Replacing some Draytek 2900 routers

I posted this on the seg.co.uk Draytek support site but as usual
nobody responds.

I run a couple of sites. Each one has a 2900Gi router. These are used
for normal internet access, with some port forwarding and some packet
filtering to allow SMTP email delivery only from a small number of
Messageslabs IPs. Both have WIFI enabled.

I also run an IPSEC VPN between them, which was an absolute pig to get
working but we finally did it by following some VPN appnotes on
seg.co.uk. This works most of the time but every so often it hangs and
the router has to be turned off and back on. It looks like a memory
leak or something like that. Curiously, to get it going again it is
the OUTgoing router (the one which dials-out the VPN) which needs to
be power cycled, not the receiving one. Encryption is 256 bit AES.

Both also support "teleworker" VPN remote access. This uses PPTP. I
could never get IPSEC working, and anyway it has to work over GPRS/3G
networks of which far from all support PPTP and none AFAICT support
(or work with) IPSEC. The dial-in is a winXP laptop, using the
built-in VPN feature. This VPN access has similar reliability issues.

To make the VPN stuff work properly, I have installed an SMS-triggered
box which can be used to power cycle the remote site!! This works
well, unsuprisingly, but seems a ridiculous solution.

The ADSL modems are a D-Link at one site and a Draytek one at the
other site.

The ISDN fallback dial-up feature is no longer used. We have an ISDN
PBX and had a special (3rd) number for the dial-up but this was lost a
while ago.

I have considered replacing these 2900s with Cisco boxes, which "just
work" but there is no way I would be able to maintain them. I used to
have some Cisco 803 ISDN routers and the config on those was so
complicated I never understood it, and nobody who did understand it
was around for very long. But I can "manage" the 2900s.

Ideally I would like the teleworker VPN to use HTTPS (port 443)
because that will work on any GPRS/3G network. I do appreciate however
there is no built-in windows support for SSH VPN so I would need some
client program which provides a network port under winXP, to enable
PC/Anywhere to work. OK, I know PCA is cr*p too, but it seems to work
most of the time, and has the features I want like nice file transfer.
The VPN features are solely for PCA use.

SEG do not reply to phone calls, which doesn't look good.

Can anybody recommend a way forward? I see Draytek have products like
the 2830 which can run two ADSL lines concurrently, or run ADSL with
3G backup. Otherwise it seems to do the same stuff, not a port 443 VPN
though.

But most of all, the 2900 does all we need - except for the hanging on
VPN operations so I want that completely fixed. We already have the
latest firmware in the 2900s.

Money is not an issue, within reason. I would happily pay £500 per box
which is 100% reliable.

The 2900s have various other bugs, around the anti-hacking features. I
don't recall the details but if you enabled e.g. the Teardrop attack
stuff, the thing just stopped working. Obviously they never tested
these.

The WIFI in the 2900s also contains some bugs which have come to light
only very recently. If an Iphone4 or an Ipad2 (I don't have any other
IOS devices) connects to the router, it works for a bit and then the
data rate goes very very slow (1% of normal) and if the phone
disconnects it won't reconnect. The router has to be power cycled. I
can't say this is a defect in the 2900 however because these phones do
have subtle issues with WIFI, in the way they auto-switch between
GPRS/3G and WIFI and sometimes decide neither is available. But
basically the device crashes the WIFI subsystem in the router.

I would appreciate any tips. I would also pay (Sussex) somebody for
setting up an alternative. But it would have to be rock solid, and
maintainable by me via some sort of GUI.

For all I know, all Draytek routers have these bugs.

Peter wrote:

> I run a couple of sites. Each one has a 2900Gi router.
> I also run an IPSEC VPN between them, which was an absolute pig to get
> working
> Ideally I would like the teleworker VPN to use HTTPS (port 443)
> because that will work on any GPRS/3G network.
> Can anybody recommend a way forward?

openVPN can work over either UDP (preferred) or HTTPS (useful in cases
like yours) client and server ends can be Linux or Windows, setup isn't
really kid gloves, but it far from being a pig, and there are plenty of
guides out there.

Not be ideal unless you have an always-on PC at each site.

