
Hands on: Troubleshooting remote access

How to solve problems with VPNs, and a round-up of power line networking tools

Alan Stevens, Personal Computer World 24 Jul 2007

Remote Lan access can be tricky to get right, so I thought I’d share one problem I came across recently which could cause a lot of head scratching, especially if you’re not familiar with networks and addressing schemes.

It involved a company wanting to enable staff to work from home, using a very simple virtual private network (VPN) solution. To this end the company had purchased and installed a Draytek ADSL router with a built-in VPN server.

Like others, the Draytek router supports a variety of tunnelling protocols, but to keep things as simple as possible the company had opted for a basic PPTP (Point to Point Tunnelling Protocol) implementation. Not the most secure, admittedly, but easy to set up and it was working well with several users configured on the router, connecting from home using the client software in Windows XP.

Another benefit was the ease with which new users could be added, with the network administrator simply creating a new account on the router then talking the user through the configuration work required to connect on their home PC or laptop.

One new user, however, couldn’t get it to work, so I was asked to investigate. She confirmed that she had internet access and had configured a VPN connection in Windows XP, using the same parameters as everyone else. On the face of it, all seemed to be working correctly. Windows XP was reporting a successful connection when she selected the icon on her desktop, but she couldn’t see her files on the company server. Neither was she able to work on her email held in an Imap folder on the office mail server.

Naturally, we went through all the settings again, but found everything as it should be. We made sure the VPN server was up and working and that a suitable account had been configured on the router to enable her to connect remotely. Again, everything was in order and, when we checked the active connections, the router reported her as successfully attached using a PPTP tunnel.

I started to suspect it was the way the home network was configured, and that’s when we discovered the true cause of the problem.

Like a lot of small companies, the office network involved was protected using Network Address Translation (Nat) on the router with a single local subnet in the 192.168.0.0 range. VPN users were set up to be assigned an IP address between 192.168.0.50 and 192.168.0.100 using the host DHCP server, also provided by the router. Unfortunately, the router on the home network was also Nat protected and configured to use the same 192.168.0.0 subnet internally.

This didn’t stop the tunnel being successfully established. However, because the subnets were the same at each end, the Windows PC on the home network was unable to distinguish between packets that needed to be sent down the tunnel to the remote Lan and those addressed to other devices on the local network.

There were several ways in which we could have solved this, including switching to a more complex IPSec VPN or tweaking routing tables. However, to minimise the amount of work involved, we felt it better to change either the subnet on the office network or the user’s home router.

Changing the office network would also have involved a fair amount of work because of the servers and several network printers with fixed addresses. So, at the risk of encountering the problem again, we opted to change the user’s home router to use the 192.168.1.0 subnet and assign addresses in that range to her PC and any others she might connect to the Lan.
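The clash is easy to test for before a new home user is set up. The following Python sketch is an added example, not part of the original column: it checks a home Lan against the office subnet and VPN address pool quoted above and proposes a free 192.168.x.0 range. The /24 masks and the server address 192.168.0.10 are assumptions, as the article gives neither.

```python
import ipaddress

# Office values quoted in the article; the /24 mask is an assumption.
OFFICE_LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_POOL = (ipaddress.ip_address("192.168.0.50"),
            ipaddress.ip_address("192.168.0.100"))


def check_home_lan(home_lan):
    """Report whether a home subnet collides with the office Lan or VPN pool."""
    home = ipaddress.ip_network(home_lan)
    # A DHCP range is not a single CIDR block, so split it into covering blocks.
    pool_blocks = ipaddress.summarize_address_range(*VPN_POOL)
    return {
        "office_lan": home.overlaps(OFFICE_LAN),
        "vpn_pool": any(home.overlaps(block) for block in pool_blocks),
    }


def ambiguous(dest, home_lan):
    """True if dest could be either a local device or an office host."""
    addr = ipaddress.ip_address(dest)
    return addr in ipaddress.ip_network(home_lan) and addr in OFFICE_LAN


def suggest_home_lan(avoid=()):
    """First 192.168.x.0/24 that overlaps neither the office nor 'avoid'."""
    taken = [OFFICE_LAN] + [ipaddress.ip_network(n) for n in avoid]
    for candidate in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    return None


if __name__ == "__main__":
    server = "192.168.0.10"  # hypothetical office server address
    for home in ("192.168.0.0/24", "192.168.1.0/24"):
        print(home, check_home_lan(home),
              "ambiguous server:", ambiguous(server, home))
    print("suggested home subnet:", suggest_home_lan())
```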

The only slight hiccup was that she couldn’t remember the router password. It turned out to be the default for the model involved, so it didn’t hold us up for long. And, of course, once we’d made the change and confirmed that she had VPN access I made sure we also changed the administrator password to something less obvious.

Too much protection

Another user at the same company also came up with a weird problem which took a lot longer to resolve, this time migrating email to a newly purchased notebook.

The user here was using Outlook as his client, pulling messages down from the company mail server to a local personal folders (.pst) file using Pop3.

However, because he wanted to access his mail from home as well, we needed to switch him over to an Imap account, where messages are left on the server.

So, we configured a new install of Outlook on the notebook, then took the option to import existing Pop3 messages from the old one. That’s a process which should have taken just a few minutes over the 100Mbits/sec Lan connection involved, but which dragged on for over an hour before I stopped it.

The same happened when I tried a second time, so I switched tack and simply copied over the .pst file from the old PC, the idea being that we could then drag and drop into the new Imap folder. However, Outlook then struggled to open the copied .pst, with a lot of disk and processor activity but nothing much happening on the screen.

It looked as though there was something wrong with the .pst file itself, but compacting it had no effect. Moreover, the same version of Outlook was being used on both PCs to open the same .pst file.

The cause turned out to be the free anti-virus software which came pre-installed on the new notebook. Because this hadn’t ‘seen’ any of the hundreds of messages in the Outlook personal folders file, it was furiously trying to scan each one on the fly when I either tried to import them or open the file directly.

Turning it off solved the problem, after which I installed the normal anti-virus client used by this company, and all was well. It just goes to show that sometimes free software can cause problems that are hard to track down.

Lan over power

I’ve been playing with some more Homeplug/Powerline kit and was impressed by how easy it is to build or extend a network using these products, and the level of compatibility when using devices from different vendors.

The products I was sent this time were from a company called Vesenet, distributed in the UK by Solwise. I looked at a single-port Vesenet PLA-85-E (£27.45 inc Vat) and a 3-port switch, the PLA-84-3E, which sells for £40.19 inc Vat. Both offer up to 85Mbits/sec Ethernet networking over ordinary domestic AC wiring with optional 56-bit DES encryption, for those worried that someone might be able to hack into their networks over the National Grid.

At least two Homeplug devices are required to create a network, but all you have to do is plug them into a mains socket and they will locate each other and establish a connection automatically. Unfortunately they are quite bulky, which can cause problems with other devices. For example, it can be difficult to operate the on/off switch and there’s not much room left over for things like AC adapters.

However, the PLA-84-3E is particularly nice in this respect in that it comes with a plug-in lead, rather than being inserted directly into the socket. I’ve also experimented with extension leads. According to most vendors, you’re not supposed to be able to plug Homeplug adapters into them, but in my tests they worked fine.

LEDs light up when other devices are found and a connection has been established over the AC wiring. The adapters can also be on different cabling rings and you can have either fuses or miniature circuit breakers in the consumer unit. Moreover, I was able to mix the Vesenet products with others I was already using from Netgear and was more than pleasantly surprised when they simply found each other and started working.

Given that there are agreed standards covering Powerline networks, I guess I shouldn’t be that surprised when products from different companies work together. Still, it’s refreshing when they do. I could even manage the adapter encryption using the software provided from either vendor, which turned out to be based on more or less the same code from the Homeplug Alliance.

The only bugbear was a lack of performance. Just as with wireless networking, the maximum bandwidth claimed (85Mbits/sec) simply isn’t delivered. I also got varying results depending on where the adapters were plugged into the mains. However, I did manage an average of around 50-60Mbits/sec which isn’t bad, and it’s a lot better than most wireless setups. For internet connection sharing it’s more than adequate and it also enabled me to share a Nas server with no problems.

I’m also looking forward to trying out adapters based on the Homeplug AV specification. These support a maximum bandwidth of 200Mbits/sec and have additional QoS (Quality of Service) facilities, specifically to handle streaming of high-definition video to remote TVs. I’ll let you know how they perform when I get them.

www.pcw.co.uk/2194822
© Incisive Media Ltd. 2008