Wingate VPN questions

Forum for all technical support and troubleshooting of the WinGate VPN.

Moderator: Qbik Staff

Postby igoTtavPn » Sep 22 05 10:10 am

Hi

Finally got a VPN tunnel up and running via the internet (a lot more work, stress and a learning curve than expected (I've set up a Linux VPN connection in the past which I got up a lot quicker), and a Wingate MTU issue nearly killed me near the end.. lol)

Anyhows, have a few questions and am hoping someone can answer or provide a link

1) Can I limit the UDP/TCP ports and destination IP addresses that Wingate VPN will allow through? IE. I only want a user to be able to access port 5900 on computerX without having access to any other IP or ports within the subnet. In addition, I don't want any of the internal computers to get access to the remote computer

2) Trying to figure out what sort of VPN licences will be required. I'm setting up remote access for a client's small business which has approx 10 computers. One user will require remote access (Remote computer will connect via WingateVPN, and then tunnel a RealVNC network connection through it to control their computer). In addition, I am also planning to tunnel in for remote support (I use 3 computers and will most likely access any of the 10 computers within the network via RealVNC and MS file sharing). It looks like I'm going to need a single licence, and a gateway 3 user licence. Correct?

3) Is it possible to monitor traffic through the gateway (specifically source and destination IP and ports)?

Thanks in advance
igoTtavPn
 
Posts: 6
Joined: Sep 17 05 10:22 am

Postby Pascal » Sep 22 05 2:04 pm

1. With regards to ports, not currently. You can control access to computers by routing. (Check the "Local Participation" option for each node/endpoint)

2. You need a license for each endpoint (Installation of WinGate VPN). The license size (3 / 10 / etc. users) is determined by the number of people participating in the VPN from that endpoint / installation.

3. That is a bit more difficult, but not much. You'd need to catch traffic before it leaves the machine (as it will then be encrypted and tunneled). Easiest might be to catch it on the LAN interface before / as it hits the VPN endpoint.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby igoTtavPn » Sep 24 05 4:59 pm

Hi Pascal

Tried the Routing solution. It'll work for what I need (the user will be connecting inside the 1st firewall via VPN, and then RAdmin'ing into a PC through the 2nd firewall). So the routing solution works fine as there's only 1 port punched for RAdmin.

-=-=-=-

As per the Licenses, still a little unsure of what I’ll need to purchase. If there are a total of 2 users connecting to the VPN (local machine participation only for one user, and up to 3 machines for myself), then what licenses am I required to get?

It sounds like I'll need a 3 User License for the machine Hosting the VPN, a 3 user license for myself so I can connect up to the VPN, and a single user license for the user connecting up (7 licenses)

Correct?

Other questions relating to licensing include:
a) What happens if the user has 2 machines that they connect with (not concurrently)? Does each machine require a license (they have a laptop and a home machine)
b) Are the 3 VPN licenses on the Host concurrent? IE. Licenses limiting the active connection count to 3 VPN connections or does the host require a license for each user that connect (no matter when the joiner may connect)
c) How are active participants defined? If I’m the Joiner, and once I connect to the Host VPN, 5 people connect to me, then how many licenses would be required (could be interpreted different ways)
d) Additionally, I'd like to connect into the VPN from my machine, Radmin through the 2nd firewall to a machine, then have the machine I'm connecting to open a Wingate VPN tunnel back to myself (the software would act as a joiner) and then I drop the initial VPN connection (basically log into the more restrictive VPN 1st and then open a less restrictive VPN connection). Would I need another license for this machine to connect back to my machine?
e) If I can convince other clients to use the Wingate VPN software, will the license I purchase be usable with future clients (should be)


-=-=-=-

Additionally, Have a few other questions that I'm hoping you may be able to answer

1. Can multiple VPN hosts be running off different listening ports off the same VPN server? (Doesn’t look like it)
2. Why does the MTU size affect the Wingate tunnel? Shouldn’t the network layer break the data up into correctly sized frames and then re-assemble them on the other end (not the most efficient though)? (Or does Wingate set the packets so as not to be fragmented?) IE. I can send large files via FTP between 2 machines across the Internet; but when I run a Wingate VPN tunnel on top, I have to shrink the packet size. If I had an initial issue with the MTU, then wouldn’t straight [non tunneled] ftp also fail?
3. Since MTU can be an issue with Wingate VPN, how would I go about hosting a VPN which would allow remote Dial up connections, and DSL/Cable connections to access the same connection without having to set the MTU at a level acceptable to the Dial up connection (I’m just theorizing that MTU could be an issue as I’m still having issues getting WinGate VPN working with CompuServe dialup)
4. Am I required to use the dialer within Wingate to Make a VPN connection, or can I dial the Internet connection manually and then manually start the VPN Tunnel?
5. Have you ever heard of Wingate joiner VPN connection bringing down a Dlink 704p dsl/cable router before? Since Installing Wingate VPN as a Joiner, have had a Dlink 704P router go screwy 3 times where traffic will only route as far as the external WAN gateway but no further (check for Firmware updates; but no luck).
6. Does Qbik recommend any one particular Cable/DSL router over another for use with Wingate VPN?
7. Would you have a testing Wingate VPN connection that I could connect up via my CompuServe Dialup account to see if I can get this dialup account to connect up to and stay up? Basically just need to try and run a ‘ping –t’ for about 5 minutes to see if the connection tanks or not (and if it's something wrong with how I’ve configured the Hosting VPN Machine)



Thanks for the previous and in advance for your future assistance

Paul
igoTtavPn
 
Posts: 6
Joined: Sep 17 05 10:22 am

Postby Pascal » Sep 25 05 12:34 pm

igoTtavPn wrote: It sounds like I'll need a 3 User License for the machine Hosting the VPN, a 3 user license for myself so I can connect up to the VPN, and a single user license for the user connecting up (7 licenses)


Not 7 licenses. Three, by my count. Count the number of places you will install WinGate VPN at. That is the number of licenses you need. Now, for each license, count the number of computers that will connect from that location. That is the minimum license size for that location.



igoTtavPn wrote: e) If I can convince other clients to use the Wingate VPN software, will the license I purchase be usable with future clients (should be)


Should be. Qbik has always followed a policy of making licenses future useable. In fact, you can use a version 3.x license with a version 6.x installation. For the rest of the questions we'd need Matt / James, they know more of the in-depth licensing. (Sorry, dev team)


igoTtavPn wrote: 1. Can multiple VPN hosts be running off different listening ports off the same VPN server? (Doesn’t look like it)


No, there is one listening port. Why would you want multiple ones?

igoTtavPn wrote: packet size. If I had an initial issue with the MTU, then wouldn’t straight [non tunneled] ftp also fail?


No, because a VPN tunnel adds a small header to each packet. And that is precisely why the MTU should generally be adjusted, to ensure that the header+packet combination does not require fragmentation and thus gives you optimal throughput.

igoTtavPn wrote: Am I required to use the dialer within Wingate to Make a VPN connection, or can I dial the Internet connection manually and then manually start the VPN Tunnel?


So long as you have an active internet connection that's fine, doesn't matter who establishes it.

igoTtavPn wrote: as a Joiner, have had a Dlink 704P router go screwy 3 times where traffic will only route as far as the external WAN gateway but no further (check for Firmware updates; but no luck).


Check if it publishes / listens for RIP v 2 and check if WinGate VPN will broadcast that.

igoTtavPn wrote: Does Qbik recommend any one particular Cable/DSL router over another for use with Wingate VPN?


No, not really. WinGate VPN needs an internet connection, that's the basics of it. A large portion of our usability testing was done on 56K dialup with a variety of modems. That way we could see that performance was acceptable and it worked sweetly. Broadband is just icing on the cake.

igoTtavPn wrote: connect up via my CompuServe Dialup account to see if I can get this dialup account to connect up to and stay up. Basically just need to try and run a ‘ping –t’ for about 5 minutes to see if the


We do, but I don't have details on me. I'll check when I'm back in the office tomorrow and will then email you those details.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
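
An added example, not part of the original thread and not Qbik's code, working through the MTU answer above: a full-size packet passes untunneled, but the same packet plus a tunnel header exceeds the link MTU and is either fragmented or dropped. `TUNNEL_OVERHEAD` is an assumed value, since the thread does not state WinGate VPN's real header size.

```python
import math

IPV4_HEADER = 20   # bytes, no options
TCP_HEADER = 20    # bytes, no options
# Assumed per-packet tunnel overhead in bytes. Hypothetical value for
# illustration; the thread does not give WinGate VPN's real header size.
TUNNEL_OVERHEAD = 40


def fragment_count(total_len, link_mtu):
    """IPv4 fragments needed to carry a total_len-byte packet over link_mtu."""
    if total_len <= link_mtu:
        return 1
    # Every fragment except the last must carry a multiple of 8 payload bytes.
    per_fragment = (link_mtu - IPV4_HEADER) // 8 * 8
    return math.ceil((total_len - IPV4_HEADER) / per_fragment)


def send(inner_len, link_mtu, overhead=0, dont_fragment=False):
    """Outcome for one packet as (status, number of packets on the wire)."""
    outer_len = inner_len + overhead
    if outer_len <= link_mtu:
        return ("ok", 1)
    if dont_fragment:
        # A router would discard it and report "fragmentation needed" via ICMP.
        return ("dropped", 0)
    return ("fragmented", fragment_count(outer_len, link_mtu))


def tunnel_mtu(link_mtu, overhead=TUNNEL_OVERHEAD):
    """Largest inner packet and matching TCP MSS that avoid fragmentation."""
    inner_mtu = link_mtu - overhead
    return inner_mtu, inner_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    # Constructed link MTUs: typical Ethernet/broadband and a small dial-up MTU.
    for name, mtu in (("broadband", 1500), ("dial-up", 576)):
        inner_mtu, mss = tunnel_mtu(mtu)
        print(f"{name}: link MTU {mtu} -> tunnel MTU {inner_mtu}, TCP MSS {mss}")
        print("  plain 1500-byte packet:  ", send(1500, mtu))
        print("  tunneled 1500-byte packet:", send(1500, mtu, TUNNEL_OVERHEAD))
        print("  tunneled with DF set:    ",
              send(1500, mtu, TUNNEL_OVERHEAD, dont_fragment=True))
        print("  tunneled at tunnel MTU:  ", send(inner_mtu, mtu, TUNNEL_OVERHEAD))
```
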

Postby MattP » Sep 27 05 2:08 pm

igoTtavPn wrote: Other questions relating to licensing include:
a) What happens if the user has 2 machines that they connect with (not concurrently)? Does each machine require a license (they have a laptop and a home machine)


Well, each license can only be activated on one machine at any one time, so you would need to deactivate and reactivate the license whenever you wanted to swap machines. The licenses are intended to be used on one machine, but we don't control how many times you activate/deactivate.

igoTtavPn wrote: b) Are the 3 VPN licenses on the Host concurrent? IE. Licenses limiting the active connection count to 3 VPN connections or does the host require a license for each user that connect (no matter when the joiner may connect)


Licensing is based on concurrent users. So only users that are currently connected are counted towards the license seats.

igoTtavPn wrote: c) How are active participants defined? If I’m the Joiner, and once I connect to the Host VPN, 5 people connect to me, then how many licenses would be required (could be interpreted different ways)


Not sure what you mean about the 5 people connecting to you. There is no limit to the number of inward connections that you can host.

igoTtavPn wrote: d) Additionally, I'd like to connect into the VPN from my machine, Radmin through the 2nd firewall to a machine, then have the machine I'm connecting to open a Wingate VPN tunnel back to myself (the software would act as a joiner) and then I drop the initial VPN connection (basically log into the more restrictive VPN 1st and then open a less restrictive VPN connection). Would I need another license for this machine to connect back to my machine?


You could just set the machine to connect the VPN automatically, or you can schedule a connection. I don't see that you'd need another license to make this work.
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

