Alan S. Lawee
2010-Jul-21 21:58 UTC
FW: New issue, configuring 2 Vista nodes behind Norton Internet Security 2010 Firewalls
Finally resolved the problem, I'm actually impressed with the throughput over the tinc VPN! I encountered & resolved two problems during this installation.

First, the config files need to go in different places, depending on whether you run tinc as a service or in the foreground from a Command Prompt running as Administrator (C:\Program Files\tinc\...) or if you are running tinc in the foreground from a Command Prompt running as a normal user, even if the user has administrative privileges (C:\User\AppData\Local\Virtual Store\Program Files\tinc\...). It does not seem to matter to tinc which environment it runs under - you just have to make sure that the VPN & Host files are in the right place for the environment you choose.

Second, even after tinc was properly configured, the Norton Internet Security 2010 (NIS 2010) Firewall prevented proper communication in both directions over the VPN. We resolved this problem by establishing 'Full Trust' in the NIS 2010 Network Security Map, both over the Office LAN (for when both nodes are connected to the Office LAN) and also over the VPN (for when both nodes are connected to different LANs).

*** NOTE: This did not start working until we brought down the VPN at each end and started it up again at both ends.

There were several misleading clues that I came across during the debugging process - one suggested that the 'Stealth Blocked Packets' feature needed to be turned off, which turned out to have no effect; the other was a suggestion from Norton Tech Support (before I was escalated to the software engineering group) to set up a top-priority rule to allow all traffic in both directions between two nodes on a local subnet. (There would be up to 2 subnets: the VPN, and the LAN when the remote node attached to the office LAN.)

Thanks to Peter & Guus for their help along the way.

My next challenge is to set tinc up on my Windows 7 notebook.

Kind regards to all,
Alan
Guus Sliepen
2010-Jul-21 22:16 UTC
FW: New issue, configuring 2 Vista nodes behind Norton Internet Security 2010 Firewalls
On Wed, Jul 21, 2010 at 05:58:47PM -0400, Alan S. Lawee wrote:

> Finally resolved the problem, I'm actually impressed with the throughput
> over the tinc VPN!

Great!

> First, the config files need to go in different places, depending on whether
> you run tinc as a service or in the foreground from a Command Prompt running
> as Administrator (C:\Program Files\tinc\...) or if you are running tinc in
> the foreground from a Command Prompt running as a normal user, even if the
> user has administrative privileges (C:\User\AppData\Local\Virtual
> Store\Program Files\tinc\...). It does not seem to matter to tinc which
> environment it runs under - you just have to make sure that the VPN & Host
> files are in the right place for the environment you choose.

Aha. When you install tinc, it sets a registry key, storing the installation directory there. On XP, I believe tinc could always find that key, whether it was installed/run as admin, normal user or normal user with administrator rights. However, your observations suggest that an application gets a different registry view depending on how it is started. I think I will have to mention very clearly in the documentation that you should always install and start as the same user, with administrator rights.

> Second, even after tinc was properly configured, the Norton Internet
> Security 2010 (NIS 2010) Firewall prevented proper communication in both
> directions over the VPN. We resolved this problem by establishing 'Full
> Trust' in the NIS 2010 Network Security Map, both over the Office LAN (for
> when both nodes are connected to the Office LAN) and also over the VPN (for
> when both nodes are connected to different LANs). *** NOTE: This did not
> start working until we brought down the VPN at each end and started it up
> again at both ends.

Thanks for reporting what the solution for your problem was. This will certainly help others encountering a similar problem.

> My next challenge is to set tinc up on my Windows 7 notebook.

I think this should be easy now :)

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
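
An added example, not part of the original thread and not tinc project code: a check for the situation discussed above, where a second copy of the tinc configuration lives in the per-user Virtual Store and a non-elevated tinc reads that copy instead of the one under Program Files. The function name and the default paths (`%ProgramFiles%\tinc` and `%LOCALAPPDATA%\VirtualStore\Program Files\tinc`) are assumptions; pass the real directories for your installation.

```python
import hashlib
import os
from pathlib import Path


def _digest(path):
    """SHA-256 of a file's contents, used to compare the two copies."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadow_copies(installed_dir, virtual_dir):
    """Map each file under virtual_dir to its status versus installed_dir.

    Status is 'identical', 'differs' or 'virtual-only'. Any entry means a
    non-elevated process may see different configuration (or key material)
    than the service or an elevated prompt does.
    """
    installed_dir, virtual_dir = Path(installed_dir), Path(virtual_dir)
    report = {}
    if not virtual_dir.is_dir():
        return report  # nothing has been redirected for this user
    for shadow in sorted(p for p in virtual_dir.rglob("*") if p.is_file()):
        rel = shadow.relative_to(virtual_dir)
        real = installed_dir / rel
        if not real.is_file():
            status = "virtual-only"
        elif _digest(real) == _digest(shadow):
            status = "identical"
        else:
            status = "differs"
        report[rel.as_posix()] = status
    return report


if __name__ == "__main__":
    # Assumed default locations; adjust to the actual install directory.
    installed = Path(os.environ.get("ProgramFiles", r"C:\Program Files")) / "tinc"
    local = os.environ.get("LOCALAPPDATA", "")
    virtual = Path(local) / "VirtualStore" / "Program Files" / "tinc"
    for rel, status in find_shadow_copies(installed, virtual).items():
        print(f"{status:13} {rel}")
```

Run it as each user who starts tinc, since the Virtual Store is per user; a 'differs' or 'virtual-only' entry for a key or host file is the one to reconcile first.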