From: Lewis G Rosenthal <lgrosenthal@2rosenthals.com>
To: lartc@vger.kernel.org
Subject: Routing recommendations for sharing VPN connection between VBox guest and host
Date: Thu, 29 Aug 2013 23:55:37 +0000
Message-ID: <521FDF79.8020908@2rosenthals.com>
Greetings, all.
If I could pick the collective brain for a moment, I'd like to solicit
some thoughts as to how I might approach the following scenario:
I have a client who requires VPN access from OS/2 (eComStation) to an
IBM zOS image, using the TN3270 client (and associated applications
require OS/2 on the client side). The VPN connection is a Cisco
AnyConnect, which is supported by openConnect on Linux, but for which
there is no OS/2 client (as far as I know, and I do a considerable
amount of OS/2 consulting).
His SonicWALL router predates the SSL-capable units, doing only IPSec,
and while we are on site-to-site IPSec VPN between us, and my Astaro
Security Gateway (now Sophos UTM) can connect and then route the traffic
through for him, I'm looking to create more of a self-contained solution
for him. So...
My idea is to install Ubuntu 12 (or openSUSE; I'm a Novell guy, so SUSE
is more familiar to me) as a VirtualBox guest under the OS/2 host (yes,
we do have VirtualBox support for OS/2). Using openConnect, assuming it
works similarly to other SSL VPNs I've used on Linux, it should create a
ppp0 interface upon connection. My thinking is to enable forwarding
between interfaces (I would configure the guest to use bridged
networking, so that host and guest are on the same subnet), and then on
the OS/2 side, build a few static routes in the table to direct traffic
from the host machine destined for the protected remote subnet(s)
through the Linux guest. I only need IPv4 support (OS/2 does not have an
IPv6-aware stack, anyhow).
My initial tests (using a Fortinet SSL VPN connection to a test network,
only because it was convenient) would not allow the traffic to pass
(after configuring the ppp0 IP as a destination host via the guest's
IP, and testing ping, attempting to add the remote protected subnet
yielded me the dreaded "SIOCADDRT: network unreachable" on the host; the
OS/2 IP stack was ported from BSD 4.3, IIRC, so it's pretty standard).
I'm thinking that there's something else I need to do on the guest side
(under Linux, which is why I'm posting this here) to enable forwarding.
Do I need to masquerade the ppp0 interface?
Any and all thoughts are welcome.
TIA
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, RTRP, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
Need a managed Wi-Fi hotspot? www.hautspot.com
Warpstock 2013 - Atlanta, GA - Oct 4-6 www.warpstock.org
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
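The guest-side forwarding and NAT rules the post asks about, with the matching host route, as an added example that is not part of the original message or of OpenConnect/VirtualBox. Interface names and all addresses (LAN 192.168.1.0/24, host 192.168.1.10, guest 192.168.1.50, remote subnet 10.20.0.0/16) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the post): rules for the Linux VirtualBox guest so
# the OS/2 host can reach the protected subnet through it, plus the host route.
# All addresses below are constructed for illustration.
LAN_IF=eth0            # bridged interface inside the guest
VPN_IF=ppp0            # as assumed in the post; use whatever the client creates
HOST_IP=192.168.1.10   # OS/2 host on the bridged LAN
GUEST_IP=192.168.1.50  # Linux guest on the same LAN
REMOTE_NET=10.20.0.0/16
REMOTE_MASK=255.255.0.0

# Commands to run as root on the guest. Forwarding is restricted to the OS/2
# host's address and the protected subnet, with replies matched by conntrack,
# so nothing else on the LAN can use the guest as a relay into the VPN.
# MASQUERADE is needed: the VPN side only knows the address assigned to
# $VPN_IF, so packets carrying the host's LAN source address would get no
# return route unless they are rewritten to the tunnel address.
guest_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $HOST_IP -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $REMOTE_NET -d $HOST_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o $VPN_IF -d $REMOTE_NET -j MASQUERADE
EOF
}

# Route for the OS/2 host (BSD-style route(1) argument order, assumed; check
# it against the OS/2 route command). The gateway must be an address on a
# directly connected subnet, which is why the guest is bridged: a gateway the
# host has no interface route to is refused with "network unreachable".
host_route() {
    printf 'route add -net %s %s -netmask %s\n' \
        "${REMOTE_NET%/*}" "$GUEST_IP" "$REMOTE_MASK"
}

# Apply the guest rules when run as root on the guest; otherwise just print
# them for review. Usage: . ./vpn-relay.sh; apply_guest_rules; host_route
apply_guest_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        guest_rules | sh -e
    else
        guest_rules
    fi
}
```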