Andy Burns <(E-Mail Removed)> wrote:

>Peter wrote:
>
>> I run a couple of sites. Each one has a 2900Gi router.
>> I also run an IPSEC VPN between them, which was an absolute pig to get
>> working
>> Ideally I would like the teleworker VPN to use HTTPS (port 443)
>> because that will work on any GPRS/3G network.
>> Can anybody recommend a way forward?
>
>openVPN can work over either UDP (preferred) or HTTPS (useful in cases
>like yours) client and server ends can be Linux or Windows, setup isn't
>really kid gloves, but it far from being a pig, and there are plenty of
>guides out there.
>
>Not be ideal unless you have an always-on PC at each site.

That's right. I have been aware of various 443 VPN solutions which
would work but all of them run on a unix server.

We actually do have a FreeBSD box at each site but I don't want to put
*anything* on there which isn't there already.

Basically they are just email server + backup, receiving emails from
Messagelabs and providing a POP box, with webmail. Prior to ML, they
used to run an increasingly complicated TMDA-based antispam system
which eventually got out of hand.

So for the VPN I want standalone boxes.

Peter <(E-Mail Removed)> wrote:

> I have considered replacing these 2900s with Cisco boxes, which "just
> work" but there is no way I would be able to maintain them. I used to
> have some Cisco 803 ISDN routers and the config on those was so
> complicated I never understood it, and nobody who did understand it
> was around for very long. But I can "manage" the 2900s.
>
Doesn't really help you, but we had Draytek routers at work which were
on the whole reliable but did crash more often than one would have
liked. They were replaced with Cisco 1800 routers (with the ADSL module)
which have been much much much better (probably about ten times less
crashes!). In our case the serivce is managed so the routers are not
configured by us. Because of this, I've not been able to have a look at
the interface on the 1800 but on our other newer Cisco ASA devices, they
are much more user friendly with the web based config.

Mark Ingle wrote:
> Peter <(E-Mail Removed)> wrote:
>
>> I have considered replacing these 2900s with Cisco boxes, which "just
>> work" but there is no way I would be able to maintain them. I used to
>> have some Cisco 803 ISDN routers and the config on those was so
>> complicated I never understood it, and nobody who did understand it
>> was around for very long. But I can "manage" the 2900s.
>>
> Doesn't really help you, but we had Draytek routers at work which were
> on the whole reliable but did crash more often than one would have
> liked. They were replaced with Cisco 1800 routers (with the ADSL module)
> which have been much much much better (probably about ten times less
> crashes!). In our case the serivce is managed so the routers are not
> configured by us. Because of this, I've not been able to have a look at
> the interface on the 1800 but on our other newer Cisco ASA devices, they
> are much more user friendly with the web based config.

I have never ever had a problem I couldn't solve on a Cisco. Eventually.
Sometimes with the help of the guy who wrote the software.


I would say that the pain of getting one to work is less than
supporting other makes that don't, if the money you spend on buying them
is not too much of an issue.

I would have nothing BUT Cisco if I could justify the cost.

