MultipleNat

End-to-end VPN via a Repeater?
Russell, I have had this problem too, and from my understanding it is not that Mesh will not support PPTP, but that PPTP cannot handle the multiple NATs. I have some clients using the Cisco VPN client and one that uses IPSEC ("I think, would have to verify the IPSEC") on the standard mesh software. One client is one hop away from the gateway and the other is two hops away. The PPTP gets encapsulated by the NAT and this messes up the return part of the PPTP tunnel. This is an oversimplified explanation, but to get deeper I would have to dig up my old notes. I would be interested to hear if the Pro version resolves this problem somehow; please keep us informed.

> I will see what happens if I swap the Gateway and Repeater nodes.
>
> If it's a problem that Build25 doesn't support PPTP then the problem should move to the (new) Gateway, thus eliminating the possibility of it being related to going through a repeater.

> > > * Gateway is running MeshAP Pro (Version: 1798 - Build: 32)
> > > * Repeater is running MeshAP Free (Version: 1256 - Build: 25)
> >
> > I'm guessing this is your problem. From my experiences trying to run a VPN client over the mesh, MeshAP Free doesn't support PPTP, but I've heard a rumour that MeshAP Pro does.
> >
> > Can you use L2TP? That's supposed to work.
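The thread above blames the failure on PPTP through cascaded NATs. The model below is an added example, not code from the original posts or from LocustWorld/MeshAP; it shows why the "return part" of the tunnel goes wrong: PPTP carries its data in GRE (IP protocol 47), which has no port numbers, so a NAT that does not inspect the PPTP control channel (TCP 1723) for Call IDs cannot tell two inside clients' return traffic apart. All addresses, Call IDs and the two-hop topology (repeater NAT, then gateway NAT) are constructed; the "helper" logic is a simplified stand-in for what a PPTP NAT helper such as Linux's nf_nat_pptp does (tracking and rewriting Call IDs), not a reproduction of it.

```python
# Added example: toy model of PPTP (TCP 1723 control + GRE data) crossing two NAT
# hops. Not MeshAP code; addresses, Call IDs and topology are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

TCP, GRE = 6, 47
PPTP_PORT = 1723


@dataclass(frozen=True)
class Pkt:
    proto: int
    src: str
    dst: str
    sport: int = 0      # TCP source port (unused for GRE)
    dport: int = 0      # TCP destination port; for GRE this models the Call ID in the GRE header
    payload: str = ""   # PPTP control payload, e.g. "OCRQ:<call_id>" (Outgoing-Call-Request)


class Nat:
    """One NAT hop. With pptp_helper=True it parses OCRQ on the control channel,
    allocates a NAT-unique Call ID per inside caller and maps inbound GRE by it."""

    def __init__(self, public_ip: str, pptp_helper: bool = False):
        self.public_ip = public_ip
        self.helper = pptp_helper
        self.next_port = 40000
        self.next_call_id = 1000
        self.tcp_fwd: Dict[Tuple[str, int, str, int], int] = {}
        self.tcp_rev: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # helper:    (server, nat_call_id) -> (inside_ip, original_call_id)
        # no helper: server -> inside_ip   (GRE has no port, so nothing better to key on)
        self.gre_rev: dict = {}

    def outbound(self, p: Pkt) -> Pkt:
        if p.proto == TCP:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.tcp_fwd:            # ordinary port-translating NAT for TCP
                self.tcp_fwd[key] = self.next_port
                self.tcp_rev[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
                self.next_port += 1
            payload = p.payload
            if self.helper and p.dport == PPTP_PORT and payload.startswith("OCRQ:"):
                orig = int(payload.split(":", 1)[1])
                nat_id = self.next_call_id          # rewrite the Call ID so two inside callers never collide
                self.next_call_id += 1
                self.gre_rev[(p.dst, nat_id)] = (p.src, orig)
                payload = f"OCRQ:{nat_id}"
            return replace(p, src=self.public_ip, sport=self.tcp_fwd[key], payload=payload)
        if p.proto == GRE:
            if not self.helper:
                self.gre_rev[p.dst] = p.src         # last inside sender wins: GRE carries no port to multiplex on
            return replace(p, src=self.public_ip)
        raise ValueError("unsupported protocol")

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if p.proto == TCP:
            inside = self.tcp_rev.get((p.dport, p.src, p.sport))
            return None if inside is None else replace(p, dst=inside[0], dport=inside[1])
        if p.proto == GRE:
            if self.helper:
                entry = self.gre_rev.get((p.src, p.dport))
                return None if entry is None else replace(p, dst=entry[0], dport=entry[1])
            inside_ip = self.gre_rev.get(p.src)
            return None if inside_ip is None else replace(p, dst=inside_ip)
        return None


def simulate(helper_on_node: bool, helper_on_gateway: bool) -> Dict[str, bool]:
    """Two clients behind a repeater NAT behind a gateway NAT open PPTP calls to one
    server at the same time. Returns, per client, whether its GRE reply came back."""
    hops = [Nat("192.168.1.100", helper_on_node),   # repeater / mesh-node NAT (hop 1)
            Nat("203.0.113.1", helper_on_gateway)]  # gateway NAT (hop 2)
    server = "198.51.100.5"
    clients = {"A": "10.0.0.2", "B": "10.0.0.3"}
    server_call_id = 77                              # Call ID the server chose in its OCRP (constructed)
    seen_by_server: Dict[str, Tuple[str, int]] = {}

    # Phase 1: both clients request a call and start sending GRE data, concurrently.
    for name, ip in clients.items():
        ctrl = Pkt(TCP, ip, server, 1024, PPTP_PORT, "OCRQ:1")   # both happen to pick Call ID 1
        for n in hops:
            ctrl = n.outbound(ctrl)
        data = Pkt(GRE, ip, server, 0, server_call_id)
        for n in hops:
            data = n.outbound(data)
        seen_by_server[name] = (data.src, int(ctrl.payload.split(":", 1)[1]))

    # Phase 2: the server answers each client using the public IP and Call ID it learned.
    results: Dict[str, bool] = {}
    for name, ip in clients.items():
        pub_ip, call_id = seen_by_server[name]
        reply: Optional[Pkt] = Pkt(GRE, server, pub_ip, 0, call_id)
        for n in reversed(hops):
            if reply is None:
                break
            reply = n.inbound(reply)
        results[name] = reply is not None and reply.dst == ip and reply.dport == 1
    return results


if __name__ == "__main__":
    for node_h, gw_h in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"helper on node={node_h}, on gateway={gw_h}: {simulate(node_h, gw_h)}")
```

With no helper on the node, client A's return GRE is delivered to client B, because the node remembers only "the last inside host that sent GRE to this server". A helper on the gateway alone does not fix that, since the misdelivery happens one hop further in; in this model the helper is needed at every hop where more than one PPTP client converges. The same reasoning is why L2TP, which runs over UDP and therefore has ports, survives plain port-translating NAT.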

============

With VPN you need to authorise by username and password; this is the nature of VPN.

I'm trying to set up a VPN connection to MeshAP. In the realm, if the VPN account is set to MAC Auth or Username+Password then it connects, no problem. But if the account is set to MAC Auth + Username+Password then it will not connect.

Is anyone using a VPN account in this way? Any reason why it won't work with MAC+Username?

Client-to-mesh-node VPN is quite easy to set up if you're using Windows. In Windows 2000 and XP, a VPN client is native; your customer just needs to download an RSA certificate (one is available on the Wiana login page and from many other sources) and, under IE options, run the certificate install wizard. Then, using the "make new connections" wizard under networking, add the VPN client interface using the VPN name and password you entered into your realm for your VPN customers, and the host name "vpnhost." (including the period at the end of vpnhost), or, if you only want them on a specific mesh-node, that node's 1.x.x.x address. That's it; they'll be able to connect to the mesh with 2048-bit security, and it's not much more difficult than enabling 128-bit WEP, but with far better results and a more manageable environment.

If you use 152-bit or 256-bit WEP with each user having a unique key, it is not perfect security but better than nothing. Since each user has a unique key, it is easier to regularly change keys, and one user being compromised doesn't compromise other users. This long key makes dictionary attacks take a lot longer. If I have to deploy a mesh at each location, I might as well use Alverion, Trango or some other more robust and secure solution for about the same price. VPN is almost unworkable for the average user. Lots of problems.

To clarify the situation: we have a couple of users who are trying to establish VPN connections via the standard LocustWorld Mesh Boxes and an Aramiska Satellite backhaul. The satellite was set to accept IPSEC, and the 192.168.x.x IP address that the satellite allocated to the gateway mesh box was specified as the IPSEC server? In Wiana Realm Manager we set up a VPN user class (in addition to their existing Member class), each with a different password pair; authentication is set to password pair and MAC. I was asked the question: how can I switch to the Mesh VPN user class and back? Or is it the case that they only need the VPN class for 'normal' and VPN use? Any comments would be appreciated.

Maybe I am missing something, but a VPN connection (via Mesh at least) isn't going to go through the Mesh login screen. It would go through Microsoft VPN connections or something else. Once the VPN connection is established, it bypasses the normal login authentication process. If they are coming off of a VPN connection, just bookmark the login screen for the customer and have them re-authenticate. I may not understand what you are trying to accomplish.

We have a client who has a VPN as well as a member user class, both with the same MAC address but a different password pair; the authorisation setting is 'MAC address and password pair' in both cases. Is there a way for a client to end a session and force a logon screen without waiting for the lease to expire, so they can switch to VPN or back?