PacketiX VPN 2.0 Online Manual
2007/11/20 file://C:¥html¥all.htm


PacketiX VPN 2.0 Manual

PacketiX VPN 2.0
Welcome to the PacketiX VPN 2.0 Online Manual

Introduction
Welcome to PacketiX VPN 2.0.
Before Reading the Manual
Content

Chapter 1: Overview
1.1 What is PacketiX VPN?
1.2 Software of which PacketiX VPN is composed
1.3 PacketiX VPN 2.0 Product Configuration and License
1.4 VPN Operation Principle and Communication Method
1.5 Bolstering Security
1.6 VPN Communication Details
1.7 Handling Large Environments by Clustering
1.8 Multiple Language Support
1.9 VoIP / QoS Support Function

Chapter 2: PacketiX VPN 2.0 Overall Manual
2.1 VPN Communications Protocol
2.2 User Authentication
2.3 Server Authentication
2.4 VPN Server Manager
2.5 VPN Client Manager
2.6 VPN Command Line Management Utility (vpncmd)

Chapter 3 PacketiX VPN Server 2.0 Manual
3.1 Operating Environment
3.2 Operating Modes
3.3 VPN Server Administration
3.4 Virtual HUB Functions
3.5 Virtual HUB Security
3.6 Local Bridges
3.7 Virtual NAT & Virtual DHCP Servers
3.8 Virtual Layer 3 Switches
3.9 Clustering
3.10 Logging Service
3.11 Day-to-Day Management

Chapter 4 PacketiX VPN Client 2.0 Manual
4.1 Operating Environment
4.2 Operating the VPN Client
4.3 Virtual Network Adapter
4.4 VPN Server Connection Method
4.5 Connecting to VPN Server
4.6 Using and Managing Smart Cards
4.7 Management in a Large-Scale Environment
4.8 Measuring Effective Throughput
4.9 Other Functions

Chapter 5 PacketiX VPN Bridge 2.0 Manual
5.1 Operating Environment
5.2 Operating Modes
5.3 Differences between VPN Server and VPN Bridge

Chapter 6 Command Line Management Utility Manual
6.1 Overview of vpncmd
6.2 General Usage of vpncmd
6.3 VPN Server / VPN Bridge Management Command Reference (For Entire Server)
6.4 VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)
6.5 VPN Client Management Command Reference
6.6 VPN Tools Command Reference

Chapter 7 Installing PacketiX VPN Server 2.0
7.1 Installation Precautions
7.2 Installing to Windows and Configuring the Default Settings
7.3 Installing to Linux and Configuring the Default Settings
7.4 Default Settings
7.5 Installing to Other Unix Systems
7.6 Uninstalling PacketiX VPN Server 2.0

Chapter 8 Installing PacketiX VPN Client 2.0
8.1 Installation Precautions
8.2 Installing to Windows and Configuring the Default Settings
8.3 Uninstalling PacketiX VPN Client 2.0

Chapter 9 Installing PacketiX VPN Bridge 2.0
9.1 Installation Precautions
9.2 Installing to Windows and Configuring the Default Settings
9.3 Installing to Linux and Configuring the Default Settings
9.4 Default Settings
9.5 Uninstalling PacketiX VPN Bridge 2.0

Chapter 10 Instructions and Examples For Configuring a VPN
10.1 Types of VPNs
10.2 Common Elements
10.3 Setting Up a PC-to-PC VPN
10.4 Setting Up a Generic Remote Access VPN
10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)
10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)
10.7 Combining a LAN-to-LAN VPN and a Remote Access VPN
10.8 Setting Up a Large Scale Remote Access VPN Service
10.9 Setting Up a Large Scale Virtual HUB Hosting Service
10.10 Using Remote Access as a Single User
10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights
10.12 Using Public Networks Like Public Wireless Access Safely

Chapter 11 Troubleshooting and Supplementary Information
11.1 Troubleshooting
11.2 Useful Information
11.3 General Supplementary Information
11.4 Additional Security Information
11.5 Additional Information Regarding Communication Protocols
11.6 Additional Compatibility Information
11.7 Future Plans for PacketiX VPN

Chapter 12 PacketiX VPN Software Specification
12.1 PacketiX VPN Server 2.0 Specs
12.2 PacketiX VPN Client 2.0 Specs
12.3 PacketiX VPN Bridge 2.0 Specs
12.4 PacketiX VPN Protocol Specification
12.5 Error Codes

Chapter 13 Support
13.1 About Support
13.2 Technical Information and Updates From softether.com

Change Log

Introduction

Thank you for using the PacketiX VPN 2.0 official manual. The official manual contains detailed descriptions of how to use PacketiX VPN 2.0, technical information on the software, almost all functions, troubleshooting and supplementary information. You should read the official manual before attempting to use PacketiX VPN 2.0.

Welcome to PacketiX VPN 2.0.

Before Reading the Manual
Targets of the Manual
Required Advance Knowledge
Getting the Latest Information and Update Versions
Description of Icons in Illustrations
Notes
Reporting Defects or Faults

Content

Welcome to PacketiX VPN 2.0.

Welcome to PacketiX VPN 2.0. PacketiX VPN 2.0 is the latest release of next-generation VPN communications software provided by SoftEther Corporation that offers stability, flexibility and expandability. PacketiX VPN 2.0 enables the user to safely create a high-performance Virtual Private Network (VPN) using an IP communications network, of which the Internet is the representative example. VPN technology can be used to full advantage in fields ranging from communication for business applications to networks oriented toward individual and home use. You should read the PacketiX VPN 2.0 official manual to use PacketiX VPN 2.0 to its full potential for VPN communications.


Before Reading the Manual

You should be aware of the following before reading the manual:

Targets of the Manual

The PacketiX VPN 2.0 official manual contains an overview of and information on how to use the latest release of next-generation VPN communications software provided by SoftEther Corporation, how to construct a VPN, and how to solve problems. The manual is designed for network administrators, system administrators, system instructors, IT professionals and end users with detailed knowledge of computers who require information about the specifications of PacketiX VPN 2.0 software. If you want to get a detailed understanding of PacketiX VPN 2.0 and peripheral technologies, you should carefully read the entire manual. If not, you may also read just the required sections and skip the unnecessary ones.

One of the most important features of PacketiX VPN 2.0 is that, when utilizing the advanced and efficient VPN functions, the end user is able to use VPN communications without a detailed knowledge of VPN. In other words, the software is easy to use and sufficient security is maintained even in its initial state. In order to use the various functions of PacketiX VPN 2.0 properly, we recommend you read the entire manual. If you are using a VPN of ordinary scale, all you need is some knowledge of TCP/IP and VPN. In this case, you may not have to read the entire manual.

Required Advance Knowledge

The following knowledge is necessary to fully understand the contents of the manual. If you recognize that you do not have a sufficient understanding of the following, you should get the required technical information from books or from the Internet and use it in combination with the manual.

- Ethernet, the principal communication-system features of communications devices for Ethernet (network adapter, switching HUB, etc.) and the specific method of constructing a network using Ethernet.
- Internet Protocol (IP), the principal communication-system features of communications devices for IP (router, layer 3 switch, etc.) and the specific method of constructing a network using IP.
- Knowledge of the various types of gateways used together with IP, such as NAT, proxy servers and firewalls.
- How to use several important network tools used for TCP/IP (ping, telnet, etc.).
- The basic way to use the computer systems and operating systems on which PacketiX VPN is used, and basic information on the network implementation of those systems.
- Basic knowledge of PKI, certificates and RSA cryptography, for using the certificate authentication function (PKI).

Although not required, in some cases software functions may be used more effectively by learning about the following items as well as those given above.

- The concept of user mode and kernel mode in ordinary operating systems.
- Information concerning technologies frequently used in computers these days, such as hardware interrupts, software interrupts and system calls.
- The implementation and architecture of TCP/IP in ordinary operating systems.
- Information concerning old VPN protocols (PPTP, IPSec, etc.).
- Detailed knowledge of the features and phenomena that occur when using the TCP/IP protocol on an actual network.
- Knowledge concerning the communications protocols of commonly used applications.
- Knowledge concerning computers and programming required for advanced IT professionals and developers.

Getting such supplementary knowledge not only enables you to master PacketiX VPN 2.0, but also facilitates troubleshooting when problems occur, stable operation, and constructing an efficient system in fields not related to VPN as well.

Getting the Latest Information and Update Versions

The information contained in the manual was the latest information at the time the manual was written. However, information may subsequently be updated, circumstances may change, an updated version of the software may be released or specifications may be changed. In such cases, you must get the latest information from SoftEther Corporation's official website. The latest online version of the manual is available at the following official website and can be downloaded free of charge. If you purchased PacketiX VPN 2.0 in media format and received it together with the manual, you should check the website to see whether updated versions of the software and manual are available.

http://www.softeter.com/

Description of Icons in Illustrations

The manual contains numerous illustrations containing icons such as the following.

[Figure: Icons that appear in illustrations in the manual]

Notes

The specifications of PacketiX VPN 2.0 software and the contents of the manual are subject to change without notification.

If you find any inconsistencies in descriptions of software functions or limitations in this manual and other documents released by SoftEther Corporation, those that appear most frequently generally apply.

Unless otherwise specified, the names of companies, organizations, products, people, characters or data that appear in the manual as examples are fictitious and bear no resemblance to actual companies, organizations, products, people, characters or data.

The software and manual may only be used as specified in the users' agreement.

No part of the software or manual may be reproduced or transferred to another party or parties for any purpose without the written permission of SoftEther Corporation (does not apply in cases where expressly permitted by the users' agreement or where exempt by copyright law).

SoftEther Corporation may possess patents, pending patents, trademarks, copyrights or other property rights concerning the contents of the manual which shall not be licensed to the customer.

Copyright (C) 2004-2007 SoftEther Corporation. All Rights Reserved.

PacketiX is a trademark of SoftEther Corporation for which application for registration has been filed.

Names of companies, products and services that appear in the manual may be registered trademarks or trademarks of those companies.

This product includes software developed by OpenSSL.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by WinPcap.
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy). All rights reserved. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by zlib.

(C) 1995-2004 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Reporting Defects or Faults

If you discover any defects in the software or manual, or any contents of the manual which do not correspond accurately with the operation results of the software, contact us as follows.

- If the software was purchased from a PacketiX VPN partner (dealer): Contact the person in charge of support at the place of purchase.
- If the software was purchased directly from SoftEther Corporation, or if the software is a version that was provided by SoftEther Corporation free of charge: Contact SoftEther Corporation through the official website at http://www.softeter.com/ .


Content

This is the complete contents of the PacketiX VPN 2.0 online manual.

Introduction

Welcome to PacketiX VPN 2.0.

Before Reading the Manual
Targets of the Manual
Required Advance Knowledge
Getting the Latest Information and Update Versions
Description of Icons in Illustrations
Notes
Reporting Defects or Faults

Content

Chapter 1: Overview

1.1 What is PacketiX VPN?
1.1.1 SoftEther VPN and PacketiX VPN
1.1.2 Structure and Operating Principle of VPN
1.1.3 Limitations of old VPN Solution
1.1.4 VPN Communication by PacketiX VPN
1.1.5 NAT, Proxy Server and Firewall Pass
1.1.6 Stability and Security
1.1.7 High-speed Communications Throughput
1.1.8 Advanced Function and Expandability
1.1.9 Platform Independence and Interchangeability
1.1.10 Addition of Functions by Option Pack

1.2 Software of which PacketiX VPN is composed
1.2.1 PacketiX VPN Server
1.2.2 PacketiX VPN Client
1.2.3 PacketiX VPN Bridge
1.2.4 PacketiX VPN Server Manager
1.2.5 PacketiX VPN Command Line Management Utility (vpncmd)
1.2.6 Other Included Utilities

1.3 PacketiX VPN 2.0 Product Configuration and License
1.3.1 Types of Editions According to Usage Objective
1.3.2 Functions and Features of the Various Editions
1.3.3 PacketiX VPN Server 2.0 Standard Edition
1.3.4 PacketiX VPN Server 2.0 Enterprise Edition
1.3.5 PacketiX VPN Server 2.0 Carrier Edition
1.3.6 PacketiX VPN Server 2.0 Embedded Edition
1.3.7 PacketiX VPN Server 2.0 Academic Edition
1.3.8 64-bit version of PacketiX VPN Server 2.0
1.3.9 Connection Licenses
1.3.10 Client Connection Licenses
1.3.11 Bridge Connection License
1.3.12 PacketiX VPN Client and PacketiX VPN Bridge
1.3.13 Demo Version License
1.3.14 License Expiration Date
1.3.15 Server ID of License
1.3.16 License ID and License Key
1.3.17 License Validity and Information Check Method
1.3.18 Additional Purchase of Licenses
1.3.19 PacketiX VPN 2.0 Option Pack
1.3.20 PacketiX VPN 2.0 Administration Pack

1.4 VPN Operation Principle and Communication Method
1.4.1 Conventional Ethernet Configuration
1.4.2 Virtual HUB
1.4.3 Virtual Network Adapter
1.4.4 Cascade connection and virtual layer 3 switch
1.4.5 Bridge Connection of Virtual Network and Physical Network
1.4.6 Computer-to-computer VPN
1.4.7 Remote Access VPN
1.4.8 Base-to-Base VPN of Ordinary Scale
1.4.9 Base-to-Base VPN of Large Scale

1.5 Bolstering Security
1.5.1 Abundant User Authentication Options
1.5.2 Robust Encryption
1.5.3 Server Certificate Verification
1.5.4 Use with Smart Cards

1.6 VPN Communication Details
1.6.1 VPN Sessions
1.6.2 Accepting Connection by VPN Server
1.6.3 Connecting to Virtual HUB
1.6.4 TCP/IP Communication of Session Data
1.6.5 Association with MAC Address
1.6.6 Session from other VPN Server / VPN Client / VPN Bridge
1.6.7 VPN Session Connection Modes
1.6.8 Client Mode Session
1.6.9 Bridge/Router Mode Session
1.6.10 Monitoring Mode Session
1.6.11 Local Bridge Session
1.6.12 Cascade Connection Session
1.6.13 SecureNAT Session
1.6.14 Virtual Layer 3 Switch Session

1.7 Handling Large Environments by Clustering
1.7.1 Necessity of Clustering
1.7.2 Applications of Clustering
1.7.3 Large Scale Remote Access VPN Server
1.7.4 Large Scale Virtual HUB Hosting VPN Server
1.7.5 Product License and Connection License when Clustering

1.8 Multiple Language Support
1.8.1 Unicode Support
1.8.2 User Interface that Supports Multiple Languages
1.8.3 Limitations

1.9 VoIP / QoS Support Function
1.9.1 What is VoIP / QoS Support Function?
1.9.2 Applying to Extension System by Connecting Bases by Layer 2 VPN Using IP Telephone Equipment
1.9.3 If VoIP / QoS Support Function can be Used
1.9.4 Types of Packets Priority Controlled by VoIP / QoS Support Function

Chapter 2: PacketiX VPN 2.0 Overall Manual

2.1 VPN Communications Protocol
2.1.1 Communication Speed
2.1.2 Flexibility
2.1.3 Communication Efficiency and Stability
2.1.4 Encrypted Communication Security
2.1.5 Support for VoIP / QoS

2.2 User Authentication
2.2.1 Anonymous Authentication
2.2.2 Password Authentication
2.2.3 RADIUS Authentication
2.2.4 NT Domain and Active Directory Authentication
2.2.5 Individual Certificate Authentication
2.2.6 Signed Certificate Authentication

2.3 Server Authentication
2.3.1 Necessity of Server Authentication
2.3.2 Server Individual Certificate Authentication
2.3.3 Server Signed Certificate Authentication

2.4 VPN Server Manager
2.4.1 What is VPN Server Manager
2.4.2 VPN Server Manager Support System
2.4.3 Connecting to VPN Server and VPN Bridge
2.4.4 Installing VPN Server Manager Alone
2.4.5 Setup Wizard
2.4.6 Limitations

2.5 VPN Client Manager
2.5.1 What is VPN Client Manager?
2.5.2 System that Supports VPN Client Manager
2.5.3 Integrating with VPN Client
2.5.6 Limitations

2.6 VPN Command Line Management Utility (vpncmd)
2.6.1 What is vpncmd?
2.6.2 Displaying Command Help

Chapter 3 PacketiX VPN Server 2.0 Manual

3.1 Operating Environment
3.1.1 Support for Windows
3.1.2 Support for Linux
3.1.3 Support for FreeBSD
3.1.4 Support for Solaris
3.1.5 Support for Mac OS X
3.1.6 Support for Embedded Devices
3.1.7 Limitations

3.2 Operating Modes
3.2.1 Service Mode
3.2.2 User Mode

3.3 VPN Server Administration
3.3.1 Administration without the need for System Stop
3.3.2 PacketiX VPN Server and Virtual HUBs
3.3.3 Administration Tools & Remote Administration
3.3.4 Administration Authority
3.3.5 SSL Certificates
3.3.6 Listener Ports
3.3.7 Configuration File
3.3.8 Configuration Version Numbers
3.3.9 Configuration History
3.3.10 Administration of Statistical Information
3.3.11 Automatic Adjustment when Disk Space is Insufficient
3.3.12 Failure Recovery
3.3.13 Keep Alive Internet Connection Function
3.3.14 Obtaining Server Information
3.3.15 Selecting Encryption Algorithms for use in SSL Transmission
3.3.16 Initializing the VPN Server Service Reboot & Configuration Information
3.3.17 Syslog Transmission Function
3.3.18 Restricting IP Address Remote Administration Connection Sources

3.4 Virtual HUB Functions
3.4.1 Creating Virtual HUBs
3.4.2 Online & Offline Status
3.4.3 Maximum Simultaneous Connections
3.4.4 Connection Mode
3.4.5 Session Management
3.4.6 MAC Address Tables
3.4.7 IP Address Table
3.4.8 Confirming the Existence of IP Addresses with Poll Packets
3.4.9 Communicating in Bridge / Router Mode Session
3.4.10 Communicating in Monitoring Mode Session
3.4.11 Cascade Connection Functions
3.4.12 Server Authentication in Cascade Connections
3.4.13 Local Bridge
3.4.14 Administrator Connection
3.4.15 Obtaining Information on the Virtual HUBs

3.5 Virtual HUB Security
3.5.1 Delegating Virtual HUB Administration Authority
3.5.2 Virtual HUB Anonymous Enumeration Settings
3.5.3 External Authentication Server Settings
3.5.4 Users and Groups
3.5.5 Trusted Certification Authority Certificates
3.5.6 Certificates Revocation List
3.5.7 Setting CN & Serial Number on Signed Certificate Authentication
3.5.8 Setting an Alias in RADIUS Authentication or NT Domain & Active Directory Authentication
3.5.9 Security Policies
3.5.10 Packet Filtering with the Access List
3.5.11 Limiting Connections with the IP Access Control List
3.5.12 Virtual HUB Administration Options

3.6 Local Bridges
3.6.1 What is a Local Bridge?
3.6.2 Local Bridge Settings & Operation
3.6.3 Preparing the Local Bridge network adapter
3.6.4 Local Bridge Sessions
3.6.5 Supported Network Adapter Types
3.6.6 Use of network adapters not supporting Promiscuous Mode
3.6.7 Tagged VLAN Frames
3.6.8 Outputting all Communication Data in the Virtual HUB to the Network Adapter
3.6.9 Using Tap Devices
3.6.10 Points to Note when Local Bridging in Windows
3.6.11 Points to Note when Local Bridging in Linux
3.6.12 Points to Note when Local Bridging in Solaris

3.7 Virtual NAT & Virtual DHCP Servers
3.7.1 What is SecureNAT?
3.7.2 Setting the Virtual Host Network Interface
3.7.3 Virtual NAT
3.7.4 Points to Note when using Virtual NAT Function
3.7.5 Virtual DHCP Server
3.7.6 Points to Note when using the Virtual DHCP Server
3.7.7 SecureNAT Sessions
3.7.8 Logging SecureNAT Status

3.8 Virtual Layer 3 Switches
3.8.1 What is a Virtual Layer 3 Switch?
3.8.2 Difference between Bridging & IP Routing
3.8.3 Defining Virtual Layer 3 Switches
3.8.4 Adding Virtual Interfaces to connect to Virtual HUBs
3.8.5 Editing the Routing Table
3.8.6 Starting and Stopping Virtual Layer 3 Switches
3.8.7 Limitations

3.9 Clustering
3.9.1 What is Clustering?
3.9.2 Cluster Controllers
3.9.3 Cluster Member Servers
3.9.4 Load Balancing
3.9.5 Load Balancing using Performance Standard Ratio
3.9.6 Fault Tolerance
3.9.7 Static Virtual HUBs
3.9.8 Dynamic Virtual HUBs
3.9.9 Connecting to Arbitrary Servers in Static Virtual HUBs
3.9.10 Collectively Administering the Entire Cluster
3.9.11 Cluster Configuration Licenses
3.9.12 Functions not Available Simultaneously with Clustering

3.10 Logging Service
3.10.1 Log Save Format & Save Cycle
3.10.2 Server Log
3.10.3 Virtual HUB Security Log
3.10.4 Virtual HUB Packet Log
3.10.6 Obtaining Log Files on a Remote Administration Terminal
3.10.17 Syslog Transmission function

3.11 Day-to-Day Management
3.11.1 Auditing the Server Log
3.11.2 Checking Usage Status
3.11.3 Backing Up Configuration Information
3.11.4 Recovering from Failure
3.11.5 Rolling Back the Configuration
3.11.6 Confirming Hard Disk Availability
3.11.7 Network Administration Support Tools
3.11.8 Checking Sufficiency of Required Resources
3.11.9 Measuring Effective Throughput

Chapter 4 PacketiX VPN Client 2.0 Manual

4.1 Operating Environment
4.1.1 Windows Support
4.1.2 Linux Support
4.1.3 Support for Other Systems
4.1.4 Limitations

4.2 Operating the VPN Client
4.2.1 VPN Client Manager
4.2.2 Command Line Management Utility (vpncmd)
4.2.3 Task Tray Icon

4.3 Virtual Network Adapter
4.3.1 Support for Multiple Virtual Network Adapters
4.3.2 Virtual Network Adapter Creation and Setup
4.3.3 Managing the Version of the Virtual Network Adapter Device Driver
4.3.4 Bridge Connection Between a Virtual Network Adapter and Physical Network Adapter

4.4 VPN Server Connection Method
4.4.1 Selecting the Proper Connection Method
4.4.2 Direct TCP/IP Connection
4.4.3 Connection Via HTTP Proxy Server
4.4.4 Connection Via SOCKS Proxy Server
4.4.5 Server-Certificate Verification
4.4.6 Selecting a Virtual Network Adapter
4.4.7 User Authentication Setting
4.4. Use of the Smart Card Authentication
4.4.9 Automatic Reconnection Function
4.4.10 Connection Status and Error Message Displays
4.4.11 Advanced Communication Settings
4.4.12 Number of TCP/IP Connections for VPN Session Communications
4.4.13 Interval Between TCP Connections and Length of TCP Connection
4.4.14 Half-Duplex Mode Option
4.4.15 SSL Encryption Option
4.4.16 Data Compression Option
4.4.17 Selecting the Connection Mode
4.4.18 Routing Table Rewrite Process
4.4.19 Startup Connection
4.4.20 Exporting and Importing Connection Settings
4.4.21 Creating a Shortcut for a Connection Setting
4.4.22 VPN Server and VPN Bridge Cascade Connection Setting

4.5 Connecting to VPN Server
4.5.1 Starting a VPN Connection
4.5.2 Checking the Connection Status
4.5.3 Terminating a VPN Connection
4.5.4 Operations When an Error Occurs

4.6 Using and Managing Smart Cards
4.6.1 Smart Card Device Driver
4.6.1 Selecting a Smart Card
4.6.3 Listing and Obtaining Smart Card Objects
4.6.4 Deleting Smart Card Objects
4.6.5 Changing a PIN Code
4.6.6 Using Smart Card Authentication to Connect to VPN Server
4.6.8 Limitations

4.7 Management in a Large-Scale Environment
4.7.1 Remote Management of VPN Client
4.7.2 Distributing Configuration Files
4.7.3 Distributing a Connection Setting File to Users

4.8 Measuring Effective Throughput
4.8.1 Using the Communication Throughput Measurement Tool
4.8.2 Configuring the Communication Throughput Measurement Tool
4.8.3 Communication Throughput Measurement Precautions

4.9 Other Functions
4.9.1 Changing the User Password Registered to VPN Server
4.9.2 Internet Connection Maintenance Function
4.9.3 Voice Guide Function
4.9.4 Translucent Window Function
4.9.5 Setting Lock Function
4.9.6 Simple Mode and Normal Mode

Chapter 5 PacketiX VPN Bridge 2.0 Manual

5.1 Operating Environment
5.1.1 Support for Windows
5.1.2 Support for Linux
5.1.3 Support for FreeBSD
5.1.4 Support for Solaris
5.1.5 Support for Mac OS X
5.1.6 Support for Embedded Devices
5.1.7 Limitations

5.2 Operating Modes
5.2.1 Service Mode
5.2.2 User Mode

5.3 Differences between VPN Server and VPN Bridge
5.3.1 Features and Usage of VPN Bridge
5.3.2 Virtual HUB on VPN Bridge
5.3.3 Cascade Connection Function on VPN Bridge
5.3.4 Receiving a Connection on VPN Bridge
5.3.5 Local Bridge Function on VPN Bridge
5.3.6 SecureNAT Function on VPN Bridge
5.3.7 Virtual Layer 3 Switch Function on VPN Bridge
5.3.8 Coexistence of VPN Bridge and VPN Server

Chapter 6 Command Line Management Utility Manual6.1 Overview of vpncmd6.1.1 vpncmd 6.1.2 vpncmd Management Mode

6.2 General Usage of vpncmd6.2.1 Command Input Rules 6.2.2 Command Help Display 6.2.3 Command Line Parameters When Starting a vpncmd Command 6.2.4 Batch Processing Mode 6.2.5 Saving a Log 6.2.6 vpncmd Process Return Values 6.2.7 Character Encoding 6.2.8 Calling vpncmd in Windows 6.2.9 Stand-Alone Installation of vpncmd

6.3 VPN Server / VPN Bridge Management Command Reference (For Entire Server)6.3.1 About - Display the version information 6.3.2 ServerInfoGet - Get server information 6.3.3 ServerStatusGet - Get Current Server Status 6.3.4 ListenerCreate - Create New TCP Listener 6.3.5 ListenerDelete - Delete TCP Listener 6.3.6 ListenerList - Get List of TCP Listeners 6.3.7 ListenerEnable - Begin TCP Listener Operation

file://C:htmlall.htm

2007/11/20

6.3.8 ListenerDisable - Stop TCP Listener Operation
6.3.9 ServerPasswordSet - Set VPN Server Administrator Password
6.3.10 ClusterSettingGet - Get Clustering Configuration of Current VPN Server
6.3.11 ClusterSettingStandalone - Set VPN Server Type as Standalone
6.3.12 ClusterSettingController - Set VPN Server Type as Cluster Controller
6.3.13 ClusterSettingMember - Set VPN Server Type as Cluster Member
6.3.14 ClusterMemberList - Get List of Cluster Members
6.3.15 ClusterMemberInfoGet - Get Cluster Member Information
6.3.16 ClusterMemberCertGet - Get Cluster Member Certificate
6.3.17 ClusterConnectionStatusGet - Get Connection Status to Cluster Controller
6.3.18 ServerCertGet - Get SSL Certificate of VPN Server
6.3.19 ServerKeyGet - Get SSL Certificate Private Key of VPN Server
6.3.20 ServerCertSet - Set SSL Certificate and Private Key of VPN Server
6.3.21 ServerCipherGet - Get the Encrypted Algorithm Used for VPN Communication.
6.3.22 ServerCipherSet - Set the Encrypted Algorithm Used for VPN Communication.
6.3.23 KeepEnable - Enable the Keep Alive Internet Connection Function
6.3.24 KeepDisable - Disable the Keep Alive Internet Connection Function
6.3.25 KeepSet - Set the Keep Alive Internet Connection Function
6.3.26 KeepGet - Get the Keep Alive Internet Connection Function
6.3.27 SyslogEnable - Set syslog Send Function
6.3.28 SyslogDisable - Disable syslog Send Function
6.3.29 SyslogGet - Get syslog Send Function
6.3.30 ConnectionList - Get List of TCP Connections Connecting to the VPN Server
6.3.31 ConnectionGet - Get Information of TCP Connections Connecting to the VPN Server
6.3.32 ConnectionDisconnect - Disconnect TCP Connections Connecting to the VPN Server
6.3.33 BridgeDeviceList - Get List of Network Adapters Usable as Local Bridge
6.3.34 BridgeList - Get List of Local Bridge Connection
6.3.35 BridgeCreate - Create Local Bridge Connection
6.3.36 BridgeDelete - Delete Local Bridge Connection
6.3.37 Caps - Get List of Server Functions/Capability
6.3.38 Reboot - Reboot VPN Server Service
6.3.39 ConfigGet - Get the current configuration of the VPN Server
6.3.40 ConfigSet - Write Configuration File to VPN Server
6.3.41 RouterList - Get List of Virtual Layer 3 Switches
6.3.42 RouterAdd - Define New Virtual Layer 3 Switch
6.3.43 RouterDelete - Delete Virtual Layer 3 Switch
6.3.44 RouterStart - Start Virtual Layer 3 Switch Operation
6.3.45 RouterStop - Stop Virtual Layer 3 Switch Operation
6.3.46 RouterIfList - Get List of Interfaces Registered on the Virtual Layer 3 Switch
6.3.47 RouterIfAdd - Add Virtual Interface to Virtual Layer 3 Switch
6.3.48 RouterIfDel - Delete Virtual Interface of Virtual Layer 3 Switch
6.3.49 RouterTableList - Get List of Routing Tables of Virtual Layer 3 Switch
6.3.50 RouterTableAdd - Add Routing Table Entry for Virtual Layer 3 Switch
6.3.51 RouterTableDel - Delete Routing Table Entry of Virtual Layer 3 Switch
6.3.52 LogFileList - Get List of Log Files
6.3.53 LogFileGet - Download Log file
6.3.54 HubCreate - Create New Virtual HUB
6.3.55 HubCreateDynamic - Create New Dynamic Virtual HUB (For Clustering)
6.3.56 HubCreateStatic - Create New Static Virtual HUB (For Clustering)
6.3.57 HubDelete - Delete Virtual HUB
6.3.58 HubSetStatic - Change Virtual HUB Type to Static Virtual HUB
6.3.59 HubSetDynamic - Change Virtual HUB Type to Dynamic Virtual HUB
6.3.60 HubList - Get List of Virtual HUBs
6.3.61 Hub - Select Virtual HUB to Manage
6.3.62 LicenseAdd - Add License Key Registration
6.3.63 LicenseDel - Delete Registered License
6.3.64 LicenseList - Get List of Registered Licenses
6.3.65 LicenseStatus - Get License Status of Current VPN Server
6.3.66 MakeCert - Create New X.509 Certificate and Private Key
6.3.67 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.3.68 TrafficServer - Execute Communication Throughput Measurement Tool Server
6.3.69 Check - Check if PacketiX VPN Operation is Possible

6.4 VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)
6.4.1 Online - Switch Virtual HUB to Online
6.4.2 Offline - Switch Virtual HUB to Offline
6.4.3 SetMaxSession - Set the Max Number of Concurrently Connected Sessions for Virtual HUB
6.4.4 SetHubPassword - Set Virtual HUB Administrator Password
6.4.5 SetEnumAllow - Allow Enumeration by Virtual HUB Anonymous Users
6.4.6 SetEnumDeny - Deny Enumeration by Virtual HUB Anonymous Users
6.4.7 OptionsGet - Get Options Setting of Virtual HUBs
6.4.8 RadiusServerSet - Set RADIUS Server to use for User Authentication
6.4.9 RadiusServerDelete - Delete Setting to Use RADIUS Server for User Authentication
6.4.10 RadiusServerGet - Get Setting of RADIUS Server Used for User Authentication
6.4.11 StatusGet - Get Current Status of Virtual HUB
6.4.12 LogGet - Get Log Save Setting of Virtual HUB
6.4.13 LogEnable - Enable Security Log or Packet Log
6.4.14 LogDisable - Disable Security Log or Packet Log
6.4.15 LogSwitchSet - Set Log File Switch Cycle
6.4.16 LogPacketSaveType - Set Save Contents and Type of Packet to Save to Packet Log
6.4.17 CAList - Get List of Trusted CA Certificates
6.4.18 CAAdd - Add Trusted CA Certificate
6.4.19 CADelete - Delete Trusted CA Certificate
6.4.20 CAGet - Get Trusted CA Certificate
6.4.21 CascadeList - Get List of Cascade Connections
6.4.22 CascadeCreate - Create New Cascade Connection
6.4.23 CascadeSet - Set the Destination for Cascade Connection
6.4.24 CascadeGet - Get the Cascade Connection Setting
6.4.25 CascadeDelete - Delete Cascade Connection Setting
6.4.26 CascadeUsernameSet - Set User Name to Use Connection of Cascade Connection
6.4.27 CascadeAnonymousSet - Set User Authentication Type of Cascade Connection to Anonymous Authentication
6.4.28 CascadePasswordSet - Set User Authentication Type of Cascade Connection to Password Authentication
6.4.29 CascadeCertSet - Set User Authentication Type of Cascade Connection to Client Certificate Authentication
6.4.30 CascadeCertGet - Get Client Certificate to Use for Cascade Connection
6.4.31 CascadeEncryptEnable - Enable Encryption when Communicating by Cascade Connection
6.4.32 CascadeEncryptDisable - Disable Encryption when Communicating by Cascade Connection
6.4.33 CascadeCompressEnable - Enable Data Compression when Communicating by Cascade Connection
6.4.34 CascadeCompressDisable - Disable Data Compression when Communicating by Cascade Connection
6.4.35 CascadeProxyNone - Specify Direct TCP/IP Connection as the Connection Method of Cascade Connection
6.4.36 CascadeProxyHttp - Set Connection Method of Cascade Connection to be via an HTTP Proxy Server
6.4.37 CascadeProxySocks - Set Connection Method of Cascade Connection to be via an SOCKS Proxy Server
6.4.38 CascadeServerCertEnable - Enable Cascade Connection Server Certificate Verification Option
6.4.39 CascadeServerCertDisable - Disable Cascade Connection Server Certificate Verification Option
6.4.40 CascadeServerCertSet - Set the Server Individual Certificate for Cascade Connection
6.4.41 CascadeServerCertDelete - Delete the Server Individual Certificate for Cascade Connection
6.4.42 CascadeServerCertGet - Get the Server Individual Certificate for Cascade Connection
6.4.43 CascadeDetailSet - Set Advanced Settings for Cascade Connection
6.4.44 CascadePolicySet - Set Cascade Connection Session Security Policy
6.4.45 PolicyList - Display List of Security Policy Types and Settable Values
6.4.46 CascadeStatusGet - Get Current Cascade Connection Status
6.4.47 CascadeRename - Change Name of Cascade Connection
6.4.48 CascadeOnline - Switch Cascade Connection to Online Status
6.4.49 CascadeOffline - Switch Cascade Connection to Offline Status
6.4.50 AccessAdd - Add Access List Rules
6.4.51 AccessList - Get Access List Rule List
6.4.52 AccessDelete - Delete Rule from Access List
6.4.53 AccessEnable - Enable Access List Rule
6.4.54 AccessDisable - Disable Access List Rule
6.4.55 UserList - Get List of Users
6.4.56 UserCreate - Create User
6.4.57 UserSet - Change User Information
6.4.58 UserDelete - Delete User
6.4.59 UserGet - Get User Information
6.4.60 UserAnonymousSet - Set Anonymous Authentication for User Auth Type
6.4.61 UserPasswordSet - Set Password Authentication for User Auth Type and Set Password
6.4.62 UserCertSet - Set Individual Certificate Authentication for User Auth Type and Set Certificate
6.4.63 UserCertGet - Get Certificate Registered for Individual Certificate Authentication User
6.4.64 UserSignedSet - Set Signed Certificate Authentication for User Auth Type
6.4.65 UserRadiusSet - Set RADIUS Authentication for User Auth Type
6.4.66 UserNTLMSet - Set NT Domain Authentication for User Auth Type
6.4.67 UserPolicyRemove - Delete User Security Policy
6.4.68 UserPolicySet - Set User Security Policy
6.4.69 UserExpiresSet - Set User's Expiration Date
6.4.70 GroupList - Get List of Groups
6.4.71 GroupCreate - Create Group
6.4.72 GroupSet - Set Group Information
6.4.73 GroupDelete - Delete Group
6.4.74 GroupGet - Get Group Information and List of Assigned Users
6.4.75 GroupJoin - Add User to Group
6.4.76 GroupUnjoin - Delete User from Group
6.4.77 GroupPolicyRemove - Delete Group Security Policy
6.4.78 GroupPolicySet - Set Group Security Policy
6.4.79 SessionList - Get List of Connected Sessions
6.4.80 SessionGet - Get Session Information
6.4.81 SessionDisconnect - Disconnect Session
6.4.82 MacTable - Get the MAC Address Table Database
6.4.83 MacDelete - Delete MAC Address Table Entry
6.4.84 IpTable - Get the IP Address Table Database
6.4.85 IpDelete - Delete IP Address Table Entry
6.4.86 SecureNatEnable - Enable the Virtual NAT and DHCP Server Function (SecureNat Function)
6.4.87 SecureNatDisable - Disable the Virtual NAT and DHCP Server Function (SecureNat Function)
6.4.88 SecureNatStatusGet - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)
6.4.89 SecureNatHostGet - Get Network Interface Setting of Virtual Host of SecureNAT Function
6.4.90 SecureNatHostSet - Change Network Interface Setting of Virtual Host of SecureNAT Function
6.4.91 NatGet - Get Virtual NAT Function Setting of SecureNAT Function
6.4.92 NatEnable - Enable Virtual NAT Function of SecureNAT Function
6.4.93 NatDisable - Disable Virtual NAT Function of SecureNAT Function
6.4.94 NatSet - Change Virtual NAT Function Setting of SecureNAT Function
6.4.95 NatTable - Get Virtual NAT Function Session Table of SecureNAT Function
6.4.96 DhcpGet - Get Virtual DHCP Server Function Setting of SecureNAT Function
6.4.97 DhcpEnable - Enable Virtual DHCP Server Function of SecureNAT Function
6.4.98 DhcpDisable - Disable Virtual DHCP Server Function of SecureNAT Function
6.4.99 DhcpSet - Change Virtual DHCP Server Function Setting of SecureNAT Function
6.4.100 DhcpTable - Get Virtual DHCP Server Function Lease Table of SecureNAT Function
6.4.101 AdminOptionList - Get List of Virtual HUB Administration Options
6.4.102 AdminOptionSet - Set Values of Virtual HUB Administration Options
6.4.103 CrlList - Get List of Certificates Revocation List
6.4.104 CrlAdd - Add a Revoked Certificate
6.4.105 CrlDel - Delete a Revoked Certificate
6.4.106 CrlGet - Get a Revoked Certificate
6.4.107 AcList - Get List of Rule Items of IP Access Control List
6.4.108 AcAdd - Add Rule to IP Access Control List
6.4.109 AcDel - Delete Rule from IP Access Control List

6.5 VPN Client Management Command Reference
6.5.1 About - Display the version information
6.5.2 VersionGet - Get Version Information of VPN Client Service
6.5.3 PasswordSet - Set the password to connect to the VPN Client service.
6.5.4 PasswordGet - Get Password Setting to Connect to VPN Client Service
6.5.5 CertList - Get List of Trusted CA Certificates
6.5.6 CertAdd - Add Trusted CA Certificate
6.5.7 CertDelete - Delete Trusted CA Certificate
6.5.8 CertGet - Get Trusted CA Certificate
6.5.9 SecureList - Get List of Usable Smart Card Types
6.5.10 SecureSelect - Select the Smart Card Type to Use
6.5.11 SecureGet - Get ID of Smart Card Type to Use
6.5.12 NicCreate - Create New Virtual Network Adapter
6.5.13 NicDelete - Delete Virtual Network Adapter
6.5.14 NicUpgrade - Upgrade Virtual Network Adapter Device Driver
6.5.15 NicGetSetting - Get Virtual Network Adapter Setting
6.5.16 NicSetSetting - Change Virtual Network Adapter Setting
6.5.17 NicEnable - Enable Virtual Network Adapter
6.5.18 NicDisable - Disable Virtual Network Adapter
6.5.19 NicList - Get List of Virtual Network Adapters
6.5.20 AccountList - Get List of VPN Connection Settings
6.5.21 AccountCreate - Create New VPN Connection Setting
6.5.22 AccountSet - Set the VPN Connection Setting Connection Destination
6.5.23 AccountGet - Get Setting of VPN Connection Setting
6.5.24 AccountDelete - Delete VPN Connection Setting
6.5.25 AccountUsernameSet - Set User Name of User to Use Connection of VPN Connection Setting
6.5.26 AccountAnonymousSet - Set User Authentication Type of VPN Connection Setting to Anonymous Authentication
6.5.27 AccountPasswordSet - Set User Authentication Type of VPN Connection Setting to Password Authentication
6.5.28 AccountCertSet - Set User Authentication Type of VPN Connection Setting to Client Certificate Authentication
6.5.29 AccountCertGet - Get Client Certificate to Use for Cascade Connection
6.5.30 AccountEncryptDisable - Disable Encryption when Communicating by VPN Connection Setting
6.5.31 AccountEncryptEnable - Enable Encryption when Communicating by VPN Connection Setting
6.5.32 AccountCompressEnable - Enable Data Compression when Communicating by VPN Connection Setting
6.5.33 AccountCompressDisable - Disable Data Compression when Communicating by VPN Connection Setting
6.5.34 AccountProxyNone - Specify Direct TCP/IP Connection as the Connection Method of VPN Connection Setting
6.5.35 AccountProxyHttp - Set Connection Method of VPN Connection Setting to be via an HTTP Proxy Server
6.5.36 AccountProxySocks - Set Connection Method of VPN Connection Setting to be via an SOCKS Proxy Server
6.5.37 AccountServerCertEnable - Enable VPN Connection Setting Server Certificate Verification Option
6.5.38 AccountServerCertDisable - Disable VPN Connection Setting Server Certificate Verification Option
6.5.39 AccountServerCertSet - Set Server Individual Certificate for VPN Connection Setting
6.5.40 AccountServerCertDelete - Delete Server Individual Certificate for VPN Connection Setting
6.5.41 AccountServerCertGet - Get Server Individual Certificate for VPN Connection Setting
6.5.42 AccountDetailSet - Set Advanced Settings for VPN Connection Setting
6.5.43 AccountRename - Change VPN Connection Setting Name
6.5.44 AccountConnect - Start Connection to VPN Server using VPN Connection Setting
6.5.45 AccountDisconnect - Disconnect VPN Connection Setting During Connection
6.5.46 AccountStatusGet - Get Current VPN Connection Setting Status
6.5.47 AccountNicSet - Set Virtual Network Adapter for VPN Connection Setting to Use
6.5.48 AccountStatusShow - Set Connection Status and Error Screen to Display when Connecting to VPN Server
6.5.49 AccountStatusHide - Set Connection Status and Error Screen to be Hidden when Connecting to VPN Server
6.5.50 AccountSecureCertSet - Set User Authentication Type of VPN Connection Setting to Smart Card Authentication
6.5.51 AccountRetrySet - Set Interval between Connection Retries for Connection Failures or Disconnections of VPN Connection Setting
6.5.52 AccountStartupSet - Set VPN Connection Setting as Startup Connection
6.5.53 AccountStartupRemove - Remove Startup Connection of VPN Connection Setting
6.5.54 AccountExport - Export VPN Connection Setting
6.5.55 AccountImport - Import VPN Connection Setting
6.5.56 RemoteEnable - Allow Remote Management of VPN Client Service
6.5.57 RemoteDisable - Deny Remote Management of VPN Client Service
6.5.58 KeepEnable - Enable the Keep Alive Internet Connection Function
6.5.59 KeepDisable - Disable the Keep Alive Internet Connection Function
6.5.60 KeepSet - Set the Keep Alive Internet Connection Function
6.5.61 KeepGet - Get the Keep Alive Internet Connection Function
6.5.62 MakeCert - Create New X.509 Certificate and Private Key
6.5.63 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.5.64 TrafficServer - Execute Communication Throughput Measurement Tool Server
6.5.65 Check - Check if PacketiX VPN Operation is Possible

6.6 VPN Tools Command Reference
6.6.1 About - Display the version information
6.6.2 MakeCert - Create New X.509 Certificate and Private Key
6.6.3 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.6.4 TrafficServer - Execute Communication Throughput Measurement Tool Server
6.6.5 Check - Check if PacketiX VPN Operation is Possible

Chapter 7 Installing PacketiX VPN Server 2.0

7.1 Installation Precautions
7.1.1 Checking the Operating Environment
7.1.2 Hard Disk Space
7.1.3 CPU Processing Speed
7.1.4 Conflicting Software

7.2 Installing to Windows and Configuring the Default Settings
7.2.1 Selecting the Installation Mode
7.2.2 Installation Procedure Using the Installer
7.2.3 Optimizing the TCP/IP Communication Settings
7.2.4 Precautions After Installation
7.2.5 Managing VPN Server with VPN Server Manager
7.2.6 Managing with vpncmd
7.2.7 Starting and Stopping Service
7.2.8 Adding and Deleting the Service
7.2.9 Limitations When Starting with General User Rights

7.3 Installing to Linux and Configuring the Default Settings
7.3.1 Recommended System
7.3.2 Selecting the Installation Mode
7.3.3 Checking the Required Software and Libraries
7.3.4 Extracting the Package
7.3.5 Creating an Executable File
7.3.6 VPN Server Location
7.3.7 Using the vpncmd Check Command to Check Operations
7.3.8 Registering a Startup Script
7.3.9 Starting and Stopping Service
7.3.10 Limitations when Starting with General User Rights

7.4 Default Settings
7.4.1 Changing the Manager Password
7.4.2 Registering the License
7.4.3 Checking the Current License Status and the Usage Status of the Number of Connections
7.4.4 Creating a Virtual HUB

7.5 Installing to Other Unix Systems

7.6 Uninstalling PacketiX VPN Server 2.0
7.6.1 Uninstallation in Windows
7.6.2 Uninstallation in Linux

Chapter 8 Installing PacketiX VPN Client 2.0

8.1 Installation Precautions
8.1.1 Checking the Operating Environment
8.1.2 Network Connection Environment
8.1.3 Conflicting Software

8.2 Installing to Windows and Configuring the Default Settings
8.2.1 Installation Procedure Using the Installer
8.2.2 Optimizing the TCP/IP Communication Settings
8.2.3 Precautions After Installation
8.2.4 VPN Client Manager Operations
8.2.5 Operating with vpncmd
8.2.6 Creating a Virtual Network Adapter
8.2.7 Configuring a Virtual Network Adapter
8.2.8 Creating a Connection Setting

8.3 Uninstalling PacketiX VPN Client 2.0
8.3.1 Uninstallation
8.3.2 Virtual Network Adapter

Chapter 9 Installing PacketiX VPN Bridge 2.0

9.1 Installation Precautions
9.1.1 Checking the Operating Environment
9.1.2 Hard Disk Space
9.1.3 CPU Processing Speed
9.1.4 Conflicting Software

9.2 Installing to Windows and Configuring the Default Settings
9.2.1 Selecting the Installation Mode
9.2.2 Installation Procedure Using the Installer
9.2.3 Optimizing the TCP/IP Communication Settings
9.2.4 Precautions After Installation
9.2.5 Managing VPN Bridge with VPN Server Manager
9.2.6 Managing with vpncmd
9.2.7 Starting and Stopping Service
9.2.8 Adding and Deleting the Service
9.2.9 Limitations when Starting with General User Rights

9.3 Installing to Linux and Configuring the Default Settings
9.3.1 Recommended System
9.3.2 Selecting the Installation Mode
9.3.3 Checking the Required Software and Libraries
9.3.4 Extracting the Package
9.3.5 Creating an Executable File
9.3.6 VPN Bridge Location
9.3.7 Using the vpncmd Check Command to Check Operations
9.3.8 Registering a Startup Script
9.3.9 Starting and Stopping Service
9.3.10 Limitations when Starting with General User Rights

9.4 Default Settings
9.4.1 Changing the Manager Password
9.4.2 Creating a Cascade Connection with a Local Bridge

9.5 Uninstalling PacketiX VPN Bridge 2.0
9.5.1 Uninstallation in Windows
9.6.2 Uninstallation in Linux

Chapter 10 Instructions and Examples For Configuring a VPN

10.1 Types of VPNs
10.1.1 PC-to-PC VPN
10.1.2 Remote Access VPN
10.1.3 LAN-to-LAN VPN

10.2 Common Elements
10.2.1 VPN Server Location
10.2.2 Deciding the VPN Server / Virtual HUB Administrator
10.2.3 Changing Existing NAT/Firewall Configurations
10.2.4 Selecting a User Authentication Method
10.2.5 Selecting what Functionality to Use
10.2.6 Virtual Layer 3 Switching
10.2.7 Virtual DHCP Server
10.2.8 Virtual NAT
10.2.9 Advice about Protocol Conflicts when Making a LAN-to-LAN Connection

10.3 Setting Up a PC-to-PC VPN
10.3.1 Configuring VPN Server
10.3.2 Network Layout
10.3.3 Calculating the Number of Required Licenses
10.3.4 Connecting to the VPN Remotely/Performing a Communication Test

10.4 Setting Up a Generic Remote Access VPN
10.4.1 Connecting to a LAN Remotely
10.4.2 Using Local Bridging
10.4.3 Examining User Authentication Methods
10.4.4 Network Layout
10.4.5 Calculating the Number of Required Licenses
10.4.6 Installing VPN Server On a LAN
10.4.7 Configuring the Local Bridge
10.4.8 Connecting to the VPN Remotely/Performing a Communication Test

10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)
10.5.1 About Bridge-Connected LAN VPNs
10.5.2 Local Bridge and Cascade Connection Functionality
10.5.3 Pros and Cons of Bridging
10.5.4 Network Layout
10.5.5 Calculating the Number of Required Licenses
10.5.6 Installing VPN Server On the Main LAN
10.5.7 Installing VPN Bridge to the Sub-LAN
10.5.8 Configuring the Local Bridges
10.5.9 Configuring Cascade Connections
10.5.10 Connecting to the LAN-to-LAN VPN/Performing a Communication Test
10.5.11 Supplementary Information

10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)
10.6.1 Combining Bridge Connections and IP Routing
10.6.2 IP Routing Via Virtual Layer 3 Switching
10.6.3 Pros and Cons of IP Routing
10.6.4 Network Layout
10.6.5 Calculating the Number of Required Licenses
10.6.6 Installing VPN Server On the Main LAN
10.6.7 Installing VPN Bridge on the Other LANs
10.6.8 LAN-to-LAN VPN Connection
10.6.9 Supplementary Information

10.7 Combining a LAN-to-LAN VPN and a Remote Access VPN
10.7.1 Using LAN-to-LAN Communication and Remote Access Together
10.7.2 Calculating the Number of Required Licenses
10.7.3 Supplementary Information

10.8 Setting Up a Large Scale Remote Access VPN Service
10.8.1 VPN Server's Processing Limit
10.8.2 Increase Network Scalability By Using Clustering
10.8.3 Using Static Virtual HUBs
10.8.4 Network Layout
10.8.5 Calculating the Number of Required Licenses
10.8.6 Installing and Configuring the Cluster Controller
10.8.7 Installing and Configuring the Cluster Member Servers
10.8.8 Creating Static Virtual HUBs
10.8.9 Making a Local Bridge between the Existing LAN and the Virtual HUBs
10.8.10 Managing VPN Sessions on a Clustered VPN

10.9 Setting Up a Large Scale Virtual HUB Hosting Service
10.9.1 The Necessity of a Virtual HUB Hosting Service
10.9.2 Increase Network Scalability By Using Clustering
10.9.3 Using Dynamic Virtual HUBs
10.9.4 Network Layout
10.9.5 Calculating the Number of Required Licenses
10.9.6 Installing and Configuring the Cluster Controller
10.9.7 Installing and Configuring the Cluster Member Servers
10.9.8 Creating Dynamic Virtual HUBs
10.9.9 Assigning Virtual HUB Administrator Rights
10.9.10 Managing VPN Sessions on a Clustered VPN
10.9.11 Automating the Creation and Management of a Large Quantity of Virtual HUBs or Users
10.9.12 User's Usage Status and Billing
10.9.13 Limiting Administrator Rights by Configuring the Virtual HUB Management Options

10.10 Using Remote Access as a Single User
10.10.1 Dangers of the Internet and the Need for VPN
10.10.2 Installing the VPN Server at Home
10.10.3 Assigning IP Addresses and the DDNS Service
10.10.4 Adjusting Settings For Broadband Routers or Other Networking Hardware
10.10.5 Determining the Necessity of Local Bridging
10.10.6 Accessing Your Home Network From a Remote Network Safely
10.10.7 Using Electronic Devices that can only Communicate over the same Network

10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights
10.11.1 Utilizing SecureNAT to Make Things More Convenient
10.11.2 Using SecureNAT For Amazingly Simple, Secure Remote Access With No Administrator Rights
10.11.3 A Practical Example Network
10.11.4 Starting Up VPN Bridge on the Remote LAN
10.11.5 Using Remote Access
10.11.6 SecureNAT and Security
10.11.7 The Dangers of Misusing SecureNAT

10.12 Using Public Networks Like Public Wireless Access Safely
10.12.1 The Dangers of Public Network Services
10.12.2 Utilizing VPN for Safer Public Network Usage
10.12.3 Installing VPN Server at Home or at Work
10.12.4 Accessing the Internet Via a VPN Server's Local Bridge
10.12.5 About SoftEther's Secure Access Service

Chapter 11 Troubleshooting and Supplementary Information

11.1 Troubleshooting
11.1.1 Programs Suddenly Terminate during Normal Operation.
11.1.2 I am unable to communicate with the IP address of the Virtual Network Adapter used for local bridging from within the VPN.
11.1.3 A [Protocol Error] is occurring.
11.1.4 I am getting the message [The time on the server and the client does not match.].
11.1.5 I am getting slow transfer speeds when using Windows file sharing on the VPN.
11.1.6 There is a large number of broadcast packets constantly being sent over the network. What should I check?
11.1.8 The CPU load increases after enabling Virtual NAT for SecureNAT.
11.1.9 Protocols that use many broadcast packets are not working properly.
11.1.10 Multicast packets are being dropped.
11.1.11 Even though I have installed VPN Server and connected to it from outside the network, I still can not connect to the local network.
11.1.12 I forgot my VPN Server's administrator password.
11.1.13 What do I do if I lost my license key?
11.1.14 RADIUS authentication is not functioning properly. What should I check?
11.1.15 NT Domain or Active Directory authentication is not functioning properly. What should I check?
11.1.16 Setting the listener port to port 443 always gives an error.
11.1.17 I added a local bridge but it is always offline or showing an error.
11.1.18 The local bridge to my wireless network adapter is not functioning properly.
11.1.19 I created a Virtual Layer 3 Switch but it is always offline or showing an error.
11.1.20 I have set up a cluster but I can not communicate between Virtual HUBs on the cluster.
11.1.21 I am not performing any communication over the VPN, but packets are being sent to the Internet periodically.
11.1.22 After I have created a Virtual Network Adapter I get the message, [No network cable is connected.].
11.1.23 I forgot my password for VPN Client.
11.1.24 My Windows 98 Second Edition or Windows Millennium Edition system becomes unstable when I use a Virtual Network Adapter.
11.1.25 I uninstalled VPN Client but my Virtual Network Adapter is still there.
11.1.26 I am having trouble when using a smart card.
11.1.27 I am unable to create a Virtual Network Adapter with VPN Client under Linux.
11.1.28 My VPN connection is disconnected when I designate the Virtual Network Adapter as the default gateway in VPN Client under Linux.
11.1.29 I forgot my VPN Bridge's administrator password.
11.1.30 I have connected LANs together with bridge connections using VPN Server and VPN Bridge, but I still can not communicate between computers on the LANs. What should I check?
11.1.31 I am getting a warning message in syslog stating that ARP packets are being received from the IP address "0.0.0.0" when using local bridging under FreeBSD.

11.2 Useful Information
11.2.1 Installing VPN Server With a Variable Global IP Address
11.2.2 Making a VPN Connection to a LAN Consisting of Only Private IP Addresses
11.2.4 Using an IPv6 over IPv4 Tunnel
11.2.5 About Wake On Lan (WOL)
11.2.6 Installing VPN Server 2.0 Behind a NAT Enabled Router
11.2.7 Using an IDS to View Packets Going In/Out of a Virtual HUB
11.2.8 Recreating a Switch's Port VLAN Functionality
11.2.9 Accepting Connections from SoftEther 1.0 Virtual Network Adapter Software
11.2.10 Performing Administration Via TELNET as Supported in SoftEther 1.0
11.2.11 Increasing Cluster Controller Redundancy
11.2.18 Connecting to Multiple VPN Servers or Virtual HUBs at Once
11.2.19 Using SecureNAT to Provide Remote Access to an Otherwise Inaccessible Network.

11.3 General Supplementary Information
11.3.1 Using This Software Together With Anti-Virus Software or a Personal Firewall
11.3.2 About the 1/1000th of a Second Delay Encountered When Communicating Over a VPN
11.3.3 NTLM Authentication Support for Connections Via Proxy Server
11.3.4 How Far Away Can You Establish a VPN Session Connection From?
11.3.5 I measured the throughput of traffic through my VPN with my usual measurement utilities, and they are showing very low transfer speeds. What's wrong?
11.3.6 The Difference Between VPN Bridge's SecureNAT and VPN Server's SecureNAT
11.3.7 Can a single user open multiple VPN sessions?
11.3.8 According to the Windows end user license agreement, is it OK to use a client based operating system such as Windows XP as a VPN server?
11.3.9 Things to Consider When Using Windows 98, 98 SE, or ME as a VPN Server
11.3.10 I have more connections to my VPN than I have licenses for. What happened?
11.3.11 About MAC Addresses Starting With "00:AE"
11.3.12 How MAC Addresses Are Assigned to Virtual HUBs
11.3.13 Naming Computers Running VPN Server
11.3.14 Differences Between the Academic Edition and the Standard Production Edition
11.3.15 VPN Server Computer Specifications and the Number of Possible Simultaneous Connections
11.3.16 Determining When to Use Clustering and Load Balancing
11.3.17 When Using a Special PPPoE Connection Tool to Connect to the Internet
11.3.18 Things to Consider When Using Your Operating System to Make a Bridged Connection Between a Virtual Network Adapter and a Physical Network Adapter
11.3.19 What if the Virtual Network Adapter and the physical network adapter both have the same network address?
11.3.20 How is the Virtual Network Adapter's MAC address generated?
11.3.21 Are Virtual Network Adapters' MAC addresses unique?
11.3.22 Things to be aware of when using SSH port forwarding software to connect to a VPN server
11.3.23 Concerning the priority of default gateways when one exists on both the Virtual Network Adapter network and on the physical network
11.3.25 If you are unable to create a Virtual HUB with VPN Bridge...
11.3.26 If you are unable to use local bridging in FreeBSD, Solaris, or Mac OS X...
11.3.27 Connecting to a VPN Bridge Listener Port From VPN Client

11.4 Additional Security Information
11.4.1 Dealing With Viruses or Worms on Your VPN
11.4.3 Is there any danger of my VPN Client service being controlled remotely immediately after installing VPN Client before I have configured it?

11.5 Additional Information Regarding Communication Protocols
11.5.1 Usable Protocols Other than TCP/IP
11.5.2 Using NetBEUI, IPX/SPX, AppleTalk, etc.
11.5.3 Sending Multicast Packets Within the VPN
11.5.4 Using IP Phone Protocols
11.5.5 Using NetMeeting or Other Video Conferencing Protocols
11.5.6 Using PacketiX VPN to Communicate on an Existing VPN Tunnel

11.6 Additional Compatibility Information
11.6.1 Coexistence With SoftEther 1.0
11.6.2 Relationship With Mitsubishi Materials Corporation's SoftEther CA
11.6.3 Compatibility With SoftEther 1.0 Protocols
11.6.4 Compatibility With Other VPN Products

11.7 Future Plans for PacketiX VPN
11.7.1 Localization Plans
11.7.3 About VPN Client for Windows CE
11.7.4 About VPN Client for Platforms Other than Windows or Linux

Chapter 12 PacketiX VPN Software Specification

12.1 PacketiX VPN Server 2.0 Specs
12.1.1 Supported Operating Systems (Recommended)
12.1.2 Supported Operating Systems (All)
12.1.3 Hardware Requirements
12.1.4 Software Specs
12.1.5 Program File Structure

12.2 PacketiX VPN Client 2.0 Specs
12.2.1 Supported Operating Systems (Recommended)
12.2.2 Supported Operating Systems (All)
12.2.3 Hardware Requirements
12.2.4 Software Specs
12.2.5 Program File Structure
12.2.6 List of Supported Smart Cards and Hardware Security Devices

12.3 PacketiX VPN Bridge 2.0 Specs
12.3.1 Supported Operating Systems (Recommended)
12.3.2 Supported Operating Systems (All)
12.3.3 Hardware Requirements
12.3.4 Software Specs
12.3.5 Program File Structure

12.4 PacketiX VPN Protocol Specification
12.4.1 Protocol Specs
12.4.2 Packets Sendable Over a VPN
12.4.3 How to Detect the PacketiX VPN Protocol

12.5 Error Codes

Chapter 13 Support

13.1 About Support
13.1.1 Support Bundled with Commercial Software Licenses

13.2 Technical Information and Updates From softether.com
13.2.1 Technical Information/Manual
13.2.2 Downloading the Latest Version Updates

Change Log


Chapter 1: OverviewPacketiX VPN 2.0 is revolutionary VPN software that offers many features not found in older VPN software or hardware. This chapter contains an overview of the software contained in PacketiX VPN 2.0, plus a description of its functions and supplementary information.

1.1 What is PacketiX VPN?
1.1.1 SoftEther VPN and PacketiX VPN
1.1.2 Structure and Operating Principle of VPN
1.1.3 Limitations of old VPN Solution
1.1.4 VPN Communication by PacketiX VPN
1.1.5 NAT, Proxy Server and Firewall Pass
1.1.6 Stability and Security
1.1.7 High-speed Communications Throughput
1.1.8 Advanced Function and Expandability
1.1.9 Platform Independence and Interchangeability
1.1.10 Addition of Functions by Option Pack

1.2 Software of which PacketiX VPN is composed
1.2.1 PacketiX VPN Server
1.2.2 PacketiX VPN Client
1.2.3 PacketiX VPN Bridge
1.2.4 PacketiX VPN Server Manager
1.2.5 PacketiX VPN Command Line Management Utility (vpncmd)
1.2.6 Other Included Utilities

1.3 PacketiX VPN 2.0 Product Configuration and License
1.3.1 Types of Editions According to Usage Objective
1.3.2 Functions and Features of the Various Editions
1.3.3 PacketiX VPN Server 2.0 Standard Edition
1.3.4 PacketiX VPN Server 2.0 Enterprise Edition
1.3.5 PacketiX VPN Server 2.0 Carrier Edition
1.3.6 PacketiX VPN Server 2.0 Embedded Edition
1.3.7 PacketiX VPN Server 2.0 Academic Edition
1.3.8 64-bit version of PacketiX VPN Server 2.0
1.3.9 Connection Licenses
1.3.10 Client Connection Licenses
1.3.11 Bridge Connection License
1.3.12 PacketiX VPN Client and PacketiX VPN Bridge
1.3.13 Demo Version License
1.3.14 License Expiration Date
1.3.15 Server ID of License
1.3.16 License ID and License Key
1.3.17 License Validity and Information Check Method
1.3.18 Additional Purchase of Licenses
1.3.19 PacketiX VPN 2.0 Option Pack
1.3.20 PacketiX VPN 2.0 Administration Pack

1.4 VPN Operation Principle and Communication Method
1.4.1 Conventional Ethernet Configuration
1.4.2 Virtual HUB
1.4.3 Virtual Network Adapter
1.4.4 Cascade connection and virtual layer 3 switch
1.4.5 Bridge Connection of Virtual Network and Physical Network
1.4.6 Computer-to-computer VPN
1.4.7 Remote Access VPN
1.4.8 Base-to-Base VPN of Ordinary Scale
1.4.9 Base-to-Base VPN of Large Scale

1.5 Bolstering Security
1.5.1 Abundant User Authentication Options
1.5.2 Robust Encryption
1.5.3 Server Certificate Verification
1.5.4 Use with Smart Cards

1.6 VPN Communication Details
1.6.1 VPN Sessions
1.6.2 Accepting Connection by VPN Server
1.6.3 Connecting to Virtual HUB
1.6.4 TCP/IP Communication of Session Data
1.6.5 Association with MAC Address
1.6.6 Session from other VPN Server / VPN Client / VPN Bridge
1.6.7 VPN Session Connection Modes
1.6.8 Client Mode Session
1.6.9 Bridge/Router Mode Session
1.6.10 Monitoring Mode Session
1.6.11 Local Bridge Session
1.6.12 Cascade Connection Session
1.6.13 SecureNAT Session
1.6.14 Virtual Layer 3 Switch Session

1.7 Handling Large Environments by Clustering
1.7.1 Necessity of Clustering
1.7.2 Applications of Clustering
1.7.3 Large Scale Remote Access VPN Server
1.7.4 Large Scale Virtual HUB Hosting VPN Server
1.7.5 Product License and Connection License when Clustering

1.8 Multiple Language Support
1.8.1 Unicode Support
1.8.2 User Interface that Supports Multiple Languages
1.8.3 Limitations

1.9 VoIP / QoS Support Function
1.9.1 What is VoIP / QoS Support Function?
1.9.2 Applying to Extension System by Connecting Bases by Layer 2 VPN Using IP Telephone Equipment
1.9.3 If VoIP / QoS Support Function can be Used
1.9.4 Types of Packets Priority Controlled by VoIP / QoS Support Function


1.1 What is PacketiX VPN?

PacketiX VPN is next-generation VPN software that offers stability, flexibility and expandability. It is compatible with all advanced networks, from the high-bandwidth, high-load networks required by large corporations and Internet providers to networks for individuals, homes, and small and medium-sized businesses. This section contains an overview of PacketiX VPN, a comparison with older VPN protocols, and a description of its advanced functions.

1.1.1 SoftEther VPN and PacketiX VPN

SoftEther Corporation previously developed and distributed VPN software called SoftEther 1.0. SoftEther 1.0 enabled users to construct a simple layer 2 VPN by installing a Virtual Network Adapter and Virtual HUB on Windows, and was distributed as freeware. PacketiX VPN 2.0 is the next version of SoftEther 1.0. When developing PacketiX VPN 2.0, however, SoftEther Corporation did not use even a single line of the SoftEther 1.0 source code; the software was designed and developed from scratch. With PacketiX VPN 2.0, therefore, the company was able to release software free of the defects, the lack of interchangeability and the limited expandability of SoftEther 1.x (CA 1.x). At the beta stage the name PacketiX VPN 2.0 had not yet been decided and the software was tentatively called SoftEther VPN 2.0. With the official release the name was changed to PacketiX VPN 2.0, under the new brand name PacketiX, which covers SoftEther Corporation's network and security products. The name SoftEther VPN 2.0, which currently appears on the Internet and in some magazine articles and books, and the name PacketiX VPN 2.0 refer to one and the same product.

Fig. 1-1-1. Correlation of SoftEther 1.0 and PacketiX VPN 2.0

1.1.2 Structure and Operating Principle of VPN

Virtual Private Network (VPN) is a technology that started to spread around 1998. VPN technology allows users to construct a virtual network that maintains security on top of an existing IP network such as the Internet, and to communicate freely within that virtual network. The following is a description of the common VPN structure.

Tunneling and Encapsulating

VPN is a solution for constructing a virtual network. VPN uses a technique called "tunneling", which enables users to construct a virtual network between two remote points on an existing public IP network and communicate freely over it. With tunneling, packets that would normally be transmitted on a physical communications medium such as network cable or optical fiber are not transmitted directly on a physical network; instead they are encapsulated as the data of another protocol, such as TCP/IP packets. Encryption and an electronic signature can be added at the same time as encapsulation. Encapsulated data is transmitted through a session called a "tunnel" between the start and end points of VPN communication. The party that receives the encapsulated data extracts the original packets from the capsules. If the data was encrypted when encapsulated, it must be decrypted. If an electronic signature has been added, the recipient can check whether the contents of the packet were tampered with during transmission by verifying the electronic signature. Because all data travelling between the sending computer and the receiving computer passes through the tunnel in encapsulated form, unprotected data is never exposed on the network.


Fig. 1-1-2. Structure and operating principle of common VPN

Ensuring Security of Transmitted Data by Encryption

One of the advantages of using VPN is the enhanced security provided by encryption. An IP network that anyone can access, such as the Internet, is always exposed to the danger of eavesdropping and masquerading. Even if expensive transmission services and infrastructure such as dedicated line services or satellite links are used, the lines could be physically bugged, the data could be surreptitiously viewed by communications company technicians acting maliciously or out of curiosity, or the data could be tapped and analyzed by the government, etc. When sending and receiving data over such a WAN, it is therefore recommended that the data be encrypted by some means.

Fig. 1-1-3 Danger of sending and receiving data over the Internet

A possible problem is that not all existing communication applications and protocols support encryption. For example, HTTP has a variant called HTTPS, which is encrypted by SSL, and the SSH protocol is encrypted from the beginning. Numerous Internet-based applications, however, either have no encryption function or, if they do, might have a problem with packaging or encryption strength.


Fig. 1-1-4 Encrypted packets and packets that are not encrypted

If these conventional communications protocols with insufficient security are used as they are on a WAN such as a dedicated line or the Internet, the data can be intercepted or altered by hacking. By using VPN, the communication of almost all applications that use IP or Ethernet is encrypted automatically, which dramatically enhances security.

Better Connectivity and Network Independence

Another significant advantage of using VPN is that it enhances connectivity and offers network independence. On public IP networks such as the Internet, as a rule, any IP packet can be transmitted from a computer with any IP address to a computer with any other IP address. When a client computer and a server computer communicate over the Internet, the server computer may therefore actually receive packets from a different computer with malicious intent. Nowadays, worms that attack security holes in vulnerable operating systems, transmission software and server software circulate on the Internet, and there is a possibility of infection. Because a computer connected directly to the Internet is substantially unsafe, it is not recommended that computers processing important communications data for business, etc., be allotted global IP addresses and connected directly to the Internet. However, when data is sent and received between remote bases via a public IP network such as the Internet, as a rule at least one side must have a port on a global IP address open and standing by for communications. This is a necessary consequence of using the TCP/IP protocol. Thus, if VPN is not used when sending and receiving data between computers at remote bases, IP packets must be able to reach both computers, in which case the security problems mentioned above may occur.

Fig. 1-1-5 When carrying out TCP/IP connection on the Internet, as a rule at least one side must have a global IP address and the port must be open to the public.

By using VPN, these problems can be solved easily and reliably. As previously mentioned, VPN communicates by passing encapsulated packets through a tunnel established between computers at remote bases. When the tunnel is being established, user authentication is conducted between the computers, and the tunnel is established only if it succeeds. Once established, the tunnel is maintained for as long as physical network communication is not cut off. If all the data flowing through the tunnel is encrypted and an electronic signature is added, other computers on the Internet that are not related to the tunnel can no longer interfere with its communications. By using this tunneling technology to connect computers, or whole computer networks, at multiple remote bases, the safe virtual network built by VPN can theoretically be made independent of WAN lines, such as the Internet, that have security problems.

Fig. 1-1-6 Prevention of eavesdropping/tampering by third party with malicious intent using VPN

Inexpensive Internet Connection can be Used Instead of Dedicated Line

With the VPN structure described above, computers at any base can communicate via the Internet with more robust security than dedicated line services provide, without using the dedicated line services that used to charge high usage fees. Recently in particular, Internet services using optical fiber or ADSL have become available for several thousand yen per month, and such inexpensive services can be used for communications that are as safe as before or safer. By using VPN, a company can establish its own dedicated virtual communications network inside a public network such as the Internet, where any computers can communicate freely by IP, and can construct a safe and stable independent network without worrying about the dangers of the Internet.


Fig. 1-1-7 Using inexpensive and fast Internet connection instead of dedicated line

1.1.3 Limitations of old VPN Solution

Several VPN software and hardware solutions have existed for some time, and since 1998 VPN technology and technologies employing it have been used at various sites. For example, the following VPN protocols are currently incorporated into several network products and used:

PPTP
L2TP / IPSec
vtun
OpenVPN
Port transmission by SSH
Other minor VPN standards

However, many older VPN protocols have the following limitations, and under various circumstances their use must be restricted or they cannot be used at all.

Difficulty Passing Through Network Gateway Devices

On many business networks, and on some home networks, the internal network is separated from the Internet by measures such as NAT (IP masquerade), proxy servers and firewalls, so that the number of IP addresses used is limited and security is bolstered. Devices that perform this processing are called network gateway devices. In some cases a network gateway device is a dedicated device (appliance), and in some cases it is a high-performance computer on which Linux, etc., is installed. However, many older VPN protocols cannot communicate through these network gateway devices. One reason is that many VPN protocols add the header of a special protocol, rather than ordinary TCP/IP, when encapsulating communications packets. For example, a VPN protocol called PPTP uses an extremely minor protocol called Generic Routing Encapsulation (GRE). A VPN protocol called L2TP requires the use of IPSec, so an IPSec header is added to each packet. As these examples show, the majority of conventional VPN protocols realize VPN communication by an approach unlike the ordinary connection-oriented TCP/IP communication model, and therefore cannot carry out VPN communication across many network gateway devices, especially NAT (IP masquerade), almost all proxy servers, and firewalls. To use the majority of conventional VPN protocols, therefore, a global IP address must be allotted to both the connecting VPN client computer and the destination VPN server computer, or network gateway devices customized to process the special packets must be installed.

Fig. 1-1-8 Many older VPN protocols have difficulty passing NAT router firewalls, etc.

Limitations of Protocol that can Communicate within VPN

Many conventional VPN protocols encapsulate and tunnel only layer 3 protocols (the IP layer, etc.) or protocols of still higher layers (the TCP layer, application layer, etc.). With this approach, however, protocols that the VPN protocol does not individually support cannot communicate via the VPN. For example, in many cases special-purpose control protocols and legacy protocols such as IPX/SPX and NetBEUI, which are currently used by general purpose equipment, cannot be used via VPN, and it is difficult to carry existing system communications over an Internet VPN instead of a dedicated line.

Fig. 1-1-9 VPN protocol that encapsulates older IP cannot send and receive packets other than IP packets

IP Routing is Necessary

If VPN is realized with an older VPN protocol of the type that encapsulates layer 3 (the IP layer), basically one of the following methods must be selected.

1. Install VPN client software on all computers participating in VPN and connect.
2. Connect existing network of base to VPN and conduct IP routing.

With method 1, VPN client software is installed on every computer that might be connected to the VPN, and each computer performs the connection operation to the VPN server. Communication is then possible only between computers on which VPN client software is installed. With this method, however, the more computers there are that need VPN communication, the more administration is necessary, and computers on which VPN client software cannot be installed, as well as network devices such as network appliances and digital electrical appliances, cannot participate in the VPN.

With method 2, computers on the base networks connected to the VPN can send and receive data to and from each other, and computers on which VPN client software cannot be installed, as well as network devices such as network appliances and digital electrical appliances, automatically participate in the VPN. The disadvantage of this method is that it requires IP routing between the existing networks connected to the VPN and the virtual network created by the VPN. Therefore, realizing a remote access VPN or a base-to-base VPN with an old VPN protocol requires large-scale changes to the settings of existing networks, such as changes to the routing tables of existing IP network routers.

Fig. 1-1-10 Devices that do not support routing cannot communicate via VPN of old IP base

Dependence on Certain Platform

A problem with many old VPN protocols is that the range of platforms supporting each protocol is not very wide, and even when a protocol can be used on multiple platforms, differences between the respective implementations have in some cases caused trouble in practical application. Furthermore, some VPN protocols require the hardware of certain network device vendors, and compatibility of protocols among vendors has declined.


Fig. 1-1-11 Communication among VPN products of different vendors cannot be carried out

High Cost, Low Performance

The price of network devices and security software is generally extremely high, and this includes network security solutions other than VPN solutions. Realistically, however, network security products introduced at high cost often do not satisfy performance and function requirements. Concerning function and performance in particular, the most important factor for conventional VPN was providing security; network permeability and communications performance were not considered as important. The reason is that when old VPN protocols began to appear, broadband was not yet very popular, and the fastest Internet connection lines available to average businesses and homes ran at several Mbps to tens of Mbps. Currently, even ordinary homes have broadband lines of several tens of Mbps to 100 Mbps, and gigabit-scale Internet connection lines for business backbones are available at an extremely low price compared to several years ago. Few VPN hardware devices and VPN products can use these fast physical lines efficiently enough, and those that can are mostly implemented on extremely expensive dedicated network devices.

Need for new VPN System to Compensate for Shortcomings in old VPN Protocol

Old VPN protocols have the problems described above and various other problems. A highly functional, reliable and highly flexible VPN system that solves these problems and limitations is therefore necessary.

1.1.4 VPN Communication by PacketiX VPN

PacketiX VPN 2.0 is VPN software that solves the various limitations of old VPN solutions described above and also offers many new, innovative functions.

Features of PacketiX VPN 2.0

With PacketiX VPN 2.0 alone, many tasks that in the past could not be accomplished without combining multiple network security products or software, or without programming or developing original tools, can be accomplished by simple operations.

PacketiX VPN 2.0 takes layer 2, in other words Ethernet, as the target of encapsulation and tunneling. PacketiX VPN 2.0 realizes in software the network devices of a conventional network, such as the network adapter, switching HUB and layer 3 switch, and connects them by tunnels that use the PacketiX VPN protocol, which is based on the TCP/IP protocol. This lets the user construct a highly flexible VPN that was not possible with products up to now. The operation principle and specifications of PacketiX VPN are explained in 1.4 VPN Operation Principle and Communication Method. The method of actually designing, constructing and applying various networks with PacketiX VPN is explained in Chapter 10 Instructions and Examples For Configuring a VPN.

Fig. 1-1-12 Making various types of hardware devices on Ethernet virtual for PacketiX VPN

Advantages of Making Ethernet Virtual

Unlike many old VPN protocols, PacketiX VPN targets layer 2 (Ethernet) for VPN communications. In other words, with old VPNs that targeted layer 3, encapsulated IP packets flowed through the tunnel, whereas with PacketiX VPN, encapsulated Ethernet frames flow through the tunnel.


Fig. 1-1-13 Comparison of old VPN protocol and PacketiX VPN when base-to-base connection VPN is constructed

1.1.5 NAT, Proxy Server and Firewall Pass

PacketiX VPN conducts VPN communications by establishing a VPN session, called a tunnel, between a VPN Server and a VPN Client or VPN Bridge. Packets that virtually flow within the VPN session, which is an Ethernet network, are actually encapsulated and flow through a physical IP network. In doing so, PacketiX VPN encapsulates arbitrary Ethernet frames in the TCP/IP protocol, a feature not present in the majority of old VPN protocols. With PacketiX VPN, any TCP/IP port number can also be designated and used for VPN communications. The default port numbers are 8888, 443 (for HTTPS) and 992. For details concerning TCP/IP port number designation, see 3.3.6 Listener Ports.

By conducting all VPN communication over TCP/IP, PacketiX VPN can communicate through the majority of network gateway devices. A VPN can easily be established through almost all types of NAT, proxy servers and firewalls.

With PacketiX VPN, VPN communications can be conducted easily and safely even in environments where VPN used to be hard to use because of NAT, proxy server and firewall settings. Because it is no longer necessary to open a hole in existing firewall settings to introduce VPN, the burden on the network administrator is reduced, and it helps prevent the deterioration of network security caused by firewall setting modifications.

Users can also safely access the company LAN from free Internet connection spots, such as stations, airports and hotels at their destination, if they take along a laptop computer with VPN Client installed. Because many free Internet connection spots use NAT, firewalls or transparent proxy servers, VPN protocols cannot be used there in many cases. With PacketiX VPN, however, these spots can be used without worry.

Fig. 1-1-14 Passage through NAT proxy server or firewall by PacketiX VPN
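
Sections 1.1.2 (encapsulation with a tamper check), 1.1.4 (Ethernet frames in the tunnel) and 1.1.5 (transport over TCP) can be seen working together in the following added example, which is not code from this manual or from PacketiX VPN. The record layout, the HMAC-SHA256 tag standing in for the electronic signature, the demo key and all frames are assumptions constructed for illustration; encryption is omitted, and this is not the PacketiX VPN protocol itself.

```python
import hashlib
import hmac
import struct

# Constructed demo key (assumption); a real VPN negotiates per-session keys.
DEMO_KEY = b"constructed-demo-key"
TAG_LEN = 32  # size of an HMAC-SHA256 tag
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8137: "IPX"}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame (no preamble or FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def encapsulate(frame: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Wrap one frame as a tunnel record: 2-byte length | frame | HMAC tag."""
    header = struct.pack("!H", len(frame))
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


class TunnelReceiver:
    """Rebuilds records from a TCP-like byte stream and verifies each one."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.buffer = b""

    def feed(self, chunk: bytes) -> list:
        """Add received bytes; return frames that are complete and authentic."""
        self.buffer += chunk
        frames = []
        while len(self.buffer) >= 2:
            (length,) = struct.unpack("!H", self.buffer[:2])
            total = 2 + length + TAG_LEN
            if len(self.buffer) < total:
                break  # record is split across segments: wait for more bytes
            record, self.buffer = self.buffer[:total], self.buffer[total:]
            expected = hmac.new(self.key, record[:-TAG_LEN], hashlib.sha256).digest()
            if not hmac.compare_digest(expected, record[-TAG_LEN:]):
                raise ValueError("integrity check failed: record was altered")
            frames.append(record[2:-TAG_LEN])
        return frames


def ethertype_name(frame: bytes) -> str:
    """Name the protocol carried by a frame from its EtherType field."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return ETHERTYPES.get(ethertype, hex(ethertype))


def layer3_tunnel_accepts(frame: bytes) -> bool:
    """An IP-only (layer 3) tunnel has no way to carry non-IP frames."""
    return ethertype_name(frame) == "IPv4"


def demo():
    """Send three constructed frames through the tunnel in 7-byte chunks."""
    host_a, host_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sent = [
        build_frame(host_b, host_a, 0x0800, b"constructed IP datagram"),
        build_frame(b"\xff" * 6, host_a, 0x0806, b"constructed ARP request"),
        build_frame(host_b, host_a, 0x8137, b"constructed IPX packet"),
    ]
    stream = b"".join(encapsulate(frame) for frame in sent)
    receiver = TunnelReceiver()
    received = []
    for offset in range(0, len(stream), 7):
        received += receiver.feed(stream[offset:offset + 7])
    return sent, received


if __name__ == "__main__":
    sent, received = demo()
    for frame in received:
        print(ethertype_name(frame), "layer 3 tunnel:", layer3_tunnel_accepts(frame))
    print("all frames recovered:", received == sent)
```

Because TCP delivers a byte stream without message boundaries, the receiver has to buffer until a whole record has arrived; a record that fails the tag check raises an error, at which point a real tunnel would drop the session.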

1.1.6 Stability and Security

As was previously mentioned, PacketiX VPN uses only the TCP/IP protocol for VPN communications, and any Ethernet frames can be tunneled. When VPN communication is carried out, PacketiX VPN encrypts all data with the Internet standard encryption protocol called Secure Sockets Layer (SSL). The system administrator can use any encryption algorithm or electronic signature algorithm he chooses. For details see 3.3.15 Selecting Encryption Algorithms for use in SSL Transmission.

With PacketiX VPN, not only are communications encrypted, but security concerning user authentication and server authentication is also bolstered. PacketiX VPN supports user authentication using the RADIUS servers used by companies, NT domain / Active Directory, and certificate authentication using X.509 and RSA. It also supports some smart cards, for purposes deemed to require high security. For details see 1.5 Bolstering Security.

The protocol that actually flows through the physical IP network during VPN communications, carrying VPN communications packets and security checks such as user authentication, is called the PacketiX VPN protocol. PacketiX VPN protocol not only encrypts all communication contents by SSL, but it establishe