Peter wrote:
> I posted this on the seg.co.uk Draytek support site but as usual
> nobody responds.
>
> I run a couple of sites. Each one has a 2900Gi router. These are used
> for normal internet access, with some port forwarding and some packet
> filtering to allow SMTP email delivery only from a small number of
> Messageslabs IPs. Both have WIFI enabled.
>
> I also run an IPSEC VPN between them, which was an absolute pig to get
> working but we finally did it by following some VPN appnotes on
> seg.co.uk. This works most of the time but every so often it hangs and
> the router has to be turned off and back on. It looks like a memory
> leak or something like that. Curiously, to get it going again it is
> the OUTgoing router (the one which dials-out the VPN) which needs to
> be power cycled, not the receiving one. Encryption is 256 bit AES.
>
> Both also support "teleworker" VPN remote access. This uses PPTP. I
> could never get IPSEC working, and anyway it has to work over GPRS/3G
> networks of which far from all support PPTP and none AFAICT support
> (or work with) IPSEC. The dial-in is a winXP laptop, using the
> built-in VPN feature. This VPN access has similar reliability issues.
>
> To make the VPN stuff work properly, I have installed an SMS-triggered
> box which can be used to power cycle the remote site!! This works
> well, unsuprisingly, but seems a ridiculous solution.
>
> The ADSL modems are a D-Link at one site and a Draytek one at the
> other site.
>
> The ISDN fallback dial-up feature is no longer used. We have an ISDN
> PBX and had a special (3rd) number for the dial-up but this was lost a
> while ago.
>
> I have considered replacing these 2900s with Cisco boxes, which "just
> work" but there is no way I would be able to maintain them. I used to
> have some Cisco 803 ISDN routers and the config on those was so
> complicated I never understood it, and nobody who did understand it
> was around for very long. But I can "manage" the 2900s.
>
> Ideally I would like the teleworker VPN to use HTTPS (port 443)
> because that will work on any GPRS/3G network. I do appreciate however
> there is no built-in windows support for SSH VPN so I would need some
> client program which provides a network port under winXP, to enable
> PC/Anywhere to work. OK, I know PCA is cr*p too, but it seems to work
> most of the time, and has the features I want like nice file transfer.
> The VPN features are solely for PCA use.
>
> SEG do not reply to phone calls, which doesn't look good.
>
> Can anybody recommend a way forward? I see Draytek have products like
> the 2830 which can run two ADSL lines concurrently, or run ADSL with
> 3G backup. Otherwise it seems to do the same stuff, not a port 443 VPN
> though.
>
> But most of all, the 2900 does all we need - except for the hanging on
> VPN operations so I want that completely fixed. We already have the
> latest firmware in the 2900s.
>
> Money is not an issue, within reason. I would happily pay £500 per box
> which is 100% reliable.
>
> The 2900s have various other bugs, around the anti-hacking features. I
> don't recall the details but if you enabled e.g. the Teardrop attack
> stuff, the thing just stopped working. Obviously they never tested
> these.
>
> The WIFI in the 2900s also contains some bugs which have come to light
> only very recently. If an Iphone4 or an Ipad2 (I don't have any other
> IOS devices) connects to the router, it works for a bit and then the
> data rate goes very very slow (1% of normal) and if the phone
> disconnects it won't reconnect. The router has to be power cycled. I
> can't say this is a defect in the 2900 however because these phones do
> have subtle issues with WIFI, in the way they auto-switch between
> GPRS/3G and WIFI and sometimes decide neither is available. But
> basically the device crashes the WIFI subsystem in the router.
>
> I would appreciate any tips. I would also pay (Sussex) somebody for
> setting up an alternative. But it would have to be rock solid, and
> maintainable by me via some sort of GUI.
>
> For all I know, all Draytek routers have these bugs.

Curious.

I've used all versions of Vigor routers since the 2600 and never had any
problems with setting up a VPN and getting reliable operation.

But:

1) Ideally, you must have a static IP address at both ends of the VPN.
Exceptions to this require some manual intervention.

2) Configure the routers so you have remote management. You must have a
static IP address at your management location to achieve this.

If ADSL sync fails or the PPP session gets stuck you will have to
manually reboot the remote router; but I've only seen this where
lightning strikes cause the local mains to twitch. But it has happened
with every ISP I've used and every router I've used, so in your
application this is why you need the SMS power resetter. Even that
isn't reliable - no phone operator I've talked to will guarantee the
(timely) delivery of an SMS message. Is it in fact the lack of internet
connection that causes your VPN to fail? You must distinguish between
the two.

3) Where possible I use the LAN-to-LAN option. Depending on the
application I might use dial-in/dial-out or both call directions. IPSec
tunnel only; this forces the IKE Pre-shared key. Security method =
High(ESP), AES with Authentication. I specify the remote network IP
range + mask and the local network IP (the local router itself) and
mask. RIP off. Route to remote subnet.

The VPN can be brought up by any network traffic for an IP address at
the other end. Where I want the VPN to be nailed-up I set it one-way
only and add the "always on" and "ping to keepalive" setting.

4) Given that I have a static address, if I have to connect to a client
with a dynamic address I set my router to dial-out only and equip the
remote client with a DDNS setting. At the client end his router is
configured as dial-in only. It follows that I can bring up the VPN but
he cannot.

You cannot make a LAN-to-LAN VPN if both ends have dynamic addresses.

The problem with this is that quite often network traffic is not enough
to bring up the VPN. I find it necessary to open a browser on the
management of the remote router - this is sufficient, don't even have to
log in - ping something on the remote network - then close the browser.

The LAN-to-LAN VPN is very sensitive to the transit time from one site
to another. If the ADSL or cable service is very congested the VPN will
drop. Changing to a professional ISP usually resolves this.

------------

I tried these settings with a satellite link (ping times over half a
second!) - total failure. However - use PPTP (simple username &
password, VJ compression, set remote site to dial-out and my management
site for dial-in, configure as always-on. If the satellite connection
fails (which it does, far more frequently than you would blame on power
failures at the remote site - a quarry in the middle of nowhere) the
remote router reconnects to mine as soon as the satellite link comes up.

Using this VPN is a different matter - it does require real patience -
but it saves a 50-mile trip to the site!

