




_|_|_|_|_|                                          _|          _|    _|_|
    _|      _|    _|  _|_|_|    _|_|_|      _|_|    _|        _|    _|    _|
    _|      _|    _|  _|    _|  _|    _|  _|_|_|_|  _|      _|          _|
    _|      _|    _|  _|    _|  _|    _|  _|        _|    _|          _|
    _|        _|_|_|  _|    _|  _|    _|    _|_|_|  _|  _|          _|_|_|_|



                                       Isn't the public Internet just great!





  TUNNEL/2                     Version 1.20                   April 1, 1998




==========================================================================
 F R E Q U E N T L Y    A S K E D    Q U E S T I O N S
===========================================================Solutions======


QUESTION: What is Tunnel/2 and how do I find out more?

   Tunnel/2 connects two or more sites via the Internet--securely--as if 
   they were at the same geographical location. The home page is a good 
   place to find more information:

	http://www.fx.dk/tunnel



QUESTION: Why use Tunnel/2?

   Tunnel/2 provides a tunnel over normal socket connections and is,
   unlike many other tunnel solutions, not dependent on hardware.

   The most important features of Tunnel/2 are two-way dial-on-demand,
   the ability to have a static IP address that is always reachable,
   RSA-1024 key sync-up and DES-56 real-time encryption (Security Plugin),
   filtering and compression.

   Additionally, Tunnel/2 provides some features that are not found
   in any other tunneling software, e.g. the ability to plug in new
   user-exits, using the Plugin Development Kit.



QUESTION: Is Tunnel/2 targeted at businesses or private users?

   Both - Businesses can use Tunnel/2 to build a Virtual Net with
   superior connectivity. Private users can use it to:

      * get behind the company firewall (from home), 
      * go through the company firewall and have FULL access to another
        place on net, such as the home LAN (from work)
      * reach hosts behind a Masqueraded PC.



QUESTION: Quick start?

   The absolute minimal setup to run Tunnel/2 is:

        Tunnel Master 

           1.Setup the password.txt file in the Tunnel Master 'root' directory 
           2.Run TM.EXE with default values

        Tunnel Slave 

           1.Connect InJoy dialer to the Internet with the /D command line 
             option 
           2.Copy 'connect.txt' from the InJoy directory to Slave directory 
           3.Run TS.EXE /M:masterIPaddr /S:password /F
             (masterIPaddr is the Master's Internet address; password is
             the one you put in password.txt on the Master)

   Continue here: http://www.fx.dk/tunnel/vpn_life.htm



QUESTION: Where are the easy step-by-step setup instructions?

   An updated online version can be found at:

	http://www.fx.dk/tunnel/vpn_life.htm



QUESTION: My ISP gateway's address changes at each connect, what can I do?

   It is possible to grab the 'ISP Gateway Address' from the InJoy file 
   'connect.txt' instead of providing the address on the command line. 

   It requires TS to have the file in the working directory, so either just 
   install TS on top of InJoy (not a problem) or let InJoy copy the file 
   to the TS directory when connected. 

   If the ISP Gateway address never changes, just copy 'connect.txt' to the 
   slave directory in a one time operation.

   The Tunnel Slave needs the ISP Gateway address in order to add a host 
   route through it, to the Master.


QUESTION: Do you have a customer provided setup guide? You know, one
          that was actually used to get up and working.   

   This setup guide has not been checked for accuracy by F/X.
  
   -->MASTER

   * install the Tunnel/2 package on the machine you want as the Master.
   * configure TCP for IP forwarding via the TCP configuration, or execute
     'ipgate ON' each time you start the Tunnel/2 Master.
   * It is OK to use the default TM start-up parameters unless your company
     is already using 10.2.0.0 for the internal net; in that case specify a
     new Tunnel/2 subnet on start-up (using the /r parameter): TM /r:10.3.1.1
   * add a route on EACH machine on your local net that will route packets
     for the Tunnel/2 subnet (10.2.0.0, or 10.3.0.0 in the example above) to
     the TM machine on your local net. Alternatively, add that route to the
     LAN's router, as the PROXY ARP answer below suggests.

     For example: if the Tunnel/2 master lives on machine 10.1.1.45 on your 
     local net, and you want to reach the machine at 10.1.1.55 from the 
     Tunnel/2 slave you will have to add a route on 10.1.1.55 that points 
     the Tunnel/2 subnet to 10.1.1.45, 

             route add -net 10.3.0.0   10.1.1.45     255.255.0.0   1
                            Tm subnet  TM location   subnet mask   hops

   * In other words, if you are at the slave and you want to ping 10.1.1.55 
     you need to add a route on 10.1.1.55 that points back to the Tunnel/2 
     Master machine for the Tunnel/2 subnet.

   --> SLAVE
 
   * Install the Tunnel/2 package on the machine
   * Configure TCP for IP forwarding
   * Delete default route   (route delete default)
   * Start Internet connection
   * Start Tunnel/2 slave 

   TS /G:123.456.789.123  /M:101.123.456.11      /F       /S:password
         ISP gateway      Internet address      Force     Password set up
         address          of your remote net    Connect   in connect.txt    
                          gateway. The real               in the master
                          address the Internet            directory
                          sees to access your
                          remote net, NOT a
                          Tunnel/2 address

   * If you started the Tunnel/2 Master with the defaults, that's all you
     need for the Slave. If you used the /R parameter on the Master you
     need the /R parameter on the Slave as well:

         TS /G:123.456.789.123 /M:101.123.456.11 /R:10.3.2.1

     (The /G and /M addresses above are placeholders, not valid IPv4
     addresses; substitute your real ISP gateway and Master addresses.)



QUESTION: How do I get the plugins?

   Plugins are not part of the Tunnel/2 demo version, but are separately
   available from F/X Communications, see www.fx.dk/tunnel/order.htm



QUESTION: Is Tunnel/2 secure without the DES-56 Security Plugin?

   The Tunnel/2 standard installation uses password checking to authenticate
   remote clients. This is done via a 3-way authentication protocol.

   Data being transferred through the tunnel is NOT encrypted: without the
   Security Plugin, anyone who can observe the traffic between Slave and
   Master can read it. The authentication only decides who may bring up a
   tunnel; it does not protect the packets that flow through it.



QUESTION: How secure is the DES-56 Security Plugin?

   The security plugin uses RSA-1024 for key sync-up and DES-56 for
   real-time encryption of packets.

   RSA-1024 is marketed as 'military grade' security; factoring a 1024-bit
   modulus is not feasible with today's hardware.

   DES-56 has been used for encryption in many areas. Note, however, that
   its key is only 56 bits (2^56 possible keys): in 1997 a distributed
   brute-force search (the DESCHALL project) recovered a DES key in a
   public challenge, so DES-56 should be regarded as protection against
   eavesdropping by an ordinary attacker, not against a well-funded one.
   With real-time encryption of data, an implementation must choose the
   best compromise regarding key-bit-size and sheer processing power,
   and F/X has chosen DES-56 as that compromise.



QUESTION: How fast is the Security Plugin - DES-56?

   DES-56 is CPU-intensive in software, so it is not fast. On a Pentium
   133 MHz Slave computer F/X typically experiences a maximum of ~11 Kbit
   per second. The F/X Tunnel uses multiple threads and would therefore
   benefit from an SMP architecture.

   Compressing data before it is encrypted will in many cases dramatically
   improve the transfer rate.



QUESTION: What does the Compression Plugin offer?

   The compression plugin is based on the same successful algorithm as
   PKZip (tm). Use it to compress data before it goes over a leased line
   or a modem, or before it is encrypted.

   The compression is fast and offers a great reduction in bandwidth use.



QUESTION: What does the Filter Plugin offer?

   The filter plugin allows you to optionally discard packets matched on IP
   address (combined with netmask), TCP port number, protocol, a hex-string, 
   a bit-value, or advanced compound filters.

   There is no byte within a packet that cannot be addressed using the
   filter plugin.
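   The rule types listed above (address with netmask, port, protocol,
   hex-string, bit value, and compound filters) are easiest to understand
   as predicates over the raw packet. The following is an added example,
   written for this FAQ and not the Tunnel/2 filter plugin's code or rule
   syntax; the packets are constructed inline with the Python standard
   library, and the two policies it applies (dropping NetBIOS-session
   keep-alives on TCP port 139, which the SWP interview further down
   mentions wanting to filter, and dropping telnet SYNs from outside
   10.0.0.0/8) are assumed for illustration only.

```python
import ipaddress
import struct

TCP = 6

def build_ipv4_tcp(src, dst, sport, dport, flags=0x18, payload=b""):
    """Constructed test packet: 20-byte IPv4 header, 20-byte TCP header, payload.
    Checksums are left zero; the filter never inspects them."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                          8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, TCP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload

def parse(raw):
    """Decode the IPv4 header and, for TCP, the TCP header, into a dict."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    h = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
         "proto": proto, "ihl": ihl, "sport": None, "dport": None, "payload": raw[ihl:]}
    if proto == TCP:
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        h.update(sport=sport, dport=dport, payload=raw[ihl + (off_flags >> 12) * 4:])
    return h

# Each rule is a predicate (raw_bytes, parsed_header) -> bool.
def ip_in(field, cidr):                 # IP address combined with a netmask
    net = ipaddress.ip_network(cidr)
    return lambda raw, h: h[field] in net

def port(p):                            # TCP port number, either direction
    return lambda raw, h: p in (h["sport"], h["dport"])

def proto(n):                           # IP protocol number
    return lambda raw, h: h["proto"] == n

def hex_in_payload(hexstr):             # hex-string anywhere in the payload
    needle = bytes.fromhex(hexstr)
    return lambda raw, h: needle in h["payload"]

def bit(offset, mask, value, layer="ip"):
    """(byte at offset & mask) == value; offset counts from the IP header or,
    with layer='tcp', from the TCP header.  Any byte of the packet is reachable."""
    def pred(raw, h):
        o = offset + (h["ihl"] if layer == "tcp" else 0)
        return o < len(raw) and (raw[o] & mask) == value
    return pred

def all_of(*ps):                        # compound filters
    return lambda raw, h: all(p(raw, h) for p in ps)

def not_(p):
    return lambda raw, h: not p(raw, h)

def decide(rules, raw):
    """'DISCARD' if any rule matches, otherwise 'PASS'."""
    h = parse(raw)
    return "DISCARD" if any(r(raw, h) for r in rules) else "PASS"

# Assumed policy for illustration:
#  1. Drop NetBIOS-session keep-alives (RFC 1002: type 0x85, flags 0, length 0)
#     on TCP port 139 so they do not keep a dial-on-demand link up.
#  2. Drop telnet connection attempts (TCP SYN to port 23) from outside 10.0.0.0/8.
#     TCP header byte 13 holds the flag bits; SYN is 0x02.
RULES = [
    all_of(proto(TCP), port(139), hex_in_payload("85000000")),
    all_of(proto(TCP), port(23), not_(ip_in("src", "10.0.0.0/8")),
           bit(13, 0x02, 0x02, layer="tcp")),
]

def demo():
    """Run the policy over four constructed packets; returns {name: verdict}."""
    samples = {
        "nbt_keepalive": build_ipv4_tcp("10.3.1.5", "10.1.1.45", 1025, 139,
                                        payload=bytes.fromhex("85000000")),
        "nbt_session_data": build_ipv4_tcp("10.3.1.5", "10.1.1.45", 1025, 139,
                                           payload=bytes.fromhex("00000010") + b"x" * 16),
        "external_telnet_syn": build_ipv4_tcp("192.0.2.7", "10.1.1.55", 40000, 23,
                                              flags=0x02),
        "internal_telnet_syn": build_ipv4_tcp("10.3.1.5", "10.1.1.55", 40000, 23,
                                              flags=0x02),
    }
    return {name: decide(RULES, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

   Only the keep-alive and the outside telnet SYN are discarded; ordinary
   NetBIOS session data on the same port passes, which is the point of
   combining a port match with a payload match instead of filtering the
   port outright.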



QUESTION: How many Slaves can a Tunnel Master support?

   The biggest real-life Tunnel installation has about 400 Tunnel Slaves
   installed and has been running without problems since March 1996.

   Notice that the use of plugins will dramatically increase the CPU load.

   The theoretical limitation for one Tunnel Master would be just below 2000
   Slaves.



QUESTION: Where does the Tunnel Master store information about slaves?

   When a Slave connects to the Master it tells the Master characteristics
   about itself. That information is stored in the file 'connect.dat' which
   is updated at every Slave connect.

   Over time, you will see that 'connect.dat' records information about more
   and more slaves as you periodically change your setup. To clean up that
   information, simply delete the file.



QUESTION: Routing - what is PROXY ARP used for?

   The Tunnel Master uses the 'ARP.EXE' program to add PROXY ARP entries at
   the TM location. A PROXY ARP entry makes the Master answer ARP requests
   for a Tunnel Slave's address on the LAN, so LAN PCs that consider that
   address local deliver their packets for the Slave to the Master without
   any route having been added on them.

   PROXY ARP has a history of being a source of many problems and you
   should always verify the ARP table, using the 'arp -a' command.
   
   F/X suggests that you update your router with new routes to make sure
   packets for the Tunnel subnet are routed properly to the Tunnel Master.

   With some versions of TCP/IP the output window is likely to show
   ARP-related errors. These errors can be ignored; they are triggered
   only by some versions of the TCP/IP stack. Use 'arp -a' to verify your
   own PROXY ARP entries at any time.



QUESTION: How does two-way Dial-On-Demand work?

   In order for Tunnel/2 to provide two-way Dial-On-Demand, you must 
   equip the Tunnel Master with one or more modems. TM uses these modems 
   to quickly call the modem at the Slave PC, in order to trigger that 
   (remote) dialer to dial the local ISP. 
   
   This requires the dialer at the Slave PC to support dialing at an 
   incoming "RING". The InJoy dialer (also from F/X Communications)
   can do that.

   When Dial-On-Demand is triggered by Slave activity, the Slave simply
   sends out a packet on the IP stack and leaves it to the dialer to dial out.



QUESTION: In what order should I start the software?

   Order shouldn't matter. However, if packets don't seem to take the 
   right route, try this: Make at least one Internet connection before you 
   bring up the Tunnel. If you have routing problems, be sure to try this 
   cure.



QUESTION: Starting TS/TM gives message: "ACTION: TUNNEL UP", why?

   The message is caused by an auto-generated command, similar to using 
   'settun /A'.

   The command causes the Tunnel to create the TCP/IP stack interface and 
   routes. It does NOT mean that a tunnel connection is actually established.



QUESTION: But what if I already have a default route when I launch TS?

   Be sure NOT to have a default route when bringing up the Tunnel Slave.
   TS.EXE will NOT remove an existing default route for you.

   If you use InJoy as your dialer, use the /D option to avoid having a
   default route. /D is supported by InJoy version 1.1 and later.



QUESTION: Why does the Tunnel Slave create a default route?

   By default TS creates a default route and accordingly routes all packets
   through the tunnel, to the Master.

   TS does give you a handle to avoid this. If you start the Slave with
   the /D parameter, then it won't create a default route. This allows
   you to route your corporate traffic through the Tunnel and the
   remaining traffic directly through the dialer ('split tunneling').
   Keep in mind that a Slave run this way is connected to the Internet
   directly and to the corporate LAN through the Tunnel at the same time,
   so it should be treated as part of the corporate LAN's perimeter.
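   Both the return-route step in the customer setup guide above and the
   default-route behaviour described here come down to longest-prefix-match
   routing, on the Slave and on the hosts of the Master LAN. The following
   added example (written for this FAQ; not Tunnel/2 code) simulates those
   tables with the Python standard library. The tunnel addresses 10.3.1.1
   and 10.3.2.1 and the LAN addresses 10.1.1.45 and 10.1.1.55 are the ones
   from the setup guide; the public addresses 192.0.2.1 (ISP gateway),
   198.51.100.10 (Master's Internet address) and 203.0.113.7 (an arbitrary
   Internet host), the LAN router 10.1.1.1 and the interface names tun0,
   ppp0 and lan0 are assumed placeholders.

```python
import ipaddress

class RoutingTable:
    """Minimal longest-prefix-match routing table."""
    def __init__(self):
        self.routes = []          # (network, next hop, interface)

    def add(self, dest, via, dev):
        self.routes.append((ipaddress.ip_network(dest), via, dev))

    def lookup(self, dst):
        """Return 'dev via nexthop' for the most specific matching route, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        net, via, dev = max(matches, key=lambda r: r[0].prefixlen)
        return f"{dev} via {via}"

# Assumed addresses (documentation ranges; not taken from the FAQ):
ISP_GW     = "192.0.2.1"        # what the Slave passes as /G:
MASTER_PUB = "198.51.100.10"    # what the Slave passes as /M:
INET_HOST  = "203.0.113.7"      # some unrelated Internet host
LAN_ROUTER = "10.1.1.1"         # assumed default gateway of the LAN hosts
# Addresses from the customer setup guide:
MASTER_TUN = "10.3.1.1"         # TM /r:10.3.1.1
SLAVE_TUN  = "10.3.2.1"         # TS /R:10.3.2.1
MASTER_LAN = "10.1.1.45"        # Master's address on the corporate LAN

def slave_table(split_tunnel, host_route=True):
    """Routing table of a Tunnel Slave.  split_tunnel=False is plain 'TS';
    split_tunnel=True is 'TS /D' with the dialer (InJoy /D) keeping its own
    default route and the corporate route added by hand."""
    t = RoutingTable()
    if host_route:   # TS derives this from the ISP gateway (/G or connect.txt)
        t.add(f"{MASTER_PUB}/32", ISP_GW, "ppp0")
    t.add("10.3.0.0/16", MASTER_TUN, "tun0")       # the Tunnel/2 subnet itself
    if split_tunnel:
        t.add("10.1.0.0/16", MASTER_TUN, "tun0")   # corporate LAN only via the tunnel
        t.add("0.0.0.0/0", ISP_GW, "ppp0")         # everything else straight to the ISP
    else:
        t.add("0.0.0.0/0", MASTER_TUN, "tun0")     # everything via the Master
    return t

def slave_paths(split_tunnel, host_route=True):
    """Next hop chosen by the Slave for three representative destinations."""
    t = slave_table(split_tunnel, host_route)
    return {"lan_host": t.lookup("10.1.1.55"),
            "internet": t.lookup(INET_HOST),
            "master_public": t.lookup(MASTER_PUB)}

def lan_host_reply_path(return_route_added):
    """Where LAN host 10.1.1.55 sends a reply addressed to the Slave (10.3.2.1)."""
    t = RoutingTable()
    t.add("10.1.0.0/16", "direct", "lan0")         # directly connected LAN
    t.add("0.0.0.0/0", LAN_ROUTER, "lan0")
    if return_route_added:   # route add -net 10.3.0.0 10.1.1.45 255.255.0.0 1
        t.add("10.3.0.0/16", MASTER_LAN, "lan0")
    return t.lookup(SLAVE_TUN)

if __name__ == "__main__":
    print("TS (full tunnel):   ", slave_paths(False))
    print("TS without host rt: ", slave_paths(False, host_route=False))
    print("TS /D (split):      ", slave_paths(True))
    print("LAN reply, no route:", lan_host_reply_path(False))
    print("LAN reply, route:   ", lan_host_reply_path(True))
```

   Two things the simulation makes visible: without the host route to the
   Master's Internet address, the Slave's own tunnel packets would match
   the default route and be sent back into the tunnel, which is why TS
   needs the ISP gateway address; and without the return route on
   10.1.1.55 (or on the LAN router), replies to the Slave go to the LAN's
   default gateway, which knows nothing about the Tunnel subnet.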



QUESTION: What platforms are supported?

   So far Tunnel/2 only runs on OS/2.

   F/X is actively seeking to provide Tunnel/2 on the Windows platform,
   but so far we cannot commit to a release date for this project.



QUESTION: Can I connect Tunnel/2 clients to other Tunnel software?

   Standards for tunneling have been a moving target and none of the current
   standards provides the functions that F/X is seeking to provide.

   Remember, Tunnel/2 supports advanced features such as two-way
   dial-on-demand, real-time compression, DES encryption, filtering and
   hardware independence.
   
   Accordingly, Tunnel/2 uses a proprietary protocol and can therefore
   not connect to other tunnel types. However, by adding an OS/2
   gateway PC to the Master LAN, Tunnel/2 can easily coexist with
   other tunnel solutions.

   F/X is keeping an eye on the new standards as they appear and when
   we find one that allows us to use it, we'll definitely support it.


QUESTION: Is Tunnel/2 100% stable and ready for commercial use?

   Yes, Tunnel/2 is stable and ready for commercial use.

   Check out this interview with the Saskatchewan Wheat Pool (SWP). SWP is 
   Canada's largest publicly traded agricultural co-operative. SWP now has 
   annual total sales of more than $4.1 billion.

   Interview performed in January 1998 by ComputerWorld in Denmark.

   Q: How many locations are connected to the VPN now? How many will be 
      (supposing that the project isn't completed yet)? 

   A: The number will go up over time, but we have about 300 stations 
      right now. 

   Q: How does the cost of setting up an Internet-based VPN compare to 
      leased lines and/or Frame Relay services? I suppose that it is 
      cheaper, but how much? 

   A: Our VPN sites cost somewhere between $100 and $200 per month for 
      sites which do not maintain TCPBEUI connections. Sites with TCPBEUI 
      connections cost us $300-400 per month. Having the ability to filter 
      NetBIOS keep-alive frames in a future version of Tunnel/2 will 
      reduce our cost significantly. 

      We also use Frame Relay connections for many of our sites. Frame costs 
      us about $1000 per month at each site. 

      With Tunnel/2 we can route IP to an entire subnet at each site. Sites 
      have a Warp Server along with at least one Windows 95 machine which 
      is used for office automation as well as at least one machine used 
      for point of sale. I would guesstimate that we average 1.5 OA machines 
      and 2.5 POS machines per site. 

      Whether frame or Tunnel/2, all sites have equivalent functionality. We 
      use 33.6kbps modems to connect to our ISP and 56kbps DSUs at Frame 
      Relay sites. The speed is similar, but frame is about 25% faster when 
      transferring uncompressible data. 

   Q: As I understand it, security currently is based on encryption of data 
      and a password scheme. Are you planning to add additional security 
      measures later? 

   A: No. 

   Q: Would you recommend Internet-based VPN's as a WAN solution for other
      companies? Are there special factors that should be taken into 
      account when considering the technology? Was it easier or harder to 
      implement than you had imagined? 

   A: I would definitely recommend VPN technology. It provides an important 
      link to sites which would not be economically connected with any other 
      way. Situations which involve long periods of inactivity really 
      perform well with the VPN. For us, the speed is comparable to 56k 
      Frame Relay. I would consider reliability to be similar to frame as
      well, but we have a particularly good ISP. 

      At some sites, we have a permanent Internet connection. With these 
      sites, we use Tunnel/2 (without InJoy) to provide a permanent 
      connection into our Intranet. It works very well and provides the 
      security and connectivity we need. 

      As long as some form of Internet connectivity exists, Tunnel/2 will 
      provide full intranet connectivity. In addition, it provides a way 
      to assign permanent addresses to given machines. Even a roaming
      laptop could have a static IP address regardless of the ISP being
      connected to. We consider Tunnel/2 to be a key component in our global
      connectivity strategy. 

      Tunnel/2 demands a decent understanding of IP routing, although I'm 
      sure that future versions of the product will make this less so. 



QUESTION: Does Tunnel/2 support the OS/2 utilities: IPTRACE and IPFORMAT?

   Yes.



QUESTION: Is Tunnel/2 year 2000 compliant?

   Yes.









     Copyright (c) 1998, F/X Communications. All rights reserved.




