Again: VPN connects OK, but can't ping or browse


Postby joern_norheim » Jan 04 06 12:49 pm

Hello!

I have just installed WinGate VPN 2.1.0, and have set up a gateway host machine in our office. I'm trying to VPN my way into the office, but am experiencing problems....

I connect OK, and I get both networks up on the "Network" tab in the GateKeeper on the client machine.

The office network is visible in two places; Once as "Local network of VPNGW [Master]" and once as "Local network of VPNCLIENT [Local]".
In the VPNGW hierarchy all of the office PCs turn up but with "Not accessible" after...

All IP addresses of the machines in the office net are correct...

The published routes are;

VPNGW: "Behind NAT/translated"; 192.168.0.0/255.255.255.0; 192.168.0.17/255.255.255.255

VPNCLIENT: "Behind NAT/translated"; 10.0.0.0/255.255.255.0; 10.0.0.33/255.255.255.255


Our office network has an ADSL router which is our default gateway, with IP 192.168.0.1

My home net has an ADSL router which is default gateway and IP 10.0.0.33

I can't ping the VPN host machine
I can't browse the office network machines.
When I try "Retest" on the VPNGW machine in the host network "Not accessible" reappears after a while.

I have seen that RIP should be used to make the default gateway routers aware of the new network when connecting, but from what I can understand it should not be necessary to use RIP or add static routes when pinging the VPN host machine (in this VPNGW)? Or is this incorrect?


I enclose the report from GateKeeper....


Best regards,
Jørn Norheim






--------------------
1.01 WINGATE CONFIGURATION REPORT

1.02 Wednesday, January 04, 2006, 00:28

1.03

1.04 ---------------------------------------------

1.05 WinGate Engine

1.06 ---------------------------------------------

1.07 WinGate 6.1.1 (Build 1077)

1.08 Operating System: Windows 2000 (NT 5.1)

1.09 Language:

1.10 User database: WinGate

1.11 Num. users: 3

1.12

1.13

3.01 ---------------------------------------------

3.02 Licence details

3.03 ---------------------------------------------

3.04 License Key 1

3.05 Version: WinGate VPN 6

3.06 Expiry: 03/Feb/2006

3.07

4.01 ---------------------------------------------

4.02 Dialer information

4.03 ---------------------------------------------

4.04 Dialer is disabled

4.05

5.01 ---------------------------------------------

5.02 Network Interfaces

5.03 ---------------------------------------------

5.04 Local Area Connection (Ethernet) internal

5.05 1394 Connection (Ethernet) external

5.06 1394 Connection 2 (Ethernet) external

5.07 MS TCP Loopback interface (Loopback)

5.08

6.01 ---------------------------------------------

6.02 Services

6.03 ---------------------------------------------

6.04

6.05 System Policies

6.06 ---------------------------------------------

6.07 Default System Access Rights:

6.08 Everyone - Unrestricted rights

6.09 Default Start/Stop Rights:

6.10 Administrators - Unrestricted rights

6.11 Default Edit Rights:

6.12 Administrators - Unrestricted rights

6.13

6.14 DHCP Service (DHCP Service)

6.15 ---------------------------------------------

6.16 Session Timeout: 180

6.17 Port: 67

6.18 Startup: Automatic start/stop

6.19 Access Rights: Defaults: may be used instead

6.20 Everyone - Unrestricted rights

6.21 Start/Stop Rights: Defaults: may be used instead

6.22 Edit Rights: Defaults: may be used instead

6.23

6.24 DNS Service (DNS Service)

6.25 ---------------------------------------------

6.26 Session Timeout: 180

6.27 Port: 53

6.28 Startup: Automatic start/stop

6.29 Access Rights: Defaults: may be used instead

6.30 Start/Stop Rights: Defaults: may be used instead

6.31 Edit Rights: Defaults: may be used instead

6.32

6.33 Remote Control Service (Remote Control Service)

6.34 ---------------------------------------------

6.35 Session Timeout: 180

6.36 Port: 808

6.37 Startup: Automatic start/stop

6.38 Access Rights: Defaults: may be used instead

6.39 Start/Stop Rights: Defaults: may be used instead

6.40 Edit Rights: Defaults: may be used instead

6.41

7.01 ---------------------------------------------

7.02 System Route Table

7.03 ---------------------------------------------

7.04 Current Route Table:

7.05 ---------------------------------------------

7.06 Network Mask Gateway Interface Metric

7.07 0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.33 20

7.08 10.0.0.0 255.255.255.0 10.0.0.33 10.0.0.33 20

7.09 10.0.0.33 255.255.255.255 127.0.0.1 127.0.0.1 20

7.10 10.255.255.255 255.255.255.255 10.0.0.33 10.0.0.33 20

7.11 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

7.12 224.0.0.0 240.0.0.0 10.0.0.33 10.0.0.33 20

7.13 255.255.255.255 255.255.255.255 10.0.0.33 10.0.0.33 1

7.14

8.01 ---------------------------------------------

8.02 Enhanced Network Support

8.03 ---------------------------------------------

8.04 Enhanced Network Support: Qbik NDIS Hook 6.0 - Installed and active

8.05 Driver: Enabled

8.06 NAT: Disabled

8.07 Router: Enabled

8.08 Firewall level: Medium

8.09

8.10 Firewall

8.11 ---------------------------------------------

8.12 Disable network name broadcasts to the Internet: Enabled

8.13 Allow users to ping this machine locally: Enabled

8.14 Allow users to ping this machine from the Internet: Disabled

8.15 Discard spoofed packets: Enabled

8.16

8.17 Routing

8.18 ---------------------------------------------

8.19 Multiple default routes: Enabled

8.20 Relay UDP broadcast packets: Enabled

8.100

8.101 Port Security

8.102 ---------------------------------------------

8.103

8.104 Security for: External TCP

8.105 Action: Allow Port: 113 - AUTH

8.106 Action: Allow Port: 1024 - 4096 - External

8.107

8.108 Security for: External UDP

8.109 Action: Allow Port: 809 - Hole for VPN (Data)

8.110

8.111 Security for: Internal TCP

8.112

8.113 Security for: Internal UDP

8.114 Action: Allow Port: 0 - Hole for Dialer Monitor (Auto)

8.115 Action: Allow Port: 53 - Hole for DNS Service (Auto)

8.116 Action: Allow Port: 67 - Hole for DHCP Service (Auto)

8.117

8.118 Security for: NAT TCP

8.119

8.120 Security for: NAT UDP

8.121

8.122 Security for: DMZ TCP

8.123

8.124 Security for: DMZ UDP

8.125

8.126 Security for: (unknown)

8.127

8.128 Security for: (unknown)

8.500

9.01 ---------------------------------------------

9.02 END OF CONFIGURATION REPORT




joern_norheim
 
Posts: 4
Joined: Jan 04 06 12:20 pm

Re: Again: VPN connects OK, but can't ping or browse

Postby Pascal » Jan 04 06 1:46 pm

joern_norheim wrote: VPNGW: "Behind NAT/translated"; 192.168.0.0/255.255.255.0; 192.168.0.17/255.255.255.255

VPNCLIENT: "Behind NAT/translated"; 10.0.0.0/255.255.255.0; 10.0.0.33/255.255.255.255


Our office network has an ADSL router which is our default gateway, with IP 192.168.0.1

My home net has an ADSL router which is default gateway and IP 10.0.0.3


Most likely cause is the data channel being blocked at router level. As both networks are behind ADSL routers you might need a little setup there. Have you ensured that both routers will forward the Data Channel (809) ports through to the WinGate VPN endpoints? (Known as pinholes, virtual servers, etc. depending on the make/model of router)
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby joern_norheim » Jan 04 06 9:00 pm

I have set up the office router with a virtual server as you suggested, and created firewall rules to accompany port 809 for both UDP and TCP. Is this needed also for my DSL router at home??

I was for some reason convinced that it was only needed at the host side. Does WinGate initiate TCP sessions and/or send UDP packets both ways? Is the SSL channel that the client has opened (visible in the GateKeeper) only for control and such?

I will try giving my home PC a static IP, and creating a virtual server and open the firewall accordingly....



(BTW; I'm really hoping this will work :-) I've already wasted time on another product that did not deliver on its promise)


Best regards,
Jørn Norheim

Postby joern_norheim » Jan 05 06 12:49 pm

Hello again!

I now have got things up and running.. The trick seemed to be opening port 809 in my home DSL router's firewall.

I only need to get our office router to accept RIP, as my home DSL router does now...

Seems like this might be a success story :-)


Best regards,
Jørn Norheim

Postby Pascal » Jan 05 06 1:07 pm

That's great and correct. 809 TCP is the control channel. 809 UDP is the data channel across which the network traffic is actually shunted.

So, sounds good! Glad you're getting along with it. There are some tricks with pinging to establish maximum MTU (Because of VPN packet overhead) to get the optimal speeds, etc. but sounds as if you're really getting somewhere.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com

Postby joern_norheim » Jan 05 06 9:48 pm

Well, I'm getting along, but I'm not quite there yet :) I have another couple of questions;

1:

Am I to understand that all clients that are behind NAT'ing routers need "virtual server"'s to be set up in the router to make things work?

( The reason that I'm asking, is that I added a virtual server in my router for my desktop machine at home. When everything worked, I removed it again, because I wanted to know what actually was the thing that made things work for me.. It was still working without the virtual server...? Maybe something is cached and it will stop working after a reboot?)


2:

In addition to this, I tried setting up my laptop at home.. Did the same installation as on my desktop, but could not browse or ping anything...
The really strange thing was that my desktop computer was able to ping the office network with the laptop as a gateway..... This I could see because routes popped in and out of my desktop when I connected and disconnected on the laptop..... The laptop's routing table did not seem to change...

What can be the reason for this?


3:

At our office we have some salespeople that travel a great deal... I am wondering how WinGate will work with public access points (airports, internet cafes and such), where there is no way of changing firewalls, adding virtual servers (if needed) and IP addresses might be in the 192.168.0.0/24 range which our office uses?? Is there any smart strategy to use to make WinGate work in as many scenarios as possible?


4:

How many licenses will we need to buy? Our office consists of a local network (LAN) with a number of PCs.. We're 10 employees, which will all be using VPN when it's set up.




Best regards,
Jørn Norheim

Postby Pascal » Jan 06 06 1:16 pm

joern_norheim wrote: Am I to understand that all clients that are behind NAT'ing routers need "virtual server"'s to be set up in the router to make things work?


Only if it will block port 809 coming in. A lot depends on the router itself; I don't have that problem when I am connecting to the office network from home, for example. (But only my home machine is behind a router, the office server has a direct connection).

joern_norheim wrote: because routes popped in and out of my desktop when I connected and disconnected on the laptop..... The laptop's routing table did not seem to change...


The OS level routing table will not change. WinGate VPN handles the routing of traffic internally. How did you have this set up? Were both machines joining the VPN at the same time? If that was the case, you might have had a routing conflict.

joern_norheim wrote: At our office we have some salespeople that travel a great deal... I am wondering how WinGate will work with public access points (airports, internet cafes and such), where there is no way of


One of our users reported problems there as well, particularly with the route conflicts. One way around it might be to set up your "travelling" machine with an IP range that is outside of what you'd reasonably expect somebody else to have. Then adjust the published routes to those ones, which should be okay. (I'll need to test that myself, though)

joern_norheim wrote: How many licenses will we need to buy? Our office consists of a local network (LAN) with a number of PCs.. We're 10 employees, which will all be using VPN when it's set up.


You need one license per installation of the software. Count the number of VPN participants (computers using the VPN) going through that installation and that gives you the license size.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
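
Added example (not part of the thread and not Qbik's code): a check for the route conflict discussed in the reply above, comparing the directly attached subnets in a GateKeeper report's route table with the routes the office publishes. The home table and the published route are copied from the first post; the hotspot table is constructed, and treating "gateway equals interface" as "directly attached" is an assumption about how this Windows route table is printed.

```python
import ipaddress
import re

# Constructed sample: the client's route table as printed in the report above.
HOME_REPORT = """\
7.06 Network Mask Gateway Interface Metric
7.07 0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.33 20
7.08 10.0.0.0 255.255.255.0 10.0.0.33 10.0.0.33 20
7.09 10.0.0.33 255.255.255.255 127.0.0.1 127.0.0.1 20
7.11 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
7.12 224.0.0.0 240.0.0.0 10.0.0.33 10.0.0.33 20
"""
# Constructed sample: a hypothetical hotspot handing out 192.168.0.x addresses.
HOTSPOT_REPORT = """\
7.07 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.57 20
7.08 192.168.0.0 255.255.255.0 192.168.0.57 192.168.0.57 20
7.09 192.168.0.57 255.255.255.255 127.0.0.1 127.0.0.1 20
"""
OFFICE_PUBLISHED = ["192.168.0.0/255.255.255.0"]  # VPNGW route quoted in the thread

_QUAD = r"(\d+\.\d+\.\d+\.\d+)"
_ROUTE = re.compile(rf"{_QUAD}\s+{_QUAD}\s+{_QUAD}\s+{_QUAD}\s+\d+\s*$")

def local_subnets(report_text):
    """Return the subnets this machine is directly attached to."""
    subnets = []
    for line in report_text.splitlines():
        m = _ROUTE.search(line)
        if not m:
            continue  # header, separator or non-route line
        dest, mask, gateway, iface = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        on_link = gateway == iface  # assumption: on-link routes list own address
        # Skip the default route, host routes, multicast and loopback.
        if (on_link and 0 < net.prefixlen < 32
                and not net.is_multicast and not net.is_loopback):
            subnets.append(net)
    return subnets

def route_conflicts(report_text, published):
    """Pair each local subnet with every published VPN route it overlaps."""
    remote = [ipaddress.ip_network(p) for p in published]
    return [(str(loc), str(rem)) for loc in local_subnets(report_text)
            for rem in remote if loc.overlaps(rem)]

if __name__ == "__main__":
    for name, report in (("home", HOME_REPORT), ("hotspot", HOTSPOT_REPORT)):
        print(name, route_conflicts(report, OFFICE_PUBLISHED) or "no conflict")
```

A non-empty result means the local LAN and a published VPN route cover the same addresses, which is the case where renumbering one side, as suggested above, is needed.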