The DDNS presents a problem - the satallite IP address doesn't actually
change, but the supplier says it is dynamic. So the DDNS supplier sends
reqular emails warning that the service hasn't been used, which have to
be responded to. Paying for a DDNS service would solve that.

------------

These LAN-to-LAN VPNs work from any model of Vigor router to any other,
provided that they have the current firmware.

When setting up a new VPN I have sometimes found it necessary to reboot
one or other router - not often enough to form a view as to which
actually resolves the problem.

If I can get a management connection to the router I can always get the
VPN up - even where the VPN is between sites A and B and I am at site C
- but as above, if the address (of A or B) is resolved through DDNS then
it may be necessary at C to open a browser on either router A or router B.

------------

How are your routers connected to the internet? You mentioned 3G/GPRS -
in my experience this won't work with IPSec, but (as with my satellite
link) might work with PPTP. There are 3G services which assign static
IP addresses.

My remote management is done either with VNC or Remote Desktop - or
simply with a browser where the remote device is a printer or the like
with a web management page. Telnet will also work - the beauty of the
LAN-to-LAN configuration is that it connects your LAN to the remote LAN,
so anything that would work locally will work to the remote site. All
devices must have the router set as the default gateway.

A Windows PC at one site connected to a Windows Domain Controller at
another site must have its DNS pointed to the DC. This is a potential
performance bottleneck and I haven't found a good solution to it ....

The remote LAN's IP address must of course be different to your local
one; and most older Vigor routers only support 32 concurrent LAN-LAN
profiles. I'm running out ....



-- Graham J

Graham J wrote:
[snip]

One other point:

At one end of the VPN I try to have an always-on computer which
regularly pings the other router to confirm that the VPN is up - and
emails me if it isn't. Checking once per hour is usually good enough to
allow me to forestall complaints from the customer, but your
circumstances might vary.

--
Graham J

Graham J <graham@invalid> wrote

Many thanks for your comments everyone.
>
>Curious.
>
>I've used all versions of Vigor routers since the 2600 and never had any
>problems with setting up a VPN and getting reliable operation.
>
>But:
>
>1) Ideally, you must have a static IP address at both ends of the VPN.
>Exceptions to this require some manual intervention.

Have that.

>2) Configure the routers so you have remote management. You must have a
>static IP address at your management location to achieve this.

The routers have external admin ports but they are disabled. One can
access the router config only from one of the PCs on the internal LAN;
I am happy with that.

Oddly enough, the 2900 still responds to port 443 packets on its admin
port, even when remote management is disabled, facilitating dictionary
attacks (which get nowhere but "somebody" out there keeps running
them) One way around this we found is to port-forward port 443
packets to an internal IP which has nothing listening on it. Draytek
never fixed this, despite it having been reported.

>If ADSL sync fails or the PPP session gets stuck you will have to
>manually reboot the remote router; but I've only seen this where
>lightning strikes cause the local mains to twitch. But it has happened
>with every ISP I've used and every router I've used, so in your
>application this is why you need the SMS power resetter. Even that
>isn't reliable - no phone operator I've talked to will guarantee the
>(timely) delivery of an SMS message. Is it in fact the lack of internet
>connection that causes your VPN to fail? You must distinguish between
>the two.

I am aware that if the ADSL is interrupted then the router may need
resetting, and that alone is a good reason for the SMS-triggered
remote power cycle facility, but I am sure this is not the cause of
the vast majority of the very regular router crashes during VPN usage.

>3) Where possible I use the LAN-to-LAN option. Depending on the
>application I might use dial-in/dial-out or both call directions. IPSec
>tunnel only; this forces the IKE Pre-shared key. Security method =
>High(ESP), AES with Authentication. I specify the remote network IP
>range + mask and the local network IP (the local router itself) and
>mask. RIP off. Route to remote subnet.

I think this is what I have, though the config was opaque to me.

>The VPN can be brought up by any network traffic for an IP address at
>the other end. Where I want the VPN to be nailed-up I set it one-way
>only and add the "always on" and "ping to keepalive" setting.

The VPN sets up in a few secs so I am not keeping it alive.

