VPN bi-directional access

 
 
DGClarke
Guest
Posts: n/a

 
      10-27-2005, 09:26 AM
I set up a VPN connection between home and the office. This works fine.
I can remote desktop and ping machines on the corporate LAN (by IP
address not name oddly). What I want to be able to do is to control a
process (via TCP) on my home machine from an application at work.

When I establish the VPN, I get a 192.168.X.X IP address assigned to
the virtual adapter. From work, I cannot ping this IP address. I can't
even ping it from home. I get no response however I try to talk to it.

I thought that VPN was like a secure piece of wire. It appears as if I
need to do more than I am doing.

Any help gratefully received.

 
 
 
 
 
DGClarke
Guest
Posts: n/a

 
      10-27-2005, 11:01 AM
Better now, but still not working. I had a personal firewall enabled.
Disabled this. Now can ping from local machine and corporate machines.

The application on the server tries to contact the client on a
nominated port and I get a
"java.net.ConnectException: Connection refused: connect" exception.

Netstat -a shows the port as there and LISTENING.

 
 
Phillip Windell
Guest
Posts: n/a

 
      10-27-2005, 06:38 PM
What does "control a process (via TCP) on my home machine from an
application at work" mean? It sounds like one of those things where the
most direct answer is that you can not do such a thing.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



"DGClarke" wrote in message:
> Better now, but still not working. I had a personal firewall enabled.
> Disabled this. Now can ping from local machine and corporate machines.
>
> The application on the server tries to contact the client on a
> nominated port and I get a
> "java.net.ConnectException: Connection refused: connect" exception.
>
> Netstat -a shows the port as there and LISTENING.
>



 
 
DGClarke
Guest
Posts: n/a

 
      10-28-2005, 10:58 AM
What this means is that I have a process running at home and it is
listening on a certain TCP port for a message. The application at the
office knows the IP address and the port and tries to connect. On the
XP implementation of VPN, I believe that the virtual adapter created
when the VPN is established rejects connection attempts over the VPN.
I think that this is because it is a unidirectional circuit intended
for client-server use. However I need a server-server i.e. site-site
VPN. This simply connects 2 networks via the Internet. In this case,
the virtual adapter would not reject the connection attempt because
there is not a client-server relationship.

I hope I explained that well enough. I want my VPN to look just like a
secure piece of wire. If it can be set up like this (and I now believe
it can) then my application will be able to connect to the VPN
connected machine.

The point is that XP is really an operating system for client machines.
This is why Microsoft are still selling Windows Server to meet the
needs of the Server side of the connection. I need a Server-Server VPN
and these exist.

Phillip Windell wrote:
> What does "control a process (via TCP) on my home machine from an
> application at work" mean? It sounds like one of those things where the
> most direct answer is that you can not do such a thing.


 
 
Phillip Windell
Guest
Posts: n/a

 
      10-28-2005, 06:43 PM
"DGClarke" wrote in message:
> for client-server use. However I need a server-server i.e. site-site
> VPN.


That can only be done natively in Windows by running RRAS which runs only on
the Server edition.




 
 
DGClarke
Guest
Posts: n/a

 
      10-30-2005, 10:12 AM
Philip,

Thanks for this. It is the conclusion I came to too. XP cannot do
this, so I have 2 obvious options:

1) Run the process to which the connection is attempted on Server 2003
(ISA?), and use this to establish a site-site VPN.

2) Buy a VPN router and connect the XP machine to it. The router can
establish the site-site VPN, and then the XP client is just running on
its own LAN. The tunnelling will be done by the local and remote
routers. XP is not involved in establishing the VPN. It talks only over
a physical adapter and so will accept inbound connections.

What do you think?

Thanks for the ISA links. I'll give these a read.

 
 
Wendel Hamilton
Guest
Posts: n/a

 
      10-31-2005, 09:51 AM
Hi,
You might try starting the routing and remote access service on the XP box
and it should route the requests to your LAN card for you. Remember you have
to be able to ping its address from work so some routing rules may have to be
added to the RRAS server. You could rebind the application to the IP address
of the Ras connection when it comes up or bind it to 127.0.0.1 which should
bind to all adaptors when active.

"DGClarke" wrote:

> Philip,
>
> Thanks for this. It is the conclusion I came to too. XP cannot do
> this, so I have 2 obvious options:
>
> 1) Run the process to which the connection is attempted on Server 2003
> (ISA?), and use this to establish a site-site VPN.
>
> 2) Buy a VPN router and connect the XP machine to it. The router can
> establish the site-site VPN, and then the XP client is just running on
> its own LAN. The tunnelling will be done by the local and remote
> routers. XP is not involved in establishing the VPN. It talks only over
> a physical adapter and so will accept inbound connections.
>
> What do you think?
>
> Thanks for the ISA links. I'll give these a read.
>
>
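
Added example, not part of any poster's message: a port can show as LISTENING in netstat while a connection to the VPN adapter's address is still refused, because a socket bound to one local address (127.0.0.1 is loopback only) does not answer on another, whereas a 0.0.0.0 bind covers every local IPv4 address. The sketch parses `netstat -an` output and reports whether a given destination address and port would find a listener; the sample output and the adapter address 10.99.0.2 are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:6000      0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.5.20:1042      ESTABLISHED
"""

VPN_ADAPTER_IP = "10.99.0.2"  # hypothetical address of the VPN virtual adapter

def listeners(netstat_text):
    """Yield (ip, port) for every TCP row in the LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            yield ipaddress.ip_address(host.strip("[]")), int(port)

def accepts_on(netstat_text, target_ip, port):
    """Return (bool, reason): would a SYN to target_ip:port find a listener?"""
    target = ipaddress.ip_address(target_ip)
    bound = [ip for ip, p in listeners(netstat_text) if p == port]
    if not bound:
        return False, "nothing is listening on that port"
    for ip in bound:
        # 0.0.0.0 (or ::) is the wildcard: every local address of that family.
        if ip.is_unspecified and ip.version == target.version:
            return True, f"wildcard bind {ip} covers {target}"
        if ip == target:
            return True, f"socket is bound to {ip} itself"
    where = ", ".join(str(ip) for ip in bound)
    return False, f"listening only on {where}; a SYN to {target} gets connection refused"

if __name__ == "__main__":
    for port in (5000, 6000, 7000, 9999):
        ok, why = accepts_on(SAMPLE_NETSTAT, VPN_ADAPTER_IP, port)
        print(f"{VPN_ADAPTER_IP}:{port} -> {'accept' if ok else 'refuse'} ({why})")
```

A wildcard bind also exposes the port on every other interface of the machine, so it is normally paired with a host firewall rule that admits only the VPN peer's address.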

 
 
Phillip Windell
Guest
Posts: n/a

 
      10-31-2005, 01:27 PM
"DGClarke" wrote in message:
> 1) Run the process to which the connection is attempted on Server 2003
> (ISA?), and use this to establish a site-site VPN.
>
> 2) Buy a VPN router and connect the XP machine to it. The router can
> establish the site-site VPN, and then the XP client is just running on
> its own LAN. The tunnelling will be done by the local and remote
> routers. XP is not involved in establishing the VPN. It talks only over
> a physical adapter and so will accept inbound connections.


Either would work.




 
 
Bill Grant
Guest
Posts: n/a

 
      10-31-2005, 10:05 PM
There is a way to get it to work with XP as the router at one end
(although it is limited), as long as you have RRAS at the other end.

XP cannot support demand-dial interfaces, which gives you the ability to
add the necessary routing to the "other" site. If the server side has this
ability, you can rely on default routing at the other end if it is a simple
LAN.

So you configure RRAS at the server end as if it was a site to site VPN,
with a demand-dial interface linked to a subnet route back to the home LAN.
You then connect from the XP, using the demand-dial interface name as the
username. The XP connects to the dd interface and the server sets up the
route for the home network subnet through the VPN link (just as it does when
a RRAS router connects).

If you enable IP routing on the XP, you can connect to any machine on
the home LAN which has a route to the "work" site via the XP router (because
the XP has a default route across the VPN connection). So if the XP is the
default gateway for the LAN, it just works. If it isn't, you need extra
routing on each host (or on the gateway router) to get traffic for the
"work" private LAN to the XP.

Phillip Windell wrote:
> "DGClarke" wrote in message:
>> 1) Run the process to which the connection is attempted on Server
>> 2003 (ISA?), and use this to establish a site-site VPN.
>>
>> 2) Buy a VPN router and connect the XP machine to it. The router can
>> establish the site-site VPN, and then the XP client is just running
>> on its own LAN. The tunnelling will be done by the local and remote
>> routers. XP is not involved in establishing the VPN. It talks only
>> over a physical adapter and so will accept inbound connections.

>
> Either would work.



 
 
DGClarke
Guest
Posts: n/a

 
      11-02-2005, 10:37 AM
Bill

Thanks for this. It sounds really interesting. I wonder if I can do it
though. The VPN at the server end is established by Zywall 10 VPN
router hardware. So there is no RRAS to be seen. However, there may be
some equivalent mechanism available on the router.

 