████████████████████████████████████████████████████████████████████████████
[Tunnel/2 ASCII-art logo]
Isn't the public Internet just great!
████████████████████████████████████████████████████████████████████████████
TUNNEL/2 Version 1.40 November 1, 1998
==========================================================================
F R E Q U E N T L Y   A S K E D   Q U E S T I O N S
==========================================================================
QUESTION: What is Tunnel/2 and how do I find out more?
Tunnel/2 connects two or more sites via the Internet--securely--as if
they were at the same geographical location. The home page is a good
place to find more information:
http://www.fx.dk/tunnel
QUESTION: Why use Tunnel/2?
Tunnel/2 tunnels IP traffic over ordinary socket connections and, unlike
many other tunnel solutions, does not depend on special hardware.
The most important features of Tunnel/2 are two-way dial-on-demand,
a static IP address that is always reachable, RADIUS authentication of
remote users, RSA-1024 key sync-up with DES-56 real-time encryption,
packet filtering and compression.
Additionally, Tunnel/2 provides some features that are not found in
any other tunneling software, e.g. the ability to plug in new user
exits using the Plugin Development Kit.
QUESTION: Is Tunnel/2 targeted at businesses or private users?
Both - Businesses can use Tunnel/2 to build a Virtual Net with
superior connectivity. Private users can use it to:
* get behind the company firewall (from home),
* go out through the company firewall and have FULL access to
another place on net, such as the home LAN (from work)
* reach hosts behind a Masqueraded PC.
QUESTION: Quick start?
The absolute minimal setup to run Tunnel/2 is:
Tunnel Master
1.Set up the password.txt file in the Tunnel Master 'root' directory
2.Run TM.EXE with default values
Tunnel Slave
1.Connect InJoy dialer to the Internet with the /D command line
option (to avoid creation of default route).
2.Copy 'connect.txt' from the InJoy directory to Slave directory
3.Run TS.EXE /M:masterIPaddr /S:password /F
Continue here: http://www.fx.dk/tunnel/vpn_life.htm
QUESTION: Where are the easy step-by-step setup instructions?
An updated online version can be found at:
http://www.fx.dk/tunnel/vpn_life.htm
QUESTION: My ISP gateway's address changes at each connect, what can I do?
It is possible to grab the 'ISP Gateway Address' from the InJoy file
'connect.txt' instead of providing the address on the command line.
It requires TS to have the file in the working directory, so either just
install TS on top of InJoy (not a problem) or let InJoy copy the file
to the TS directory when connected.
If the ISP Gateway address never changes, just copy 'connect.txt' to the
slave directory in a one time operation.
The Tunnel Slave needs the ISP Gateway address in order to add a host
route to the Master through that gateway. Without it, once the default
route is gone, the tunnel's own packets have no path to the Master.
QUESTION: Do you have a customer provided setup guide? You know, one
that was actually used to get up and working.
This setup guide has not been checked for accuracy by F/X.
-->MASTER
* install the Tunnel/2 package on the machine you want as the Master.
* configure TCP for IP forwarding via the TCP configuration or execute
ipgate ON each time you start the Tunnel/2 master.
* It is ok to use default TM start up parameters unless your company is
already using 10.2 for the internal net, then specify a new Tunnel/2
subnet on the start up (using the /r parameter) TM /r:10.3.1.1
* add a route on EACH machine on your local net that will route packets
for the TM machine (10.2.0.0 or 10.3.0.0 if example above) to the
machine on your local net.
For example: if the Tunnel/2 master lives on machine 10.1.1.45 on your
local net, and you want to reach the machine at 10.1.1.55 from the
Tunnel/2 slave you will have to add a route on 10.1.1.55 that points
the Tunnel/2 subnet to 10.1.1.45,
route add -net 10.3.0.0 10.1.1.45 255.255.0.0 1
(arguments in order: TM subnet, TM location, subnet mask, hops)
* In other words, if you are at the slave and you want to ping 10.1.1.55
you need to add a route on 10.1.1.55 that points back to the Tunnel/2
Master machine for the Tunnel/2 subnet.
--> SLAVE
* Install the Tunnel/2 package on the machine
* Configure TCP for IP forwarding
* Delete default route (route delete default)
* Start Internet connection
* Start Tunnel/2 slave
TS /G:123.456.789.123 /M:101.123.456.11 /F /S:password
/G:  ISP gateway address
/M:  Internet address of your remote net gateway. The real address
     the Internet sees to access your remote net, NOT a Tunnel/2
     address
/F   Force Connect
/S:  Password set up in connect.txt in the master directory
* If you started Tunnel/2 master with the defaults that's all you need for
the slave. If you used the /R parameter on the Master you need the /R
parameter on the slave:
TS /G:123.456.789.123 /M:101.123.456.11 /R:10.3.2.1
QUESTION: How do I get the plugins?
Plugins are not part of the Tunnel/2 demo version, but are separately
available from F/X Communications, see www.fx.dk/tunnel/order.htm
QUESTION: Is Tunnel/2 secure without the DES-56 Security Plugin?
The standard Tunnel/2 installation authenticates remote clients by
password. This is done via a 3-way authentication protocol which F/X
states is secure; the protocol itself is not described in this FAQ.
Data being transferred through the tunnel is NOT encrypted. Without the
Security Plugin, anyone on the Internet path between Slave and Master
can read the tunnelled traffic; the password only controls who may
bring a tunnel up.
QUESTION: How secure is the DES-56 Security Plugin?
The Security Plugin uses RSA-1024 to sync up (agree on) the session key
and DES-56 for real-time encryption of packets.
A 1024-bit RSA modulus is far beyond what 1998 hardware can factor, so
the key sync-up is not the weak point. It is a key size with a finite
lifetime rather than something 'literally impossible to hack', and
1024-bit RSA is no longer recommended for new systems today.
DES-56 has a 56-bit key, i.e. 2^56 possible keys, and that keyspace is
small enough to search exhaustively: in July 1998 the EFF's purpose-built
DES cracker recovered a DES key by brute force in 56 hours. DES-56
therefore keeps out casual eavesdroppers, not a well-funded adversary.
With real-time encryption of data, an implementation must choose a
compromise between key size and sheer processing power; on the PCs of
1998, DES-56 is the compromise F/X chose.
QUESTION: How fast is the Security Plugin - DES-56?
DES is CPU-intensive, so it is not fast. On a Pentium 133 MHz Slave
computer F/X typically sees a maximum of ~11 Kbit per second. The F/X
Tunnel uses multiple threads and would therefore benefit from an SMP
machine.
Compressing data before it is encrypted will in many cases dramatically
improve the transfer rate, because fewer bytes have to go through DES.
The order matters: ciphertext looks random and does not compress, so
compressing after encryption gains nothing.
QUESTION: What does the Compression Plugin offer?
The compression plugin is based on the same successful algorithm as
PKZip (tm). Use it to compress data before it goes through a leased
line, a modem, or encryption.
The compression is fast and substantially reduces bandwidth use.
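The three answers above describe one pattern: RSA-1024 to agree on a key, DES-56 to encrypt each packet, and compression applied before encryption. The Go program below is an added example written for this FAQ, not code from F/X Communications. Tunnel/2's wire protocol is proprietary and not described here, so everything about the exchange is assumed: RSA-OAEP as the key transport, the 'tunnel-key' label, DES in CBC mode with PKCS#7 padding, deflate standing in for the PKZip-style compressor, and all function names. It also makes visible what the FAQ's description leaves out: nothing authenticates a packet, so a modified ciphertext is detected only by accident.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Session is the DES key one end holds after the sync-up: 8 bytes, of which DES
// uses 56 (the low bit of each byte is parity and is ignored).
type Session struct{ key []byte }

// NewMasterKey makes the Master's RSA-1024 key pair.
func NewMasterKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 1024) }

// KeySyncUp is an assumed stand-in for the "RSA-1024 key sync-up": the Slave draws a
// random DES key, encrypts it to the Master's public key with RSA-OAEP, and the Master
// decrypts it. Both ends' resulting sessions are returned so they can be compared.
func KeySyncUp(master *rsa.PrivateKey) (slave, masterSide *Session, err error) {
	key := make([]byte, des.BlockSize)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	label := []byte("tunnel-key") // assumed label; ties the ciphertext to this purpose
	onWire, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &master.PublicKey, key, label)
	if err != nil {
		return nil, nil, err
	}
	recovered, err := rsa.DecryptOAEP(sha256.New(), nil, master, onWire, label)
	if err != nil {
		return nil, nil, err
	}
	return &Session{key}, &Session{recovered}, nil
}

// SameKey reports whether two ends agreed on the key (a test aid, not a wire check).
func (s *Session) SameKey(o *Session) bool { return bytes.Equal(s.key, o.key) }

// Seal deflates one packet (the PKZip family of compression) and then encrypts it with
// DES-CBC under a fresh random IV that travels ahead of the data. Compression has to
// come first: ciphertext looks random and will not shrink.
func (s *Session) Seal(packet []byte) ([]byte, error) {
	var zb bytes.Buffer
	zw, err := flate.NewWriter(&zb, flate.BestSpeed)
	if err != nil {
		return nil, err
	}
	zw.Write(packet)
	zw.Close()
	plain := pad(zb.Bytes())
	block, err := des.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize+len(plain))
	if _, err := io.ReadFull(rand.Reader, out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], plain)
	return out, nil
}

// Open reverses Seal. Note what it cannot do: there is no MAC, so a bit flipped on the
// wire is noticed only if the padding or the deflate stream happens to reject the
// result. A modern design authenticates every packet before decrypting it.
func (s *Session) Open(sealed []byte) ([]byte, error) {
	if len(sealed) < 2*des.BlockSize || len(sealed)%des.BlockSize != 0 {
		return nil, errors.New("sealed packet is not a whole number of DES blocks")
	}
	block, err := des.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(sealed)-des.BlockSize)
	cipher.NewCBCDecrypter(block, sealed[:des.BlockSize]).CryptBlocks(plain, sealed[des.BlockSize:])
	if plain, err = unpad(plain); err != nil {
		return nil, err
	}
	// Cap the inflated size at one maximum IP datagram so a hostile stream cannot balloon.
	return io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(plain)), 65535))
}

// pad and unpad apply PKCS#7 padding to the 8-byte DES block size; unpad is only
// called on a buffer that Open has already checked to be at least one block long.
func pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}
```

Run it under go test with a check that a repetitive packet comes out smaller on the wire than it went in, that the Master's session opens what the Slave's sealed, and that a truncated packet is rejected. The Open path shows why the FAQ's ~11 Kbit/s figure is not the only cost of DES-56: with no integrity check, the receiving end has to trust padding and deflate to catch corruption, which they do not reliably do.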
QUESTION: What does the Filter Plugin offer?
The filter plugin allows you to optionally discard packets matched on IP
address (combined with netmask), TCP port number, protocol, a hex-string,
a bit-value, or advanced compound filters.
There is no byte within a packet that cannot be addressed using the
filter plugin.
QUESTION: How many Slaves can a Tunnel Master support?
One Tunnel Master has handled as many as 400 Tunnel Slaves without
problems (since March 1996). Several Tunnel Masters can work together
to handle major networks.
Notice that the use of plugins will dramatically increase the CPU load.
The theoretical limit for one Tunnel Master is just below 2000 Slaves,
provided enough CPU power.
QUESTION: Where does the Tunnel Master store information about slaves?
When a Slave connects to the Master it tells the Master characteristics
about itself. That information is stored in the file 'connect.dat' which
is updated at every Slave connect.
Over time, you will see that 'connect.dat' records information about more
and more slaves as you periodically change your setup. To clean up that
information, simply delete the file.
QUESTION: Routing - what is PROXY ARP used for?
The Tunnel Master uses the 'ARP.EXE' program to add PROXY ARP entries at
the TM location: TM answers ARP requests for the Tunnel Slaves' addresses
with its own hardware address, so LAN PCs on the same subnet deliver
packets for the Slaves to the TM machine without any change to their
routing tables.
PROXY ARP has a history of being a source of many problems and you
should always verify the ARP table using the 'arp -a' command.
F/X suggests that you also add routes for the Tunnel subnet to your
router, to make sure packets for that subnet are routed properly to the
Tunnel Master.
With some versions of TCP/IP the output window is likely to show
ARP-related errors. These errors can be ignored; they are triggered only
on some versions of the TCP/IP stack.
Use 'arp -a' to verify your own PROXY ARP entries at any time.
QUESTION: How does two-way Dial-On-Demand work?
In order for Tunnel/2 to provide two-way Dial-On-Demand, you must
equip the Tunnel Master with one or more modems. TM uses these modems
to quickly call the modem at the Slave PC, in order to trigger that
(remote) dialer to dial the local ISP.
This requires the dialer at the Slave PC to support dialing at an
incoming "RING". The InJoy dialer (also from F/X Communications)
can do that.
When Dial-On-Demand is triggered by Slave activity, then it simply sends
out a packet on the IP stack and leaves it to the dialer to dial-out.
QUESTION: In what order should I start the software?
Order shouldn't matter. However, if packets don't seem to take the
right route, try this: Make at least one Internet connection with the
dialer before you bring up the Tunnel. If you have routing problems,
be sure to try this cure.
QUESTION: Starting TS/TM gives message: "ACTION: TUNNEL UP", why?
The message is caused by an auto-generated command, similar to using
'settun /A'.
The command causes the Tunnel to create the TCP/IP stack interface and
routes. It does NOT mean that a tunnel connection is actually established.
QUESTION: But what if I already have a default route when I launch TS?
Be sure NOT to have a default route when bringing up the Tunnel Slave.
TS.EXE will NOT delete an existing default route for you.
If you use InJoy as your dialer, use InJoy's /D option to avoid having
a default route. /D is supported by InJoy version 1.1 and later.
QUESTION: Why does the Tunnel Slave create a default route?
TS creates a default route and accordingly routes all packets through
the tunnel, to the Master.
TS does give you a way to avoid this. If you start the Slave with TS's
own /D parameter, it won't create a default route. This allows you to
route your corporate traffic through the Tunnel and the remaining
traffic directly through the dialer.
Bear in mind that the setup guide above enables IP forwarding on the
Slave: a Slave routed this way has one foot on the Internet and one in
the corporate net, so restrict what it may forward (e.g. with the Filter
Plugin).
QUESTION: What platforms are supported?
So far Tunnel/2 only runs on OS/2.
F/X is actively seeking to provide Tunnel/2 on the Windows platform,
but so far we cannot commit to a release date for this project.
QUESTION: Can I connect Tunnel/2 clients to other Tunnel software?
Standards for tunneling have been a moving target and none of the current
standards provide the functions that F/X is seeking to provide.
Remember, Tunnel/2 is supporting advanced features such as a two-way
dial-on-demand, real-time compression, DES encryption, filtering and
hardware independence.
Accordingly, Tunnel/2 uses a proprietary protocol and can therefore
not connect to other tunnel types. However, by adding an OS/2
gateway PC to the Master LAN, Tunnel/2 can easily coexist with
other tunnel solutions.
F/X is keeping an eye on the new standards as they appear and when
we find one that allows us to use it, we'll definitely support it.
QUESTION: Is Tunnel/2 100% stable and ready for commercial use?
Yes, Tunnel/2 is stable and ready for commercial use.
Check out this interview with the Saskatchewan Wheat Pool (SWP). SWP is
Canada's largest publicly traded agricultural co-operative. SWP now has
annual total sales of more than $4.1 billion.
Interview performed January 1998 by ComputerWorld in Denmark.
Q: How many locations are connected to the VPN now? How many will be
(supposing that the project isn't completed yet)?
A: The number will go up over time, but we have about 300 stations
right now.
Q: How does the cost of setting up an Internet-based VPN compare to
leased lines and/or Frame Relay services? I suppose that it is
cheaper, but how much?
A: Our VPN sites cost somewhere between $100 and $200 per month for
sites which do not maintain TCPBEUI connections. Sites with TCPBEUI
connections cost us $300-400 per month. Having the ability to filter
NetBIOS keep-alive frames in a future version of Tunnel/2 will
reduce our cost significantly.
We also use Frame Relay connections for many of our sites. Frame costs
us about $1000 per month at each site.
With Tunnel/2 we can route IP to an entire subnet at each site. Sites
have a Warp Server along with at least one Windows 95 machine which
is used for office automation as well as at least one machine used
for point of sale. I would guesstimate that we average 1.5 OA machines
and 2.5 POS machines per site.
Whether frame or Tunnel/2, all sites have equivalent functionality. We
use 33.6kbps modems to connect to our ISP and 56kbps DSUs at Frame
Relay sites. The speed is similar, but frame is about 25% faster when
transferring uncompressible data.
Q: As I understand it, security currently is based on encryption of data
and a password scheme. Are you planning to add additional security
measures later?
A: No.
Q: Would you recommend Internet-based VPN's as a WAN solution for other
companies? Are there special factors that should be taken into
account when considering the technology? Was it easier or harder to
implement than you had imagined?
A: I would definitely recommend VPN technology. It provides an important
link to sites which would not be economically connected with any other
way. Situations which involve long periods of inactivity really
perform well with the VPN. For us, the speed is comparable to 56k
Frame Relay. I would consider reliability to be similar to frame as
well, but we have a particularly good ISP.
At some sites, we have a permanent Internet connection. With these
sites, we use Tunnel/2 (without InJoy) to provide a permanent
connection into our Intranet. It works very well and provides the
security and connectivity we need.
As long as some form of Internet connectivity exists, Tunnel/2 will
provide full intranet connectivity. In addition, it provides a way
to assign permanent addresses to given machines. Even a roaming laptop
could have a static IP address regardless of the ISP being
connected to. We consider Tunnel/2 to be a key component in our global
connectivity strategy.
Tunnel/2 demands a decent understanding of IP routing, although I'm
sure that future versions of the product will make this less so.
QUESTION: Does Tunnel/2 support the OS/2 utilities: IPTRACE and IPFORMAT?
Yes.
QUESTION: Is Tunnel/2 year 2000 compliant?
Yes.
████████████████████████████████████████████████████████████████████████████
Copyright (c) 1998, F/X Communications. All rights reserved.
████████████████████████████████████████████████████████████████████████████