FlyerTalk Forums, Travel Technology: Stupid Question: Are VPN connections bi-directional? (https://www.flyertalk.com/forum/travel-technology/1019353-stupid-question-vpn-connections-bi-directional.html)

PTravel Nov 21, 2009 11:52 am

Stupid Question: Are VPN connections bi-directional?
 
I have a computer at my office that is connected to my home LAN via an IPSEC VPN connection and synchronizes one of its folders with a folder on my home LAN every night. However, I find that my VPN router at home is less than reliable (a Linksys -- is that surprising?). I can also connect the other way, i.e. using one of my home LAN computers to connect via SSL VPN to my office LAN. However, I want my sync software to run on my office computer, not the computer on my home LAN. If my connection is Home -> VPN -> Office, will my home computer be able to "see" the drive on my office computer that contains the folder to which I am syncing?

BTW, "ask your IT manager" isn't a solution -- we are a small company and don't have a full-time IT person, only a consultant who comes in on an as-needed basis. He's also one of those people who think that the company exists to support IT, rather than the other way around -- I had to pull rank to get him to open the office router to pass IPSEC, as well as give me access to the office VPN (which he had set up just for himself). Both computers are thin clients that I own and, of course, I have admin rights on both of them, though not on the office LAN. One runs XPe SP2 and the other runs full XP Pro SP3.

mbreuer Nov 21, 2009 1:36 pm

The answer is that it depends on configuration. What you can see, and from where is a factor of permissions and firewall settings. The basic VPN itself is bi-directional - i.e., network traffic flows both ways.

deubster Nov 21, 2009 2:16 pm

Think about a LAN. You have multiple computers tied together by network electronics that are able to share information with each other by virtue of having the same IP scheme and the use of sharing to make information visible on the network (or remote desktop or other means to take control of a device).

A VPN merely creates a virtual, secure LAN across the internet. It puts your home computer on the same local network as the office one, just as if your computer were inside the building of the remote office.

VPN connections from one computer to a remote network (as contrasted with a router to router VPN that ties offices together) are created on the remote network's router or VPN concentrator. These routers issue IP addresses that work on the remote network, but may not be visible in the other direction.

For example, I regularly connect via VPN to a network of a client. The LAN of the client is a 192.168.1.x, yet their PIX issues me a 192.168.99.x address. I can see anything on their network that is shared, and remotely control many computers. But nobody at their end can see me because of the difference in IP schemes.

OTOH, I have a client I connect to that has VPNs created on a Netopia router. They also have a 192.168.1.x scheme and issue me numbers on the same subnet. They can see shares on my computer, if they were to look.

BTW, the Netopia creates problems for connections from locations that also use a 192.168.1.x scheme, so my home router is changed to a 172.16.x.x to be able to connect. This is why the Cisco PIX routers I work with issue PPP addresses on a different subnet from the local LAN.

Back to the original question - if you use a VPN to connect from office to home computer, you will not normally be able to control or copy from your office pc while at home. There may be rare exceptions. However, you mention that you are a very small office, and you are perhaps the person in charge? If so, with the right equipment, you can create a router to router VPN to make your home pc and your office pc's all part of one happy LAN. A pair of Netopia 3386-ENT routers (about $100 each) can handle this nicely, as can many others.
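The subnet-overlap problem deubster describes (a home LAN on 192.168.1.x that collides with a remote 192.168.1.x scheme, fixed by renumbering the home LAN to 172.16.x.x) is easy to check ahead of time. The following is an added example, not code from the thread or from any of the vendors mentioned; the scenario values are constructed from the post, and the assumption is that a destination address which falls inside both the local LAN and a remote prefix cannot be routed unambiguously through the tunnel. The 172.16.0.0/16 prefix is one reading of "172.16.x.x".

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed from the post: the Netopia case before renumbering. The VPN
# pool sits on the office subnet by design; the home/office overlap is the
# part that breaks routing for the connecting PC.
NETOPIA_BEFORE = {
    "home_lan":   "192.168.1.0/24",
    "office_lan": "192.168.1.0/24",
    "vpn_pool":   "192.168.1.0/24",
}

# Constructed from the post: PIX case after the home LAN was renumbered.
# The PIX hands out client addresses on a separate 192.168.99.x subnet.
PIX_AFTER = {
    "home_lan":   "172.16.0.0/16",    # assumption: "172.16.x.x" read as a /16
    "office_lan": "192.168.1.0/24",
    "vpn_pool":   "192.168.99.0/24",
}


def find_overlaps(nets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of named prefixes whose address ranges intersect."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in nets.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if parsed[a].overlaps(parsed[b])]


def classify_destination(dest: str, local_cidr: str, remote_cidr: str) -> str:
    """Say where a packet for `dest` would go from a host on `local_cidr`
    that also has a tunnel route for `remote_cidr`:
    'local'     - stays on the LAN
    'remote'    - goes through the tunnel
    'ambiguous' - matches both; the LAN route usually wins and the tunnel
                  never sees it (the symptom described in the post)
    'off-net'   - neither; goes to the default gateway
    """
    addr = ipaddress.ip_address(dest)
    in_local = addr in ipaddress.ip_network(local_cidr, strict=False)
    in_remote = addr in ipaddress.ip_network(remote_cidr, strict=False)
    if in_local and in_remote:
        return "ambiguous"
    if in_remote:
        return "remote"
    if in_local:
        return "local"
    return "off-net"


if __name__ == "__main__":
    for label, nets in (("Netopia, before renumbering", NETOPIA_BEFORE),
                        ("PIX, after renumbering", PIX_AFTER)):
        print(label, "overlaps:", find_overlaps(nets))
    # An office share at 192.168.1.50 seen from the home PC in each case.
    print(classify_destination("192.168.1.50", "192.168.1.0/24", "192.168.1.0/24"))
    print(classify_destination("192.168.1.50", "172.16.0.0/16", "192.168.1.0/24"))
```

Run it before changing either router: if `find_overlaps` reports a home/office pair, renumbering one side (as the post did) is the fix, and the classification shows why a share address on the colliding subnet never leaves the home LAN.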

FlyMeToTheLooneyBin Nov 21, 2009 3:55 pm

Unless you did something special, your VPN is probably bi-directional. It's just encryption on each send to prevent the public internet from snooping.

mattk Nov 23, 2009 10:24 am

I agree with mbreuer; it's probably your firewall on your work PC that isn't allowing incoming connections (they normally by default allow all outgoing connections).

The way to check is get someone from home to start the VPN and turn off your work PC firewall (as you have no IT Manager that should be possible) and see if they can see the work PC. If this works then unfortunately you don't have an IT Manager who can configure it for you! Also another way to check is to use another work PC and see if it can connect to your work PC.

PTravel Nov 23, 2009 10:40 am


Originally Posted by mattk (Post 12866963)
I agree with mbreuer it's probably your Firewall on your work PC that isn't allowing incoming connections (they normally by default allow all outgoing connections).

I have an incoming VPN connection. My question is this: if the VPN connection is initiated from my home computer, will my office computer be able to see my home computer.

star_world Nov 23, 2009 11:43 am

Let me recap what you're saying here, as it's slightly confusing. First of all, the actual direction of the VPN usually doesn't matter - it's just a way of encrypting the traffic between the two networks.

Some questions / observations:

- Home computer is sitting on a privately-addressed LAN, behind a Linksys VPN router. Subnet will be 192.168.x.x or 10.x.x.x or similar.

- The Linksys VPN router initiates an IPSec VPN connection to... what? A VPN router at your office? A firewall? The office PC directly?

- If you're at home, with the VPN connected, can you reach devices on your office LAN? Servers / printers / your work PC? If so, the connection will work in both directions. If you can reach some but not others, is there a firewall enabled on any of the PCs? Also, try to see if you can "see" the other computer by its IP address, rather than hostname. Eg: Start / Run and then type \\x.x.x.x where the Xs are the IP address of the computer you're trying to reach.

- You have a shared drive on your work PC that has files / folders that you need to be able to access from home.

- You have some sync software (what software?) running on the office PC. What does this do? Is it proactively trying to replicate the shared folder on your work PC with shared folders that it can see elsewhere (ie: your home PC)?

See if you can answer these - it will help a lot to figure out what's going on.

PTravel Nov 23, 2009 11:56 am


Originally Posted by star_world (Post 12867427)
Let me recap what you're saying here, as it's slightly confusing. First of all, the actual direction of the VPN usually doesn't matter - it's just a way of encrypting the traffic between the two networks.

Some questions / observations:

- Home computer is sitting on a privately-addressed LAN, behind a Linksys VPN router. Subnet will be 192.168.x.x or 10.x.x.x or similar.

Correct.


- The Linksys VPN router initiates an IPSec VPN connection to... what? A VPN router at your office? A firewall? The office PC directly?
No. Right now, my office computer initiates an IPSEC VPN connection to my Linksys VPN router. I can also initiate an SSL VPN connection from any computer on my home LAN to our office router. These are two separate and unrelated connections.


- If you're at home, with the VPN connected, can you reach devices on your office LAN? Servers / printers / your work PC?
When I'm at home with the home-to-office VPN connection active, I can reach my office LAN and the computer I need to hit (at least with respect to VNC -- I haven't tried hitting its drives). My question, however, is whether my office computer can, using the home-to-office VPN connection, only, reach computers on my home LAN.


If so, the connection will work in both directions. If you can reach some but not others, is there a firewall enabled on any of the PCs?
Configuration of the relevant computers isn't an issue. I understand firewalls well.


Also, try to see if you can "see" the other computer by its IP address, rather than hostname. Eg: Start / Run and then type \\x.x.x.x where the Xs are the IP address of the computer you're trying to reach.
The problem is, to do that I would have to take down my ipsec VPN connection (office-to-home), and I need it maintained if the home-to-office connection won't permit my office machine to see the computers on my home LAN.


- You have a shared drive on your work PC that has files / folders that you need to be able to access from home.
No. I have a dedicated computer (a thin client) that acts as a mini-file server (and a few other things). I use sync software to mirror some of its folders to my home file server so I have a full backup of various data that is maintained off-site.


- You have some sync software (what software?)
GoodSync.


running on the office PC. What does this do? Is it proactively trying to replicate the shared folder on your work PC with shared folders that it can see elsewhere (ie: your home PC)?
It is synchronizing a set of folders containing data that is important enough that I want it backed up offsite and, in the event of a communications failure, accessible both in my office and at home.


See if you can answer these - it will help a lot to figure out what's going on.
Done. Thanks.

star_world Nov 23, 2009 12:09 pm


Originally Posted by PTravel (Post 12867487)
No. Right now, my office computer initiates an IPSEC VPN connection to my Linksys VPN router. I can also initiate an SSL VPN connection from any computer on my home LAN to our office router. These are two separate and unrelated connections.

Ok - "office to home" = a PC-initiated IPSec VPN where the Linksys VPN router is the "host" it's connecting to.

"home to office" is an SSL VPN initiated from a specific PC at home, to an office "host", which is a router.

Correct?

Originally Posted by PTravel (Post 12867487)
When I'm at home with the home-to-office VPN connection active, I can reach my office LAN and the computer I need to hit (at least with respect to VNC -- I haven't tried hitting its drives). My question, however, is whether my office computer can, using the home-to-office VPN connection, only, reach computers on my home LAN.

You will most likely only be able to see the computer that initiated the SSL connection in this situation. Not anything else that sits behind that.

Is it possible to work with the consultant in your office to configure a site to site VPN between the router in your office and your Linksys at home? This would almost definitely solve the issue you're having here.

PTravel Nov 23, 2009 12:29 pm


Originally Posted by star_world (Post 12867582)
Ok - "office to home" = a PC-initiated IPSec VPN where the Linksys VPN router is the "host" it's connecting to.

Correct.


"home to office" is an SSL VPN initiated from a specific PC at home, to an office "host", which is a router.
Correct.


You will most likely only be able to see the computer that initiated the SSL connection in this situation. Not anything else that sits behind that.
I'd be okay with that -- the machine that will initiate the SSL connection is the file server on which home-based folders reside.


Is it possible to work with the consultant in your office to configure a site to site VPN between the router in your office and your Linksys at home? This would almost definitely solve the issue you're having here.
Two problems there:

1. Our consultant is one of those old-fashioned IT guys whose attitude is that no one should have access to anything but him. I'm an officer of my company and I've had to go to our CEO to get him to do things.

2. My Linksys router only supports IPSEC. We have, I think, a Cisco router here at the office and it only supports SSL. I haven't found a cost-effective, reliable SSL router for home.

star_world Nov 23, 2009 12:47 pm

The complication here could be SSL related. SSL VPNs can work in several different ways, and some of those are designed for one-way connections - ie: accessing resources on a central host in a secure way.

It is very possible that the PC at your office will have no way of accessing the remote PC by connecting to the Windows file sharing port numbers. This will depend on how the SSL VPN has been configured - I'm not completely familiar with the Cisco solution, but have worked extensively on the Juniper one which bears some similarities. Perhaps someone more experienced with this solution can comment on whether it is an easy configuration change to allow a more traditional tunnel to be set up to allow devices on the LAN side of the SSL host to connect to the initiating client?

PTravel Nov 23, 2009 12:52 pm


Originally Posted by star_world (Post 12867821)
The complication here could be SSL related. SSL VPNs can work in several different ways, and some of those are designed for one-way connections - ie: accessing resources on a central host in a secure way.

It is very possible that the PC at your office will have no way of accessing the remote PC by connecting to the Windows file sharing port numbers. This will depend on how the SSL VPN has been configured - I'm not completely familiar with the Cisco solution, but have worked extensively on the Juniper one which bears some similarities. Perhaps someone more experienced with this solution can comment on whether it is an easy configuration change to allow a more traditional tunnel to be set up to allow devices on the LAN side of the SSL host to connect to the initiating client?

Interesting. If, indeed, it's a configuration issue on the company's end, I can address it directly with our consultant (meaning, I'll speak to our CEO and get another "do this or else" directive ;) ).

star_world Nov 23, 2009 12:56 pm


Originally Posted by PTravel (Post 12867851)
Interesting. If, indeed, it's a configuration issue on the company's end, I can address it directly with our consultant (meaning, I'll speak to our CEO and get another "do this or else" directive ;) ).

:) It could be slightly more complicated than that. How do you initiate the SSL connection to your office at the moment? Do you have a standalone client installed on your home computer that you run, or is there a web page you go to that initiates the connection? When you're connected via SSL, on the home computer try running ipconfig from a command prompt - see if it mentions an IP address for the SSL connection. Then, from the work computer see if you can connect to this IP address - that's a quick check to see if it will work.
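The quick check star_world proposes (read the SSL adapter's address from ipconfig on the home PC, then see whether the office PC can connect to it) is worth doing per port, because the failure mode tells you different things: a connection that is refused means the home PC was reached and simply had nothing listening or rejected it (firewall), while a silent timeout on every port is the signature of the one-way SSL tunnel discussed above, with no return route from the office LAN to the client. The script below is an added example written for this thread, not code from the forum or from Cisco, Juniper or GoodSync; it takes the VPN address as an argument and only tries the Windows file-sharing and VNC ports the thread mentions.

```python
import socket
import sys
from typing import Dict

# Ports the thread cares about: Windows file sharing and VNC.
PORTS = {
    445: "SMB over TCP (file sharing)",
    139: "NetBIOS session (file sharing)",
    5900: "VNC",
}


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """One TCP connect attempt, classified by what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: reachable, service answered
    except ConnectionRefusedError:
        return "refused"           # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "timeout"           # nothing at all: no return route, or a silent drop
    except OSError:
        return "unreachable"       # local stack has no route / ICMP unreachable


def diagnose(results: Dict[int, str]) -> str:
    """Turn per-port outcomes into one of four verdicts.
    'reachable'                - at least one service answered through the tunnel
    'host-reachable-no-service'- the host replied, but the ports are closed or filtered
    'silent'                   - every probe timed out: the tunnel is not carrying
                                 office-to-home traffic (the one-way SSL VPN case)
    'no-route'                 - the office PC has no route to that address at all
    """
    outcomes = set(results.values())
    if "open" in outcomes:
        return "reachable"
    if "refused" in outcomes:
        return "host-reachable-no-service"
    if outcomes == {"timeout"}:
        return "silent"
    return "no-route"


def run_checks(host: str) -> Dict[int, str]:
    """Probe each port of interest on `host` and return the outcomes."""
    return {port: check_port(host, port) for port in PORTS}


if __name__ == "__main__":
    # Usage (from the office PC): python vpn_check.py <address shown by ipconfig>
    target = sys.argv[1]
    found = run_checks(target)
    for port, outcome in found.items():
        print(f"{target}:{port:<5} {PORTS[port]:<32} {outcome}")
    print("verdict:", diagnose(found))
```

Run it from the office PC while the home PC holds the SSL session open. A `silent` verdict points at the VPN configuration on the office end; a `host-reachable-no-service` verdict means the tunnel is fine and the home PC's firewall or share settings are what to look at.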

swanscn Nov 23, 2009 1:20 pm

I am not certain this would apply
 
You mentioned a Cisco router; Cisco also makes a VPN client that you could use on your home PC. I use this every day. I then connect to the network via the "Secure Tunnel" created between the Cisco Router and my PC. After that I have access to all the machines I have authorization to see. In effect this places my PC on the network.

And as to the original question yes they are all bi-directional (Full Duplex) capable. But most of the time in a situation like you are describing traffic flows in one direction mostly with only "ACKs" (acknowledgements positive and negative) being sent from the other side.

star_world Nov 23, 2009 1:25 pm


Originally Posted by swanscn (Post 12868028)
You mentioned a Cisco router, Cisco also makes a VPN client that you could use on your home PC. I use this every day I then connect to the network via the "Secure Tunnel" created between the Cisco Router and my PC. After that I have access to all the machines I have authorization to see. In effect this places my PC on the network.

And as to the original question yes they are all bi-directional (Full Duplex) capable. But most of the time in a situation like you are describing traffic flows in one direction mostly with only "ACKs" (acknowledgements positive and negative) being sent from the other side.

This is different though - this is most likely the IPSec client. And the SSL client will allow you to do the same thing - what the OP is asking is whether devices at the far (office) end of the connection can connect back to this home PC when the tunnel is open. This is pretty straightforward on the IPSec client, but on the SSL client it appears to be more complicated.