>4) Given that I have a static address, if I have to connect to a client
>with a dynamic address I set my router to dial-out only and equip the
>remote client with a DDNS setting. At the client end his router is
>configured as dial-in only. It follows that I can bring up the VPN but
>he cannot.
>
>You cannot make a LAN-to-LAN VPN if both ends have dynamic addresses.
>
>The problem with this is that quite often network traffic is not enough
>to bring up the VPN. I find it necessary to open a browser on the
>management of the remote router - this is sufficient, don't even have to
>log in - ping something on the remote network - then close the browser.
>
>The LAN-to-LAN VPN is very sensitive to the transit time from one site
>to another. If the ADSL or cable service is very congested the VPN will
>drop. Changing to a professional ISP usually resolves this.

Interesting. I wonder if that's it. One is Eclipse and the other is
ZEN. ZEN is the better of the two but I can't have the same ISP for
both locations. But both ADSL services come off the same (rural)
exchange; the sites are only 2 miles apart.

>------------
>
>I tried these settings with a satellite link (ping times over half a
>second!) - total failure. However - use PPTP (simple username &
>password, VJ compression, set remote site to dial-out and my management
>site for dial-in, configure as always-on. If the satellite connection
>fails (which it does, far more frequently than you would blame on power
>failures at the remote site - a quarry in the middle of nowhere) the
>remote router reconnects to mine as soon as the satellite link comes up.
>
>Using this VPN is a different matter - it does require real patience -
>but it saves a 50-mile trip to the site!
>
>The DDNS presents a problem - the satallite IP address doesn't actually
>change, but the supplier says it is dynamic. So the DDNS supplier sends
>reqular emails warning that the service hasn't been used, which have to
>be responded to. Paying for a DDNS service would solve that.
>
>------------
>
>These LAN-to-LAN VPNs work from any model of Vigor router to any other,
>provided that they have the current firmware.
>
>When setting up a new VPN I have sometimes found it necessary to reboot
>one or other router - not often enough to form a view as to which
>actually resolves the problem.
>
>If I can get a management connection to the router I can always get the
>VPN up - even where the VPN is between sites A and B and I am at site C
>- but as above, if the address (of A or B) is resolved through DDNS then
>it may be necessary at C to open a browser on either router A or router B.
>
>------------
>
>How are your routers connected to the internet? You mentioned 3G/GPRS -
>in my experience this won't work with IPSec, but (as with my satellite
>link) might work with PPTP. There are 3G services which assign static
>IP addresses.

One has a D-link something-300 modem (now quite old but once very
popular) and the other has a Draytek Vigor 120, but used to have a
D-link before that.

I am not using 3G fallback at all at present.

>My remote management is done either with VNC or Remote Desktop - or
>simply with a browser where the remote device is a printer or the like
>with a web management page. Telnet will also work - the beauty of the
>LAN-to-LAN configuration is that it connects your LAN to the remote LAN,
>so anything that would work locally will work to the remote site. All
>devices must have the router set as the default gateway.
>
>A Windows PC at one site connected to a Windows Domain Controller at
>another site must have its DNS pointed to the DC. This is a potential
>performance bottleneck and I haven't found a good solution to it ....
>
>The remote LAN's IP address must of course be different to your local
>one; and most older Vigor routers only support 32 concurrent LAN-LAN
>profiles. I'm running out ....

I think none of this is an issue, but the VPN crashing (and the WIFI
crashing with Apple clients) remain.

Good point in another post about using a separate WIFI AP... I have a
WRT54GC at home, used this way. One can also set up port range
blocking in that, and blocking ports 138 etc stops windoze networking
working which can be very handy because visitors can use the WIFI but
can't even see your PCs.

Peter wrote:
>
> Graham J<graham@invalid> wrote
>
> Many thanks for your comments everyone.
>>
>> Curious.
>>
>> I've used all versions of Vigor routers since the 2600 and never had any
>> problems with setting up a VPN and getting reliable operation.
>>
>> But:
>>
>> 1) Ideally, you must have a static IP address at both ends of the VPN.
>> Exceptions to this require some manual intervention.
>
> Have that.
>
>> 2) Configure the routers so you have remote management. You must have a
>> static IP address at your management location to achieve this.
>
> The routers have external admin ports but they are disabled. One can
> access the router config only from one of the PCs on the internal LAN;
> I am happy with that.

Why do you do this? Remote admin from a static IP address would seem to
be secure enough ...

