General Questions
Q: Will TunnelMaster run on Unix, Windows NT or DOS?
A: No. TunnelMaster requires a dedicated Intel-compatible PC, and loads its own operating system for faster performance. It will not run on a Windows NT or Unix system. TunnelMaster simply requires DOS in order to install its software, with one of the required LAN interface controllers mentioned below.
Q: Why doesn't the system reboot when I hit Control-Alt-Delete?
A: TunnelMaster loads its own operating system (WindRiver VxWorks). It does not respond to Control-Alt-Delete. Control-X can be used to restart the TunnelMaster system; however, there is no returning to the DOS command prompt without rebooting the system.
Q: What are the Hardware requirements for TunnelMaster?
A: TunnelMaster requires a dedicated system running DOS 6.0 or later. As encryption/decryption is fairly CPU intensive, the faster the machine is, the better the performance you can expect. Since most of the management is handled via the Java-enabled browser, a keyboard and monitor are required only for the initial installation.
Because TunnelMaster loads its own operating system at bootload, it supports a limited number of Network Interface Cards (LAN adapters). This is expected to grow as more drivers become available.
| System Requirements | Minimum | Recommended |
| Processor | Pentium 75 | Pentium II 333 |
| Memory | 16 MB | 64 MB |
| Disk | 5 MB | 10 MB |
| Network Card | Eagle/Novell NE2000 compatible | Intel EtherExpress(TM) PRO/100+ |
The Intel Pro/100B cannot be combined with a second Intel card. You can however include other supported ethernet cards.
The standard settings for the TunnelMaster hardware are as follows:
Standalone configuration (no second ethernet card):
Firewall configuration (using a second ethernet card):
- Intel Pro 10/100B for internet connection. IO Address of 0x300 (IRQ is dynamic)
There is no reason that the 3Com cannot be used for the Intranet (private) network. We merely suggest this because most internet router connections tend to be 10BaseT (which the 3C509B supports), and many private intranets are moving to 100BaseT (which the Intel Pro supports).
- 3Com 3C509B for the internet connection. IO Address of 0x320, IRQ = 5
- Intel Pro 10/100B for intranet connection. IO Address of 0x300 (IRQ is dynamic)
In the TunnelMaster hardware, the Intel Pro is on the left side from the rear. The 3Com NIC is in the middle.
Q: Which browsers are required to manage TunnelMaster?
A: TunnelMaster has two modes for management: HTML and JAVA support. HTML is recommended for easiest and quickest access. In the future NTS may be retiring the Java support from TunnelMaster.
Java mode requires a Java-enabled browser with the latest JDK 1.1.5 extensions to be installed on a separate system for management and monitoring.
Windows NT/ Windows 95:
Macintosh Browser Support:
Error: "Install has detected the presence of an incompatible driver" (The driver is listed after the dialog).
A: This usually means that you have an additional TSR loaded that takes up more memory than TunnelMaster can handle. Examples that are commonly found on systems are DRVSPACE, DBLSPACE, EMM386, etc. Remove these from the Config.sys or Autoexec.bat before running the Install program. DBLSPACE.INI can be deleted to prevent the DBLSPACE.BIN TSR from loading.
Q: Why use 2 ethernet cards on TunnelMaster?
Q: What is the difference between the INTERNET and INTRANET IP Address?
A: You may need to use a second ethernet card for the following reasons:
When using 2 ethernet controllers, you will likely need to make special routing considerations.
Q: What is an NBNS IP Address?
A: A NetBIOS Name Server IP Address (Microsoft calls this the Windows Internet Name (NT-WINS) Service) is required only when Windows Networked File and Print Sharing is used to access the private network using NetBIOS system calls. A NetBIOS Name Server can be used to help applications find one another without resorting to broadcasts. See the NT 4.0 WINS documentation for details.
Q: What IPX Network Address Should I Use?
A: Use the 4-byte IPX Network Address where the Netware server resides on your private LAN.
The IPX Client Address is a logical 12 digit address that represents the TunnelMaster server. It can be any address as long as it's a unique address on your network. Often it's safe to use the address of the NIC controller for this address.
Q: How do I manage TunnelMaster with my browser?
A: Just point your browser to the IP Address of the TunnelMaster VPN server. If using more than 1 Network Interface Card (as in a firewall implementation), always use the secure Intranet Address, not the Internet Address, to manage TunnelMaster.
You will be prompted for a user name and password to log in to the TunnelMaster server. Initially, you can log in using the lowercase value of "admin" for the user and password. Once logged in, the first thing you should do is delete the admin user and create your own Super User name to manage the TunnelMaster server.
Q: Does TunnelMaster provide (or seed) its own Appletalk zones?
A: No, TunnelMaster will only route between zones, not create its own zone as some routers do. Most routers provide this function, and NT Appletalk services has an entry for seeding a zone.
Shiva supports a Fastpath proprietary seed router. There are reports that we don't work when the Shiva is using multiple Network cable ranges. When this is the case, try adding a Cisco or NT seed router as the intermediary between the Shiva and the TunnelMaster.
Q: What kind of Authentication should I use?
A: All PPTP and many L2TP clients support Microsoft CHAP Authentication Plus Data Encryption (MPPE). This is by far the most widely-used secure method for authentication.
Note that the encryption key is derived from the Microsoft CHAP authentication. If you require encryption, you need to use the Microsoft CHAP authentication plus Data Encryption settings.
Q: Do TunnelMaster and TunnelBuilder support Microsoft CHAP version 2?
A: Currently NTS products do NOT support CHAP version 2. This is a recent feature that Microsoft is including in its latest PPTP for NT Service Pack 4 update. TunnelMaster and TunnelBuilder will negotiate successfully down to MS-CHAP version 1, so most users will never notice the difference.
Q: What version of L2TP does TunnelMaster support?
A: NTS's L2TP supports Version 11 of the RFC L2TP standard. NTS's L2TP has been successfully tested with many different L2TP implementations including Cisco, Ascend, Bay, 3Com, and IBM.
Q: How can I obtain the 128-bit (strong) encryption version?
A: You must be a citizen of the US or Canada.
Q: What Network Interface Cards are supported for Appletalk?
A: AppleTalk routing is supported only over the Intel EE Pro/100B and 3Com Etherlink III (3C509) network cards.
Q: What IPX frame-types are supported?
A: TunnelMaster 1.02 now supports all four frame-types. It does not auto-detect frame types. TunnelBuilder clients need to ensure that they set their frame-type to the proper type in the IPX/SPX -> NTS VPN protocol configuration in order to connect with TunnelMaster.
Q: What do I need to access TunnelMaster through a firewall?
A: For SuperTunnel (NTS-TP), you should be able to get through any firewall, since HTTP port 80 is usually enabled on most firewalls. If you're unable to access TunnelMaster at first, try setting your TunnelBuilder client to NTS-TP and then trying again.
For PPTP, you need to enable your firewall to pass GRE packets (these are neither UDP nor TCP packets). GRE is IP protocol type 47 (decimal). You also need to enable TCP Port 1723 (decimal) packets to flow in both directions.
Note: Some firewalls or routers (usually older models) are not able to pass GRE packets at all. In this case we recommend you use the L2TP protocol for your VPN.
For L2TP, you need to enable your firewall to pass UDP Port 1701 (decimal) packets in both directions.
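The three firewall rules above, written out as an added Python example (not NTS code) that classifies raw IPv4 packets. It shows that GRE is matched on the IP protocol field rather than on a port, and that non-first fragments carry no ports to match. The function names and the sample packets built by `ipv4()` are constructed for illustration.

```python
import struct

GRE_PROTO = 47          # IP protocol number from the FAQ, not a port
PPTP_CTRL_PORT = 1723   # TCP, PPTP control channel
L2TP_PORT = 1701        # UDP
TCP, UDP = 6, 17


def classify(packet: bytes) -> str:
    """Return which VPN rule (if any) a raw IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if proto == GRE_PROTO:
        return "pptp-data-gre"                # protocol match only; GRE has no ports
    if proto in (TCP, UDP):
        if frag_offset:
            return "fragment"                 # ports exist only in the first fragment
        if len(packet) < ihl + 4:
            return "malformed"
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        # "both directions": the well-known port may be source or destination
        if proto == TCP and PPTP_CTRL_PORT in (sport, dport):
            return "pptp-control"
        if proto == UDP and L2TP_PORT in (sport, dport):
            return "l2tp"
    return "other"


def ipv4(proto: int, payload: bytes, options: bytes = b"", frag: int = 0) -> bytes:
    """Build a constructed IPv4 packet (checksum left at zero) for testing."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                      ihl * 4 + len(payload), 0, frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload


def ports(sport: int, dport: int) -> bytes:
    """First four bytes of a TCP or UDP header."""
    return struct.pack("!HH", sport, dport)
```
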
Q: How and where are the users defined in TunnelMaster?
A: The TunnelMaster VPN Server authenticates each user using any of three different methods:
Error: Value <256> for NumberLineDevices is invalid, setting to default: <25>
A: This is not really an error. The Evaluation and 25 user versions of TunnelMaster are built from the same codebase. You'll get this warning once after installing, when the new value is saved for later use. It will not occur again unless you re-install the software.
Error loading file: errno = 0x0 - Can't load boot file
A: This is usually caused by the WindRiver Operating System not supporting a feature on the motherboard or controller. WindRiver doesn't support IDE on the slave or secondary controller (the hard disk must be IDE master). It also doesn't support SCSI or plug and play. Go through the system BIOS settings to turn off any unusual settings, like boot from LAN card, etc.
Q: Using TunnelMaster as a PPPoE and VPN server
A: Using both VPN and PPPoE together is usually incompatible, unless you select encryption on the PPPoE client. Most VPN clients assume Microsoft CHAP authentication and data encryption, whereas PPPoE clients (like EnterNet) normally assume clear text (PAP) and no data encryption. If you set the clients' authentication and encryption settings to match the TunnelMaster server requirements, you should have no problem.
Q: Evaluation period has expired
A: The 30 day evaluation period requires reformatting the disk before you can re-install the TunnelMaster evaluation again. Installing the purchased version will solve this problem also.
Q: L2TP Tunnel Authentication: What's the deal?
A: Adding L2TP tunnel authentication enables the server to not only authenticate the user, but also the host. Usually you should only configure this if you have clients that support the feature. To enable this at the TunnelMaster server, configure the following:
Q: What kind of authentication to use for RADIUS or SecurID?
A:
Q: What's the best way to apply updates to TunnelMaster?
A: When you receive an update, back up your current files using the following DOS commands.
The TunnelMaster update zip file unzips onto 2 floppies. Before installing, copy the current Tmaster folder and subfolders to a backup folder, i.e. Tmaster.old:
XCOPY \Tmaster \Tmaster.old /S /E
Xcopy will prompt for a File or Directory copy; choose Directory (D).
Then install the new version with the binaries only option. This will save your current configuration. If you ever need to go back to the previous version, save the current Tmaster directory and copy the old one back.
XCOPY \Tmaster \Tmaster.new /S /E
XCOPY \Tmaster.old \Tmaster /S /E
To delete any old directories, use Deltree.
Q: After connecting, Chooser (Appletalk) doesn't show all the zones and servers for a connection
A: This is often due to the Seed Router (or zone controllers) sending stale cached information to the TunnelMaster. Every time a new VPN connection is made, the Appletalk cache on the TunnelMaster is updated. However, the Seed Router normally uses information from its Appletalk Arp Cache to retrieve the ethernet addresses for each device. This has been found to be particularly true when using Cisco routers as Seed routers.
The solution is to reduce the Appletalk Arp cache timeouts on the seed router. The default for a Cisco router is normally 4 hours. We recommend changing it to 5 minutes.