11.2 Useful Information
This section will provide you with some useful tips and information
when using the PacketiX VPN 2.0 software.
- SoftEther's web site (http://www.softether.com/) may contain more up-to-date support information than this manual. When you are troubleshooting a problem, always remember to check there as well.
11.2.1 Installing VPN Server With a Variable Global IP Address
If the computer you want to install VPN Server on has a variable global IP address (one that changes each time you connect to your ISP), you can use a dynamic DNS (DDNS) service to assign a hostname that always points to that computer's current global IP address. A number of DDNS services are available free of charge on the Internet. If you plan to install VPN Server on a corporate network, we strongly recommend using a static global IP address if at all possible.
11.2.2 Making a VPN Connection to a LAN Consisting of Only Private IP Addresses
If you are installing VPN Server on a LAN that only has private IP addresses, you will have to configure the NAT device, proxy server, or firewall that translates the private IP addresses to a global IP address so that it performs port mapping or static NAT to the VPN Server.
Also, if your VPN Server is on the Internet you can set up a VPN
Bridge that stays connected via a cascade connection to the VPN Server.
This will allow remote access VPN clients to access the layer 2 network
within the LAN by going through the VPN Server on the Internet. This
method makes it possible to connect to a LAN that only has private IP
addresses from a remote location. For this configuration a VPN Bridge
will be connected to the LAN you want to connect to remotely via a local
bridge connection, as well as to the VPN Server on the Internet via a
cascade connection.
Furthermore, if your LAN only has private IP addresses and you do not have the system administrator rights that installing VPN Bridge requires, you can still set up a remote access VPN by using SecureNAT (see section "10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights" for details). In this case you are dealing with a LAN that has many limitations imposed upon it, but by utilizing SecureNAT you should be able to enable remote access to the LAN without the need for any administrator rights. However, you will still need to obtain permission to do so from the network's administrator beforehand.
11.2.4 Using an IPv6 over IPv4 Tunnel
You can create an IPv6 over IPv4 tunnel easily with PacketiX VPN. An IPv6 over IPv4 tunnel encapsulates IPv6 packets inside IPv4 packets, allowing IPv6 traffic to be exchanged between LANs even when it must cross networks that carry only IPv4.
Many older IPv6 over IPv4 tunneling technologies could not pass
through NATs or firewalls. However, PacketiX VPN encapsulates all
network traffic at the layer 2 (Ethernet) level. This allows even IPv6
packets to be processed as VPN traffic.
Therefore, you can use PacketiX VPN to provide IPv6 over IPv4
tunneling solutions for nearly every type of network environment.
11.2.5 About Wake On LAN (WOL)
If you use PacketiX VPN to set up your remote access VPN or LAN-to-LAN VPN, you can start a computer on the network remotely by sending a Wake On LAN (WOL) packet to that computer's physical network adapter.
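The following is an added example, not code from the PacketiX VPN manual or the product, showing what a WOL "magic packet" actually is: six 0xFF bytes followed by the target adapter's MAC address repeated 16 times, usually sent as a UDP broadcast on port 7 or 9. It builds such a packet, recognises one in a captured UDP payload (handy when you are watching frames on a Virtual HUB and want to log who is waking which machine), and optionally broadcasts it. The MAC address and broadcast address used are constructed placeholders.

```python
import re
import socket
from typing import Optional

# Added example: builds, validates and (optionally) sends a Wake On LAN magic
# packet. Not code from the PacketiX VPN manual; the MAC addresses below are constructed.
MAGIC_HEADER = b"\xff" * 6


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the 102-byte magic packet for `mac`: 6 x 0xFF, then the MAC 16 times.

    `password` is an optional SecureOn suffix (0, 4 or 6 bytes) that some
    adapters require; most deployments leave it empty.
    """
    hexdigits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes long")
    return MAGIC_HEADER + bytes.fromhex(hexdigits) * 16 + password


def magic_packet_target(payload: bytes) -> Optional[str]:
    """Return the MAC a UDP payload would wake, or None if it is not a magic packet.

    A WOL frame on a Virtual HUB is a broadcast whose payload matches this layout,
    so a monitor can log which machines are being woken and from which source.
    """
    if len(payload) < 102 or payload[:6] != MAGIC_HEADER:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return mac.hex(":")


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet as UDP on the given port (7 and 9 are customary)."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


if __name__ == "__main__":
    # Constructed MAC; use the physical adapter's address of the machine you want to wake.
    print(magic_packet_target(build_magic_packet("00-11-22-33-44-55")))
```

The packet only works if the broadcast reaches the target's Ethernet segment. With a layer 2 VPN that is the case automatically: a broadcast sent from the VPN Client's Virtual Network Adapter is carried through the Virtual HUB and the local bridge onto the remote LAN, which is why WOL works across a PacketiX VPN without any router configuration for directed broadcasts.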
11.2.6 Installing VPN Server 2.0 Behind a NAT Enabled Router
If you are installing VPN Server behind a generic broadband router aimed at consumers or small businesses, or behind a router with a built-in firewall that provides NAT, you will have to configure that device for VPN Server to be reachable. Enable static NAT or port mapping on the router so that traffic arriving from the Internet on the VPN Server's listening port is forwarded to the VPN Server, allowing it to be accessed from the Internet. Please refer to your broadband router's instruction manual for details on how to do this.
11.2.7 Using an IDS to View Packets Going In/Out of a Virtual HUB
You can use the following two methods to view all of the Virtual
Ethernet frames going through a Virtual HUB with an IDS or virus
scanning system in order to search for unauthorized access attempts or
viruses.
- Connect to the Virtual HUB from VPN Client in monitoring mode. This enables the VPN Client's Virtual Network Adapter to capture all packets going through the Virtual HUB. You can then run snort or other IDS software on the Virtual Network Adapter to inspect the packets going through the Virtual HUB. For more information please refer to "1.6.10 Monitoring Mode Session" and "4.4.17 Selecting the Connection Mode". However, this method only allows for the use of a software based IDS.
- By using the method described in section "3.6.8 Outputting all Communication Data in the Virtual HUB to the Network Adapter", you can output all of the packets going through the Virtual HUB from the LAN port of the physical network adapter connected to the computer running VPN Server. This method allows you to use a hardware based IDS to view all of the packets going through a Virtual HUB.
While it is possible to monitor all frames, if there is so much
traffic that the Virtual HUB's buffer is nearly full then the network
adapter you output to may lose some of the data due to the limitations
of that network adapter.
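The two passages above (11.2.4 and 11.2.7) share one underlying point: to a layer 2 VPN, an IPv6 packet is just an Ethernet frame whose ethertype is 0x86DD, carried opaquely like any other frame, and a monitoring-mode session hands a software IDS exactly those raw frames. The following added example, not code from the PacketiX VPN manual or the product, parses raw Ethernet frames of the kind captured on a monitoring-mode Virtual Network Adapter (IPv4, IPv6 and anything else), and applies one constructed monitoring policy: count frames per ethertype and flag any ethertype the hub is not expected to carry. All sample frames, MAC and IP addresses are constructed inline.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the PacketiX VPN manual or the product. Parses raw
# Ethernet frames (as captured from a monitoring-mode Virtual Network Adapter) and
# applies one constructed monitoring policy. All sample frames are constructed.
ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
# Ethertypes this (hypothetical) hub is expected to carry; anything else is flagged.
ALLOWED_ETHERTYPES = {ETH_IPV4, ETH_ARP, ETH_IPV6}


@dataclass
class FrameSummary:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None


def parse_frame(frame: bytes) -> FrameSummary:
    """Decode the Ethernet header and, for IPv4/IPv6 payloads, the addresses and protocol."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    summary = FrameSummary(src.hex(":"), dst.hex(":"), ethertype)
    payload = frame[14:]
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        summary.protocol = PROTO_NAMES.get(payload[9], str(payload[9]))
        summary.src_ip = str(ipaddress.IPv4Address(payload[12:16]))
        summary.dst_ip = str(ipaddress.IPv4Address(payload[16:20]))
    elif ethertype == ETH_IPV6 and len(payload) >= 40:
        # A layer 2 tunnel never looks this deep: IPv6 is just an ethertype 0x86DD frame to it.
        summary.protocol = PROTO_NAMES.get(payload[6], str(payload[6]))
        summary.src_ip = str(ipaddress.IPv6Address(payload[8:24]))
        summary.dst_ip = str(ipaddress.IPv6Address(payload[24:40]))
    return summary


def monitor(frames: List[bytes]) -> Tuple[Dict[int, int], List[str]]:
    """Tally frames per ethertype and report those outside ALLOWED_ETHERTYPES."""
    counts: Dict[int, int] = {}
    alerts: List[str] = []
    for index, frame in enumerate(frames):
        s = parse_frame(frame)
        counts[s.ethertype] = counts.get(s.ethertype, 0) + 1
        if s.ethertype not in ALLOWED_ETHERTYPES:
            alerts.append(f"frame {index}: unexpected ethertype 0x{s.ethertype:04x} from {s.src_mac}")
    return counts, alerts


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ipv6_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
               next_header: int = 58, payload: bytes = b"") -> bytes:
    """Build a minimal IPv6-in-Ethernet frame (constructed test data)."""
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV6) + ip6 + payload


def ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
               protocol: int = 6, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4-in-Ethernet frame with a 20-byte header (checksum left zero)."""
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip4 + payload


# Constructed sample traffic: one ICMPv6 frame, one TCP/IPv4 frame, and one frame
# with an ethertype (0x9000, loopback test) the policy does not expect on the hub.
SAMPLE_FRAMES = [
    ipv6_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "fd00::1", "fd00::2", payload=b"\x80\x00"),
    ipv4_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.168.0.10", "192.168.0.20"),
    _mac("02:00:00:00:00:02") + _mac("02:00:00:00:00:03") + struct.pack("!H", 0x9000) + b"\x00" * 46,
]

if __name__ == "__main__":
    print(monitor(SAMPLE_FRAMES))
```

In a real deployment the frames would come from a packet capture library bound to the monitoring-mode Virtual Network Adapter rather than from `SAMPLE_FRAMES`; the parser and policy stay the same. The buffer caveat above applies here too: under heavy load the capture can drop frames, so counts from a software monitor are a lower bound, not an exact tally.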
11.2.8 Recreating a Switch's Port VLAN Functionality
VPN Server can provide the same functionality as the port VLAN feature of commercial layer 2 switching HUBs or layer 3 switches, which groups multiple ports under a VLAN number and only allows communication within the same VLAN. By creating a separate Virtual HUB for each segment you want to isolate, traffic is kept separate between those Virtual HUBs, recreating what a switch's port VLAN feature provides. Each Virtual HUB also maintains its own MAC address table and other administrative settings, so they can be managed independently.
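To make the isolation property concrete, here is an added example, a toy model that is not PacketiX VPN's implementation: one server object hosts several Virtual HUBs, each of which is an independent learning switch with its own MAC address table. Frames flood or are switched only among sessions of the same hub, so two hubs behave like two port VLANs. Hub names, session names and MAC addresses are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not PacketiX VPN's code: a toy model of several Virtual HUBs on one
# server, each a learning switch with its own MAC address table. Names are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[str, str, bytes]  # (src_mac, dst_mac, payload)


class VirtualHub:
    def __init__(self, name: str) -> None:
        self.name = name
        self.mac_table: Dict[str, str] = {}         # learned MAC -> session that sent it
        self.sessions: Dict[str, List[Frame]] = {}  # session -> frames delivered to it

    def connect(self, session: str) -> None:
        self.sessions[session] = []

    def forward(self, session: str, src_mac: str, dst_mac: str, payload: bytes = b"") -> List[str]:
        """Learn src_mac on `session`, then deliver to the learned port or flood. Returns receivers."""
        if session not in self.sessions:
            raise KeyError(f"session {session!r} is not connected to hub {self.name}")
        self.mac_table[src_mac] = session
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            receivers = [self.mac_table[dst_mac]]
        else:
            receivers = list(self.sessions)  # unknown destination or broadcast: flood
        receivers = [r for r in receivers if r != session]
        for r in receivers:
            self.sessions[r].append((src_mac, dst_mac, payload))
        return receivers


class VpnServer:
    """One server hosting independent hubs; frames never cross from one hub to another."""
    def __init__(self) -> None:
        self.hubs: Dict[str, VirtualHub] = {}

    def create_hub(self, name: str) -> VirtualHub:
        self.hubs[name] = VirtualHub(name)
        return self.hubs[name]


def demo() -> VpnServer:
    """Two hubs standing in for two port VLANs (constructed names and MACs)."""
    server = VpnServer()
    sales, eng = server.create_hub("SALES"), server.create_hub("ENG")
    for s in ("sales-pc1", "sales-pc2"):
        sales.connect(s)
    for s in ("eng-pc1", "eng-pc2"):
        eng.connect(s)
    # An ARP-style broadcast from sales-pc1 floods only inside SALES.
    sales.forward("sales-pc1", "02:aa:00:00:00:01", BROADCAST, b"who-has 10.0.1.2")
    # The reply from sales-pc2 is learned, so the next frame is switched, not flooded.
    sales.forward("sales-pc2", "02:aa:00:00:00:02", "02:aa:00:00:00:01", b"is-at")
    sales.forward("sales-pc1", "02:aa:00:00:00:01", "02:aa:00:00:00:02", b"data")
    # Engineering traffic lives in its own hub with its own MAC table.
    eng.forward("eng-pc1", "02:bb:00:00:00:01", BROADCAST, b"who-has 10.0.2.2")
    return server


if __name__ == "__main__":
    server = demo()
    for hub in server.hubs.values():
        print(hub.name, hub.mac_table)
```

The point to take from the model is that there is no path between hubs at all, not merely a filter: a MAC learned in SALES is unknown in ENG, and a frame addressed to it from an ENG session is flooded within ENG only. If you do need controlled traffic between two such hubs, that is a deliberate cascade or routing decision, exactly as it would be between two VLANs on a switch.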
11.2.9 Accepting Connections from SoftEther 1.0 Virtual Network Adapter Software
Having PacketiX VPN Server 2.0 Virtual HUB accept connections from
SoftEther 1.0's Virtual Network Adapter software is a simple procedure
provided you have both SoftEther 1.0 and PacketiX VPN 2.0. Your
operating system will also need to be Windows XP, Windows Server 2003,
Windows Vista, or later.
Install SoftEther 1.0's Virtual HUB and Virtual Network Adapter along
with PacketiX VPN Client to the computer you installed PacketiX VPN
Server 2.0 on. Next, make a permanent connection from the SoftEther 1.0
Virtual Network Adapter to the SoftEther 1.0 Virtual HUB and from
PacketiX VPN Client 2.0's Virtual Network Adapter to PacketiX VPN Server
2.0's Virtual HUB. Now connect to the two Virtual Network Adapters with
a Windows bridge connection. You will also need to set the connection
mode for PacketiX VPN Client 2.0 to bridge/routing mode.
In this state, when the SoftEther 1.0 Virtual Network Adapter is
connected to the SoftEther 1.0 Virtual HUB, Virtual Ethernet frames
going through that VPN connection will automatically be sent to the
PacketiX VPN Server 2.0 Virtual HUB as well, allowing both versions of
the software to operate together seamlessly.
Please note that SoftEther 1.0's Virtual HUB service and PacketiX VPN
Server 2.0 both use port 443 by default, so you will need to configure
them so that they do not cause a conflict with each other.
11.2.10 Performing Administration Via TELNET as Supported in SoftEther 1.0
With SoftEther 1.0, you could perform Virtual HUB administration over TELNET. You can use TELNET or SSH to administer PacketiX VPN Server 2.0 as well. For this you will need a separate TELNET or SSH server (operating systems such as UNIX or Windows 2000 and higher usually come with one already; note that SSH encrypts the session while TELNET sends it in cleartext). From the administrative console, connect to the server you want to administer. Then, in that console session, execute vpncmd, which lets you perform administrative tasks through TELNET or SSH. Please see section "Chapter 6 Command Line Management Utility Manual" for more information on how to use vpncmd.
11.2.11 Increasing Cluster Controller Redundancy
As described in section "3.9 Clustering", VPN Server's clustering capabilities automatically provide fault tolerance between the cluster member servers. However, the standard capabilities of VPN Server do not implement any fault tolerance for the cluster controller itself. Therefore, if the cluster controller suffers a power failure, a hardware failure (such as a memory error), or some other failure, the cluster controller's job cannot automatically be transferred to another computer. We strongly recommend that you use Registered ECC memory, RAID, a UPS, and similar measures to increase the stability of your cluster controller server if you are setting up a large scale cluster.
You can implement the following ideas in a shell script or other program, or seek a commercial solution, to increase redundancy for your cluster controller.
- Set aside two machines for your cluster controller computer: one
as your main machine, and one as a backup.
- Ensure that both computers have the same operating system,
hardware configuration (network adapter, etc.), and VPN server type
installed.
- While your main server is running, periodically backup the
contents of the VPN Server configuration file (vpn_server.config) to
a backup device.
- If your main server fails due to a power failure, hardware
failure (such as a memory error), or some other failure, you can
detect this and begin operation of your backup server. Set the
backup server's global IP address to that of your main server and
use the latest backup of your VPN Server configuration file to start
the VPN Server service. You will need to be careful here to avoid
conflicting with the main server's IP address. With this method you
can set up a temporary cluster controller as a backup with the same
configuration data as your main cluster controller that can take
over in the case of a hardware failure.
- When you have finished repairing your main server, you can copy the latest configuration file back to it and put it back into operation as your main cluster controller.
- Implement the ideas written above in a shell script or other program, or use a commercial solution to increase redundancy, and test your system thoroughly.
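The list above is a procedure; the following added example, not code from the PacketiX VPN manual, shows the parts of it that can be scripted: periodic backups of vpn_server.config with a SHA-256 sidecar so a corrupted copy is never restored, a health probe that declares the main server dead only after several consecutive failures, and promotion of the newest verified backup onto the standby. Host names, ports and paths are constructed placeholders. Taking over the main server's global IP address and starting the VPN Server service are deliberately left to operator commands, since they are specific to your operating system and must only happen once you are certain the main server is down (the address conflict the text warns about).

```python
import hashlib
import shutil
import socket
import time
from pathlib import Path
from typing import Callable, Optional

# Added example, not code from the PacketiX VPN manual: the backup/failover
# procedure as a small library. Hosts, paths and ports are constructed placeholders;
# IP address takeover and starting the VPN Server service are left to the operator.
CONFIG_NAME = "vpn_server.config"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_config(config_path: Path, backup_dir: Path) -> Path:
    """Copy vpn_server.config to backup_dir under a timestamped name plus a .sha256 sidecar."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    counter = 0
    while True:  # several backups within one second still get distinct names
        dest = backup_dir / f"vpn_server-{stamp}-{counter:03d}.config"
        if not dest.exists():
            break
        counter += 1
    shutil.copy2(config_path, dest)
    dest.with_name(dest.name + ".sha256").write_text(sha256_of(dest))
    return dest


def latest_verified_backup(backup_dir: Path) -> Optional[Path]:
    """Newest backup whose content still matches its recorded hash (corrupted copies are skipped)."""
    for candidate in sorted(backup_dir.glob("vpn_server-*.config"), reverse=True):
        sidecar = candidate.with_name(candidate.name + ".sha256")
        if sidecar.exists() and sidecar.read_text().strip() == sha256_of(candidate):
            return candidate
    return None


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Health check: can the main cluster controller's listener be reached?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverMonitor:
    """Declares the main server dead only after `threshold` consecutive failed probes."""
    def __init__(self, probe: Callable[[], bool], threshold: int = 3) -> None:
        self.probe, self.threshold, self.failures = probe, threshold, 0

    def check(self) -> bool:
        if self.probe():
            self.failures = 0
            return False
        self.failures += 1
        return self.failures >= self.threshold


def promote_backup(backup_dir: Path, server_dir: Path) -> Path:
    """Place the latest verified configuration where the standby VPN Server reads it."""
    source = latest_verified_backup(backup_dir)
    if source is None:
        raise RuntimeError("no verified backup of vpn_server.config available")
    server_dir.mkdir(parents=True, exist_ok=True)
    target = server_dir / CONFIG_NAME
    shutil.copy2(source, target)
    return target


if __name__ == "__main__":
    # Placeholder host, port and paths; take them from your own deployment.
    backups, standby_dir = Path("/var/backups/vpn"), Path("/usr/local/vpnserver")
    monitor = FailoverMonitor(lambda: tcp_probe("main-controller.example", 443))
    while not monitor.check():
        time.sleep(10)
    print("main server down; restored", promote_backup(backups, standby_dir))
    # Next steps for the operator: assign the main server's IP address to this machine
    # and start the VPN Server service, then keep the repaired main server off the
    # network until its address has been released again.
```

Run `backup_config` from a scheduler on the main server (or from the standby pulling over a copy channel you trust) and `FailoverMonitor` from the standby. The consecutive-failure threshold is what keeps a brief network blip from producing two machines with the same global IP address, which is the failure mode the text asks you to be careful about.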
11.2.18 Connecting to Multiple VPN Servers or Virtual HUBs at Once
You can create multiple Virtual Network Adapters and connection
configurations with VPN Client and designate each connection
configuration to use a separate Virtual Network Adapter. This allows a
single VPN client computer to easily connect to multiple VPN Servers or
Virtual HUBs at the same time. This is the same concept as if you
installed multiple physical network adapters to your computer and
connected each one to a different LAN. Please refer to section "Chapter 4 PacketiX VPN Client 2.0 Manual" for more information.
11.2.19 Using SecureNAT to Provide Remote Access to an Otherwise Inaccessible Network
By using SecureNAT you can easily provide remote access to a network which normally cannot be connected to from the Internet. You can even do so without having administrator rights on the computers on that network. However, you will still need permission from that network's administrator beforehand. Please refer to section "10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights" for more information.