Cannot log in from offsite, still

Forum for all technical support and troubleshooting of the WinGate VPN.

Moderator: Qbik Staff

Postby defiantclass1 » May 27 06 10:30 am

I have worked on this for days now and just cannot get it to work. I'm at a total loss.

I have Wingate Ent. on server A with port 809 UDP open and set to No Participation.

I have Wingate VPN Only on server B with port 809 UDP open and set to Local Network and allow tunnels to/from all nodes

I have Wingate VPN Only on a client machine on the LAN with port 809 UDP open and set to Local Machine Only and allow tunnels to/from all nodes

and Wingate VPN Only on client machines at 2 offsite locations with port 809 UDP open and set to Local Machine Only and allow tunnels to/from all nodes

The one LAN client is okay.

One offsite client has a bridge cable modem with no port configurations available and running Norton Security which I have tried to configure to allow port 809 through, but it's not clear, so I went as far as to completely disable Norton altogether (temporarily). No connection to VPN at all. Remote Host Timed Out.

The other offsite client (with the same config) has a Linksys modem with port 809 UDP opened. It connects to the VPN no problem but not to Server B.

Server B is the only connection I care about in all. All I want, for now, is for all machines I decide to configure to connect to server B. I don't want the clients to interact with each other in any way. Nor do I want anyone getting to the Master node.

I have assigned the appropriate users on the master node policies. I am testing with the Administrator user with full permissions to all machines.

Lost....Thanks
defiantclass1
 
Posts: 62
Joined: Aug 11 04 1:14 pm

Postby Pascal » May 29 06 2:48 pm

I'm a little bit confused as to how your setup is currently looking. From my perspective (Please clarify if I'm wrong here) you have:

* Server A on network A, set to no participation. (Will publish no routes, in other words)

* Server B on network B, set to local network. (This allows all LAN PCs behind it to participate in the VPN)

* A WinGate VPN client on network B (Connecting to where?)

* A WinGate VPN client on network C set to Local Machine only

* A WinGate VPN client on network D set to Local Machine only

Is that roughly correct? And you want all nodes on the VPN (networks) to connect to Server B and to access resources on there?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby defiantclass1 » May 29 06 3:50 pm

Thanks Pascal, I was just logging in to give some additional info...

Server A (Wingate Server) Wingate Enterprise on Network A - No Participation (publish no routes) 192.168.0.1

Server B (Terminal Server) Wingate VPN Only is on Network A - Set to Local Network 192.168.0.6

A Wingate VPN Only client on Network A - set to Local Machine to connect to Server B 192.168.0.52

This is all one local area network
___________________________________________________________

Then,

A Wingate VPN Only client at a remote site (Network B) - stand alone pc - Local Machine Only - 68.100.199.XXX

A Wingate VPN Only client at a remote site (Network C) - on a local area network behind a NAT firewall 68.100.16.xxx with port 809 UDP forwarded to PC 192.168.1.103
____________________________________________________________
The VPN Only client on Network A has no problems

The VPN Only client on Network B cannot connect to the VPN at all **Remote Host Timed Out** This has a bridge type Toshiba modem with no port management capability. Also has Norton Security which I disabled for testing but that didn't help.

The VPN Only client Network C can connect to VPN but cannot access any machines (should be able to connect to Server B - Terminal Server since it is set to Local Network). **Not Available**

I would like to set Server B Terminal Server to Local Machine Only as I don't want anyone to be able to navigate to another machine through it, but during this testing, I just have to set to Local Network for now........

And yes, I am only interested in anyone connecting to Server B Terminal Server in the end. Not to other clients, not to the Master, and not to any other machines on the network by way of the Server B's Network Places.

Postby Pascal » May 29 06 4:22 pm

Okay, a few questions and some suggestions here.

* Why does the client machine on Network A need to connect to the VPN?
* Assuming that VPN client from Network C connects to Server A - does the Terminal Server (B) point its default gateway back to Server A? Or have its presence on that network somehow indicated?

What I would do is to have the VPN installed on Server B. Do not have a VPN on A (Until you want to share that network) and set up a port forward (ENS Redirect) for 809 TCP and UDP to the Terminal Server machine. Have that Terminal Server set to Local Machine only and you should be okay.

Otherwise, paint me a bit more of a picture of what you want to achieve with this sharing, then maybe I can find a better solution for you.

Postby defiantclass1 » May 29 06 4:43 pm

Okay, that sounds like a good idea. But a couple Q&A's for you.

The client is on Network A simply for testing purposes until I get a handle on it all. I don't really need it.

The reason I have VPN on Server A is because that is where my Wingate Enterprise installation is. I thought if I had that I should use it in order to make use of my licenses or whatever. Maybe that is not an issue?

Can I have a VPN Only installation on Server B (and the offsite clients) and still make use of whatever benefits I have from having an Enterprise license?

To try and answer your question on the Gateway of Server B... Server B has a fixed IP address of 192.168.0.6 with a default gateway of 192.168.0.1 which is the Wingate Enterprise installation server. Is that what you were looking for?

But I see your point about not having a VPN installation on Server A, as long as I'm not skipping over licensing benefits. I'd rather not ask my boss to purchase more than what I have to.

Thanks a bunch Pascal!

Postby Pascal » May 29 06 5:44 pm

defiantclass1 wrote: Can I have a VPN Only installation on Server B (and the offsite clients) and still make use of whatever benefits I have from having an Enterprise license?


You can make use of the Enterprise features on the server that has that license applied. As VPN is part of an Enterprise license, you wouldn't gain / lose anything by not having a VPN installation on Server A. If you have an Enterprise License installed there you have VPN.

Which Enterprise features were you particularly keen on applying to the VPN traffic?

Postby defiantclass1 » May 30 06 12:17 am

Well, I just thought that I should use the Enterprise installation as a VPN node. Now that we parse it out, I guess I'm not making any sense, am I?

I guess because you said "If you have an Enterprise License installed there you have VPN", but if I have Wingate Ent installed on Server A, that is 1 installation because VPN installs by default with Enterprise. But if I don't use VPN within that installation and install it on Server B (VPN Only), that becomes a 2nd installation and I'll have to pay for it, then of course each installation thereafter.

I guess the question is, is Enterprise edition a single user license or a gateway license for xxx users??

Thanks, and I'm sorry. I know this is covered in your whitepapers, just having difficulty understanding it.

Postby defiantclass1 » May 30 06 1:52 am

The other issue I have with this new setup (Server B only/no VPN on Server A) is, the VPN Only installation does not have the policies tab like the Enterprise version where I can allow specific users/groups to use this VPN.

As a side note, the whitepaper on installing and configuring, the links within it don't work. I don't know if they point to pages outside of the paper or just elsewhere in the document.......??

Thanks, I appreciate your time....

Postby Pascal » May 30 06 8:42 am

defiantclass1 wrote: I guess the question is, is Enterprise edition a single user license or a gateway license for xxx users??


I'm not quite sure if you're asking about the VPN portion or the entirety of the license. Enterprise licenses begin at a 6 user size; I believe the VPN portion is matched to that. (6 users if you have a 6 user enterprise license, etc.)

You can see the Enterprise Features here.

VPN does not currently allow you to specify data channel level access control. It does however authenticate control channel connections made to it. (In answer to the policy question)

Postby defiantclass1 » May 31 06 5:04 am

Pascal, I appreciate all your time on this. I am very frustrated. I went to the office today and removed the configuration from all machines there and at my home machine.

I created a new vpn host on the server machine that has the program I am interested in running, taking the wingate enterprise machine out of the loop. (this is per your earlier suggestion).

On the wingate firewall I directed port 809 tcp/udp to that machine. In the policies on the vpn host, I allowed the appropriate users. Exported the configuration file.

I took it home and imported it in to the client and was able to connect to the vpn. I can see the machine, but it is "not accessible".

Using another computer at home with Windows Remote Desktop, I logged in to that machine at work and looked at the vpn host. I could see my home machine, but again it was "not accessible" as well.

I don't know...

Postby adrien » May 31 06 7:39 am

Hi

When you say that on the WinGate firewall you directed 809 TCP/UDP to this machine, does that mean you are running a different installation of WinGate VPN on a machine on your LAN behind a WinGate? This should work, but if the WinGate you are connecting through is also configured to use VPN, there can be problems with tunnel packets being intercepted by the intermediary WinGate if it is configured to have VPN data on the same port number. If you change tunnel port numbers it should fix that.

Otherwise issues of unavailability of machines come down to routing - both which routes have been published on the VPN, and how routing is set up on other machines on the LAN.

If the machine you are trying to access on the VPN server side is on the same machine as is running WinGate VPN, and the client machine is running the VPN joining software, then the routing should be set up OK... unless there is a route conflict (i.e. both sets of machines using the same range of internal IP addresses).

If you like we can have a look at your setup with Remote Desktop.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
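
The route conflict described in the post above, as an added example that is not part of the original thread and is not Qbik's code: it flags LAN ranges that overlap between VPN sites and shows which path a client would pick for a target address. The host addresses come from the thread; the /24 masks, the site names and the `home_constructed` site are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed inventory. Host addresses are from the thread; the /24 masks,
# the site names and the "home_constructed" site are assumptions.
SITES = {
    "network_a_office": ["192.168.0.0/24"],  # Server B is 192.168.0.6
    "network_c_remote": ["192.168.1.0/24"],  # client PC is 192.168.1.103
    "home_constructed": ["192.168.0.0/24"],  # constructed LAN reusing the office range
}

def find_route_conflicts(sites):
    """Return (site_a, net_a, site_b, net_b) for each overlapping pair of LAN ranges."""
    entries = [(name, ipaddress.ip_network(cidr))
               for name, cidrs in sites.items() for cidr in cidrs]
    conflicts = []
    for (sa, na), (sb, nb) in combinations(entries, 2):
        if sa != sb and na.overlaps(nb):
            conflicts.append((sa, str(na), sb, str(nb)))
    return conflicts

def next_hop(client_site, target, sites):
    """Longest-prefix match from the client's view: 'local', 'tunnel:<site>' or 'none'.

    Simplification (assumption): on an equal prefix length the client's own
    LAN route wins, so the packet never enters the tunnel.
    """
    addr = ipaddress.ip_address(target)
    best = None  # (prefix length, is_local, label)
    for name, cidrs in sites.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr not in net:
                continue
            is_local = name == client_site
            label = "local" if is_local else f"tunnel:{name}"
            cand = (net.prefixlen, is_local, label)
            if best is None or cand[:2] > best[:2]:
                best = cand
    return best[2] if best else "none"

if __name__ == "__main__":
    for conflict in find_route_conflicts(SITES):
        print("overlap:", conflict)
    print(next_hop("home_constructed", "192.168.0.6", SITES))
```

A result of `local` for the server's address means the client treats it as being on its own LAN, which matches a node that is visible on the VPN but not reachable.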

Postby defiantclass1 » May 31 06 8:42 am

Adrien,

I would very much like to try that, tomorrow if possible. I am trying a new way right now. I removed all configurations and created a new VPN config file from the WinGate Server machine. I was going to try and just use that machine as the vpn host, go home and import that config file and see if I can connect to it. I thought I would trim down the variables in play here.

The problem with this set up is, all the users connecting will have access to every machine on the network, which I didn't want. I'll have to construct some other method of restricting their access to the one machine on the network that has the application I am interested in them getting to.

I'll report back with the outcome.

Thank you!

Postby defiantclass1 » Jun 01 06 4:00 am

Good news, after reconfiguring everything to communicate just to the Wingate server, it works.

Thank you very much for your help!

Postby Pascal » Jun 01 06 11:50 am

Cool, that's great to hear!

