest loop back adapter. I should be able to ping 192.168.199.200(Guest loopback) right from the host (Win 7)?

    Thanks again for this article. There were a number of articles out there seem to go into as much depth as yourself when discussing setting up the loopback adapters, but for the part where you need to tie the host and the guest together with the NAT routing they gloss over it. Thanks for going into such detail.

    Thanks,
    Mark.

  15. Doomhammer said

    Good Morning,

    I’m French and I am trying to configure SoftRemote with your tutorial.
    Thanks for your tutorial.

    I have a problem, I can’t ping the VPN address with the host. The VPN on the guest is good.
    I respected the parameters. Do I add any route?

    Thanks in advance and sorry for my bad English language…

  16. Mark Gargan said

    Hey CKret,

    Thanks for putting the above howto together. The amount of detail it contained was spot on for a Windows networking newbie like myself. I’ve followed the above to a tee but I’m still struggling to get it going. I’m working on Windows 7 with Virtual XP mode installed. I’m accessing a Netgear VPN in work with ProSafe VPN client. I can ping the loopback adapter in both the host and the guest but only FROM the host and the client respectively. i.e. 192.168.199.199 is pingable from the host and 192.168.199.200 is pingable from the guest. Alas I can’t ping the host’s loopback from the guest and vice versa. When I do a netstat -an in either mode I can see the loopback adapter associated with the mode I’m in but not the other’s mode. The problem seems to be the networking between Windows 7 and the XpMode. I connect out to the internet wirelessly and in the networking tab of the XP modes settings I have the first network adapter set to Shared NAT and the second is the loopback adapter.

    Sometimes when I ping a work address from the host I get the following error
    Reply from 192.168.199.199: Destination host unreachable.
    Request timed out.

    Which I think is a bit strange as on the host side, work IP addresses are mapped with the mask of 255.255.0.0 to the guest loopback adapter 192.168.199.200 so I can’t really see where the host’s loopback adapter is coming into play?

    Any help would be greatly appreciated,
    Mark.

  17. Hello my name is Anthon, I really liked your article! Nice work

  18. conrad said

    Hello, thanks for this tutorial. It really helped me… I have a problem. From the guest I can connect via VPN to my company network also using SoftRemote. When I go on the host (Win7) I can load SoftRemote from the virtual machine but when I launch the VPN connection from Win7 it doesn’t work as it requests a valid certificate from me. It seems that it does not “see” the connect SoftRemote.. Can you pls help?
    Thanks
