TunnelBuilder for Windows FAQ

Most Frequently Asked Questions for TunnelBuilder for Windows:

  1. How do I get support for TunnelBuilder?
  2. Which VPN servers does TunnelBuilder support?
  3. I've tunneled successfully but I can't browse my Network Neighborhood
  4. How can I get the 128 bit version of TunnelBuilder or TunnelMaster?
  5. How do I configure my company's firewall or network traffic filters to allow me to tunnel to our NT RAS from outside of our network?
  6. Can I use TunnelBuilder for Win95/98 with AOL?
  7. Will TunnelBuilder work with Norton or McAfee Antivirus software?
  8. Does TunnelBuilder support Windows 2000 or Dual Processor (SMP support)?
  9. Can TunnelBuilder connect with a Flowpoint router using L2TP?

TunnelBuilder 6.0 Version Issues:

  1. What Windows platforms are supported?
  2. Are upgrades available for TunnelBuilder 6.0?
  3. What exactly is SuperTunnel (NTS-TP)?
  4. How do I make sure that TunnelBuilder 2x is uninstalled?
  5. How do I enable PacketLogging in TunnelBuilder 6.34?

General Questions

  1. Should we wait for IPSec instead? Does TunnelBuilder support IPSec?
  2. What Networking protocols does TunnelBuilder for Windows support?
  3. What type of encryption algorithm is used for tunneling?
  4. Can I talk to the Internet and a corporate intranet at the same time without logging out of the PPTP server?
  5. How do I dial into an NT-Remote Access Service (RAS)?
  6. I've tunneled using Microsoft's PPTP client, but the packets are not encrypted
  7. Do TunnelMaster and TunnelBuilder support Microsoft CHAP version 2?
  8. Does TunnelBuilder work with NATs and proxy servers?
  9. How to do L2TP Tunnel Authentication from TunnelBuilder?

Networking Support:

Typical error messages:


Q: What Windows platforms are supported?

A: TunnelBuilder supports Windows 95, Windows 98 and Windows NT (Service Pack 4 or later). TunnelBuilder on NT does not support PPTP over dialup; it does support all three VPN protocols (PPTP, L2TP and NTS-TP) over a LAN connection.



Q: What Networking protocols does TunnelBuilder for Windows support?

A: It supports IP, IPX and NetBEUI so users can access Novell Netware volumes, MS LANMAN, and MS NT server volumes securely from home. IP and NetBEUI are incompatible, so you should only select one or the other.

Windows Networking over VPN requires either a Shadow IPserver, a WINS server, or an LMHOSTS file to resolve NetBIOS names to IP addresses (NetBIOS over TCP/IP). We recommend IPserver as the fastest, most flexible NetBIOS Name Server.



Q: What kind of encryption does TunnelBuilder support?

A: TunnelBuilder and TunnelMaster support the standard encryption algorithm recommended by the L2TP and PPTP protocols: the RC4 method defined by RSA. Both 40-bit and 128-bit key-length versions are available. TunnelBuilder does not support IPSec encryption.



Q: Can I talk to the Internet and a corporate intranet at the same time without logging out of the PPTP server?

A: Yes. The NTS TunnelBuilder architecture allows you to simultaneously access the Internet (in clear mode) and your intranet (in encrypted mode) without logging out of the PPTP server. 



Q: How do I configure my company's firewall or network traffic filters to allow me to tunnel to our NT RAS from outside of our network?

A: For PPTP, configure your firewall or filters to pass all Generic Routing Encapsulation (GRE, which is IP protocol type 47) packets and TCP/IP traffic to and from port 1723 (decimal) on your NT RAS.

For L2TP, configure the firewall to pass all packets using UDP port 1701 (decimal).

This normally needs to be allowed in both directions.



Q: How do I dial into an NT-Remote Access Service (RAS)?

A: The NT RAS service supports many flavors of authentication during PPP negotiation. TunnelBuilder supports CHAP MD-80 (Microsoft's proprietary authentication), CHAP MD5, and clear text (PAP). You should configure the NT RAS service to use Microsoft-CHAP encrypted authentication and to require data encryption. TunnelBuilder derives the encryption key from the MS-CHAP authentication, so always require MS-CHAP at the RAS server if you want encryption to work.

Each user configured on the NT needs to have Dial-in access enabled from the user manager.  

When connecting into RAS, you often need to supply the NT Domain Name as part of the authentication. The NT Domain is not necessary for TunnelMaster VPN servers.

To include the NT Domain Name, enter it in the username field in front of the user name, separated by a backslash, i.e.:

Username = NTDOMAIN\Username



Q: Does TunnelBuilder support auto-frame detect for Netware?

A: TunnelBuilder does not support auto-frame detect.  Using the Control Panel -> Network Properties, select the IPX protocol bound to the NTS VPN adapter, and set the frame-type to 802.3.



Q: I have an ISDN router - should I install the TunnelBuilder for LAN or Remote?

A: Most ISDN routers (such as Farallon's Netopia, Cisco's 700, etc.) consist of several LAN ports in a hub with one BRI port for making ISDN dial-out connections. In this case the router's BRI port brings up the dialup connection when it receives an IP packet destined beyond its subnet mask, just as a normal gateway would. The client does not need any connection-based dialup software to call out, so the LAN-based TunnelBuilder is sufficient, and the Gateway IP address for the TunnelBuilder client is the address of the ISDN router.

An ISDN Router is different from an ISDN Modem (such as 3Com Impact or Motorola Bit Surfer Pro). The ISDN Modems connect with a serial port, and require the dialup software to be installed on the client. For these modems you would use TunnelBuilder for Remote.



Q: Should we wait for IPSec instead? Does TunnelBuilder support IPSec?

A: TunnelBuilder does not currently support IPSec. We are currently developing products, both server and client, which will support IPSec as an additional option. Both L2TP and PPTP support encrypted authentication (MS-Chap), so that the user is verified before starting the session. The encryption key is updated with every packet for further security, instead of every 255 packets with the standard Microsoft PPTP.

L2TP is a more secure VPN protocol than PPTP, and its transport is easier to pass through networks: PPTP sessions run over a special GRE-type IP packet, which is not always supported by firewalls or older routers, whereas L2TP runs over standard UDP packets.

IPSec is popular with consultants and server vendors who find fault with Microsoft's implementation of PPTP. Most of these experts also have their own solutions to sell you, and few IPSec products interoperate with other vendors' products. If you can find the router, client, and server combinations that support IPSec, you'll find a very limited and expensive "solution".



Q: Cannot communicate with VPN server (4006)

A: Use PING to verify that the VPN server is reachable. Typically this problem is due to the VPN server being down or blocked by a firewall. Verify that the user name is configured with the correct password in the NT User configuration. Most importantly, verify that the user name is enabled for dial-in access.



Q: Error 691 - User name not found

A: When the user name isn't configured on the same PDC as the RAS service, you might need to include the NT Domain name in front of the user name, followed by a backslash. Using the TunnelBuilder Configuration menu, in the username field, enter:

NTDomain\username



Q: Error 648 - Users' Password has Expired

A: The NT User configuration needs to set the User entry's Password configuration to NEVER expire. The NTS Dialer and PPTP authentication doesn't support re-prompting the user for a new password when it detects the password has changed.



Q: Error 649 - User is not configured for Dial-In access

A: The NT User Manager requires that the User be configured for Dialin Access for PPTP to succeed.



Q: I've tunneled using Microsoft's PPTP client, but the packets are not encrypted

A: Microsoft declares this an issue of the users not having taken basic "Routing 101" before they install MS PPTP. When the Microsoft PPTP client builds a tunnel, it routes local packets (those with destinations within its subnet mask) through the clear stack. There's no warning given to the users that they should NOT place their web/ftp/nfs servers on the same subnet as their PPTP service. This limitation almost negates the premise that one NT server can do everything for a small office system.

NTS clients will of course route everything through the tunnel once it is established. Compare this with the InfoExpress product, which only routes five types of protocols in a proxy-type implementation.

Our recommendation is that if you find performance is amazingly fast using the Microsoft PPTP client, take a close look with a trace. Chances are you'll find that your system is not as secure as you think. Our own performance tests show TunnelBuilder is the best-performing and most secure PPTP client on the market.

Below is the quote from the MS VPN Product Manager:

>David Eitelbach wrote:
> on the routing issue, we constantly remind people that this 
>is how routing-101 works, and they still have this problem! 
>(almost every one of us has tripped over this issue ourselves) ;-)
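To take the close look with a trace that the answer above recommends, and to see the firewall rules from the earlier question (GRE = IP protocol 47, TCP 1723, UDP 1701) in packet terms, here is an added Python example that is not part of this FAQ or of the NTS products: it parses IPv4 packets, labels each as PPTP control, PPTP GRE data, L2TP or clear, and lists the clear packets headed for a private network you name. The addresses, ports and packets are constructed for the demo.

```python
import ipaddress
import struct

# Protocol numbers from the FAQ's firewall answer (standard IANA values).
GRE_PROTO = 47         # IP protocol 47 carries the PPTP data (GRE) packets
PPTP_CTRL_PORT = 1723  # TCP port of the PPTP control connection
L2TP_PORT = 1701       # UDP port used by L2TP
TCP, UDP = 6, 17

def classify(pkt: bytes) -> dict:
    """Parse an IPv4 header (plus TCP/UDP ports) and label the packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = None
    if proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto == GRE_PROTO:
        kind = "pptp-gre"        # encrypted tunnel payload
    elif proto == TCP and PPTP_CTRL_PORT in (sport, dport):
        kind = "pptp-control"    # tunnel setup, not user data
    elif proto == UDP and L2TP_PORT in (sport, dport):
        kind = "l2tp"            # tunnel payload over UDP
    else:
        kind = "clear"           # left the host outside any tunnel
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "kind": kind}

def exposed_clear_packets(pkts, private_nets):
    """Clear packets bound for a private network: what a trace should not show."""
    nets = [ipaddress.ip_network(n) for n in private_nets]
    infos = [classify(p) for p in pkts]
    return [i for i in infos if i["kind"] == "clear"
            and any(ipaddress.ip_address(i["dst"]) in n for n in nets)]

def build_ipv4(proto, src, dst, payload=b""):
    """Minimal IPv4 packet for the constructed trace (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample trace (made-up addresses): client 10.0.0.5, VPN server
# 192.0.2.10, and a web server 192.0.2.20 on the same private subnet.
SAMPLE_TRACE = [
    build_ipv4(TCP, "10.0.0.5", "192.0.2.10", struct.pack("!HH", 40000, 1723)),
    build_ipv4(GRE_PROTO, "10.0.0.5", "192.0.2.10", b"\x30\x01\x88\x0b"),
    build_ipv4(UDP, "10.0.0.5", "192.0.2.10", struct.pack("!HH", 1701, 1701)),
    build_ipv4(TCP, "10.0.0.5", "192.0.2.20", struct.pack("!HH", 40001, 80)),
]
```

Calling exposed_clear_packets(SAMPLE_TRACE, ["192.0.2.0/24"]) returns only the HTTP packet to 192.0.2.20, the kind of clear-text traffic to a private host that the answer warns about.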



Q: Are upgrades available for TunnelBuilder 6.0?

A: NTS made a significant investment into TunnelBuilder 6.0, for both Mac and Windows platforms. For this reason, we can only offer discounted upgrades for users with 10 or more licenses.



Q: Do TunnelMaster and TunnelBuilder support Microsoft CHAP version 2?

A: Currently neither NTS product supports MS-CHAP version 2. This is a recent feature that Microsoft is including in its latest PPTP for NT Service Pack 4 and the DUN 1.3 update. TunnelMaster and TunnelBuilder will negotiate successfully down to MS-CHAP version 1, so most users will not notice the difference. Microsoft recommends against requiring only CHAP version 2 because it limits your network's accessibility.

Note for Watchguard users: Watchguard's newer versions of PPTP require CHAP v2 only. We've suggested that they support both CHAP v1 and v2 so they can support our clients as well. Until this is done (or unless you use an earlier version of Watchguard PPTP), TunnelBuilder will not work with the current version of the Watchguard PPTP service.

There are currently no plans to support MS Chap V2.



Q: What exactly is SuperTunnel?

A: "SuperTunnel", or the NTS Tunneling Protocol (NTS-TP), is essentially L2TP encryption encapsulated over the HTTP TCP port (port 80) instead of the normal GRE or special UDP packets. When used in conjunction with the TunnelMaster VPN server, the user can get around the typical problems you run into with VPN over firewalls or routers that don't support GRE packets to access your private network.

SuperTunnel is ideal for remote users who need to access their private network from another company's private LAN. Since most company networks allow HTTP packets to flow, you can easily establish a tunnel using NTS-TP and then browse or FTP between networks.

SuperTunnel is supported on TunnelMaster 1.3 versions after 11/1/99 and TunnelBuilder 2.01 builds after 9/15/98. SuperTunnel will only work between TunnelBuilder for Windows clients and TunnelMaster servers.



Q: Why does Windows 95/98 report "non-Microsoft Winsock file detected"?

A: TunnelBuilder inserts an NTS "winsock shell" that extends the operating system to give the user simultaneous clear and tunneled path support. Windows 95 and Windows 98 have version checking that will occasionally detect that a non-Microsoft Winsock.dll or Wsock32.dll has been installed. You can ignore this warning when TunnelBuilder is installed.



Q: Does TunnelBuilder work with NATs and proxy servers?

A: VPN protocols are typically not designed to pass through Network Address Translators (NATs) or proxy servers. You might have better luck using L2TP instead of PPTP. In either case, NTS cannot provide support for this.



Q: Can I use TunnelBuilder for Win95/98 with AOL?

A: No, unfortunately. AOL requires the use of their own proprietary dialer to access their services.

TunnelBuilder for Windows95/98 uses Windows DUN for remote access.



Q: How do I get support for TunnelBuilder?

A: TunnelBuilder for Windows is no longer supported. It will not work with Windows Me or XP. Use the native Microsoft PPTP instead. 

The only support available is through this FAQ. Please do not contact Siemens for support.



Q: Error: TunnelBuilder Dial-On-Demand will be disabled

A: This warning occurs because the installer was unable to add the Auto-connect entry in the Dial-Up Networking folder. It is not a serious error; it is informational only. Most TunnelBuilder users will not want the auto-connect feature anyway. To disable this feature in the installer, edit the Setup.ini file and add the following statements:

[CustomOptions]
DialupNetworking=0



Q: Will TunnelBuilder work with Norton or McAfee Antivirus software?

A: Yes, if used carefully. The latest versions of Norton and McAfee have a feature for checking incoming Internet activity. They do this by monitoring the Winsock API in such a manner that it returns errors when using TunnelBuilder and other Winsock shell-based software. This can result in WBHook32 GPFs or blue-screen crashes caused by the antivirus software.

You can get around this problem (and improve your performance, with minimal risk to security) by doing this:

For McAfee 4.0 and later:
Use the VShield Control Panel to bring up the configuration panel. Leave the normal System Scan and Security scanning tabs as configured. Select and modify the following settings, which are enabled by default:

  • Email Scan: uncheck "Enable Scanning of Email attachments"
  • Download Scan: uncheck "Enable Internet Download scanning"
  • Internet Filter: uncheck "Enable Java and ActiveX filter"

For Norton 5.0 Antivirus:
Configure Options to not look at the Winsock files. Set exclusions to WINSOC*.DLL



Q: What exactly is SuperTunnel (NTS-TP)?

A: "SuperTunnel", or the NTS Tunneling Protocol (NTS-TP), is essentially L2TP encryption encapsulated over the HTTP TCP port (port 80) instead of the normal GRE or special UDP packets. When used in conjunction with the TunnelMaster VPN server, the user can get around the typical problems you run into with VPN over firewalls or routers that don't support GRE packets to access your private network.

SuperTunnel is ideal for remote users who need to access their private network from another company's private LAN. Since most company networks allow HTTP packets to flow, you can easily establish a tunnel using NTS-TP and then browse or FTP between networks.

SuperTunnel is supported on TunnelMaster version 1.04 and TunnelBuilder 6.01. SuperTunnel will only work between TunnelBuilder clients and TunnelMaster servers. It is not currently supported on Mac TunnelBuilder.



Q: Which VPN servers does TunnelBuilder support?

A: TunnelBuilder supports every PPTP/L2TP server that we're aware of, except for the following:

As described earlier, TunnelBuilder does not support the IPSec protocols, which means it won't work with the following IPSec servers:

  • Checkpoint VPN
  • Redcreek Ravlin
  • Timestep Permit
  • Raptor
  • Intel LanRover (Shiva)
  • 3Com IPSec
  • SonicWall VPN
  • VPNet
  • Flowpoint VPN

You can however install some of these servers as a firewall only, without VPN, and then add a PPTP server (like TunnelMaster on your private network) to work with TunnelBuilder for secure access.



Q: How do I enable PacketLogging in TunnelBuilder 6.34?

A: This is a new feature. It's not fully supported yet and is only available on Win95/98, not on NT. To enable it, search for the EnterNet.ini file and open it in your editor. Under the section [Configuration], add the following parameter:

PacketLogging=1

When you restart the TunnelBuilder application and click Connect, a warning message will be displayed that the connection will be slower due to the logging. After the connection is established, right-click the EnterNet icon in the system tray, then click Advanced. You will see a new tab called PacketLogging, which contains the trace of the connection. Use the File -> Save menu to save the trace as a text file. You may want to send this to your ISP or whoever you have contracted support with when analysing connectivity problems.

In later versions of TunnelBuilder and EnterNet 500, Packet Logging can be turned on using the Connections -> Settings menu.



Q: How do I do L2TP Tunnel Authentication from TunnelBuilder?

A: This is done simply by extending the username and password fields. Enter the LAC Host name in the User field and the L2TP Tunnel Authentication Secret in the Password field. Use the ^ delimiter to include these values:

Note: when the LACHostName value is not included, the default value sent in the L2TP Control Connect Request is "LOCALHOST". Also, when using TunnelBuilder for Windows 6.34 and earlier, use "@" instead of "^" as the delimiter.



Q: Does TunnelBuilder support Windows 2000 or Dual Processor (SMP support)?

A: Starting with version 6.34, TunnelBuilder supports both Windows 2000 and SMP (dual processor) systems.