> Oddly enough, the 2900 still responds to port 443 packets on its admin
> port, even when remote management is disabled, facilitating dictionary
> attacks (which get nowhere but "somebody" out there keeps running
> them) One way around this we found is to port-forward port 443
> packets to an internal IP which has nothing listening on it. Draytek
> never fixed this, despite it having been reported.
>
>> If ADSL sync fails or the PPP session gets stuck you will have to
>> manually reboot the remote router; but I've only seen this where
>> lightning strikes cause the local mains to twitch. But it has happened
>> with every ISP I've used and every router I've used, so in your
>> application this is why you need the SMS power resetter. Even that
>> isn't reliable - no phone operator I've talked to will guarantee the
>> (timely) delivery of an SMS message. Is it in fact the lack of internet
>> connection that causes your VPN to fail? You must distinguish between
>> the two.
>
> I am aware that if the ADSL is interrupted then the router may need
> resetting, and that alone is a good reason for the SMS-triggered
> remote power cycle facility, but I am sure this is not the cause of
> the vast majority of the very regular router crashes during VPN usage.

Why are you sure? Without either being at the site or having remote
management access you don't know. You should be able to demonstrate
that the ADSL connection is good before worrying about the VPN ...

>> 3) Where possible I use the LAN-to-LAN option. Depending on the
>> application I might use dial-in/dial-out or both call directions. IPSec
>> tunnel only; this forces the IKE Pre-shared key. Security method =
>> High(ESP), AES with Authentication. I specify the remote network IP
>> range + mask and the local network IP (the local router itself) and
>> mask. RIP off. Route to remote subnet.
>
> I think this is what I have, though the config was opaque to me.
>
>> The VPN can be brought up by any network traffic for an IP address at
>> the other end. Where I want the VPN to be nailed-up I set it one-way
>> only and add the "always on" and "ping to keepalive" setting.
>
> The VPN sets up in a few secs so I am not keeping it alive.
>
>> 4) Given that I have a static address, if I have to connect to a client
>> with a dynamic address I set my router to dial-out only and equip the
>> remote client with a DDNS setting. At the client end his router is
>> configured as dial-in only. It follows that I can bring up the VPN but
>> he cannot.
>>
>> You cannot make a LAN-to-LAN VPN if both ends have dynamic addresses.
>>
>> The problem with this is that quite often network traffic is not enough
>> to bring up the VPN. I find it necessary to open a browser on the
>> management of the remote router - this is sufficient, don't even have to
>> log in - ping something on the remote network - then close the browser.
>>
>> The LAN-to-LAN VPN is very sensitive to the transit time from one site
>> to another. If the ADSL or cable service is very congested the VPN will
>> drop. Changing to a professional ISP usually resolves this.
>
> Interesting. I wonder if that's it. One is Eclipse and the other is
> ZEN. ZEN is the better of the two but I can't have the same ISP for
> both locations. But both ADSL services come off the same (rural)
> exchange; the sites are only 2 miles apart.

Why can't you have the same ISP at both locations?

If they are on the same exchange, have you thought about a LES10 or
similar link between the two sites? Do they actually need an internet
connection? See for example:

http://www.westlake.co.uk/SHDS_LES10_LES100_LES1000.htm

[snip]

> Good point in another post about using a separate WIFI AP... I have a
> WRT54GC at home, used this way. One can also set up port range
> blocking in that, and blocking ports 138 etc stops windoze networking
> working which can be very handy because visitors can use the WIFI but
> can't even see your PCs.

I try never to use wireless - I don't see it as a professional solution
to a business problem.

Having said that I do support two separate point-to-point wireless links
each over about 2km, using Tranzeo kit. In each case the internet end
has a static IP address and remote management of a Vigor router, so I
monitor the state of the wirless link on a once-a-minute basis. So far
every failure I've seen in about 5 years has been when the mains power
has been cut.

--
Graham J

On Mon, 5 Sep 2011 13:42:38 UTC, Peter <(E-Mail Removed)> wrote:

<snip>

> Ideally I would like the teleworker VPN to use HTTPS (port 443)
> because that will work on any GPRS/3G network. I do appreciate however
> there is no built-in windows support for SSH VPN so I would need some
> client program which provides a network port under winXP, to enable
> PC/Anywhere to work. OK, I know PCA is cr*p too, but it seems to work
> most of the time, and has the features I want like nice file transfer.
> The VPN features are solely for PCA use.
>

I disovered only recently that there is a "pro", ie chargable, version
of VNC and that too has file transfer amongst other things. Has the
advatage that it is not OS specific. ie you can run a Win desktop on
*nix and t'other way around.

I use VNC a lot and it is very good. I *think* its basic transfer is
encrypted but I usually tunnel it through SSH.
HTH.
<snip>

--
Regards
Dave Saville