Wingate VPN and clients with dynamically assigned IP

Forum for all technical support and trouble shooting of the WinGate VPN.

Moderator: Qbik Staff

Postby Rigord » Sep 07 04 10:51 pm

I now have a remote VPN client whose IP address is dynamically assigned by its ISP. The VPN host is behind a NAT router. Norton Internet Security is installed on the VPN server, allowing connections only to/from computers on local subnets (192.168.X.x). My question is, how can I grant the remote client access to the VPN server, knowing that connections won't be authorized because of its dynamic IP address (I cannot authorize it with NIS simply because I don't know it in advance)? Is there a way to have the VPN server allocate a local IP address to the remote client during the VPN session? Would the DHCP service be of any help?
Rigord
 
Posts: 5
Joined: Sep 03 04 10:38 pm

Postby Lt_Flash » Sep 07 04 11:48 pm

How can a remote computer connect to your server when the firewall allows only connections from local nets? The VPN host must have a public IP visible to any computer on the Internet, allowing it to connect. You can open just port 809 in your firewall and your clients will connect to the VPN host, and then they see all your local net.
Lt_Flash
 
Posts: 21
Joined: Jul 13 04 8:30 pm

Postby Rigord » Sep 08 04 12:34 am

That's exactly what I'm saying. The remote client can't connect to my VPN server if it doesn't have a local IP during the VPN session. A Windows 2000 VPN server can temporarily allocate a local IP address to the client. I was wondering if WinGate VPN could do that.

My server is behind a router on which port 809 is opened. There is no connection problem if the client is itself in a LAN with a fixed local IP (though in a different subnet than the VPN host) (see my previous post). This works because I can pre-approve the client's IP address in Norton Internet Security. But in the case of a client with a dynamic IP, what should I do?
Rigord
 
Posts: 5
Joined: Sep 03 04 10:38 pm

Postby Lt_Flash » Sep 08 04 12:41 am

But the remote computer won't have a fixed IP!! And it will be public! So, your firewall won't pass that connection. WinGate has DHCP built in and it can assign a local IP for the remote computer, but first of all the remote computer must sneak into your local net, which is not possible because of the firewall block.
I believe that the problem is because of the public IP of the remote computer. Let's assume it's 195.23.45.67. Your router is 195.1.1.1 with port 809 open. Is your WinGate server local or is it on the router? If it is on the router, then it has the 195.1.1.1 IP. But we have a firewall on the same 195.1.1.1, which allows only 192.168.0.0 network traffic to pass. So, when our 195.23.45.67 tries to connect, it will use 195.1.1.1 as the destination. It can't use a local IP like 192.168.1.1 because it's not visible from the Internet. So, your firewall won't pass this connection. But you can use NAT on the router and a mapped port to allow access to WinGate on any computer in your local net. You should map port 809 on the router to WinGate's local IP (192.168.1.1:809 for example). And then any remote computer that tries to enter your network has to connect to 195.1.1.1, actually connecting to 192.168.1.1.
Lt_Flash
 
Posts: 21
Joined: Jul 13 04 8:30 pm

Postby Rigord » Sep 11 04 1:48 am

Flash, I fully understand. However, I think I did not make myself clear enough. My remote client with dynamic IP can access my VPN server located behind my LAN router. The problem is with the firewall software on the VPN server. To add security, I configured it to let only pre-approved local IPs connect to the VPN server. Which means local LAN clients can connect to the VPN server, and remote VPN clients located in a remote LAN (with a fixed local IP address, I insist) can connect to the VPN server as well. Now, because deactivating the firewall software on my VPN server is out of the question, I still have the problem of connecting a remote client that does not have a fixed local IP.

The bottom line is, this remote client cannot be connected to the VPN network because the local software firewall installed on the VPN server (not on the router) can't have the remote client in its pre-approved list, and I understand now that because it can't sneak onto the local network, it cannot be assigned an IP by the WinGate DHCP service.

What should I do?
Rigord
 
Posts: 5
Joined: Sep 03 04 10:38 pm

Postby adrien » Sep 22 04 5:38 pm

Is there a way where you can enable in your office firewall to allow any packets coming from the MAC address of the WinGate VPN server?

Then you would be able to allow in anyone who can satisfy WinGate's security requirements (i.e. SSL connection, X.509 certificate, validated client, and twofish 128-bit key encrypted tunnel packets), since WinGate will only forward VPN packets which pass its validation.

Then it wouldn't matter what the remote IP was, if it was coming in from a VPN connection, you would trust it since it would have the WinGate machine's MAC address, and if it was coming from somewhere else, you wouldn't.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
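The three ideas argued over in this thread (a router port mapping for 809, a host firewall that approves only 192.168.x.x sources, and adrien's "trust frames from the WinGate machine's MAC" rule) can be walked through with a small packet-flow model. This is an added example, not code from WinGate, Qbik, or anyone in the thread; the IP addresses and port are the ones the posters used, the MAC address is a constructed placeholder, and the firewall policies are simplified stand-ins for what NIS actually does.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Addresses taken from the thread. The MAC is a constructed placeholder.
ROUTER_PUBLIC_IP = ipaddress.ip_address("195.1.1.1")
WINGATE_LAN_IP = ipaddress.ip_address("192.168.1.1")
WINGATE_VPN_PORT = 809
WINGATE_MAC = "00-00-5e-00-53-01"  # constructed, not a real device
# Rigord's NIS rule: "computers on local subnets (192.168.X.x)"
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_mac: Optional[str] = None  # Ethernet source as seen on the last hop


def router_port_forward(pkt: Packet) -> Optional[Packet]:
    """Lt_Flash's NAT mapping: public 195.1.1.1:809 -> WinGate's LAN address.
    Only the destination is rewritten; the public source IP survives untouched,
    which is exactly why the host firewall still sees a non-local address."""
    if (ipaddress.ip_address(pkt.dst_ip) == ROUTER_PUBLIC_IP
            and pkt.dst_port == WINGATE_VPN_PORT):
        return replace(pkt, dst_ip=str(WINGATE_LAN_IP))
    return None  # no mapping for anything else, so the router drops it


def is_local_source(pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src_ip)
    return any(src in net for net in LOCAL_SUBNETS)


def host_firewall_ip_only(pkt: Packet) -> bool:
    """Rigord's policy: only pre-approved local subnets may reach the VPN server."""
    return is_local_source(pkt)


def host_firewall_trust_wingate_mac(pkt: Packet) -> bool:
    """adrien's suggestion, modelled as a LAN host's firewall: accept local sources,
    plus any frame whose source MAC is the WinGate machine, i.e. traffic WinGate
    has already validated (SSL, certificate, encrypted tunnel) and forwarded."""
    return is_local_source(pkt) or pkt.src_mac == WINGATE_MAC


def trace_from_internet(pkt: Packet, host_firewall: Callable[[Packet], bool]) -> str:
    """Follow a packet from the Internet through the router to the VPN host's firewall."""
    forwarded = router_port_forward(pkt)
    if forwarded is None:
        return "dropped by router (no port mapping)"
    if not host_firewall(forwarded):
        return f"dropped by host firewall (source {forwarded.src_ip} not approved)"
    return f"delivered to {forwarded.dst_ip}:{forwarded.dst_port}"


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread.
    remote = Packet("195.23.45.67", "195.1.1.1", 809)
    print("dynamic-IP client, IP-only rule :", trace_from_internet(remote, host_firewall_ip_only))
    print("same client, unmapped port      :",
          trace_from_internet(replace(remote, dst_port=80), host_firewall_ip_only))
    lan_peer = Packet("192.168.0.20", "192.168.1.1", 809)
    print("LAN peer, IP-only rule          :", host_firewall_ip_only(lan_peer))
    via_wingate = Packet("195.23.45.67", "192.168.0.20", 445, src_mac=WINGATE_MAC)
    print("tunnelled frame via WinGate MAC :", host_firewall_trust_wingate_mac(via_wingate))
    spoof_free = replace(via_wingate, src_mac="00-00-5e-00-53-99")
    print("same IP, other MAC              :", host_firewall_trust_wingate_mac(spoof_free))
```

The model makes the thread's conclusion concrete: the port mapping gets the packet to the WinGate host, but a source-IP whitelist on that host cannot admit an address it does not know in advance. The MAC-based rule sidesteps the question by trusting the gateway that already authenticated the tunnel rather than the client's address; note that it only distinguishes the last hop on the local segment, so it is a "trust what WinGate forwards" rule, not an identity check on the remote client itself.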
