PacketiX VPN 2.0 Online Manual (page 1/685)

PacketiX VPN 2.0 Manual

Welcome to the PacketiX VPN 2.0 Online Manual

Introduction
Welcome to PacketiX VPN 2.0.
Before Reading the Manual
Content

Chapter 1: Overview
1.1 What is PacketiX VPN?
1.2 Software of which PacketiX VPN is composed
1.3 PacketiX VPN 2.0 Product Configuration and License
1.4 VPN Operation Principle and Communication Method
1.5 Bolstering Security
1.6 VPN Communication Details
1.7 Handling Large Environments by Clustering
1.8 Multiple Language Support
1.9 VoIP / QoS Support Function

Chapter 2: PacketiX VPN 2.0 Overall Manual
2.1 VPN Communications Protocol
2.2 User Authentication
2.3 Server Authentication
2.4 VPN Server Manager
2.5 VPN Client Manager
2.6 VPN Command Line Management Utility (vpncmd)

Chapter 3 PacketiX VPN Server 2.0 Manual
3.1 Operating Environment
3.2 Operating Modes
3.3 VPN Server Administration
3.4 Virtual HUB Functions

file://C:¥html¥all.htm 2007/11/20

3.5 Virtual HUB Security
3.6 Local Bridges
3.7 Virtual NAT & Virtual DHCP Servers
3.8 Virtual Layer 3 Switches
3.9 Clustering
3.10 Logging Service
3.11 Day-to-Day Management

Chapter 4 PacketiX VPN Client 2.0 Manual
4.1 Operating Environment
4.2 Operating the VPN Client
4.3 Virtual Network Adapter
4.4 VPN Server Connection Method
4.5 Connecting to VPN Server
4.6 Using and Managing Smart Cards
4.7 Management in a Large-Scale Environment
4.8 Measuring Effective Throughput
4.9 Other Functions

Chapter 5 PacketiX VPN Bridge 2.0 Manual
5.1 Operating Environment
5.2 Operating Modes
5.3 Differences between VPN Server and VPN Bridge

Chapter 6 Command Line Management Utility Manual
6.1 Overview of vpncmd
6.2 General Usage of vpncmd
6.3 VPN Server / VPN Bridge Management Command Reference (For Entire Server)
6.4 VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)
6.5 VPN Client Management Command Reference
6.6 VPN Tools Command Reference

Chapter 7 Installing PacketiX VPN Server 2.0
7.1 Installation Precautions
7.2 Installing to Windows and Configuring the Default Settings
7.3 Installing to Linux and Configuring the Default Settings
7.4 Default Settings

7.5 Installing to Other Unix Systems
7.6 Uninstalling PacketiX VPN Server 2.0

Chapter 8 Installing PacketiX VPN Client 2.0
8.1 Installation Precautions
8.2 Installing to Windows and Configuring the Default Settings
8.3 Uninstalling PacketiX VPN Client 2.0

Chapter 9 Installing PacketiX VPN Bridge 2.0
9.1 Installation Precautions
9.2 Installing to Windows and Configuring the Default Settings
9.3 Installing to Linux and Configuring the Default Settings
9.4 Default Settings
9.5 Uninstalling PacketiX VPN Bridge 2.0

Chapter 10 Instructions and Examples For Configuring a VPN
10.1 Types of VPNs
10.2 Common Elements
10.3 Setting Up a PC-to-PC VPN
10.4 Setting Up a Generic Remote Access VPN
10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)
10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)
10.7 Combining a LAN-to-LAN VPN and a Remote Access VPN
10.8 Setting Up a Large Scale Remote Access VPN Service
10.9 Setting Up a Large Scale Virtual HUB Hosting Service
10.10 Using Remote Access as a Single User
10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights
10.12 Using Public Networks Like Public Wireless Access Safely

Chapter 11 Troubleshooting and Supplementary Information
11.1 Troubleshooting
11.2 Useful Information
11.3 General Supplementary Information
11.4 Additional Security Information
11.5 Additional Information Regarding Communication Protocols
11.6 Additional Compatibility Information

11.7 Future Plans for PacketiX VPN

Chapter 12 PacketiX VPN Software Specification
12.1 PacketiX VPN Server 2.0 Specs
12.2 PacketiX VPN Client 2.0 Specs
12.3 PacketiX VPN Bridge 2.0 Specs
12.4 PacketiX VPN Protocol Specification
12.5 Error Codes

Chapter 13 Support
13.1 About Support
13.2 Technical Information and Updates From softether.com

Change Log

Introduction

Thank you for using the PacketiX VPN 2.0 official manual.

The official manual contains detailed descriptions of how to use PacketiX VPN 2.0 and technical information on the software, covering almost all of its functions, together with troubleshooting and supplementary information. You should read the official manual before attempting to use PacketiX VPN 2.0.

Welcome to PacketiX VPN 2.0.


Before Reading the Manual
Targets of the Manual
Required Advance Knowledge
Getting the Latest Information and Update Versions
Description of Icons in Illustrations
Notes
Reporting Defects or Faults
Content

Welcome to PacketiX VPN 2.0.

PacketiX VPN 2.0 is the latest release of the next-generation VPN communications software provided by SoftEther Corporation, offering stability, flexibility and expandability. PacketiX VPN 2.0 lets the user safely build a high-performance Virtual Private Network (VPN) over an IP network, of which the Internet is the representative example. VPN technology can be put to full use in fields ranging from business communications to networks for individual and home use.

You should read the PacketiX VPN 2.0 official manual to use PacketiX VPN 2.0 to its full potential for VPN communications.

Before Reading the Manual

You should be aware of the following before reading the manual:

Targets of the Manual

The PacketiX VPN 2.0 official manual contains an overview of and information on how to
use the latest release of next-generation VPN communications software provided by
SoftEther Corporation, how to construct a VPN, and how to solve problems. The manual
is designed for network administrators, system administrators, system instructors, IT
professionals and end users with detailed knowledge of computers who require
information about the specifications of PacketiX VPN 2.0 software.

If you want a detailed understanding of PacketiX VPN 2.0 and its peripheral technologies, you should read the entire manual carefully. Otherwise, you may read just the sections you need and skip the rest.

One of the most important features of PacketiX VPN 2.0 is that the end user can make use of its advanced and efficient VPN functions without detailed knowledge of VPNs. In other words, the software is easy to use, and its default configuration is designed to maintain sufficient security even before any settings are changed. Administrators should nevertheless set the server administrator password and review the server administration and Virtual HUB security settings described in sections 3.3 and 3.5 before exposing a VPN Server to an untrusted network.

In order to use the various functions of PacketiX VPN 2.0 properly, we recommend that you read the entire manual. For a VPN of ordinary scale, some knowledge of TCP/IP and VPNs is all you need, and in that case you may not have to read the entire manual.

Required Advance Knowledge

The following knowledge is necessary to fully understand the contents of the manual. If you find that your understanding of any of the following is insufficient, obtain the required technical information from books or the Internet and use it in combination with the manual.

- Ethernet: the operating principles of Ethernet communication devices (network adapters, switching hubs, etc.) and the practical methods of building a network with Ethernet.
- Internet Protocol (IP): the operating principles of IP communication devices (routers, layer 3 switches, etc.) and the practical methods of building a network with IP.
- The various types of gateways used together with IP, such as NAT, proxy servers and firewalls.
- How to use the important network tools for TCP/IP (ping, telnet, etc.).
- Basic use of the computer systems and operating systems on which PacketiX VPN runs, and basic information on how those systems are attached to the network.
- Basic knowledge of PKI, certificates and RSA public-key cryptography, for using the certificate authentication (PKI) function.

Although not required, in some cases the software's functions can be used more effectively by learning about the following items as well:

- The concept of user mode and kernel mode in ordinary operating systems.
- Technologies commonly used in today's computers, such as hardware interrupts, software interrupts and system calls.
- The implementation and architecture of TCP/IP in ordinary operating systems.
- Conventional VPN protocols (PPTP, IPsec, etc.).
- Detailed knowledge of the behaviour and phenomena that occur when the TCP/IP protocols are used on a real network.
- The communication protocols of commonly used applications.
- The knowledge of computers and programming expected of advanced IT professionals and developers.

Acquiring this supplementary knowledge not only enables you to master PacketiX VPN 2.0 but also helps with troubleshooting when problems occur, with stable operation, and with building efficient systems in fields unrelated to VPNs.

Getting the Latest Information and Update Versions

The information contained in the manual was the latest information at the time the
manual was written. Information may however subsequently be updated, circumstances
may change, an updated version of the software may be released or specifications may
be changed.

In such cases, get the latest information from SoftEther Corporation's official website. The latest online version of the manual is available at the following official website and can be downloaded free of charge.

If you purchased PacketiX VPN 2.0 on physical media together with a printed manual, check the website for updated versions of the software and manual.

http://www.softether.com/

Description of Icons in Illustrations

The manual contains numerous illustrations that use icons such as the following.

[Figure: Icons that appear in illustrations in the manual]

Notes

The specifications of the PacketiX VPN 2.0 software and the contents of the manual are subject to change without notice. If you find inconsistencies between descriptions of software functions or limitations in this manual and in other documents released by SoftEther Corporation, the description that appears most frequently generally applies. Unless otherwise specified, the names of companies, organizations, products, people, characters and data that appear in the manual as examples are fictitious and bear no resemblance to actual companies, organizations, products, people, characters or data.

The software and manual may only be used as specified in the users' agreement. No part of the software or manual may be reproduced or transferred to another party or parties for any purpose without the written permission of SoftEther Corporation (this does not apply in cases expressly permitted by the users' agreement or exempted by copyright law).

SoftEther Corporation may possess patents, pending patents, trademarks, copyrights or other property rights concerning the contents of the manual, which are not licensed to the customer.

Copyright (C) 2004-2007 SoftEther Corporation. All Rights Reserved.

PacketiX is a trademark of SoftEther Corporation for which an application for registration has been filed. Names of companies, products and services that appear in the manual may be registered trademarks or trademarks of those companies.

- This product includes software developed by OpenSSL.
This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

- This product includes software developed by WinPcap.
Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy). All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

- This product includes software developed by zlib.
(C) 1995-2004 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Reporting Defects or Faults

If you discover any defects in the software or manual, or any content of the manual that does not accurately reflect the actual behaviour of the software, contact us as follows.

- If the software was purchased from a PacketiX VPN partner (dealer):
Contact the person in charge of support at the place of purchase.

- If the software was purchased directly from SoftEther Corporation, or if the software is a version provided by SoftEther Corporation free of charge:
Contact SoftEther Corporation through the official website at http://www.softether.com/ .

Content

This is the complete table of contents of the PacketiX VPN 2.0 online manual.

Introduction
Welcome to PacketiX VPN 2.0.
Before Reading the Manual
Targets of the Manual
Required Advance Knowledge
Getting the Latest Information and Update Versions
Description of Icons in Illustrations
Notes
Reporting Defects or Faults
Content

Chapter 1: Overview
1.1 What is PacketiX VPN?
1.1.1 SoftEther VPN and PacketiX VPN
1.1.2 Structure and Operating Principle of VPN
1.1.3 Limitations of old VPN Solution
1.1.4 VPN Communication by PacketiX VPN

1.1.5 NAT, Proxy Server and Firewall Pass
1.1.6 Stability and Security
1.1.7 High-speed Communications Throughput
1.1.8 Advanced Function and Expandability
1.1.9 Platform Independence and Interchangeability
1.1.10 Addition of Functions by Option Pack
1.2 Software of which PacketiX VPN is composed
1.2.1 PacketiX VPN Server
1.2.2 PacketiX VPN Client
1.2.3 PacketiX VPN Bridge
1.2.4 PacketiX VPN Server Manager
1.2.5 PacketiX VPN Command Line Management Utility (vpncmd)
1.2.6 Other Included Utilities
1.3 PacketiX VPN 2.0 Product Configuration and License
1.3.1 Types of Editions According to Usage Objective
1.3.2 Functions and Features of the Various Editions
1.3.3 PacketiX VPN Server 2.0 Standard Edition
1.3.4 PacketiX VPN Server 2.0 Enterprise Edition
1.3.5 PacketiX VPN Server 2.0 Carrier Edition
1.3.6 PacketiX VPN Server 2.0 Embedded Edition
1.3.7 PacketiX VPN Server 2.0 Academic Edition
1.3.8 64-bit version of PacketiX VPN Server 2.0
1.3.9 Connection Licenses
1.3.10 Client Connection Licenses
1.3.11 Bridge Connection License
1.3.12 PacketiX VPN Client and PacketiX VPN Bridge
1.3.13 Demo Version License
1.3.14 License Expiration Date
1.3.15 Server ID of License
1.3.16 License ID and License Key
1.3.17 License Validity and Information Check Method
1.3.18 Additional Purchase of Licenses
1.3.19 PacketiX VPN 2.0 Option Pack
1.3.20 PacketiX VPN 2.0 Administration Pack
1.4 VPN Operation Principle and Communication Method
1.4.1 Conventional Ethernet Configuration
1.4.2 Virtual HUB
1.4.3 Virtual Network Adapter
1.4.4 Cascade connection and virtual layer 3 switch

1.4.5 Bridge Connection of Virtual Network and Physical Network
1.4.6 Computer-to-computer VPN
1.4.7 Remote Access VPN
1.4.8 Base-to-Base VPN of Ordinary Scale
1.4.9 Base-to-Base VPN of Large Scale
1.5 Bolstering Security
1.5.1 Abundant User Authentication Options
1.5.2 Robust Encryption
1.5.3 Server Certificate Verification
1.5.4 Use with Smart Cards
1.6 VPN Communication Details
1.6.1 VPN Sessions
1.6.2 Accepting Connection by VPN Server
1.6.3 Connecting to Virtual HUB
1.6.4 TCP/IP Communication of Session Data
1.6.5 Association with MAC Address
1.6.6 Session from other VPN Server / VPN Client / VPN Bridge
1.6.7 VPN Session Connection Modes
1.6.8 Client Mode Session
1.6.9 Bridge/Router Mode Session
1.6.10 Monitoring Mode Session
1.6.11 Local Bridge Session
1.6.12 Cascade Connection Session
1.6.13 SecureNAT Session
1.6.14 Virtual Layer 3 Switch Session
1.7 Handling Large Environments by Clustering
1.7.1 Necessity of Clustering
1.7.2 Applications of Clustering
1.7.3 Large Scale Remote Access VPN Server
1.7.4 Large Scale Virtual HUB Hosting VPN Server
1.7.5 Product License and Connection License when Clustering
1.8 Multiple Language Support
1.8.1 Unicode Support
1.8.2 User Interface that Supports Multiple Languages
1.8.3 Limitations
1.9 VoIP / QoS Support Function
1.9.1 What is VoIP / QoS Support Function?
1.9.2 Applying to Extension System by Connecting Bases by Layer 2 VPN Using IP Telephone Equipment
1.9.3 If VoIP / QoS Support Function can be Used
1.9.4 Types of Packets Priority Controlled by VoIP / QoS Support Function

Chapter 2: PacketiX VPN 2.0 Overall Manual
2.1 VPN Communications Protocol
2.1.1 Communication Speed
2.1.2 Flexibility
2.1.3 Communication Efficiency and Stability
2.1.4 Encrypted Communication Security
2.1.5 Support for VoIP / QoS
2.2 User Authentication
2.2.1 Anonymous Authentication
2.2.2 Password Authentication
2.2.3 RADIUS Authentication
2.2.4 NT Domain and Active Directory Authentication
2.2.5 Individual Certificate Authentication
2.2.6 Signed Certificate Authentication
2.3 Server Authentication
2.3.1 Necessity of Server Authentication
2.3.2 Server Individual Certificate Authentication
2.3.3 Server Signed Certificate Authentication
2.4 VPN Server Manager
2.4.1 What is VPN Server Manager
2.4.2 VPN Server Manager Support System
2.4.3 Connecting to VPN Server and VPN Bridge
2.4.4 Installing VPN Server Manager Alone
2.4.5 Setup Wizard
2.4.6 Limitations
2.5 VPN Client Manager
2.5.1 What is VPN Client Manager?
2.5.2 System that Supports VPN Client Manager
2.5.3 Integrating with VPN Client
2.5.6 Limitations
2.6 VPN Command Line Management Utility (vpncmd)
2.6.1 What is vpncmd?
2.6.2 Displaying Command Help

Chapter 3 PacketiX VPN Server 2.0 Manual
3.1 Operating Environment
3.1.1 Support for Windows
3.1.2 Support for Linux
3.1.3 Support for FreeBSD
3.1.4 Support for Solaris
3.1.5 Support for Mac OS X
3.1.6 Support for Embedded Devices
3.1.7 Limitations
3.2 Operating Modes
3.2.1 Service Mode
3.2.2 User Mode
3.3 VPN Server Administration
3.3.1 Administration without the need for System Stop
3.3.2 PacketiX VPN Server and Virtual HUBs
3.3.3 Administration Tools & Remote Administration
3.3.4 Administration Authority
3.3.5 SSL Certificates
3.3.6 Listener Ports
3.3.7 Configuration File
3.3.8 Configuration Version Numbers
3.3.9 Configuration History
3.3.10 Administration of Statistical Information
3.3.11 Automatic Adjustment when Disk Space is Insufficient
3.3.12 Failure Recovery
3.3.13 Keep Alive Internet Connection Function
3.3.14 Obtaining Server Information
3.3.15 Selecting Encryption Algorithms for use in SSL Transmission
3.3.16 Initializing the VPN Server Service Reboot & Configuration Information
3.3.17 Syslog Transmission Function
3.3.18 Restricting IP Address Remote Administration Connection Sources
3.4 Virtual HUB Functions
3.4.1 Creating Virtual HUBs
3.4.2 Online & Offline Status
3.4.3 Maximum Simultaneous Connections
3.4.4 Connection Mode
3.4.5 Session Management
3.4.6 MAC Address Tables
3.4.7 IP Address Table
3.4.8 Confirming the Existence of IP Addresses with Poll Packets
3.4.9 Communicating in Bridge / Router Mode Session

3.4.10 Communicating in Monitoring Mode Session
3.4.11 Cascade Connection Functions
3.4.12 Server Authentication in Cascade Connections
3.4.13 Local Bridge
3.4.14 Administrator Connection
3.4.15 Obtaining Information on the Virtual HUBs
3.5 Virtual HUB Security
3.5.1 Delegating Virtual HUB Administration Authority
3.5.2 Virtual HUB Anonymous Enumeration Settings
3.5.3 External Authentication Server Settings
3.5.4 Users and Groups
3.5.5 Trusted Certification Authority Certificates
3.5.6 Certificates Revocation List
3.5.7 Setting CN & Serial Number on Signed Certificate Authentication
3.5.8 Setting an Alias in RADIUS Authentication or NT Domain & Active Directory Authentication
3.5.9 Security Policies
3.5.10 Packet Filtering with the Access List
3.5.11 Limiting Connections with the IP Access Control List
3.5.12 Virtual HUB Administration Options
3.6 Local Bridges
3.6.1 What is a Local Bridge?
3.6.2 Local Bridge Settings & Operation
3.6.3 Preparing the Local Bridge network adapter
3.6.4 Local Bridge Sessions
3.6.5 Supported Network Adapter Types
3.6.6 Use of network adapters not supporting Promiscuous Mode
3.6.7 Tagged VLAN Frames
3.6.8 Outputting all Communication Data in the Virtual HUB to the Network Adapter
3.6.9 Using Tap Devices
3.6.10 Points to Note when Local Bridging in Windows
3.6.11 Points to Note when Local Bridging in Linux
3.6.12 Points to Note when Local Bridging in Solaris
3.7 Virtual NAT & Virtual DHCP Servers
3.7.1 What is SecureNAT?
3.7.2 Setting the Virtual Host Network Interface
3.7.3 Virtual NAT
3.7.4 Points to Note when using Virtual NAT Function

3.7.5 Virtual DHCP Server
3.7.6 Points to Note when using the Virtual DHCP Server
3.7.7 SecureNAT Sessions
3.7.8 Logging SecureNAT Status
3.8 Virtual Layer 3 Switches
3.8.1 What is a Virtual Layer 3 Switch?
3.8.2 Difference between Bridging & IP Routing
3.8.3 Defining Virtual Layer 3 Switches
3.8.4 Adding Virtual Interfaces to connect to Virtual HUBs
3.8.5 Editing the Routing Table
3.8.6 Starting and Stopping Virtual Layer 3 Switches
3.8.7 Limitations
3.9 Clustering
3.9.1 What is Clustering?
3.9.2 Cluster Controllers
3.9.3 Cluster Member Servers
3.9.4 Load Balancing
3.9.5 Load Balancing using Performance Standard Ratio
3.9.6 Fault Tolerance
3.9.7 Static Virtual HUBs
3.9.8 Dynamic Virtual HUBs
3.9.9 Connecting to Arbitrary Servers in Static Virtual HUBs
3.9.10 Collectively Administering the Entire Cluster
3.9.11 Cluster Configuration Licenses
3.9.12 Functions not Available Simultaneously with Clustering
3.10 Logging Service
3.10.1 Log Save Format & Save Cycle
3.10.2 Server Log
3.10.3 Virtual HUB Security Log
3.10.4 Virtual HUB Packet Log
3.10.6 Obtaining Log Files on a Remote Administration Terminal
3.10.17 Syslog Transmission function
3.11 Day-to-Day Management
3.11.1 Auditing the Server Log
3.11.2 Checking Usage Status
3.11.3 Backing Up Configuration Information
3.11.4 Recovering from Failure
3.11.5 Rolling Back the Configuration
3.11.6 Confirming Hard Disk Availability

3.11.7 Network Administration Support Tools
3.11.8 Checking Sufficiency of Required Resources
3.11.9 Measuring Effective Throughput

Chapter 4 PacketiX VPN Client 2.0 Manual
4.1 Operating Environment
4.1.1 Windows Support
4.1.2 Linux Support
4.1.3 Support for Other Systems
4.1.4 Limitations
4.2 Operating the VPN Client
4.2.1 VPN Client Manager
4.2.2 Command Line Management Utility (vpncmd)
4.2.3 Task Tray Icon
4.3 Virtual Network Adapter
4.3.1 Support for Multiple Virtual Network Adapters
4.3.2 Virtual Network Adapter Creation and Setup
4.3.3 Managing the Version of the Virtual Network Adapter Device Driver
4.3.4 Bridge Connection Between a Virtual Network Adapter and Physical Network Adapter
4.4 VPN Server Connection Method
4.4.1 Selecting the Proper Connection Method
4.4.2 Direct TCP/IP Connection
4.4.3 Connection Via HTTP Proxy Server
4.4.4 Connection Via SOCKS Proxy Server
4.4.5 Server-Certificate Verification
4.4.6 Selecting a Virtual Network Adapter
4.4.7 User Authentication Setting
4.4.8 Use of the Smart Card Authentication
4.4.9 Automatic Reconnection Function
4.4.10 Connection Status and Error Message Displays
4.4.11 Advanced Communication Settings
4.4.12 Number of TCP/IP Connections for VPN Session Communications
4.4.13 Interval Between TCP Connections and Length of TCP Connection
4.4.14 Half-Duplex Mode Option
4.4.15 SSL Encryption Option
4.4.16 Data Compression Option
4.4.17 Selecting the Connection Mode
4.4.18 Routing Table Rewrite Process

4.4.19 Startup Connection
4.4.20 Exporting and Importing Connection Settings
4.4.21 Creating a Shortcut for a Connection Setting
4.4.22 VPN Server and VPN Bridge Cascade Connection Setting
4.5 Connecting to VPN Server
4.5.1 Starting a VPN Connection
4.5.2 Checking the Connection Status
4.5.3 Terminating a VPN Connection
4.5.4 Operations When an Error Occurs
4.6 Using and Managing Smart Cards
4.6.1 Smart Card Device Driver
4.6.1 Selecting a Smart Card
4.6.3 Listing and Obtaining Smart Card Objects
4.6.4 Deleting Smart Card Objects
4.6.5 Changing a PIN Code
4.6.6 Using Smart Card Authentication to Connect to VPN Server
4.6.8 Limitations
4.7 Management in a Large-Scale Environment
4.7.1 Remote Management of VPN Client
4.7.2 Distributing Configuration Files
4.7.3 Distributing a Connection Setting File to Users
4.8 Measuring Effective Throughput
4.8.1 Using the Communication Throughput Measurement Tool
4.8.2 Configuring the Communication Throughput Measurement Tool
4.8.3 Communication Throughput Measurement Precautions
4.9 Other Functions
4.9.1 Changing the User Password Registered to VPN Server
4.9.2 Internet Connection Maintenance Function
4.9.3 Voice Guide Function
4.9.4 Translucent Window Function
4.9.5 Setting Lock Function
4.9.6 Simple Mode and Normal Mode

Chapter 5 PacketiX VPN Bridge 2.0 Manual
5.1 Operating Environment
5.1.1 Support for Windows
5.1.2 Support for Linux
5.1.3 Support for FreeBSD
5.1.4 Support for Solaris

5.1.5 Support for Mac OS X
5.1.6 Support for Embedded Devices
5.1.7 Limitations
5.2 Operating Modes
5.2.1 Service Mode
5.2.2 User Mode
5.3 Differences between VPN Server and VPN Bridge
5.3.1 Features and Usage of VPN Bridge
5.3.2 Virtual HUB on VPN Bridge
5.3.3 Cascade Connection Function on VPN Bridge
5.3.4 Receiving a Connection on VPN Bridge
5.3.5 Local Bridge Function on VPN Bridge
5.3.6 SecureNAT Function on VPN Bridge
5.3.7 Virtual Layer 3 Switch Function on VPN Bridge
5.3.8 Coexistence of VPN Bridge and VPN Server

Chapter 6 Command Line Management Utility Manual
6.1 Overview of vpncmd
6.1.1 vpncmd
6.1.2 vpncmd Management Mode
6.2 General Usage of vpncmd
6.2.1 Command Input Rules
6.2.2 Command Help Display
6.2.3 Command Line Parameters When Starting a vpncmd Command
6.2.4 Batch Processing Mode
6.2.5 Saving a Log
6.2.6 vpncmd Process Return Values
6.2.7 Character Encoding
6.2.8 Calling vpncmd in Windows
6.2.9 Stand-Alone Installation of vpncmd
6.3 VPN Server / VPN Bridge Management Command Reference (For Entire Server)
6.3.1 About - Display the version information
6.3.2 ServerInfoGet - Get server information
6.3.3 ServerStatusGet - Get Current Server Status
6.3.4 ListenerCreate - Create New TCP Listener
6.3.5 ListenerDelete - Delete TCP Listener
6.3.6 ListenerList - Get List of TCP Listeners
6.3.7 ListenerEnable - Begin TCP Listener Operation

6.3.8 ListenerDisable - Stop TCP Listener Operation
6.3.9 ServerPasswordSet - Set VPN Server Administrator Password
6.3.10 ClusterSettingGet - Get Clustering Configuration of Current VPN Server
6.3.11 ClusterSettingStandalone - Set VPN Server Type as Standalone
6.3.12 ClusterSettingController - Set VPN Server Type as Cluster Controller
6.3.13 ClusterSettingMember - Set VPN Server Type as Cluster Member
6.3.14 ClusterMemberList - Get List of Cluster Members
6.3.15 ClusterMemberInfoGet - Get Cluster Member Information
6.3.16 ClusterMemberCertGet - Get Cluster Member Certificate
6.3.17 ClusterConnectionStatusGet - Get Connection Status to Cluster Controller
6.3.18 ServerCertGet - Get SSL Certificate of VPN Server
6.3.19 ServerKeyGet - Get SSL Certificate Private Key of VPN Server
6.3.20 ServerCertSet - Set SSL Certificate and Private Key of VPN Server
6.3.21 ServerCipherGet - Get the Encryption Algorithm Used for VPN Communication
6.3.22 ServerCipherSet - Set the Encryption Algorithm Used for VPN Communication
6.3.23 KeepEnable - Enable the Keep Alive Internet Connection Function
6.3.24 KeepDisable - Disable the Keep Alive Internet Connection Function
6.3.25 KeepSet - Set the Keep Alive Internet Connection Function
6.3.26 KeepGet - Get the Keep Alive Internet Connection Function
6.3.27 SyslogEnable - Set syslog Send Function
6.3.28 SyslogDisable - Disable syslog Send Function
6.3.29 SyslogGet - Get syslog Send Function
6.3.30 ConnectionList - Get List of TCP Connections Connecting to the VPN Server
6.3.31 ConnectionGet - Get Information of TCP Connections Connecting to the VPN Server
6.3.32 ConnectionDisconnect - Disconnect TCP Connections Connecting to the VPN Server
6.3.33 BridgeDeviceList - Get List of Network Adapters Usable as Local Bridge
6.3.34 BridgeList - Get List of Local Bridge Connection
6.3.35 BridgeCreate - Create Local Bridge Connection
6.3.36 BridgeDelete - Delete Local Bridge Connection
6.3.37 Caps - Get List of Server Functions/Capability
6.3.38 Reboot - Reboot VPN Server Service
6.3.39 ConfigGet - Get the current configuration of the VPN Server
6.3.40 ConfigSet - Write Configuration File to VPN Server
6.3.41 RouterList - Get List of Virtual Layer 3 Switches
6.3.42 RouterAdd - Define New Virtual Layer 3 Switch

6.3.43 RouterDelete - Delete Virtual Layer 3 Switch
6.3.44 RouterStart - Start Virtual Layer 3 Switch Operation
6.3.45 RouterStop - Stop Virtual Layer 3 Switch Operation
6.3.46 RouterIfList - Get List of Interfaces Registered on the Virtual Layer 3 Switch
6.3.47 RouterIfAdd - Add Virtual Interface to Virtual Layer 3 Switch
6.3.48 RouterIfDel - Delete Virtual Interface of Virtual Layer 3 Switch
6.3.49 RouterTableList - Get List of Routing Tables of Virtual Layer 3 Switch
6.3.50 RouterTableAdd - Add Routing Table Entry for Virtual Layer 3 Switch
6.3.51 RouterTableDel - Delete Routing Table Entry of Virtual Layer 3 Switch
6.3.52 LogFileList - Get List of Log Files
6.3.53 LogFileGet - Download Log file
6.3.54 HubCreate - Create New Virtual HUB
6.3.55 HubCreateDynamic - Create New Dynamic Virtual HUB (For Clustering)
6.3.56 HubCreateStatic - Create New Static Virtual HUB (For Clustering)
6.3.57 HubDelete - Delete Virtual HUB
6.3.58 HubSetStatic - Change Virtual HUB Type to Static Virtual HUB
6.3.59 HubSetDynamic - Change Virtual HUB Type to Dynamic Virtual HUB
6.3.60 HubList - Get List of Virtual HUBs
6.3.61 Hub - Select Virtual HUB to Manage
6.3.62 LicenseAdd - Add License Key Registration
6.3.63 LicenseDel - Delete Registered License
6.3.64 LicenseList - Get List of Registered Licenses
6.3.65 LicenseStatus - Get License Status of Current VPN Server
6.3.66 MakeCert - Create New X.509 Certificate and Private Key
6.3.67 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.3.68 TrafficServer - Execute Communication Throughput Measurement Tool Server
6.3.69 Check - Check if PacketiX VPN Operation is Possible
6.4 VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)
6.4.1 Online - Switch Virtual HUB to Online
6.4.2 Offline - Switch Virtual HUB to Offline
6.4.3 SetMaxSession - Set the Max Number of Concurrently Connected Sessions for Virtual HUB
6.4.4 SetHubPassword - Set Virtual HUB Administrator Password
6.4.5 SetEnumAllow - Allow Enumeration by Virtual HUB Anonymous Users
6.4.6 SetEnumDeny - Deny Enumeration by Virtual HUB Anonymous Users
6.4.7 OptionsGet - Get Options Setting of Virtual HUBs
6.4.8 RadiusServerSet - Set RADIUS Server to use for User Authentication
6.4.9 RadiusServerDelete - Delete Setting to Use RADIUS Server for User Authentication
6.4.10 RadiusServerGet - Get Setting of RADIUS Server Used for User Authentication
6.4.11 StatusGet - Get Current Status of Virtual HUB
6.4.12 LogGet - Get Log Save Setting of Virtual HUB
6.4.13 LogEnable - Enable Security Log or Packet Log
6.4.14 LogDisable - Disable Security Log or Packet Log
6.4.15 LogSwitchSet - Set Log File Switch Cycle
6.4.16 LogPacketSaveType - Set Save Contents and Type of Packet to Save to Packet Log
6.4.17 CAList - Get List of Trusted CA Certificates
6.4.18 CAAdd - Add Trusted CA Certificate
6.4.19 CADelete - Delete Trusted CA Certificate
6.4.20 CAGet - Get Trusted CA Certificate
6.4.21 CascadeList - Get List of Cascade Connections
6.4.22 CascadeCreate - Create New Cascade Connection
6.4.23 CascadeSet - Set the Destination for Cascade Connection
6.4.24 CascadeGet - Get the Cascade Connection Setting
6.4.25 CascadeDelete - Delete Cascade Connection Setting
6.4.26 CascadeUsernameSet - Set User Name to Use Connection of Cascade Connection
6.4.27 CascadeAnonymousSet - Set User Authentication Type of Cascade Connection to Anonymous Authentication
6.4.28 CascadePasswordSet - Set User Authentication Type of Cascade Connection to Password Authentication
6.4.29 CascadeCertSet - Set User Authentication Type of Cascade Connection to Client Certificate Authentication
6.4.30 CascadeCertGet - Get Client Certificate to Use for Cascade Connection
6.4.31 CascadeEncryptEnable - Enable Encryption when Communicating by Cascade Connection
6.4.32 CascadeEncryptDisable - Disable Encryption when Communicating by Cascade Connection
6.4.33 CascadeCompressEnable - Enable Data Compression when Communicating by Cascade Connection
6.4.34 CascadeCompressDisable - Disable Data Compression when Communicating by Cascade Connection
6.4.35 CascadeProxyNone - Specify Direct TCP/IP Connection as the Connection Method of Cascade Connection
6.4.36 CascadeProxyHttp - Set Connection Method of Cascade Connection to be via an HTTP Proxy Server
6.4.37 CascadeProxySocks - Set Connection Method of Cascade Connection to be via a SOCKS Proxy Server
6.4.38 CascadeServerCertEnable - Enable Cascade Connection Server Certificate Verification Option
6.4.39 CascadeServerCertDisable - Disable Cascade Connection Server Certificate Verification Option
6.4.40 CascadeServerCertSet - Set the Server Individual Certificate for Cascade Connection
6.4.41 CascadeServerCertDelete - Delete the Server Individual Certificate for Cascade Connection
6.4.42 CascadeServerCertGet - Get the Server Individual Certificate for Cascade Connection
6.4.43 CascadeDetailSet - Set Advanced Settings for Cascade Connection
6.4.44 CascadePolicySet - Set Cascade Connection Session Security Policy
6.4.45 PolicyList - Display List of Security Policy Types and Settable Values
6.4.46 CascadeStatusGet - Get Current Cascade Connection Status
6.4.47 CascadeRename - Change Name of Cascade Connection
6.4.48 CascadeOnline - Switch Cascade Connection to Online Status
6.4.49 CascadeOffline - Switch Cascade Connection to Offline Status
6.4.50 AccessAdd - Add Access List Rules
6.4.51 AccessList - Get Access List Rule List
6.4.52 AccessDelete - Delete Rule from Access List
6.4.53 AccessEnable - Enable Access List Rule
6.4.54 AccessDisable - Disable Access List Rule
6.4.55 UserList - Get List of Users
6.4.56 UserCreate - Create User
6.4.57 UserSet - Change User Information
6.4.58 UserDelete - Delete User
6.4.59 UserGet - Get User Information
6.4.60 UserAnonymousSet - Set Anonymous Authentication for User Auth Type
6.4.61 UserPasswordSet - Set Password Authentication for User Auth Type and Set Password
6.4.62 UserCertSet - Set Individual Certificate Authentication for User Auth Type and Set Certificate
6.4.63 UserCertGet - Get Certificate Registered for Individual Certificate Authentication User
6.4.64 UserSignedSet - Set Signed Certificate Authentication for User Auth Type
6.4.65 UserRadiusSet - Set RADIUS Authentication for User Auth Type
6.4.66 UserNTLMSet - Set NT Domain Authentication for User Auth Type
6.4.67 UserPolicyRemove - Delete User Security Policy
6.4.68 UserPolicySet - Set User Security Policy
6.4.69 UserExpiresSet - Set User's Expiration Date
6.4.70 GroupList - Get List of Groups
6.4.71 GroupCreate - Create Group
6.4.72 GroupSet - Set Group Information
6.4.73 GroupDelete - Delete Group
6.4.74 GroupGet - Get Group Information and List of Assigned Users
6.4.75 GroupJoin - Add User to Group
6.4.76 GroupUnjoin - Delete User from Group
6.4.77 GroupPolicyRemove - Delete Group Security Policy
6.4.78 GroupPolicySet - Set Group Security Policy
6.4.79 SessionList - Get List of Connected Sessions
6.4.80 SessionGet - Get Session Information
6.4.81 SessionDisconnect - Disconnect Session
6.4.82 MacTable - Get the MAC Address Table Database
6.4.83 MacDelete - Delete MAC Address Table Entry
6.4.84 IpTable - Get the IP Address Table Database
6.4.85 IpDelete - Delete IP Address Table Entry
6.4.86 SecureNatEnable - Enable the Virtual NAT and DHCP Server Function (SecureNAT Function)
6.4.87 SecureNatDisable - Disable the Virtual NAT and DHCP Server Function (SecureNAT Function)
6.4.88 SecureNatStatusGet - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNAT Function)
6.4.89 SecureNatHostGet - Get Network Interface Setting of Virtual Host of SecureNAT Function
6.4.90 SecureNatHostSet - Change Network Interface Setting of Virtual Host of SecureNAT Function
6.4.91 NatGet - Get Virtual NAT Function Setting of SecureNAT Function
6.4.92 NatEnable - Enable Virtual NAT Function of SecureNAT Function
6.4.93 NatDisable - Disable Virtual NAT Function of SecureNAT Function
6.4.94 NatSet - Change Virtual NAT Function Setting of SecureNAT Function
6.4.95 NatTable - Get Virtual NAT Function Session Table of SecureNAT Function
6.4.96 DhcpGet - Get Virtual DHCP Server Function Setting of SecureNAT Function
6.4.97 DhcpEnable - Enable Virtual DHCP Server Function of SecureNAT Function
6.4.98 DhcpDisable - Disable Virtual DHCP Server Function of SecureNAT Function
6.4.99 DhcpSet - Change Virtual DHCP Server Function Setting of SecureNAT Function
6.4.100 DhcpTable - Get Virtual DHCP Server Function Lease Table of SecureNAT Function
6.4.101 AdminOptionList - Get List of Virtual HUB Administration Options
6.4.102 AdminOptionSet - Set Values of Virtual HUB Administration Options
6.4.103 CrlList - Get Certificate Revocation List
6.4.104 CrlAdd - Add a Revoked Certificate
6.4.105 CrlDel - Delete a Revoked Certificate
6.4.106 CrlGet - Get a Revoked Certificate
6.4.107 AcList - Get List of Rule Items of IP Access Control List
6.4.108 AcAdd - Add Rule to IP Access Control List
6.4.109 AcDel - Delete Rule from IP Access Control List
6.5 VPN Client Management Command Reference
6.5.1 About - Display the version information
6.5.2 VersionGet - Get Version Information of VPN Client Service
6.5.3 PasswordSet - Set Password to Connect to VPN Client Service
6.5.4 PasswordGet - Get Password Setting to Connect to VPN Client Service
6.5.5 CertList - Get List of Trusted CA Certificates
6.5.6 CertAdd - Add Trusted CA Certificate
6.5.7 CertDelete - Delete Trusted CA Certificate
6.5.8 CertGet - Get Trusted CA Certificate
6.5.9 SecureList - Get List of Usable Smart Card Types
6.5.10 SecureSelect - Select the Smart Card Type to Use
6.5.11 SecureGet - Get ID of Smart Card Type to Use
6.5.12 NicCreate - Create New Virtual Network Adapter
6.5.13 NicDelete - Delete Virtual Network Adapter
6.5.14 NicUpgrade - Upgrade Virtual Network Adapter Device Driver
6.5.15 NicGetSetting - Get Virtual Network Adapter Setting
6.5.16 NicSetSetting - Change Virtual Network Adapter Setting
6.5.17 NicEnable - Enable Virtual Network Adapter
6.5.18 NicDisable - Disable Virtual Network Adapter
6.5.19 NicList - Get List of Virtual Network Adapters
6.5.20 AccountList - Get List of VPN Connection Settings
6.5.21 AccountCreate - Create New VPN Connection Setting
6.5.22 AccountSet - Set the VPN Connection Setting Connection Destination
6.5.23 AccountGet - Get Setting of VPN Connection Setting
6.5.24 AccountDelete - Delete VPN Connection Setting
6.5.25 AccountUsernameSet - Set User Name of User to Use Connection of VPN Connection Setting
6.5.26 AccountAnonymousSet - Set User Authentication Type of VPN Connection Setting to Anonymous Authentication
6.5.27 AccountPasswordSet - Set User Authentication Type of VPN Connection Setting to Password Authentication
6.5.28 AccountCertSet - Set User Authentication Type of VPN Connection Setting to Client Certificate Authentication
6.5.29 AccountCertGet - Get Client Certificate to Use for VPN Connection Setting
6.5.30 AccountEncryptDisable - Disable Encryption when Communicating by VPN Connection Setting
6.5.31 AccountEncryptEnable - Enable Encryption when Communicating by VPN Connection Setting
6.5.32 AccountCompressEnable - Enable Data Compression when Communicating by VPN Connection Setting
6.5.33 AccountCompressDisable - Disable Data Compression when Communicating by VPN Connection Setting
6.5.34 AccountProxyNone - Specify Direct TCP/IP Connection as the Connection Method of VPN Connection Setting
6.5.35 AccountProxyHttp - Set Connection Method of VPN Connection Setting to be via an HTTP Proxy Server
6.5.36 AccountProxySocks - Set Connection Method of VPN Connection Setting to be via a SOCKS Proxy Server
6.5.37 AccountServerCertEnable - Enable VPN Connection Setting Server Certificate Verification Option
6.5.38 AccountServerCertDisable - Disable VPN Connection Setting Server Certificate Verification Option
6.5.39 AccountServerCertSet - Set Server Individual Certificate for VPN Connection Setting
6.5.40 AccountServerCertDelete - Delete Server Individual Certificate for VPN Connection Setting
6.5.41 AccountServerCertGet - Get Server Individual Certificate for VPN Connection Setting
6.5.42 AccountDetailSet - Set Advanced Settings for VPN Connection Setting
6.5.43 AccountRename - Change VPN Connection Setting Name
6.5.44 AccountConnect - Start Connection to VPN Server using VPN Connection Setting
6.5.45 AccountDisconnect - Disconnect VPN Connection Setting During Connection
6.5.46 AccountStatusGet - Get Current VPN Connection Setting Status
6.5.47 AccountNicSet - Set Virtual Network Adapter for VPN Connection Setting to Use
6.5.48 AccountStatusShow - Set Connection Status and Error Screen to Display when Connecting to VPN Server
6.5.49 AccountStatusHide - Set Connection Status and Error Screen to be Hidden when Connecting to VPN Server
6.5.50 AccountSecureCertSet - Set User Authentication Type of VPN Connection Setting to Smart Card Authentication
6.5.51 AccountRetrySet - Set Interval between Connection Retries for Connection Failures or Disconnections of VPN Connection Setting
6.5.52 AccountStartupSet - Set VPN Connection Setting as Startup Connection
6.5.53 AccountStartupRemove - Remove Startup Connection of VPN Connection Setting
6.5.54 AccountExport - Export VPN Connection Setting
6.5.55 AccountImport - Import VPN Connection Setting
6.5.56 RemoteEnable - Allow Remote Management of VPN Client Service
6.5.57 RemoteDisable - Deny Remote Management of VPN Client Service
6.5.58 KeepEnable - Enable the Keep Alive Internet Connection Function
6.5.59 KeepDisable - Disable the Keep Alive Internet Connection Function
6.5.60 KeepSet - Set the Keep Alive Internet Connection Function
6.5.61 KeepGet - Get the Keep Alive Internet Connection Function
6.5.62 MakeCert - Create New X.509 Certificate and Private Key
6.5.63 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.5.64 TrafficServer - Execute Communication Throughput Measurement Tool Server
6.5.65 Check - Check if PacketiX VPN Operation is Possible
6.6 VPN Tools Command Reference
6.6.1 About - Display the version information
6.6.2 MakeCert - Create New X.509 Certificate and Private Key
6.6.3 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.6.4 TrafficServer - Execute Communication Throughput Measurement Tool Server
6.6.5 Check - Check if PacketiX VPN Operation is Possible

Chapter 7 Installing PacketiX VPN Server 2.0
7.1 Installation Precautions
7.1.1 Checking the Operating Environment
7.1.2 Hard Disk Space
7.1.3 CPU Processing Speed
7.1.4 Conflicting Software
7.2 Installing to Windows and Configuring the Default Settings
7.2.1 Selecting the Installation Mode
7.2.2 Installation Procedure Using the Installer
7.2.3 Optimizing the TCP/IP Communication Settings
7.2.4 Precautions After Installation
7.2.5 Managing VPN Server with VPN Server Manager
7.2.6 Managing with vpncmd
7.2.7 Starting and Stopping Service
7.2.8 Adding and Deleting the Service
7.2.9 Limitations When Starting with General User Rights
7.3 Installing to Linux and Configuring the Default Settings
7.3.1 Recommended System
7.3.2 Selecting the Installation Mode
7.3.3 Checking the Required Software and Libraries
7.3.4 Extracting the Package
7.3.5 Creating an Executable File
7.3.6 VPN Server Location
7.3.7 Using the vpncmd Check Command to Check Operations
7.3.8 Registering a Startup Script
7.3.9 Starting and Stopping Service
7.3.10 Limitations when Starting with General User Rights
7.4 Default Settings
7.4.1 Changing the Manager Password
7.4.2 Registering the License
7.4.3 Checking the Current License Status and the Usage Status of the Number of Connections
7.4.4 Creating a Virtual HUB
7.5 Installing to Other Unix Systems
7.6 Uninstalling PacketiX VPN Server 2.0
7.6.1 Uninstallation in Windows
7.6.2 Uninstallation in Linux

Chapter 8 Installing PacketiX VPN Client 2.0
8.1 Installation Precautions
8.1.1 Checking the Operating Environment
8.1.2 Network Connection Environment
8.1.3 Conflicting Software
8.2 Installing to Windows and Configuring the Default Settings
8.2.1 Installation Procedure Using the Installer
8.2.2 Optimizing the TCP/IP Communication Settings
8.2.3 Precautions After Installation
8.2.4 VPN Client Manager Operations
8.2.5 Operating with vpncmd
8.2.6 Creating a Virtual Network Adapter
8.2.7 Configuring a Virtual Network Adapter
8.2.8 Creating a Connection Setting
8.3 Uninstalling PacketiX VPN Client 2.0
8.3.1 Uninstallation
8.3.2 Virtual Network Adapter

Chapter 9 Installing PacketiX VPN Bridge 2.0
9.1 Installation Precautions
9.1.1 Checking the Operating Environment
9.1.2 Hard Disk Space
9.1.3 CPU Processing Speed
9.1.4 Conflicting Software
9.2 Installing to Windows and Configuring the Default Settings
9.2.1 Selecting the Installation Mode
9.2.2 Installation Procedure Using the Installer
9.2.3 Optimizing the TCP/IP Communication Settings
9.2.4 Precautions After Installation
9.2.5 Managing VPN Bridge with VPN Server Manager
9.2.6 Managing with vpncmd
9.2.7 Starting and Stopping Service
9.2.8 Adding and Deleting the Service
9.2.9 Limitations when Starting with General User Rights
9.3 Installing to Linux and Configuring the Default Settings
9.3.1 Recommended System
9.3.2 Selecting the Installation Mode
9.3.3 Checking the Required Software and Libraries
9.3.4 Extracting the Package
9.3.5 Creating an Executable File
9.3.6 VPN Bridge Location
9.3.7 Using the vpncmd Check Command to Check Operations
9.3.8 Registering a Startup Script
9.3.9 Starting and Stopping Service
9.3.10 Limitations when Starting with General User Rights
9.4 Default Settings
9.4.1 Changing the Manager Password
9.4.2 Creating a Cascade Connection with a Local Bridge
9.5 Uninstalling PacketiX VPN Bridge 2.0
9.5.1 Uninstallation in Windows
9.5.2 Uninstallation in Linux

Chapter 10 Instructions and Examples For Configuring a VPN
10.1 Types of VPNs
10.1.1 PC-to-PC VPN
10.1.2 Remote Access VPN
10.1.3 LAN-to-LAN VPN
10.2 Common Elements
10.2.1 VPN Server Location
10.2.2 Deciding the VPN Server / Virtual HUB Administrator
10.2.3 Changing Existing NAT/Firewall Configurations
10.2.4 Selecting a User Authentication Method
10.2.5 Selecting what Functionality to Use
10.2.6 Virtual Layer 3 Switching
10.2.7 Virtual DHCP Server
10.2.8 Virtual NAT
10.2.9 Advice about Protocol Conflicts when Making a LAN-to-LAN Connection
10.3 Setting Up a PC-to-PC VPN
10.3.1 Configuring VPN Server
10.3.2 Network Layout
10.3.3 Calculating the Number of Required Licenses
10.3.4 Connecting to the VPN Remotely/Performing a Communication Test
10.4 Setting Up a Generic Remote Access VPN
10.4.1 Connecting to a LAN Remotely
10.4.2 Using Local Bridging
10.4.3 Examining User Authentication Methods
10.4.4 Network Layout
10.4.5 Calculating the Number of Required Licenses
10.4.6 Installing VPN Server On a LAN
10.4.7 Configuring the Local Bridge
10.4.8 Connecting to the VPN Remotely/Performing a Communication Test
10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)
10.5.1 About Bridge-Connected LAN VPNs
10.5.2 Local Bridge and Cascade Connection Functionality
10.5.3 Pros and Cons of Bridging
10.5.4 Network Layout
10.5.5 Calculating the Number of Required Licenses
10.5.6 Installing VPN Server On the Main LAN
10.5.7 Installing VPN Bridge to the Sub-LAN
10.5.8 Configuring the Local Bridges
10.5.9 Configuring Cascade Connections
10.5.10 Connecting to the LAN-to-LAN VPN/Performing a Communication Test
10.5.11 Supplementary Information
10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)
10.6.1 Combining Bridge Connections and IP Routing
10.6.2 IP Routing Via Virtual Layer 3 Switching
10.6.3 Pros and Cons of IP Routing
10.6.4 Network Layout
10.6.5 Calculating the Number of Required Licenses
10.6.6 Installing VPN Server On the Main LAN
10.6.7 Installing VPN Bridge on the Other LANs
10.6.8 LAN-to-LAN VPN Connection
10.6.9 Supplementary Information
10.7 Combining a LAN-to-LAN VPN and a Remote Access VPN
10.7.1 Using LAN-to-LAN Communication and Remote Access Together
10.7.2 Calculating the Number of Required Licenses
10.7.3 Supplementary Information
10.8 Setting Up a Large Scale Remote Access VPN Service
10.8.1 VPN Server's Processing Limit
10.8.2 Increase Network Scalability By Using Clustering
10.8.3 Using Static Virtual HUBs
10.8.4 Network Layout
10.8.5 Calculating the Number of Required Licenses
10.8.6 Installing and Configuring the Cluster Controller
10.8.7 Installing and Configuring the Cluster Member Servers
10.8.8 Creating Static Virtual HUBs
10.8.9 Making a Local Bridge between the Existing LAN and the Virtual HUBs
10.8.10 Managing VPN Sessions on a Clustered VPN
10.9 Setting Up a Large Scale Virtual HUB Hosting Service
10.9.1 The Necessity of a Virtual HUB Hosting Service
10.9.2 Increase Network Scalability By Using Clustering
10.9.3 Using Dynamic Virtual HUBs
10.9.4 Network Layout
10.9.5 Calculating the Number of Required Licenses
10.9.6 Installing and Configuring the Cluster Controller
10.9.7 Installing and Configuring the Cluster Member Servers
10.9.8 Creating Dynamic Virtual HUBs
10.9.9 Assigning Virtual HUB Administrator Rights
10.9.10 Managing VPN Sessions on a Clustered VPN
10.9.11 Automating the Creation and Management of a Large Quantity of Virtual HUBs or Users
10.9.12 User's Usage Status and Billing
10.9.13 Limiting Administrator Rights by Configuring the Virtual HUB Management Options
10.10 Using Remote Access as a Single User
10.10.1 Dangers of the Internet and the Need for VPN
10.10.2 Installing the VPN Server at Home
10.10.3 Assigning IP Addresses and the DDNS Service
10.10.4 Adjusting Settings For Broadband Routers or Other Networking Hardware
10.10.5 Determining the Necessity of Local Bridging
10.10.6 Accessing Your Home Network From a Remote Network Safely
10.10.7 Using Electronic Devices that can only Communicate over the same Network
10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights
10.11.1 Utilizing SecureNAT to Make Things More Convenient
10.11.2 Using SecureNAT For Amazingly Simple, Secure Remote Access With No Administrator Rights
10.11.3 A Practical Example Network
10.11.4 Starting Up VPN Bridge on the Remote LAN
10.11.5 Using Remote Access
10.11.6 SecureNAT and Security
10.11.7 The Dangers of Misusing SecureNAT
10.12 Using Public Networks Like Public Wireless Access Safely
10.12.1 The Dangers of Public Network Services
10.12.2 Utilizing VPN for Safer Public Network Usage
10.12.3 Installing VPN Server at Home or at Work
10.12.4 Accessing the Internet Via a VPN Server's Local Bridge
10.12.5 About SoftEther's Secure Access Service

Chapter 11 Troubleshooting and Supplementary Information
11.1 Troubleshooting
11.1.1 Programs Suddenly Terminate during Normal Operation.
11.1.2 I am unable to communicate with the IP address of the Virtual Network Adapter used for local bridging from within the VPN.
11.1.3 A [Protocol Error] is occurring.
11.1.4 I am getting the message [The time on the server and the client does not match.].
11.1.5 I am getting slow transfer speeds when using Windows file sharing on the VPN.
11.1.6 There is a large number of broadcast packets constantly being sent over the network. What should I check?
11.1.8 The CPU load increases after enabling Virtual NAT for SecureNAT.
11.1.9 Protocols that use many broadcast packets are not working properly.
11.1.10 Multicast packets are being dropped.
11.1.11 Even though I have installed VPN Server and connected to it from outside the network, I still cannot connect to the local network.
11.1.12 I forgot my VPN Server's administrator password.
11.1.13 What do I do if I lost my license key?
11.1.14 RADIUS authentication is not functioning properly. What should I check?
11.1.15 NT Domain or Active Directory authentication is not functioning properly. What should I check?
11.1.16 Setting the listener port to port 443 always gives an error.
11.1.17 I added a local bridge but it is always offline or showing an error.
11.1.18 The local bridge to my wireless network adapter is not functioning properly.
11.1.19 I created a Virtual Layer 3 Switch but it is always offline or showing an error.
11.1.20 I have set up a cluster but I cannot communicate between Virtual HUBs on the cluster.
11.1.21 I am not performing any communication over the VPN, but packets are being sent to the Internet periodically.
11.1.22 After I have created a Virtual Network Adapter I get the message, [No network cable is connected.].
11.1.23 I forgot my password for VPN Client.
11.1.24 My Windows 98 Second Edition or Windows Millennium Edition system becomes unstable when I use a Virtual Network Adapter.
11.1.25 I uninstalled VPN Client but my Virtual Network Adapter is still there.
11.1.26 I am having trouble when using a smart card.
11.1.27 I am unable to create a Virtual Network Adapter with VPN Client under Linux.
11.1.28 My VPN connection is disconnected when I designate the Virtual Network Adapter as the default gateway in VPN Client under Linux.
11.1.29 I forgot my VPN Bridge's administrator password.
11.1.30 I have connected LANs together with bridge connections using VPN Server and VPN Bridge, but I still cannot communicate between computers on the LANs. What should I check?
11.1.31 I am getting a warning message in syslog stating that ARP packets are being received from the IP address "0.0.0.0" when using local bridging under FreeBSD.
11.2 Useful Information
11.2.1 Installing VPN Server With a Variable Global IP Address
11.2.2 Making a VPN Connection to a LAN Consisting of Only Private IP Addresses
11.2.4 Using an IPv6 over IPv4 Tunnel
11.2.5 About Wake On Lan (WOL)
11.2.6 Installing VPN Server 2.0 Behind a NAT Enabled Router
11.2.7 Using an IDS to View Packets Going In/Out of a Virtual HUB
11.2.8 Recreating a Switch's Port VLAN Functionality
11.2.9 Accepting Connections from SoftEther 1.0 Virtual Network Adapter Software
11.2.10 Performing Administration Via TELNET as Supported in SoftEther 1.0
11.2.11 Increasing Cluster Controller Redundancy
11.2.18 Connecting to Multiple VPN Servers or Virtual HUBs at Once
11.2.19 Using SecureNAT to Provide Remote Access to an Otherwise Inaccessible Network
11.3 General Supplementary Information
11.3.1 Using This Software Together With Anti-Virus Software or a Personal Firewall
11.3.2 About the 1/1000th of a Second Delay Encountered When Communicating Over a VPN
11.3.3 NTLM Authentication Support for Connections Via Proxy Server
11.3.4 How Far Away Can You Establish a VPN Session Connection From?
11.3.5 I measured the throughput of traffic through my VPN with my usual measurement utilities, and they are showing very low transfer speeds. What's wrong?
11.3.6 The Difference Between VPN Bridge's SecureNAT and VPN Server's SecureNAT
11.3.7 Can a single user open multiple VPN sessions?
11.3.8 According to the Windows end user license agreement, is it OK to use a client based operating system such as Windows XP as a VPN server?
11.3.9 Things to Consider When Using Windows 98, 98 SE, or ME as a VPN Server
11.3.10 I have more connections to my VPN than I have licenses for. What happened?
11.3.11 About MAC Addresses Starting With "00:AE"
11.3.12 How MAC Addresses Are Assigned to Virtual HUBs
11.3.13 Naming Computers Running VPN Server
11.3.14 Differences Between the Academic Edition and the Standard Production Edition
11.3.15 VPN Server Computer Specifications and the Number of Possible Simultaneous Connections
11.3.16 Determining When to Use Clustering and Load Balancing
11.3.17 When Using a Special PPPoE Connection Tool to Connect to the Internet
11.3.18 Things to Consider When Using Your Operating System to Make a Bridged Connection Between a Virtual Network Adapter and a Physical Network Adapter
11.3.19 What if the Virtual Network Adapter and the physical network adapter both have the same network address?
11.3.20 How is the Virtual Network Adapter's MAC address generated?
11.3.21 Are Virtual Network Adapters' MAC addresses unique?
11.3.22 Things to be aware of when using SSH port forwarding software to connect to a VPN server
11.3.23 Concerning the priority of default gateways when one exists on both the Virtual Network Adapter network and on the physical network
11.3.25 If you are unable to create a Virtual HUB with VPN Bridge...
11.3.26 If you are unable to use local bridging in FreeBSD, Solaris, or Mac OS X...
11.3.27 Connecting to a VPN Bridge Listener Port From VPN Client
11.4 Additional Security Information
11.4.1 Dealing With Viruses or Worms on Your VPN
11.4.3 Is there any danger of my VPN Client service being controlled remotely immediately after installing VPN Client before I have configured it?
11.5 Additional Information Regarding Communication Protocols
11.5.1 Usable Protocols Other than TCP/IP
11.5.2 Using NetBEUI, IPX/SPX, AppleTalk, etc.
11.5.3 Sending Multicast Packets Within the VPN
11.5.4 Using IP Phone Protocols
11.5.5 Using NetMeeting or Other Video Conferencing Protocols
11.5.6 Using PacketiX VPN to Communicate on an Existing VPN Tunnel
11.6 Additional Compatibility Information
11.6.1 Coexistence With SoftEther 1.0
11.6.2 Relationship With Mitsubishi Materials Corporation's SoftEther CA
11.6.3 Compatibility With SoftEther 1.0 Protocols
11.6.4 Compatibility With Other VPN Products
11.7 Future Plans for PacketiX VPN
11.7.1 Localization Plans
11.7.3 About VPN Client for Windows CE
11.7.4 About VPN Client for Platforms Other than Windows or Linux

Chapter 12 PacketiX VPN Software Specification
12.1 PacketiX VPN Server 2.0 Specs
12.1.1 Supported Operating Systems (Recommended)
12.1.2 Supported Operating Systems (All)
12.1.3 Hardware Requirements
12.1.4 Software Specs
12.1.5 Program File Structure
12.2 PacketiX VPN Client 2.0 Specs
12.2.1 Supported Operating Systems (Recommended)
12.2.2 Supported Operating Systems (All)
12.2.3 Hardware Requirements
12.2.4 Software Specs
12.2.5 Program File Structure
12.2.6 List of Supported Smart Cards and Hardware Security Devices
12.3 PacketiX VPN Bridge 2.0 Specs
12.3.1 Supported Operating Systems (Recommended)
12.3.2 Supported Operating Systems (All)
12.3.3 Hardware Requirements
12.3.4 Software Specs
12.3.5 Program File Structure
12.4 PacketiX VPN Protocol Specification
12.4.1 Protocol Specs
12.4.2 Packets Sendable Over a VPN
12.4.3 How to Detect the PacketiX VPN Protocol
12.5 Error Codes

Chapter 13 Support
13.1 About Support
13.1.1 Support Bundled with Commercial Software Licenses
13.2 Technical Information and Updates From softether.com
13.2.1 Technical Information/Manual
13.2.2 Downloading the Latest Version Updates

Change Log

Chapter 1: Overview

PacketiX VPN 2.0 is VPN software that offers many features not found in older VPN software or hardware. This chapter gives an overview of the software included in PacketiX VPN 2.0, describes its functions, and provides supplementary information.

1.1 What is PacketiX VPN?
1.1.1 SoftEther VPN and PacketiX VPN
1.1.2 Structure and Operating Principle of VPN
1.1.3 Limitations of Older VPN Solutions
1.1.4 VPN Communication by PacketiX VPN
1.1.5 NAT, Proxy Server and Firewall Traversal
1.1.6 Stability and Security
1.1.7 High-speed Communications Throughput
1.1.8 Advanced Function and Expandability
1.1.9 Platform Independence and Interchangeability
1.1.10 Addition of Functions by Option Pack
1.2 Software of which PacketiX VPN is composed
1.2.1 PacketiX VPN Server
1.2.2 PacketiX VPN Client
1.2.3 PacketiX VPN Bridge
1.2.4 PacketiX VPN Server Manager
1.2.5 PacketiX VPN Command Line Management Utility (vpncmd)
1.2.6 Other Included Utilities
1.3 PacketiX VPN 2.0 Product Configuration and License
1.3.1 Types of Editions According to Usage Objective
1.3.2 Functions and Features of the Various Editions
1.3.3 PacketiX VPN Server 2.0 Standard Edition
1.3.4 PacketiX VPN Server 2.0 Enterprise Edition
1.3.5 PacketiX VPN Server 2.0 Carrier Edition
1.3.6 PacketiX VPN Server 2.0 Embedded Edition
1.3.7 PacketiX VPN Server 2.0 Academic Edition
1.3.8 64-bit version of PacketiX VPN Server 2.0
1.3.9 Connection Licenses
1.3.10 Client Connection Licenses
1.3.11 Bridge Connection License
1.3.12 PacketiX VPN Client and PacketiX VPN Bridge
1.3.13 Demo Version License
1.3.14 License Expiration Date


1.3.15 Server ID of License
1.3.16 License ID and License Key
1.3.17 License Validity and Information Check Method
1.3.18 Additional Purchase of Licenses
1.3.19 PacketiX VPN 2.0 Option Pack
1.3.20 PacketiX VPN 2.0 Administration Pack
1.4 VPN Operation Principle and Communication Method
1.4.1 Conventional Ethernet Configuration
1.4.2 Virtual HUB
1.4.3 Virtual Network Adapter
1.4.4 Cascade connection and virtual layer 3 switch
1.4.5 Bridge Connection of Virtual Network and Physical Network
1.4.6 Computer-to-computer VPN
1.4.7 Remote Access VPN
1.4.8 Base-to-Base VPN of Ordinary Scale
1.4.9 Base-to-Base VPN of Large Scale
1.5 Bolstering Security
1.5.1 Abundant User Authentication Options
1.5.2 Robust Encryption
1.5.3 Server Certificate Verification
1.5.4 Use with Smart Cards
1.6 VPN Communication Details
1.6.1 VPN Sessions
1.6.2 Accepting Connection by VPN Server
1.6.3 Connecting to Virtual HUB
1.6.4 TCP/IP Communication of Session Data
1.6.5 Association with MAC Address
1.6.6 Session from other VPN Server / VPN Client / VPN Bridge
1.6.7 VPN Session Connection Modes
1.6.8 Client Mode Session
1.6.9 Bridge/Router Mode Session
1.6.10 Monitoring Mode Session
1.6.11 Local Bridge Session
1.6.12 Cascade Connection Session
1.6.13 SecureNAT Session
1.6.14 Virtual Layer 3 Switch Session
1.7 Handling Large Environments by Clustering
1.7.1 Necessity of Clustering
1.7.2 Applications of Clustering


1.7.3 Large Scale Remote Access VPN Server
1.7.4 Large Scale Virtual HUB Hosting VPN Server
1.7.5 Product License and Connection License when Clustering
1.8 Multiple Language Support
1.8.1 Unicode Support
1.8.2 User Interface that Supports Multiple Languages
1.8.3 Limitations
1.9 VoIP / QoS Support Function
1.9.1 What is VoIP / QoS Support Function?
1.9.2 Applying to Extension System by Connecting Bases by Layer 2 VPN Using IP Telephone Equipment
1.9.3 If VoIP / QoS Support Function can be Used
1.9.4 Types of Packets Priority Controlled by VoIP / QoS Support Function


1.1 What is PacketiX VPN?

PacketiX VPN is next-generation VPN software that offers stability, flexibility and expandability. It scales from networks for individuals and homes, through networks for small and medium-sized businesses, up to the advanced high-bandwidth, high-load networks required by large corporations and Internet providers.

This section contains an overview of PacketiX VPN, a comparison with older VPN protocols, and a description of its advanced functions.

1.1.1 SoftEther VPN and PacketiX VPN

SoftEther Corporation previously developed and distributed VPN software called SoftEther 1.0. SoftEther 1.0 enabled users to construct a simple layer 2 VPN by installing a Virtual Network Adapter and a Virtual HUB on Windows, and was distributed as freeware.

PacketiX VPN 2.0 is the VPN software that succeeds SoftEther 1.0. When developing PacketiX VPN 2.0, however, SoftEther Corporation did not use a single line of the SoftEther 1.0 source code; the product was designed and developed from scratch. PacketiX VPN 2.0 therefore contains none of the defects of SoftEther 1.x (CA 1.x), nor its lack of interchangeability and limited expandability.

At the beta stage the name PacketiX VPN 2.0 had not yet been decided and the software was tentatively called SoftEther VPN 2.0. With the official release the name was changed to PacketiX VPN 2.0, under PacketiX, the new brand name covering the network and security products of SoftEther Corporation.

The name SoftEther VPN 2.0 that still appears on the Internet and in some magazine articles and books refers to the same product as PacketiX VPN 2.0.

Fig. 1-1-1. Correlation of SoftEther 1.0 and PacketiX VPN 2.0

1.1.2 Structure and Operating Principle of VPN

Virtual Private Network (VPN) is a technology that started to spread around 1998. VPN technology allows users to construct a virtual network that maintains security on top of an existing IP network such as the Internet, and to communicate freely within that virtual network.

The following is a description of common VPN structure.

Tunneling and Encapsulating

VPN is a solution for constructing a virtual network. It relies on a technique called "tunneling", which lets users build a virtual network between two remote points on an existing public IP network and communicate freely across it.

With tunneling, packets that would normally be transmitted on a physical medium such as a conventional network cable or optical fiber are instead encapsulated as the data of another protocol, such as TCP/IP packets, rather than being transmitted directly on the physical network. Encryption and an electronic signature can be applied at the same time as encapsulation. The encapsulated data is transmitted through a session called a "tunnel" between the start and end points of the VPN communication. The receiving party extracts the original packets from the capsules. If the data was encrypted when it was encapsulated, it must be decrypted. If an electronic signature was added, the receiver can check whether the packet contents were tampered with in transit by verifying the integrity of the signature.

Because all data transmitted between the sending computer and the receiving computer travels through the tunnel in encapsulated form, unprotected data is never exposed on the network.


Fig. 1-1-2. Structure and operating principle of common VPN
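The encapsulation and integrity check described above, as an added example that is not part of the original manual or of PacketiX VPN itself: each Ethernet frame is wrapped in a tunnel record carrying a length prefix and an integrity tag (HMAC-SHA256 standing in for the "electronic signature"), and the receiving side verifies the tag before releasing the frame, dropping any record whose contents changed in transit. The record layout, the shared key and the sample frames are constructed for this illustration; PacketiX VPN performs encryption and integrity protection through SSL, which is not modelled here.

```python
# Added illustration of tunnel encapsulation with an integrity check.
# Not PacketiX code: the record layout (4-byte length, 32-byte HMAC-SHA256
# tag, Ethernet frame), the shared key and the frames are constructed here.
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def build_ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame (destination, source, EtherType, payload; no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def encapsulate(frame: bytes, key: bytes) -> bytes:
    """Wrap one Ethernet frame in a tunnel record: length || tag || frame.

    The tag is computed over the whole frame so the far end can detect any
    modification made while the record crossed the public network.
    """
    tag = hmac.new(key, frame, hashlib.sha256).digest()
    body = tag + frame
    return struct.pack("!I", len(body)) + body


def decapsulate(stream: bytes, key: bytes):
    """Split a byte stream of tunnel records back into Ethernet frames.

    Returns (frames, rejected): the frames whose tag verified, in order, and
    the number of records dropped because their tag did not match (tampered
    data or a different key). A record cut short raises ValueError.
    """
    frames, rejected, offset = [], 0, 0
    while offset + 4 <= len(stream):
        (length,) = struct.unpack_from("!I", stream, offset)
        offset += 4
        body = stream[offset:offset + length]
        if len(body) != length or length < TAG_LEN:
            raise ValueError("truncated tunnel record")
        offset += length
        tag, frame = body[:TAG_LEN], body[TAG_LEN:]
        expected = hmac.new(key, frame, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):  # constant-time comparison
            frames.append(frame)
        else:
            rejected += 1
    return frames, rejected


def demo() -> bool:
    """Round-trip two constructed frames, then show that a flipped bit is detected."""
    key = b"constructed-demo-key-not-for-production"
    frame_a = build_ethernet_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("0200000000aa"), 0x0806, b"arp-request")
    frame_b = build_ethernet_frame(bytes.fromhex("0200000000bb"), bytes.fromhex("0200000000aa"), 0x0800, b"ip-datagram")
    stream = encapsulate(frame_a, key) + encapsulate(frame_b, key)
    frames, rejected = decapsulate(stream, key)
    intact = frames == [frame_a, frame_b] and rejected == 0

    tampered = bytearray(stream)
    tampered[-1] ^= 0x01  # one bit of frame_b altered in transit
    frames_t, rejected_t = decapsulate(bytes(tampered), key)
    detected = frames_t == [frame_a] and rejected_t == 1
    return intact and detected


if __name__ == "__main__":
    print("round trip ok, tampering detected:", demo())
```

The receiver never hands a frame to the virtual network until its tag verifies, which is the property the text relies on when it says a signed tunnel lets the other party check for tampering; without the tag, the flipped byte in the demo would have been delivered as a valid frame.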

Ensuring Security of Transmitted Data by Encryption

One of the advantages of using a VPN is the enhanced security provided by encryption.

An IP network that anyone can access, such as the Internet, is always exposed to the danger of eavesdropping and masquerading. Even when expensive transmission services and infrastructure such as dedicated lines or satellite links are used, the lines could be physically tapped, data could be viewed by communications company technicians out of malice or curiosity, or traffic could be intercepted and analyzed by a government, etc. When sending and receiving data over such a WAN, it is therefore recommended that the data be encrypted by some means.

Fig. 1-1-3 Danger of sending and receiving data over the Internet

A possible problem is that not all existing communication applications and protocols support encryption. For example, HTTP has a variant called HTTPS that is encrypted with SSL, and SSH has been encrypted from the start. Many Internet-based applications, however, either have no encryption function at all or, if they do, may have problems with its implementation or encryption strength.


Fig. 1-1-4 Encrypted packets and packets that are not encrypted

If these conventional communication protocols with insufficient security are used as they are on a WAN such as a dedicated line or the Internet, the data can be intercepted or altered by an attacker.

Security can be dramatically enhanced by using a VPN to automatically encrypt the communication of almost all applications that use IP or Ethernet.

Better Connectivity and Network Independence

Another significant advantage of using VPN is that it enhances connectivity and offers network independence.

On public IP networks such as the Internet, as a rule, any IP packet can be sent from a computer with any IP address to a computer with any other IP address. When a client computer and a server computer communicate over the Internet, the server may therefore actually receive packets from a different computer with malicious intent. Worms that exploit vulnerable operating systems and security holes in communication software and server software are constantly circulating on the Internet, and infection is a real possibility. Because a computer directly connected to the Internet is inherently unsafe, it is not recommended that computers which process important business communication data be assigned global Internet IP addresses and connected directly to the Internet.

However, when sending and receiving data between remote sites over a public IP network such as the Internet, at least one side must, as a rule, have a port on a global IP address open and waiting for communication; this follows from using the TCP/IP protocol. Thus, if a VPN is not used, IP reachability must be ensured for the computers at both sites, which raises the security problems described above.


Fig. 1-1-5 When carrying out a TCP/IP connection on the Internet, as a rule at least one side must have a global IP address and its port must be open to the public.

These problems can be solved easily and reliably by using a VPN. As mentioned above, VPN communication takes the form of encapsulated packets flowing through a tunnel established between computers at remote sites. When the tunnel is established, the computers mutually authenticate each other, and the tunnel is established only if authentication succeeds. Once the tunnel is established it is maintained continuously as long as physical network communication is not cut off; all data flowing through it is encrypted and, if an electronic signature is added, other computers on the Internet unrelated to the tunnel can no longer interfere with its communication.

With this tunneling technology, multiple computers and computer networks at remote sites can be connected using VPN, and the safe virtual network built by the VPN can in principle be made independent of WAN lines such as the Internet that have security problems.

Fig. 1-1-6 Prevention of eavesdropping/tampering by a malicious third party using VPN

Inexpensive Internet Connection can be Used Instead of Dedicated Line

By utilizing the VPN structure described above, communication can be conducted between computers at any site via the Internet, without using dedicated line services that charge high usage fees, and with security more robust than that of dedicated line services.

Especially recently, because Internet services using optical fiber or ADSL are available for several thousand yen per month, such inexpensive services can be used for the same or safer communication purposes.

By using VPN, a company-dedicated virtual communication network can be established on top of a public network such as the Internet, on which any computers can communicate freely over IP, and a safe, stable and independent network can be constructed without worrying about the dangers of the Internet.


Fig. 1-1-7 Using an inexpensive and fast Internet connection instead of a dedicated line

1.1.3 Limitations of old VPN Solution

Several VPN software and hardware solutions have existed for some time, and since 1998 VPN technology and the products employing it have been used at various sites. For example, the following VPN protocols are currently incorporated into several network products and in use.

PPTP

L2TP / IPSec

vtun

OpenVPN

Port transmission by SSH

Other minor VPN standards

However, many older VPN protocols have the following limitations, and under various circumstances their use must be restricted or they cannot be used at all.

Difficulty of Passing Through Network Gateway Devices

On many business networks, as well as some home networks, the company network is separated from the Internet by measures such as NAT (IP masquerade), proxy servers and firewalls, which limit the number of IP addresses needed and bolster security. Devices that perform this processing are called network gateway devices. In some cases a network gateway device is a dedicated device (appliance), and in other cases it is a high-performance computer on which Linux or a similar operating system is installed.

However, many older VPN protocols cannot communicate through such network gateway devices. One reason is that many VPN protocols add headers of a special protocol, rather than ordinary TCP/IP, when encapsulating communication packets. For example, the VPN protocol PPTP uses a rarely used protocol called Generic Routing Encapsulation (GRE). The VPN protocol L2TP furthermore requires the use of IPSec, which adds its own header because the packet becomes an IPSec packet.

Because the majority of conventional VPN protocols, like those in these examples, realize VPN communication by an approach unlike the ordinary connection-oriented TCP/IP communication model, they cannot carry out VPN communication across many network gateway devices, in particular NAT (IP masquerade), almost all proxy servers, and firewalls.

Therefore, the majority of conventional VPN protocols require either that a global IP address be assigned to both the connecting VPN client computer and the destination VPN server computer, or that network gateway devices be customized so that the special packets can be processed.

Fig. 1-1-8 Many older VPN protocols have difficulty passing through NAT routers, firewalls, etc.

Limitations on the Protocols that can be Carried within the VPN

Many conventional VPN protocols are limited to layer 3 (the IP layer, etc.) and the upper-layer protocols above it (the TCP layer, application layer, etc.), which they carry by encapsulated tunneling. With this approach, however, protocols that do not conform to the tunneled layer cannot be carried over the VPN.

For example, in many cases legacy protocols such as special control protocols, IPX/SPX and NetBEUI that are still used by general-purpose equipment cannot be used via the VPN, making it difficult to move an existing system's communication from a dedicated line to an Internet VPN.

Fig. 1-1-9 An older VPN protocol that encapsulates IP cannot send and receive packets other than IP packets

IP Routing is Necessary

Among older VPN protocols, if the VPN is realized using a protocol that encapsulates layer 3 (the IP layer), basically one of the following must be selected.


1. Install VPN client software on all computers participating in the VPN and connect each of them.
2. Connect the existing network of the site to the VPN and conduct IP routing.

If the VPN is constructed by method 1, VPN client software is installed on every computer that might connect to the VPN, each computer performs the connection operation to the VPN server, and communication is then possible only between computers on which the VPN client software is installed. With this method, however, the more computers there are that need VPN communication, the more administration is necessary, and computers on which VPN client software cannot be installed, as well as network devices such as other network appliances or digital electrical appliances, cannot participate in the VPN.

If the VPN is constructed by method 2, computers on the network of the site connected to the VPN can send and receive data to and from each other, and computers on which VPN client software cannot be installed, as well as network devices such as other network appliances and digital electrical appliances, automatically participate in the VPN. This method is, however, disadvantageous in that it requires IP routing between the existing networks connected to the VPN and the virtual networks created by the VPN.

Therefore, if a remote access VPN or a site-to-site VPN is realized with an old VPN protocol, large-scale configuration changes to the existing networks are required, such as modifying the routing tables of the existing IP routers.

Fig. 1-1-10 Devices that do not support routing cannot communicate via an old IP-based VPN

Dependence on a Particular Platform

For many old VPN protocols there is the problem that the range of platforms supporting them is not very wide, and even where they can be used on multiple platforms, differences between the respective implementations have in some cases caused trouble in practical use.

Some VPN protocols furthermore require hardware from particular network device vendors, and compatibility of protocols among vendors has declined.


Fig. 1-1-11 Communication among VPN products of different vendors cannot be carried out

High Cost, Low Performance

Network devices and security software, including network security solutions other than VPN, are generally extremely expensive. Realistically, however, network security products introduced at high cost often do not satisfy performance and function requirements.

Particularly regarding function and performance, the most important consideration for conventional VPN was providing security; network permeability and communication performance were not considered as important. The reason is that when old VPN protocols began to appear, broadband was not yet very popular, and the fastest Internet connection lines available to average businesses and homes were only just increasing in speed from several Mbps to tens of Mbps.

Currently, Internet connection lines of several tens of Mbps to 100Mbps for ordinary homes, and of gigabit scale for business backbones, are available at an extremely low price compared to several years ago. There are not many VPN hardware and software products that can use these fast physical lines efficiently, and those that exist are mostly implemented on extremely expensive dedicated network devices.

Need for a new VPN System to Compensate for the Shortcomings of old VPN Protocols

Old VPN protocols have the problems described above and various others. A highly functional, reliable and flexible VPN system that solves these problems and limitations is therefore necessary.

1.1.4 VPN Communication by PacketiX VPN

In addition to solving the various limitations of old VPN solutions described above, PacketiX VPN 2.0 is VPN software with many new and innovative functions.

Features of PacketiX VPN 2.0

With PacketiX VPN 2.0 alone, many things that in the past could only be achieved by combining multiple network security products or software, or by programming and developing original tools, can be realized with simple operations.


PacketiX VPN 2.0 encapsulates and tunnels communication at layer 2, that is, at the Ethernet level. Network devices such as conventional network adapters, switching HUBs and layer 3 switches are realized in software, and by connecting them with tunnels using the TCP/IP-based PacketiX VPN protocol, the user can construct a highly flexible VPN that was not possible with products up to now.

The operation principle and specifications of PacketiX VPN are explained in 「1.4 VPN Operation Principle and Communication Method」. The method of actually designing, constructing and applying various networks with PacketiX VPN is explained in 「Chapter 10 Instructions and Examples For Configuring a VPN」.

Fig. 1-1-12 Virtualizing various types of Ethernet hardware devices in PacketiX VPN

Advantages of Making Ethernet Virtual

Unlike many old VPN protocols, PacketiX VPN targets layer 2 (Ethernet) for VPN communication. In other words, whereas with older VPNs that targeted layer 3 encapsulated IP packets flowed through the tunnel, with PacketiX VPN encapsulated Ethernet frames flow through the tunnel.


Fig. 1-1-13 Comparison of an old VPN protocol and PacketiX VPN when a site-to-site VPN is constructed

1.1.5 NAT, Proxy Server and Firewall Pass

PacketiX VPN conducts VPN communication by establishing a VPN session, called a tunnel, between the VPN Server and a VPN Client or VPN Bridge.

The packets that virtually flow in the VPN session, which is an Ethernet network, are actually encapsulated and flow through a physical IP network. PacketiX VPN encapsulates arbitrary Ethernet frames in the TCP/IP protocol, a feature not present in the majority of old VPN protocols.

Also, with PacketiX VPN, any TCP/IP port number can be designated and used for VPN communication. The default port numbers are 8888, 443 (the HTTPS port) and 992. For details on designating TCP/IP port numbers, see 「3.3.6 Listener Ports」.

By conducting all VPN communication over TCP/IP, PacketiX VPN can communicate through the majority of network gateway devices. A VPN can be easily established through almost all types of NAT, proxy servers and firewalls.

With PacketiX VPN, VPN communication can be conducted easily and safely even in environments where VPN was previously hard to use because of NAT, proxy server and firewall settings.

Because it is no longer necessary to open a hole in the existing firewall settings to introduce the VPN, the burden on the network administrator is reduced, and the deterioration of network security caused by firewall setting changes is prevented.

Users can also safely access the company LAN from free Internet connection spots such as stations, airports and hotels if they carry a laptop computer with VPN Client installed. Because many free Internet connection spots have introduced NAT, firewalls or transparent proxy servers, many VPN protocols cannot be used there; with PacketiX VPN, however, they can be used without worry.

Fig. 1-1-14 Passage through NAT, proxy servers and firewalls by PacketiX VPN

1.1.6 Stability and Security

As mentioned above, PacketiX VPN uses only the TCP/IP protocol for VPN communication and can tunnel any Ethernet frame. During VPN communication, PacketiX VPN encrypts all data with the Internet standard encryption protocol Secure Socket Layer (SSL). The system administrator can choose any encryption algorithm and electronic signature algorithm for this. For details see 「3.3.15 Selecting Encryption Algorithms for use in SSL Transmission」.

With PacketiX VPN, not only is communication encrypted, but security for user authentication and server authentication is also bolstered. PacketiX VPN supports user authentication using the RADIUS servers and NT domain / Active Directory used by companies, and certificate authentication using X.509 and RSA. It also supports some smart cards for uses that demand high security. For details see 「1.5 Bolstering Security」.

The protocol that actually flows over the physical IP network during VPN communication, carrying the VPN communication packets and security checks such as user authentication, is called the PacketiX VPN protocol. The PacketiX VPN protocol not only encrypts all communication contents with SSL, but also establishes several simultaneous SSL connections between the VPN Server and the VPN Client or VPN Bridge and reconnects them at staggered intervals, which allows it to communicate stably through some special network devices that drop TCP/IP connections after a certain time. Stable VPN communication is also possible over telephone lines with high packet loss rates, some ADSL, PHS, wireless LAN, etc. For details see 「4.4.11 Advanced Communication Settings」.


Fig. 1-1-15 User authentication by PacketiX VPN protocol

1.1.7 High-speed Communications Throughput

Many older VPN protocols focused only on providing security, and communication throughput tends not to be high when VPN communication is carried out with them.

PacketiX VPN is optimized to deliver high performance on any line, from low-speed lines such as ISDN and PHS to high-speed lines of 100Mbps and 1.0Gbps. For example, even a VPN Server running on a computer with a Pentium 4 2.8GHz processor, currently available at a low price, can deliver throughput of several hundred Mbps.

The problems of throughput decline and marked delay caused by retransmission when the TCP/IP protocol is used for VPN tunnel communication, which have been discussed in several papers, are mitigated by technology that establishes multiple parallel TCP/IP connections between the VPN Server and the VPN Client or VPN Bridge. For details see 「4.4.12 Number of TCP/IP Connections for VPN Session Communications」.

1.1.8 Advanced Function and Expandability

Many older VPN products realized only VPN communication itself. Advanced functions such as logging all packets flowing inside the VPN, packet filtering inside VPN communication, or applying a highly flexible security policy were extremely rare.

With PacketiX VPN, the VPN Server, VPN Client and other software are equipped with extremely advanced functions. For example, the following functions can be easily configured and used for limiting VPN communication, network administration and other purposes.

Flexible adjustment of communication parameters of PacketiX VPN protocol

Logging VPN operation log or the contents of some packets

Advanced security functions

VPN communications monitoring

Handling large environments by clustering

Flexible user authentication

Layer 3 switching function, virtual NAT and virtual DHCP server function

Administration automation

Others

Details of these functions are provided in other sections of this chapter and in 「Chapter 2: PacketiX VPN 2.0 Overall Manual」, 「Chapter 3 PacketiX VPN Server 2.0 Manual」, 「Chapter 4 PacketiX VPN Client 2.0 Manual」, etc.

With PacketiX VPN, the majority of these functions are provided in software rather than in specific hardware. The internal program structure is carefully divided into modules, which facilitates adding new functions in the future and makes PacketiX VPN much more expandable than hardware-based VPN solutions.

1.1.9 Platform Independence and Interchangeability

PacketiX VPN currently supports various combinations of operating system and CPU, so it can run on various platforms. With a few exceptions, PacketiX VPN works the same regardless of CPU type or platform, such as Windows, Linux, FreeBSD, Solaris and Mac OS X.

The PacketiX VPN program code is written in highly portable C and is programmed so as not to depend on a particular operating system. PacketiX VPN currently supports the operating environments listed in 「Chapter 12 PacketiX VPN Software Specification」, and will support even more operating systems and CPU hardware in the future. This also facilitates integration into network appliances such as routers and firewalls.

PacketiX VPN installations operating in various environments can also be reliably connected with each other via the Internet. Thus, if a VPN is constructed using PacketiX VPN, interconnectivity is technically maintained as the number of systems and devices that support PacketiX VPN increases.

1.1.10 Addition of Functions by Option Pack

SoftEther Corporation is constantly developing new functions for VPN software.

With conventional software products, to use new functions that appear after the product has shipped, you have to purchase a new version of the software to upgrade, which involves cost.

If new functions are developed, by introducing the new version of the Option Pack you can use them in your PacketiX VPN software right away without purchasing an upgrade (limited to cases where the newly developed functions correspond to PacketiX VPN software of the same major version). The Option Pack can be downloaded free of charge. If you have an Option Pack license, you can install and use it at any time, eliminating the need to pay additional cost each time new functions come out and to purchase a software license for a new major version upgrade.

For more information on Option Pack, see #1.3.21#.


1.2 Software of which PacketiX VPN is composed

PacketiX VPN is composed of VPN Server, VPN Client, VPN Bridge and several common software components. When using PacketiX VPN, it is necessary to understand which software is installed on each computer and how that determines what kind of VPN can be constructed and operated. A list of the software, with a description of its functions and roles, is provided here.

1.2.1 PacketiX VPN Server

Role of PacketiX VPN Server

PacketiX VPN Server is the most important software in the PacketiX VPN system. As the name suggests, PacketiX VPN Server plays the role of the VPN server that accepts connections over the network from remotely located VPN Clients and VPN Bridges.

Installation of PacketiX VPN Server is necessary no matter what form of VPN is realized, because only PacketiX VPN Server can accept connections from VPN Client and VPN Bridge.

Multiple Virtual HUBs can be created on a PacketiX VPN Server, and Ethernet frames can be exchanged within each Virtual HUB. For more information on Virtual HUBs, see 「1.4.2 Virtual HUB」.

When a new VPN session connects to a Virtual HUB on the VPN Server, the majority of the functions required for network administration are provided, such as user authentication and packet filtering of the Ethernet frames flowing through the Virtual HUB by means of access lists and security policies. For more information on these functions, see 「Chapter 3 PacketiX VPN Server 2.0 Manual」.

If multiple Virtual HUBs are created within a PacketiX VPN Server, a virtual layer 3 switch function is provided to conduct IP routing among the Virtual HUBs. A detailed description of the virtual layer 3 switch function is provided in 「3.8 Virtual Layer 3 Switches」.


Fig. 1-2-1 Multiple Virtual HUBs and virtual layer 3 switches can be created on a single PacketiX VPN Server.

Local Bridge

PacketiX VPN Server can bridge, at layer 2, any Virtual HUB to the Ethernet segment of a network adapter connected to the computer on which that PacketiX VPN Server is running. This is called a local bridge. A detailed description of local bridges is provided in 「3.6 Local Bridges」. A client that connects from a remote location to a PacketiX VPN Server in local bridge status can access the network at the bridge destination. For the specific configuration method, see 「10.4 Setting Up a Generic Remote Access VPN」.

A VPN between hubs can also be easily realized by a cascade connection from a Virtual
HUB that is local-bridged to the hub at the remote location to a Virtual HUB that is
local-bridged on the PacketiX VPN Server side. For the specific configuration method, see
「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 .

Fig. 1-2-2 Bridge connection between Virtual HUB and physical network adapter by local
bridge function

Cascade Connection

A Virtual HUB operated by PacketiX VPN Server can be connected by cascade connection
to a Virtual HUB operated by a PacketiX VPN Server on the same or a separate computer.
A cascade connection can also be accepted from PacketiX VPN Bridge operating on a
separate computer. By connecting two or more different Ethernet segments using cascade
connections, two LANs that were originally separate from each other can be used as a
LAN of a single segment. A detailed description of cascade connection is provided in
「3.4.11 Cascade Connection Functions」 .


Fig. 1-2-3 Cascade connection established between Virtual HUB and Virtual HUB

Location of PacketiX VPN Server

When constructing a VPN with PacketiX VPN, in most cases the VPN can be designed and
constructed by establishing connections from hubs other than the one with the PacketiX
VPN Server using PacketiX VPN Bridge or PacketiX VPN Client. Thus, the basic approach
for a single organization is to set up one PacketiX VPN Server for constructing the VPN.
For the specific location, see 「10.2.1 VPN Server Location」 .

Fig. 1-2-4 Location of PacketiX VPN Server and PacketiX VPN Bridge

License Form

PacketiX VPN Server is provided as a software product that requires payment of a fee.
After selecting an Edition, a product license and connection licenses must be purchased
to use it (free licenses are available for academic use). For details see 「1.3 PacketiX
VPN 2.0 Product Configuration and License」 .

1.2.2 PacketiX VPN Client

Role of PacketiX VPN Client


PacketiX VPN Client is VPN client software that provides a Virtual Network Adapter that
can connect to a Virtual HUB of PacketiX VPN Server. With only simple settings, a user of
a computer on which PacketiX VPN Client is installed can connect via the Internet to a
Virtual HUB of PacketiX VPN Server through the Virtual Network Adapter and carry out
arbitrary communication.

For details concerning PacketiX VPN Client, see 「Chapter 4 PacketiX VPN Client 2.0
Manual」 .

Fig. 1-2-5 VPN connection to Virtual HUB by PacketiX VPN Client

Virtual Network Adapter

When PacketiX VPN Client is used, communications are carried out by creating a Virtual
Network Adapter that the operating system and all applications that use communications
recognize as an ordinary network adapter. Consequently, any application on a computer
on which PacketiX VPN Client is installed can carry out VPN communications via the
Virtual Network Adapter.

Fig. 1-2-6 Virtual Network Adapter

Bridge between Virtual Network Adapter and Physical Network Adapter

Because the Virtual Network Adapter is implemented as a device driver that the operating
system recognizes as an ordinary network adapter, if the operating system provides a
bridge function between network adapters, a bridge connection between the Virtual
Network Adapter and a physical network adapter is possible. For details see 「4.3.4
Bridge Connection Between a Virtual Network Adapter and Physical Network Adapter」 .
Because cascade connection and local bridge are supported by PacketiX VPN Server and
PacketiX VPN Bridge, this method is not used very much with PacketiX VPN 2.0.

License Form

PacketiX VPN Client is a free software product and is provided in the same manner as
freeware, and if the user agrees to the terms of the users' agreement, all functions can
be used.

1.2.3 PacketiX VPN Bridge

Role of PacketiX VPN Bridge

PacketiX VPN Bridge is software that makes a cascade connection to a Virtual HUB of a
PacketiX VPN Server operating at a remote location and bridges that VPN connection at
layer 2 to a physical network adapter of the computer running PacketiX VPN Bridge.
PacketiX VPN Bridge is the best software to install on a computer connected to the LAN
of a hub when you want to bridge the LAN of that remote hub to the VPN built by
PacketiX VPN Server (in other words, to a Virtual HUB operating on PacketiX VPN
Server).

For details concerning PacketiX VPN Bridge, see 「Chapter 5 PacketiX VPN Bridge 2.0
Manual」 .

Fig. 1-2-7 Bridge connection to remote hub by PacketiX VPN Bridge

PacketiX VPN Bridge and PacketiX VPN Server

Technically, PacketiX VPN Bridge is the PacketiX VPN Server program optimized for
bridging a hub by removing the function for creating multiple Virtual HUBs and the
function for accepting connections from PacketiX VPN Server and PacketiX VPN Client on
other computers. When PacketiX VPN Bridge is installed, a single Virtual HUB named
"BRIDGE" is created. The network administrator makes a local bridge between this Virtual
HUB and the LAN of the hub to be bridged, and connects it to the Virtual HUB of the
destination PacketiX VPN Server.

Fig. 1-2-8 Difference between PacketiX VPN Server and PacketiX VPN Bridge

Local Bridge and Cascade Connection


A Virtual HUB named "BRIDGE" exists in PacketiX VPN Bridge. A cascade connection can
be made from the "BRIDGE" Virtual HUB to a Virtual HUB of a PacketiX VPN Server
operating at a remote location, and the "BRIDGE" Virtual HUB can be connected by the
local bridge function to a physical network adapter of the computer on which PacketiX
VPN Bridge is running.

The cascade connection function and local bridge function are therefore the same as
those with which PacketiX VPN Server is equipped.

License Form

PacketiX VPN Bridge is a free software product and is provided in the same manner as
freeware, and if the user agrees to the terms of the users' agreement, all functions can
be used.

1.2.4 PacketiX VPN Server Manager

PacketiX VPN Server Manager is an administration utility with a graphical user interface
(GUI) for administering PacketiX VPN Server and PacketiX VPN Bridge by connecting to
them in administration mode. Only a Windows version of PacketiX VPN Server Manager is
currently provided.

Using PacketiX VPN Server Manager, PacketiX VPN Server and PacketiX VPN Bridge can be
administered from a remote location by connecting over TCP/IP. PacketiX VPN Server
Manager can also be installed stand-alone on an administrator's computer.

When using PacketiX VPN Server Manager, the user does not have to memorize difficult
operating procedures or command lines. Most operations are accomplished by mouse
clicks or keyboard input of the necessary items.


Fig. 1-2-9 PacketiX VPN Server Manager

1.2.5 PacketiX VPN Command Line Management Utility (vpncmd)

The PacketiX VPN command line management utility (vpncmd) is a command user
interface (CUI) administration utility for carrying out administration by connecting to
PacketiX VPN Server, PacketiX VPN Client and PacketiX VPN Bridge.

Currently only the Windows version of PacketiX VPN Server Manager is offered, but
vpncmd programs are offered for all platforms on which PacketiX VPN Server operates,
so administration can be carried out by the same method no matter which platform is used.

This manual contains a command reference for vpncmd commands. For details see
「Chapter 6 Command Line Management Utility Manual」 .

With vpncmd, all operations are performed by command input. Because the program
contains detailed help with usage and explanations for each command, you can refer to it
each time you enter a command, so you don't have to memorize the commands, and an
automatic input completion function reduces the amount of typing required. When
invoking vpncmd, a batch command line script can be passed as a command line argument
so that processing runs automatically, and the processing results can be written to a file.


Fig. 1-2-10 PacketiX VPN command line management utility (vpncmd)

1.2.6 Other Included Utilities

The following utilities are contained in PacketiX VPN.

Communication throughput measurement utility

TCP/IP communications setting optimization utility

For further information on these utilities, see 「7.2.3 Optimizing the TCP/IP
Communication Settings」 and 「4.8 Measuring Effective Throughput」 .


1.3 PacketiX VPN 2.0 Product Configuration and License

PacketiX VPN 2.0 is a software product. Licenses are sold as multiple Editions that differ
in the functions offered. The product configuration and license model adopted for
PacketiX VPN 2.0 are described here.

1.3.1 Types of Editions According to Usage Objective

PacketiX VPN is next-generation VPN software that is powerful enough for the
high-bandwidth, high-load networks required by large corporations and Internet
providers, as well as for networks for individuals and homes and networks for small and
medium-sized businesses. Depending on the purpose for which PacketiX VPN 2.0 is used,
however, some of the functions that make this possible may be required and others may
not. For example, homes and small businesses do not require a clustering function that
supports from several hundred to several thousand simultaneous connections for
operating a remote access VPN.

SoftEther Corporation therefore offers four product editions according to the needs of
PacketiX VPN 2.0 users. The customer can choose the edition from among the four that
best matches their needs.

PacketiX VPN Server 2.0 Edition

The differences between the various Editions explained below apply to PacketiX VPN
Server 2.0 only. Of SoftEther Corporation's software products, only PacketiX VPN Server
2.0 is shipped as a paid product that requires a license key.

PacketiX VPN Client and PacketiX VPN Bridge are Freeware

A license is not required to use PacketiX VPN Client 2.0 and PacketiX VPN Bridge. They
are offered as freeware that anyone can get and use for free.

Memo: Unlike open source software, the terms of the users' agreement that appears
when installing, etc., must be adhered to when using.

1.3.2 Functions and Features of the Various Editions

PacketiX VPN Server is divided into the following 7 product editions. The differences in
functions and precautionary notes are as follows.

Product edition name   Number of simultaneous            Number of simultaneous            Clustering   Commercial use
                       client connections                bridge connections
Standard Edition       According to number of purchased  According to number of purchased  NG           OK
                       client connections/licenses       bridge connections/licenses
Enterprise Edition     According to number of purchased  According to number of purchased  OK           OK
                       client connections/licenses       bridge connections/licenses
Carrier Edition        Unlimited                         Unlimited                         OK           OK
Embedded Edition       Differs according to form         Differs according to form         NG           OK
Academic Edition       Unlimited                         Unlimited                         OK           NG

- A product license for each Edition of the paid software products must be purchased for
editions other than the Academic Edition. The maximum number of clients and bridges
that can be simultaneously connected to a VPN Server depends on the total number
of client connection licenses and bridge connection licenses purchased.

- The Academic Edition is a free software product. All its functions and an unlimited
number of simultaneous connections can be used without purchasing a license, but it
is limited to academic use and may not be used commercially. Check
http://www.softether.com/ for information on how to get the Academic Edition and
its license system.

The contents of the online manual apply to the time when the manual was prepared.
Check http://www.softether.com/ for the latest product information and license
system.

1.3.3 PacketiX VPN Server 2.0 Standard Edition

What is the Standard Edition?

The PacketiX VPN Server 2.0 Standard Edition is the PacketiX VPN Server 2.0 product
edition that offers VPN server function of a scale that does not require a clustering
function.

It is generally suited to businesses, government and individuals. Unlike the Enterprise
Edition, the clustering function is not available.

To use the PacketiX VPN Server 2.0 Standard Edition, you must purchase the PacketiX
VPN Server 2.0 Standard Edition License from a partner who handles PacketiX VPN.

When using the PacketiX VPN Server 2.0 Standard Edition, you must purchase client
connection and bridge connection licenses as well as the product license.

A list of partners who handle PacketiX VPN is available at http://www.softether.com/ .

32-bit Version and 64-bit Version

There is a 32-bit version and a 64-bit version of the PacketiX VPN Server 2.0 Standard
Edition product license.

- The PacketiX VPN Server 2.0 Standard Edition (32-bit version) runs only on a 32-bit
operating system.

- The PacketiX VPN Server 2.0 Standard Edition (64-bit version) can run on either a 32-
bit or 64-bit operating system. You should select the 64-bit version if using a 64-bit
operating system (64-bit Windows, Linux, Solaris, etc.) on a 64-bit CPU (AMD64,
EM64T, etc.).

VPN Client and VPN Bridge are freeware. 32-bit and 64-bit versions are available. Even if,
for example, the connection destination VPN Server is a 32-bit version, the client side can
use a 64-bit version without additional cost.

For 64-bit environment support, see 「Chapter 12 PacketiX VPN Software
Specification」 .

1.3.4 PacketiX VPN Server 2.0 Enterprise Edition

What is the Enterprise Edition?

The PacketiX VPN Server 2.0 Enterprise Edition is the PacketiX VPN Server 2.0 product
edition that offers VPN server function of a scale that requires a clustering function. The
Enterprise Edition is the top of the line Edition ordinarily offered to customers.

With the PacketiX VPN Server 2.0 Enterprise Edition you can use the clustering function
not available in the Standard Edition 2.0. For details concerning the clustering function,
see 「1.7 Handling Large Environments by Clustering」 .

The Enterprise Edition is best suited to companies, government and universities when
offering large-scale remote access VPN service. It also includes PacketiX VPN 2.0
Administration Pack that allows you to create custom VPN client software for your
company or a customized installer that offers an easy install function or Web install
function to company end users. For details, see #1.3.22#.

To use the PacketiX VPN Server 2.0 Enterprise Edition, you must purchase the PacketiX
VPN Server 2.0 Enterprise Edition License from a partner who handles PacketiX VPN.
Customers who already have a PacketiX VPN Server 2.0 Standard Edition License can
upgrade to the Enterprise Edition by purchasing an additional PacketiX VPN Server 2.0
Enterprise Edition Upgrade License.

When using the PacketiX VPN Server 2.0 Enterprise Edition, you must purchase client
connection and bridge connection licenses as well as the product license.

A list of partners who handle PacketiX VPN is available at http://www.softether.com/ .

32-bit Version and 64-bit Version

There is a 32-bit version and a 64-bit version of the PacketiX VPN Server 2.0 Enterprise
Edition product license.

- The PacketiX VPN Server 2.0 Enterprise Edition (32-bit version) runs only on a 32-bit
operating system.

- The PacketiX VPN Server 2.0 Enterprise Edition (64-bit version) can run on either a
32-bit or 64-bit operating system. You should select the 64-bit version if using a 64-
bit operating system (64-bit Windows, Linux, Solaris, etc.) on a 64-bit CPU (AMD64,
EM64T, etc.).

VPN Client and VPN Bridge are freeware. 32-bit and 64-bit versions are available. Even if
for example the connection destination VPN Server is a 32-bit version, the client side can
use a 64-bit version without additional cost.

For 64-bit environment support, see 「Chapter 12 PacketiX VPN Software
Specification」 .

1.3.5 PacketiX VPN Server 2.0 Carrier Edition

What is the Carrier Edition?

PacketiX VPN Server 2.0 Carrier Edition is the PacketiX VPN Server 2.0 product edition
optimized for operators such as Web hosting services, communications carriers and
Internet service providers that run a hosted online service providing VPN server
functions to their customers (end users).

All functions of the PacketiX VPN Server 2.0 Carrier Edition are available, and as standard
it can accept an unlimited number of VPN connections. A connection license is not
required.

If Carrier Edition is used, you can start a business providing online services to end users
such as shown in 「10.9 Setting Up a Large Scale Virtual HUB Hosting Service」 .

Carrier Edition is a special license offered only to communications companies that
conclude a contract with SoftEther Corporation or a SoftEther Corporation sales partner.
Ordinary customers cannot purchase this license.

Difference with Enterprise Edition

The PacketiX VPN Server 2.0 Carrier Edition differs from the Enterprise Edition in the
following ways:

- A connection license (client connection license / bridge connection license) does not
need to be purchased or registered to operate the Carrier Edition.

- Service providers providing VPN service for large numbers of end users originally had
to purchase a large number of PacketiX VPN Server product licenses and connection
licenses. Contracting for the Carrier Edition, however, eliminates the need to purchase
product and connection licenses and enables all PacketiX VPN Server functions to be
used for an extremely low price.

- It is necessary to conclude a contract to use the Carrier Edition with either SoftEther
Corporation or one of its sales partners. Contract terms differ according to the type of
business, but in the majority of cases the license fee is assessed according to the
monthly results of VPN Server usage (number of Virtual HUBs, number of registered
users, etc.).

- It is a precondition that multiple VPN Servers be operated in a cluster.

- Use of at least a 64-bit server is a precondition (a 32-bit version is also offered but is
not recommended from the standpoint of scalability when processing large numbers
of VPN connections from many end users).

- The virtual DHCP server function of the SecureNAT function can be used along with the
clustering function to enhance end user convenience. For details, see 「3.7.5 Virtual
DHCP Server」 and #3.9.13#.

- It also includes the PacketiX VPN 2.0 Administration Pack, which allows you to create
custom VPN client software or a customized installer that offers an easy install
function or Web install function to end users. For details, see #1.3.22#.

- The PacketiX VPN 2.0 Administration Pack is included as a standard accessory. For
details, see #1.3.21#.

- Communications companies that are interested may obtain details on the PacketiX
VPN Server 2.0 Carrier Edition License from the website at
http://www.softether.com/ .

32-bit Version and 64-bit Version

The PacketiX VPN Server 2.0 Carrier Edition runs on either a 32-bit or 64-bit operating
system. Running on a 64-bit operating system is however recommended if processing a
large number of VPN connections on a single VPN server.

For 64-bit environment support, see 「Chapter 12 PacketiX VPN Software
Specification」 .

1.3.6 PacketiX VPN Server 2.0 Embedded Edition

What is the Embedded Edition?

The PacketiX VPN Server 2.0 Embedded Edition is a special embedded version of PacketiX
VPN Server 2.0 offered by SoftEther Corporation to hardware vendors.

For example, you can integrate the functions of PacketiX VPN Server 2.0 or other PacketiX
VPN software into a compact board and use it for VPN communications for a specific
purpose.

You can also equip built-in devices such as a broadband router with PacketiX VPN Server
2.0 VPN server function to facilitate development of remote access VPN gateways.

Hardware vendors that are interested may obtain details on the PacketiX VPN Server
2.0 Embedded Edition License from the website at http://www.softether.com/ .

1.3.7 PacketiX VPN Server 2.0 Academic Edition

What is the Academic Edition?

The PacketiX VPN Server 2.0 Academic Edition is a free product license offered by
SoftEther Corporation to academic researchers.

The license is issued to researchers and research organizations using PacketiX VPN
Server 2.0 for non-profit academic research. The Academic Edition license is issued
under conditions established by SoftEther Corporation.

Academic researchers that are interested may obtain details on the PacketiX VPN
Server 2.0 Academic Edition License from the website at http://www.softether.com/ .

1.3.8 64-bit version of PacketiX VPN Server 2.0

Two versions, a 32-bit version and a 64-bit version, of PacketiX VPN Server 2.0 became
available in August 2006 (originally only the 32-bit version was offered).


The 64-bit version of PacketiX VPN Server 2.0 has the following advantages over the 32-
bit version.

Officially Compatible with the 64-bit Version Operating System

64-bit operating systems, for which 64-bit CPUs and computer hardware are now widely
used (for example Windows XP Professional x64 Edition, Windows Vista, etc.), have begun
to become popular. The conventional 32-bit version of PacketiX VPN 2.0 software was not
officially compatible with operating systems running in 64-bit mode; where it could run
on a 64-bit system in 32-bit emulation mode, it had several limitations, such as being
unable to use the Virtual Network Adapter or the local bridge function, and because of the
overhead of the emulation mode users could not benefit from the performance
enhancement that a 64-bit system should provide. The 64-bit version of PacketiX VPN
2.0 runs in 64-bit mode on 64-bit versions of Windows, Linux, FreeBSD and Solaris, and
compared with a 32-bit environment it exhibits its maximum performance in a
high-performance 64-bit computing environment.

Communication Throughput Improvement

Even on the same hardware, VPN communication throughput is improved when using the
64-bit version of PacketiX VPN 2.0 compared with the 32-bit version. On especially fast
communication lines, in environments where CPU speed and memory access architecture
form the bottleneck for VPN communications, a 17% better communication throughput
is known to be achieved by switching PacketiX VPN Server 2.0 to 64 bits.

Improvement in Number of Virtual HUBs and Simultaneous Connection VPN Sessions for
VPN Server

The conventional 32-bit version of PacketiX VPN Server 2.0 had the following limits on
the maximum number of Virtual HUBs on a single VPN Server and the maximum number
of simultaneously connected VPN sessions. The 64-bit version of PacketiX VPN Server 2.0
technically eliminates these limitations and enables a large number of Virtual HUBs and
VPN sessions to be supported by a single VPN Server.

Items                                            32-bit version VPN Server 2.0   64-bit version VPN Server 2.0
Number of Virtual HUBs                           4,096                           100,000
Number of VPN session simultaneous connections   4,096                           100,000

These are theoretical maximums and do not apply where hardware resources are
insufficient. The number of VPN sessions that can actually be connected for a VPN Server
product is separately limited according to the VPN Server product license and connection
licenses.

For example, when a service provider expands its business with PacketiX VPN by
implementing an ASP-type VPN service, creating a large number of Virtual HUBs on a
PacketiX VPN Server Carrier Edition system set up at a data center and renting the right
to use each Virtual HUB to end users, a large number of users can be accommodated by a
minimal number of computers by using server computers that support 64-bit
architecture.

How to Obtain Detailed Information

For 64-bit environment support, see 「Chapter 12 PacketiX VPN Software
Specification」 .

1.3.9 Connection Licenses

If using the PacketiX VPN Server 2.0 Standard Edition or PacketiX VPN Server 2.0
Enterprise Edition, in addition to a product license you must estimate the number of
VPN Clients and VPN Bridges (or VPN Servers) that could possibly connect simultaneously
to the VPN Server and purchase at least that many client connection licenses and bridge
connection licenses.

- In the case where communications companies offer VPN server service for end users
and a large number of simultaneous connections needs to be processed, PacketiX VPN
Server 2.0 Carrier Edition can be purchased. For details, see 「1.3.7 PacketiX VPN
Server 2.0 Academic Edition 」 .

The connection licenses are tied to the server computer on which PacketiX VPN Server
2.0 is installed, and their number determines how many connections the PacketiX VPN
Server 2.0 on that computer can process. Some or all of the connection licenses must
not be applied to the server computer running PacketiX VPN Server 2.0 as well.

If using PacketiX VPN Server 2.0 Enterprise Edition in a clustering environment, the
number of client connection licenses and bridge connection licenses are managed by the
cluster total. For details see 「1.7.5 Product License and Connection License when
Clustering」 .

PacketiX VPN Server 2.0 does not accept VPN connections from more computers than
the simultaneous connection limit calculated from the total number of licenses
registered. This software also provides functions matching, as far as possible, the
number of connection licenses and the contents of the license keys owned by the
customer, but some functions may degrade, become unstable or stop working because
of technical limitations that are difficult or impossible for the hardware or software to
avoid. For example, even if 400 client connection licenses are purchased, if the
available memory of the server computer running PacketiX VPN Server 2.0 is only
about 100 Mbytes, that memory would be used up at approximately 200 connections
and the function may not work properly. The number of connection licenses
establishes the theoretical upper limit on the number of connections that PacketiX VPN
Server 2.0 accepts, but it is not guaranteed that the customer can establish a number
of VPN connections equal to the number of licenses purchased.

1.3.10 Client Connection Licenses


PacketiX VPN Server 2.0 can accept and process simultaneous client connections up to
the total number of client connection licenses registered for that VPN Server 2.0. If the
limit is exceeded, client connections in excess of the total number of registered client
connection licenses cannot be processed; an error occurs for subsequently connected
VPN sessions and they are cut off.

Types of VPN Connection Sessions that Consume Client Connection Licenses

VPN connection sessions that match the following conditions are counted as the number
of client connections that require client connection licenses.

- VPN connection session from PacketiX VPN Client on another computer (not
including those connected in bridge/router mode)
If PacketiX VPN Client running on a separate computer connects via the network to a
Virtual HUB in PacketiX VPN Server 2.0, that VPN connection session is counted as a
client connection. VPN sessions for which bridge/router mode is enabled at the time of
VPN connection are, however, counted as bridge connections; they are not counted as
client connections and do not consume client connection licenses. Connections from a
PacketiX VPN Client running on the same computer as the VPN Server are not
connections via the network and are therefore not counted.

Internal SecureNAT sessions, local bridge sessions and cascade connection sessions on
PacketiX VPN Server 2.0, and administration sessions connected by PacketiX VPN Server
Manager or the vpncmd command, are not counted as client connections or bridge
connections and do not consume connection licenses.

1.3.11 Bridge Connection License

PacketiX VPN Server 2.0 can accept and process simultaneous bridge connections up to
the total number of bridge connection licenses registered for that VPN Server 2.0. If the
limit is exceeded, bridge connections in excess of the total number of registered bridge
connection licenses cannot be processed; an error occurs for subsequently connected
VPN sessions and they are cut off.

Types of VPN Connection Sessions that Consume Bridge Connection Licenses

VPN connection sessions that match the following conditions are counted as the number
of bridge connections that require bridge connection licenses.

- VPN session of a cascade connection from PacketiX VPN Server 2.0 or PacketiX
VPN Bridge 2.0 on a separate computer
If PacketiX VPN Bridge 2.0 or PacketiX VPN Server 2.0 running on a separate
computer connects via the network to a Virtual HUB in PacketiX VPN Server 2.0, that
VPN connection session is counted as a bridge connection. When a Virtual HUB in the
same PacketiX VPN Server 2.0 connects to another of its Virtual HUBs by cascade
connection, however, it is not a connection via the network, so it is not counted as a
bridge connection and does not consume a bridge connection license.


- VPN connection session connected in bridge/router mode from PacketiX VPN
Client 2.0 on a separate computer
If PacketiX VPN Client 2.0 running on a separate computer connects in bridge/router
mode via the network to a Virtual HUB in PacketiX VPN Server 2.0, that VPN
connection session is counted as a bridge connection. VPN sessions from VPN Client
for which bridge/router mode is not enabled at the time of VPN connection are,
however, counted as client connections; they are not counted as bridge connections
and do not consume bridge connection licenses. Connections from a PacketiX VPN
Client running on the same computer as the VPN Server are not connections via the
network and are therefore not counted.

For details concerning bridge/router mode by PacketiX VPN Client 2.0, see 「1.6.9
Bridge/Router Mode Session」 and 「3.4.9 Communicating in Bridge / Router Mode
Session」 .

Internal SecureNAT sessions, local bridge sessions and cascade connection sessions on
PacketiX VPN Server 2.0, and administration sessions connected by PacketiX VPN Server
Manager or the vpncmd command, are not counted as client connections or bridge
connections and do not consume connection licenses.

Even if a physical network adapter is connected to a Virtual HUB of PacketiX VPN
Server 2.0 by a local bridge (see 「3.6 Local Bridges」 ), the local bridge itself is
not counted in the number of bridges and does not consume a bridge connection
license.

1.3.12 PacketiX VPN Client and PacketiX VPN Bridge

No product license or connection license is required to use PacketiX VPN Client 2.0 and
PacketiX VPN Bridge 2.0 themselves. Because VPN Client 2.0 and VPN Bridge 2.0 are
freeware offered by SoftEther Corporation, they can be used in accordance with the users'
agreement displayed when installing.

If PacketiX VPN Client 2.0 and PacketiX VPN Bridge 2.0 are however connected to
PacketiX VPN Server 2.0, they require the product license for the connection destination
PacketiX VPN Server 2.0 and client connection licenses and bridge connection licenses
(does not apply to VPN Server that does not require purchase of connection license).

1.3.13 Demo Version License

SoftEther Corporation issues a demo version license so potential customers can try the
usage method, performance, functions and stability of PacketiX VPN 2.0 before
purchasing product licenses and connection licenses.

The demo version license is issued free of charge. A demo version license key for the
desired edition (PacketiX VPN Server 2.0 Standard Edition or PacketiX VPN Server 2.0
Enterprise Edition) and demo version license keys for a sufficient number of client
connection licenses and bridge connection licenses can be obtained when the software is
applied for. The demo version can be used for a certain period (the period is set when
SoftEther Corporation issues the license; usually about 60 days). When the period is up,
you must either purchase a license or usage of PacketiX VPN Server 2.0 expires.

If the product version license is purchased while in demo version license status, the
status can be changed to product version license smoothly without interrupting operation
of VPN Server.

As a rule, the demo version license for PacketiX VPN Server 2.0 is issued only
once to an organization.

The same functions that are available with the product version license of PacketiX VPN
Server 2.0 can also be used with the demo version license. We strongly recommend that
you use PacketiX VPN Server 2.0 with the demo license to try out the performance and
functions in the actual environment in which PacketiX VPN 2.0 will be used before
purchasing a product license for PacketiX VPN Server 2.0.

You can obtain the demo version of PacketiX VPN Server 2.0 from the website at
http://www.softether.com/ .

When using the demo version license, a usage time limit for the demo version is set
for PacketiX VPN Server 2.0 only. PacketiX VPN Client and PacketiX VPN Bridge are
freeware regardless of the usage time limit.

1.3.14 License Expiration Date

License keys purchased as a regular product version license normally have no expiration
date. Licenses with no expiration date can be used for an unlimited period of time.

The expiration date of the demo version license is the same as the usage time limit.
Both product license and connection licenses automatically become invalid when they
expire and are treated as licenses that are not registered for PacketiX VPN Server 2.0.
Sessions of VPN Client and VPN Bridge connected to PacketiX VPN Server when a
connection license expires however are not suddenly interrupted the instant the license
expires.

SoftEther Corporation may issue licenses other than product or demo version to certain
customers. These licenses are usually called Premium Licenses. Premium Licenses may
or may not have an expiration date. If SoftEther Corporation specifies conditions
together with the license, the license may become invalid according to those conditions.

1.3.15 Server ID of License

Role of Server ID

A number of up to 12 digits called the server ID is specified for every license key for
PacketiX VPN Server 2.0. The server ID identifies the computer on which PacketiX VPN
Server 2.0 runs.

If for instance there were two VPN server computers called A and B in a certain
company, both installed with PacketiX VPN Server 2.0 and used as VPN servers, the
server ID of the product license issued for server computer A differs from the server ID
of the product license issued for server computer B.

The server ID contained in the license information input into PacketiX VPN Server 2.0 is
read, and the current server ID is displayed to the administrator of VPN Server 2.0. For
details on checking the license status, see 「7.4.3 Checking the Current License Status
and the Usage Status of the Number of Connections」 .

If the customer wants to purchase an additional connection license for PacketiX VPN
Server 2.0 of server computer A, he specifies the server ID of server computer A and
purchases the connection license for that server.

In keeping with this, the connection license key issued for another VPN Server running
PacketiX VPN Server 2.0 such as server computer B cannot be input and used for server
computer A.

Similarly, if a product license for PacketiX VPN Server 2.0 Standard Edition is purchased
and the server is used as PacketiX VPN Server 2.0 Standard Edition, and the clustering
function is later required, then even when the PacketiX VPN Server 2.0 Enterprise Edition
Upgrade License is subsequently purchased, the server ID of the PacketiX VPN Server 2.0
Standard Edition already in use must be specified for the upgrade.

Advantages of Administration by Server ID

A server ID is specified for the product and connection licenses for PacketiX VPN Server
2.0, and license keys with different server IDs cannot be mixed and registered on the
same server. The customer therefore decides in advance which license with which server
ID is to be used on which computer, which facilitates administration of the number of
licenses and of the license keys.

The server ID is also an integer of about 40 bits generated from random numbers, so
that a new product license issued by SoftEther Corporation cannot duplicate another
server ID. It has no other significance, and the customer does not have to supply
SoftEther Corporation with administrative information, such as on which computer the
license is to be used, when purchasing a license.

1.3.16 License ID and License Key

License ID and License Key

The product license, client connection license and bridge connection license for PacketiX
VPN Server 2.0 are distinguished by license ID and license key. The customer owns the
license ID and license key. By inputting them in PacketiX VPN Server 2.0, it proves that
the customer owns a legitimate license for the PacketiX VPN Server 2.0 program and
enables PacketiX VPN Server 2.0 functions to be used.

License Key

License keys are for uniquely distinguishing licenses. The licenses for which the key must
actually be input for PacketiX VPN Server 2.0 are generally of the following format:

XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX

The license key, expressed as a 36-digit combination of numbers and hyphens, contains
the information required for license administration, such as the license type, license
expiration date, server ID and serial ID. Possessing the license key proves that the user
owns a legitimate license for PacketiX VPN Server 2.0.

License ID

License ID uniquely distinguishes licenses. When the license key is input, the
corresponding license ID is displayed by PacketiX VPN Server 2.0. The license key is
printed on the license certificate when the license is issued and sent to the customer by
e-mail.

The license ID is generally of the following format:

AAAAA-BBBBB-CCCCCCCCCCCC-DDDDD-EE

Numbers go in the digits indicated by the letters A - E above. The license ID consists of
29 digits (not counting the hyphens). The information in the various fields is as follows:

Field          Value

AAAAA          License type (5-digit number indicating whether the license is a
               product license or a connection license)

BBBBB          If the license has no time limit, the number is 00000. If the license
               has an expiration date, the number indicates the expiration date
               (approximate number of days from January 1, 2005). If it is 4 digits
               or less, zeros are added to the front until it reaches 5 digits.

CCCCCCCCCCCC   12-digit number that indicates the server ID. If it is 11 digits or
               less, zeros are added to the front until it reaches 12 digits.

DDDDD          5-digit number that indicates the serial ID, which distinguishes
               license keys under the same server ID. If it is 4 digits or less,
               zeros are added to the front until it reaches 5 digits.

EE             Check digit (2 digits)

Thus you can tell whether or not there is an expiration date by looking at the second
field, and the server ID of the license by looking at the third field of the license ID. This
facilitates administration of multiple license keys and license IDs.
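The following is an added example, not code from SoftEther Corporation or the PacketiX VPN product, that decodes the license ID layout AAAAA-BBBBB-CCCCCCCCCCCC-DDDDD-EE described above so that an administrator can read the expiration date, group license IDs by server ID, list expired IDs, and redact a license key before pasting it into a support ticket (the manual says only the license ID, never the key, should be shared). The page does not document the check-digit algorithm, so field EE is only checked for its shape; the sample IDs, check digits and the redaction helper are constructed for the demonstration.

```python
"""Constructed example (not SoftEther's code): decoding PacketiX VPN Server 2.0
license IDs of the form AAAAA-BBBBB-CCCCCCCCCCCC-DDDDD-EE.
The check-digit algorithm is not documented on the page, so EE is only
checked for being two digits. All sample IDs below are made up."""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

EPOCH = date(2005, 1, 1)            # expiry field counts days from January 1, 2005
FIELD_WIDTHS = (5, 5, 12, 5, 2)     # widths of AAAAA, BBBBB, CCCCCCCCCCCC, DDDDD, EE


def parse_license_id(license_id: str) -> Dict[str, object]:
    """Split a license ID into its fields and decode the numeric ones."""
    parts = license_id.strip().split("-")
    if len(parts) != len(FIELD_WIDTHS):
        raise ValueError("license ID must have 5 hyphen-separated fields")
    for part, width in zip(parts, FIELD_WIDTHS):
        if len(part) != width or not part.isdigit():
            raise ValueError(f"field {part!r} must be exactly {width} decimal digits")
    type_field, expiry_field, server_field, serial_field, check = parts
    days = int(expiry_field)
    expires: Optional[date] = None if days == 0 else EPOCH + timedelta(days=days)
    return {
        "license_type": int(type_field),   # product vs connection license (per the manual)
        "expires": expires,                # None means no time limit (field is 00000)
        "server_id": int(server_field),    # up to 12 digits, zero-padded on the left
        "serial_id": int(serial_field),    # distinguishes keys under one server ID
        "check_digits": check,             # algorithm not documented here; shape only
    }


def format_license_id(license_type: int, expires: Optional[date],
                      server_id: int, serial_id: int, check_digits: str) -> str:
    """Inverse of parse_license_id: zero-pads each field to the width the manual gives."""
    days = 0 if expires is None else (expires - EPOCH).days
    if not (0 <= days < 10**5 and 0 <= server_id < 10**12 and 0 <= serial_id < 10**5):
        raise ValueError("value does not fit its field width")
    return f"{license_type:05d}-{days:05d}-{server_id:012d}-{serial_id:05d}-{check_digits}"


def group_by_server(license_ids: Iterable[str]) -> Dict[int, List[str]]:
    """Group license IDs by server ID, the administrative view the manual recommends."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for lid in license_ids:
        groups[parse_license_id(lid)["server_id"]].append(lid)
    return dict(groups)


def expired_ids(license_ids: Iterable[str], today: date) -> List[str]:
    """License IDs whose expiration date is before `today`; no-limit IDs never expire."""
    out: List[str] = []
    for lid in license_ids:
        exp = parse_license_id(lid)["expires"]
        if exp is not None and exp < today:
            out.append(lid)
    return out


def redact_license_key(key: str) -> str:
    """Mask a license key for logs or support tickets, keeping only the first group.
    (Constructed helper: the manual only says not to disclose the key.)"""
    groups = key.split("-")
    return "-".join([groups[0]] + ["X" * len(g) for g in groups[1:]])


# Constructed sample IDs for the demonstration (check digits are arbitrary).
SAMPLE_IDS = [
    "00001-00000-000000123456-00001-42",   # no time limit, server ID 123456, serial 1
    "00002-00060-000000123456-00002-17",   # expires 60 days after 2005-01-01, same server
    "00002-00000-000000654321-00001-88",   # license issued to a different server ID
]

if __name__ == "__main__":
    for sample in SAMPLE_IDS:
        print(sample, parse_license_id(sample))
    print(group_by_server(SAMPLE_IDS))
    print(redact_license_key("123456-234567-345678-456789-567890-678901"))
```

`group_by_server` reproduces the administrative check the manual describes: keys carrying different server IDs must not be mixed on one server, so grouping by the third field shows at a glance which IDs belong together.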

Treatment of License Keys and License IDs

You should treat license keys and license IDs issued directly by SoftEther Corporation or
through one of its partners with care. License keys should be stored with particular care
and should only be revealed to the minimum number of people required, such as the
administrator of PacketiX VPN Server 2.0. A license key cannot be generated from the
license ID alone, so even if the license ID is leaked, license violation can be prevented;
but if the license key gets out, the software product can be illegally used by inputting
the key into another computer, resulting in damage. If PacketiX VPN 2.0 support is
requested from a partner, only let them know the license ID (there is no need to present
the license key when receiving support).

Inputting the same License Key in Multiple Computers is Illegal Copying and is
Prohibited by Law.

The customer may not input the same license key in 2 or more computers running
PacketiX VPN Server 2.0. The users' agreement for PacketiX VPN Server 2.0 stipulates
that this usage method, to " input the same product license key or connection license in
2 or more computers.", is prohibited. If the user disregards this and inputs the same
product license key or connection license key in multiple computers, it infringes on
program copyright, constitutes a violation of copyright law and is subject to criminal or
civil penalty.

1.3.17 License Validity and Information Check Method

Customers can use the website to check whether or not product license keys and
connection license keys purchased through partners that handle PacketiX VPN are legally
issued by SoftEther Corporation.

By accessing the PacketiX license management service website, as a rule, customers can
check whether the license keys or license IDs they hold are genuine and can also get
additional detailed information on licenses.

To check validity of PacketiX product licenses and additional information, access the
website at http://www.softether.com/ .

License information that customers can check by accessing the PacketiX license
management service website and inputting their license key or license ID is as follows:

License type

License ID

License key

Server ID

Serial ID

License issue date/time

License expiration date

License sales partner name and support information

Input license server ID and list of other license IDs and license keys held by the same
server ID

1.3.18 Additional Purchase of Licenses

If you are using PacketiX VPN Server 2.0 Standard Edition or PacketiX VPN Server 2.0
Enterprise Edition and the number of client connection licenses and bridge connection
licenses has become insufficient, contact the partner from whom you purchased PacketiX
VPN or the person in charge of support under your maintenance contract, etc. The
server ID or license ID is required at this time. Additionally purchased client connection
licenses, bridge connection licenses or the PacketiX VPN Server 2.0 Enterprise Edition
Upgrade License are issued to the server ID of the PacketiX VPN Server 2.0 that the
customer already has.

1.3.19 PacketiX VPN 2.0 Option Pack

Overview of PacketiX VPN 2.0 Option Pack

PacketiX VPN 2.0 Option Pack is an update with additional new functions for PacketiX
VPN 2.0 software (VPN Client 2.0 / VPN Server 2.0 / VPN Bridge 2.0).

Each time a new function is added to PacketiX VPN Server 2.0, users who own an Option
Pack license can update the software by downloading and can automatically use the
latest functions free of charge.

How to get PacketiX VPN 2.0 Option Pack

Those who own a product license for PacketiX VPN Server 2.0 (Standard Edition or
Enterprise Edition) have the right (license) to obtain PacketiX VPN 2.0 Option Pack and
use the latest software functions. Specifically Option Pack functions can be used by
inputting the license key issued.

In order to get as many users as possible to use PacketiX VPN 2.0 Option Pack, as a rule
SoftEther Corporation offers the license free of charge (to users who own VPN Server
Standard Edition or Enterprise Edition and to end users who subscribe to maintenance
service provided by SoftEther Corporation or one of its sales partners). Other users
should contact a sales partner to see if an Option Pack license can be purchased
additionally.

List of new Functions as of August 2006

By introducing PacketiX VPN 2.0 Option Pack, the customer can use new functions
developed by the company since the initial version of PacketiX VPN 2.0 was released and
went on sale in December 2005 (Build 5080).

1. VoIP / QoS function
For communication packets that are considered to require low-delay, low-jitter
transmission, such as VoIP, the VoIP / QoS function, a technology that secures
wider bandwidth for such packets than for other packets, can be used. For details,
see 「1.9.1 What is VoIP / QoS Support Function?」 .
2. Syslog transmission function
The contents of the administration log for the entire VPN Server 2.0, or the
security log and packet log for each Virtual HUB, can be sent to an external syslog
server, etc., by the syslog protocol, which is a standard log delivery protocol.
The various logs of VPN Server 2.0 used to be saved only on the local disk, but by
using the syslog transmission function, a system administrator administering
multiple systems can consolidate log administration and reduce administration
cost, and the receiving side can issue an alert when certain log contents
concerning the software appear. For details, see 「3.3.17 Syslog Transmission
Function」 .
3. Multi-login restriction function
As a security policy, a multiple login limit can be set for each group or user
registered to a Virtual HUB. If a user attempts to connect multiple sessions to a
Virtual HUB under the same user name and the number of connections set for that
user name is exceeded, new connections under that user name are refused. With
the old version of VPN Server 2.0, once a user object was created, multiple VPN
sessions could be simultaneously established from multiple VPN client computers.
Where an account is issued to each individual company user for VPN connection,
for example, the same person could establish VPN connections simultaneously
from multiple locations using multiple computers, which poses problems for both
administration and security. This function enables the system administrator of
VPN Server 2.0 to limit the number of VPN connections that can be simultaneously
established for each user to a specified number (usually one). For details, see
「3.5.9 Security Policies」 .

The contents of the online manual apply to the time when the manual was prepared.
Check http://www.softether.com/ for the latest product information and new
functions available for Option Pack.

1.3.20 PacketiX VPN 2.0 Administration Pack

Overview of PacketiX VPN 2.0 Administration Pack

The PacketiX VPN 2.0 Administration Pack is a collection of special software tools for
those in the position to offer VPN service to large numbers of end users such as service
providers and system administrators of companies. In specific terms, the following
software is included:

• VPN client easy installer creation kit
Enables you to create an easy installer for distribution to end users in your company
organization. Unlike the old VPN Client installer, the user only has to launch the
installer. VPN Client software is then installed on the computer automatically. If
necessary, connection to the VPN server can be initiated using the connection setting
file contained in the installer. The end user is therefore not burdened with installing
the VPN Client software and making the initial settings and can connect to the VPN
server set up by the network administrator with a single click. By using it in
combination with a brand kit, you can create an easy installer to install your own
company-branded VPN Client.

• VPN Client web installer creation kit
VPN Client software is automatically installed on the end user's computer by just
accessing the web page and clicking the ActiveX control. If necessary, connection to
the VPN server can be initiated using the connection setting file contained in the
installer. This eliminates the need for the network administrator to distribute the VPN
Client installer file to the end user in advance, and VPN Client can be installed by just
pasting the URL sent by e-mail into the user's web browser. By using it in combination
with a brand kit, you can create a web installer to install your own company-branded
VPN Client.

• VPN Server SDK for .NET 2.0
DLL file (private assembly) for Microsoft .NET Framework 2.0 for automatically
controlling running VPN Server software. All operations that are carried out manually
in conventional system administration using VPN Server Manager or vpncmd (checking
Virtual HUBs, creating/deleting users, etc.) can be freely carried out by calling
functions from .NET programs created with C#.net or VB.net, etc. This enables VPN
Server administration, operation checks, etc., to be conducted automatically from an
administration utility or a web application running on ASP.NET, etc. If an ASP-type
VPN service is offered to end users using Carrier Edition, operation can be linked with
the user's online sign-up system, online settings page, etc., facilitating construction of
a system that operates the status of the VPN server side in real time.

How to get PacketiX VPN 2.0 Administration Pack

Users who own a product license for PacketiX VPN Server 2.0 Enterprise Edition or
PacketiX VPN Server 2.0 Carrier Edition can use PacketiX VPN 2.0 Administration Pack
free of charge (this applies from the time PacketiX VPN 2.0 Administration Pack is
offered).

Other users who want to obtain PacketiX VPN 2.0 Administration Pack should inquire
from the company website at http://www.softether.com/ .


1.4 VPN Operation Principle and Communication Method

This section contains a description of the operation principle and communication method
of the VPN that can be constructed by PacketiX VPN, an overview of the modules and
functions used by VPN communications, and the types of VPN that can be constructed
using PacketiX VPN.

1.4.1 Conventional Ethernet Configuration

PacketiX VPN implements the mechanism of Ethernet communications as it is in
software and realizes a VPN by creating a virtual network. The following is a brief
description of the mechanism by which Ethernet operates.

Ethernet Basics

With a LAN using common Ethernet standards (IEEE802.3) such as conventional 100Base-
TX or 1000Base-T, multiple computers equipped with communications equipment
(network adapter) that supports Ethernet are connected in a star topology to a central
switching HUB (also referred to as a "layer 2 switch") and communicate freely with
each other.

Switching HUB and Network Adapter

With Ethernet multiple computers can communicate with each other. Here however the
computers use a network adapter (also referred to as "LAN Card") which is a special
device for connecting to Ethernet, and connect physically to Ethernet.

In specific terms, the computer connects from the network adapter to the desired
Ethernet switching HUB by a physical signal line called a "network cable".

Fig. 1-4-1 Switching HUB and network adapter for Ethernet

MAC Address

Computers participating in Ethernet must have IDs that do not duplicate each other in
order to communicate. Each network adapter is assigned a unique 48-bit ID. This 48-bit
ID is referred to as the "MAC address". As a rule, the MAC address of a physical network
adapter is assigned so that it is not duplicated anywhere in the world (in the case of a
software network adapter such as the PacketiX VPN Virtual Network Adapter, the address
is generated by a suitable algorithm whereby the possibility of the MAC address actually
being duplicated is extremely low).

Communication Packets (Ethernet Frames) that Flow through Ethernet

Communication packets that flow through Ethernet are commonly referred to as
"Ethernet frames" or "MAC frames" (in this manual they are uniformly referred to as
"Ethernet frames"). Ethernet frames contain several headers and the data to be actually
transmitted (payload). The following four items are the most important of these.

Fig. 1-4-2 Ethernet frame (MAC frame)

The destination MAC address (48 bits) is a field containing the MAC address of the
receiver, indicating to which computer the sending computer's Ethernet frames will be
delivered. Relaying devices such as a switching HUB within Ethernet read the
destination MAC address and relay the Ethernet frames.

The source MAC address (48 bits) is the field containing the MAC address of the network
adapter of the computer sending the Ethernet frames.

Protocol type (16 bits) indicates, as a 16-bit value, which layer 3 protocol the data
contained in the Ethernet frame (payload) uses. For example the value is 0x0800 for IP
and 0x0806 for ARP. In some cases the field may contain a value that indicates the length
of the payload instead of the protocol type, but this is currently not used often.

The payload (maximum 1500 bytes) is the data to be actually transmitted using
Ethernet.

Unicast and Broadcast

There are two ways that Ethernet frames can be sent. "Unicast" is when an Ethernet
frame is sent by specifying the MAC address of a certain network adapter, and
"broadcast" is when the frame is sent to all network adapters participating in the
Ethernet other than your own.

When sending frames by unicast, the MAC address of the destination network adapter is
specified as the destination MAC address; when sending frames by broadcast, the special
MAC address FF:FF:FF:FF:FF:FF is specified as the destination MAC address. Frames
whose destination MAC address is FF:FF:FF:FF:FF:FF are called "broadcast packets" and
as a rule can be received by all computers (network adapters) participating in the
Ethernet network.

Switching HUB Mechanism

The switching HUB used by Ethernet (layer 2 switch) constructs a network by Ethernet
and is an important peripheral device for communication. Switching HUBs have multiple
ports (usually 8 ports, but they can have from tens to hundreds). By connecting a
computer to the switching HUB by network cable, etc., a physical link is established
between the switching HUB and the computer's network adapter, thus enabling Ethernet
communications at layer 2.

The ports of a switching HUB can also be connected to the ports of another switching
HUB. Even though the connected switching HUBs were originally separate Ethernet
networks, by connecting them by network cable, they work like a single Ethernet
network. This is called "cascade connection".

The computers connected to the switching HUBs on the left and right in the following
figure can communicate freely with each other.

Fig. 1-4-3 Segment junction by cascade connection of switching HUBs


Frame Exchange and MAC Address Learning by Switching HUB

Switching HUBs constantly recognize in advance which computers with what sort of MAC
address are connected to the respective ports and maintain the information in an
internal database. This is called a "MAC address table".

When a switching HUB receives an Ethernet frame, it reads the destination MAC address
of the Ethernet frame, and if the destination MAC address is registered in the MAC
address table, it is sent to the concerned port. If the destination MAC address is not
registered in the MAC address table or the Ethernet frame is a broadcast frame, it is sent
to all ports.

The processing whereby a switching HUB learns new MAC addresses and registers them
in the internal MAC address table is carried out automatically by reading the source MAC
address each time a new Ethernet frame is received.

This realizes the function whereby unicast packets are sent only to the required ports
and not to unnecessary ports. This is called the "frame exchange and MAC address
learning" function of a switching HUB.
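As an added example, not code from PacketiX VPN or SoftEther Corporation, the following models the frame structure described under "Communication Packets (Ethernet Frames)" and the frame exchange / MAC address learning behaviour described in this section, including a cascade connection between two HUBs (the same forwarding logic that the Virtual HUB later implements in software). It parses a frame into destination MAC, source MAC, protocol type and payload, learns the source MAC on the ingress port, forwards known unicast frames to one port, floods broadcast and unknown-destination frames, and filters a frame whose destination is behind the port it arrived on. The hub names, port numbers, MAC addresses and payloads are constructed for the demonstration; the EtherType values 0x0800 (IPv4) and 0x0806 (ARP) are the IEEE-registered ones.

```python
"""Constructed example, not code from PacketiX VPN or SoftEther Corporation:
Ethernet frame parsing plus a software model of a switching HUB with MAC
address learning and cascade connection. All addresses and ports are made up."""
import struct
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
# IEEE-registered EtherType values: 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame (no VLAN tag, no trailing FCS)."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into destination MAC, source MAC, protocol type and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src = mac_to_str(frame[0:6]), mac_to_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if len(payload) > 1500:
        raise ValueError("payload exceeds the 1500-byte Ethernet maximum")
    # A value of 1500 or less in this field is an IEEE 802.3 length, not a protocol type.
    if ethertype <= 1500:
        protocol = "length"
    else:
        protocol = ETHERTYPES.get(ethertype, f"unknown 0x{ethertype:04x}")
    return {"dst": dst, "src": src, "ethertype": ethertype, "protocol": protocol,
            "broadcast": dst == BROADCAST, "payload": payload}


class SwitchingHub:
    """Software model of a layer 2 switch: learns which port each source MAC was
    seen on, forwards known unicast frames to that port only, and floods
    broadcast or unknown-destination frames to every other port."""

    def __init__(self, name: str, ports: int) -> None:
        self.name = name
        self.ports = ports
        self.mac_table: Dict[str, int] = {}                     # MAC address table
        self.links: Dict[int, Tuple["SwitchingHub", int]] = {}  # port -> cascaded hub, port

    def cascade(self, my_port: int, other: "SwitchingHub", other_port: int) -> None:
        """Cascade-connect two hubs so their two segments behave as one."""
        self.links[my_port] = (other, other_port)
        other.links[other_port] = (self, my_port)

    def receive(self, in_port: int, frame: bytes, log: List[str]) -> List[int]:
        """Handle one frame arriving on in_port; returns the ports it was sent out of."""
        hdr = parse_frame(frame)
        self.mac_table[hdr["src"]] = in_port                   # MAC address learning
        known = None if hdr["broadcast"] else self.mac_table.get(hdr["dst"])
        if known is None:                                       # broadcast or unknown: flood
            out_ports = [p for p in range(1, self.ports + 1) if p != in_port]
        elif known == in_port:                                  # destination sits behind the
            out_ports = []                                      # ingress port: filter, don't echo
        else:
            out_ports = [known]                                 # known unicast: one port
        log.append(f"{self.name}: {hdr['src']} -> {hdr['dst']} ({hdr['protocol']}) "
                   f"in port {in_port}, out {out_ports}")
        for port in out_ports:
            if port in self.links:                              # hand the frame across the cascade
                other, other_port = self.links[port]
                other.receive(other_port, frame, log)
        return out_ports


def demo() -> List[str]:
    """Two cascaded hubs: a broadcast ARP request floods both segments, after
    which unicast frames follow a single learned path. Returns the forwarding log."""
    hub_a, hub_b = SwitchingHub("HUB-A", 8), SwitchingHub("HUB-B", 8)
    hub_a.cascade(8, hub_b, 8)
    pc1, pc2, pc3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    log: List[str] = []
    hub_a.receive(1, build_frame(BROADCAST, pc1, 0x0806, b"who-has 192.0.2.3"), log)
    hub_b.receive(3, build_frame(pc1, pc3, 0x0806, b"192.0.2.3 is-at pc3"), log)
    hub_a.receive(2, build_frame(pc3, pc2, 0x0800, b"ip payload"), log)
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running `demo()` shows the broadcast reaching every port of both hubs, after which each hub has learned the remote computers on its cascade port and delivers unicast replies to exactly one port, which is the behaviour the section calls frame exchange and MAC address learning.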

Ethernet Segment (Broadcast Domain)

In the examples thus far, a single network through which computers participating in an
Ethernet network can communicate freely with each other is called an "Ethernet
segment," a "segment" or a "broadcast domain". An Ethernet configured of one switching
HUB is usually one segment. A segment can also be formed by connecting two originally
separate segments by network cable, etc., as was previously mentioned.

Cascade Connection

As was previously mentioned, the method of connecting two segments configured of two
switching HUBs and using as a single segment is called "cascade connection". Cascade
connection can consist of an unlimited number of cascades provided the physical limit
established for Ethernet is not exceeded. The fact that cascade connection can be
accomplished easily is one of the greatest features of using Ethernet. By cascade
connecting another switching HUB to one for which the number of ports has become
insufficient, you can increase the number of available ports and increase the number of
computers that can be connected to the network.

Bridge Connection

Bridge connection enables frames to be exchanged freely between two physically
separated Ethernet segments by cascade connection or a similar configuration.

Cascade connection and bridge connection are technically similar connection methods,
but whereas cascade connection indicates connecting switching HUBs to construct a
single large segment from the beginning, bridge connection means connecting networks
to be used as two segments that are physically separate and are administered
separately.

1.4.2 Virtual HUB


With PacketiX VPN by creating a virtual switching HUB and network adapter, VPN
communication that creates virtual Ethernet is realized. This section contains a brief
description of Virtual HUB. A more concrete description of Virtual HUB is provided in
「1.6 VPN Communication Details」 .

Virtual HUB Functions

Virtual HUB is one of the most important functions of PacketiX VPN. Virtual HUB
implements the same level of functions as the existing common layer 2 switching HUB as
software. Virtual HUB has a MAC address learning function and frame exchange/delivery
functions based on learning. Whereas conventional switching HUBs used to handle this
processing as hardware, with Virtual HUB of PacketiX VPN, the processing is handled as
software.

For details concerning realization of VPN communications by Virtual HUB, see 「1.6 VPN
Communication Details」 and 「3.4 Virtual HUB Functions」 .

PacketiX VPN Server can create multiple Virtual HUBs. You can create as many Virtual
HUBs as memory space, CPU speed and specifications will permit. Each Virtual HUB
conducts MAC address learning for the virtual Ethernet frames flowing through the VPN.
As a result a virtual layer 2 Ethernet segment is realized by delivering Ethernet frames
to the other computers participating in that VPN.

Fig. 1-4-4 Connection between Virtual HUBs or between Virtual Network Adapters

Creation and Administration of Multiple Virtual HUBs

If multiple Virtual HUBs are created within a single VPN server, those Virtual HUBs
cannot communicate with each other. Consequently if multiple Virtual HUBs are created,
it means multiple Ethernet segments are formed within the VPN Server.

Unlike the physical switching HUB in conventional Ethernet, the Virtual HUB of PacketiX
VPN is connected by a TCP/IP-based tunneling protocol (the PacketiX VPN protocol) via an
existing IP network (such as the Internet) rather than by direct connection with a network
cable. In other words, a virtual port equivalent to a port on a physical switching HUB
stands by for connections to the Virtual HUB, enabling another computer to make a VPN
connection by the PacketiX VPN protocol just as if it were connected to that virtual port
by network cable.

Fig. 1-4-5 Segment separation by Virtual HUB within VPN Server

Role of Administration Unit

As was previously mentioned, you can connect to Virtual HUB from a remote location by
PacketiX VPN protocol, but if connection is permitted by anybody, a third party not
permitted can connect to the Virtual HUB. To prevent this the administrator defines
users who can connect to the Virtual HUB, and can set so that only users successfully
authenticated are accepted (either password authentication or certificate authentication
may be used). Concerning communication within the Virtual HUB as well, permitting all
communication contents by default but applying packet filtering and security policy,
some types of communication can be blocked.

These setting contents are completely independent for each Virtual HUB, and
administration is divided into units so each individual administrator can administrate
separately. Administrators of VPN Servers at large can manage all Virtual HUBs, but
administrators granted authority concerning some Virtual HUBs from the VPN Server
administrator can manage only those Virtual HUBs and are unable to manage other
Virtual HUBs.

Method of Connecting Virtual HUBs to each other

Virtual HUBs can be cascade connected to Virtual HUBs operating on the same VPN
Server or VPN Server operating on another computer, and the cascade connected Virtual
HUBs that were originally separate segments are joined to work as a single segment.

Virtual HUBs operating on the same VPN Server can also be connected to each other at
layer 3 by IP routing via a virtual layer 3 switch.

1.4.3 Virtual Network Adapter

With PacketiX VPN, a physical switching HUB can be made virtual to realize a Virtual HUB.
Similarly, a physical network adapter can be made virtual by software to realize a Virtual
Network Adapter. A Virtual Network Adapter can connect to a Virtual HUB operating within
a PacketiX VPN Server at a remote location through a network by the TCP/IP-based
PacketiX VPN protocol.

For details concerning PacketiX VPN Client and Virtual Network Adapter, see 「Chapter 4
PacketiX VPN Client 2.0 Manual」 .

Fig. 1-4-6 PacketiX VPN Virtual Network Adapter recognized as a network adapter by the
operating system

Virtual Network Adapter software is currently offered as PacketiX VPN Client for Windows
and Linux. A computer on which PacketiX VPN Client is installed can connect to a VPN
Server as a VPN client. Multiple Virtual Network Adapters can be created on a client
computer in the PacketiX VPN Client settings. Because a created Virtual Network Adapter
is recognized by almost any communications application running on the operating system
as a network adapter, just like a physical one, as a rule almost all network protocols that
support Ethernet communication, as well as the TCP/IP protocol, can communicate over
the VPN via the Virtual HUB.

Fig. 1-4-7 Property window of Virtual Network Adapter

1.4.4 Cascade connection and virtual layer 3 switch

With PacketiX VPN Server, you can create multiple Virtual HUBs and operate them side by
side. In the initial state, however, each Virtual HUB is an independent layer 2 segment:
computers connected to the same Virtual HUB can communicate freely, but computers
connected to different Virtual HUBs cannot communicate with each other.

Cascade Connection

Using the cascade connection function, you can connect a Virtual HUB to another Virtual
HUB operating on the same VPN Server or on another computer's VPN Server. By
combining the cascade connection and bridge connection functions, you can easily
construct a base-to-base VPN. For details on cascade connection, see 「3.4.11 Cascade
Connection Functions」. For examples of VPN construction combining the cascade and
bridge connection functions, see 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge
Connections)」.

Virtual Layer 3 Switch


The virtual layer 3 switch function emulates a communications device that performs IP
routing, called a "layer 3 switch" or "IP router".

Layer 3 switches and IP routers join physically separated layer 2 segments, each with its
own broadcast domain, into a single layer 3 IP network. Layer 2 segments separated in
this way communicate via the layer 3 switch or router, and an IP packet can reach another
network by passing through layer 3 switches or routers in sequence. Massive IP networks
such as the Internet are realized by combining layer 3 switches and routers.

Using the virtual layer 3 switch function of PacketiX VPN Server enables IP routing
among multiple Virtual HUBs. With the previous version, SoftEther 1.0, IP routing among
multiple Virtual HUBs required bridging each Virtual HUB segment to a physical Ethernet
segment and routing with a physical layer 3 switch or a dedicated router. Because
PacketiX VPN Server supports the virtual layer 3 switch function, network administrators
can easily realize communication among multiple Virtual HUBs by IP routing.

Fig. 1-4-8 IP routing among Virtual HUBs by virtual layer 3 switch

When connecting multiple network bases by VPN with PacketiX VPN, a combination of the
local bridge function and the cascade connection function is usually sufficient, but when
connecting networks to each other by VPN you may also need to combine this with IP
routing by the virtual layer 3 switch function. For VPN construction examples using the
virtual layer 3 switch function, see 「10.6 Setting Up a LAN-to-LAN VPN (Using IP
Routing)」.

1.4.5 Bridge Connection of Virtual Network and Physical Network

PacketiX VPN Server and PacketiX VPN Bridge are equipped with a local bridge function.
The local bridge function lets you bridge a Virtual HUB to a physical network adapter; in
other words, you can join two segments, the Virtual HUB and an existing physical network,
into a single segment. For details see 「3.6 Local Bridges」.

By connecting a Virtual HUB to the existing physical LAN at each of multiple bases, and
then cascade connecting those Virtual HUBs, the existing physical LANs of the bases can
easily be made a single segment over the Internet, realizing a base-to-base VPN.

Fig. 1-4-9 Example of base-to-base connection by PacketiX VPN

1.4.6 Computer-to-computer VPN

The networks that PacketiX VPN can realize can roughly be divided into the following
three forms:

- Computer-to-computer VPN
- Remote access VPN
- Base-to-base connection VPN

A sophisticated VPN can be constructed by separating or combining these forms. For
actual network construction examples, see 「Chapter 10 Instructions and Examples For
Configuring a VPN」.

Computer-to-computer VPN is the simplest form of VPN built with PacketiX VPN. It can be
constructed extremely easily, but the range of communication possible via the VPN is not
very wide.

In a computer-to-computer VPN, a Virtual HUB is established on a PacketiX VPN Server at
one location, and multiple computers connect the Virtual Network Adapter of PacketiX
VPN Client to that Virtual HUB by VPN. Any Ethernet frame can then be sent or received
among the computers participating in the VPN, so they can communicate freely and safely
regardless of the physical network topology. All VPN communication is encrypted to
prevent eavesdropping and tampering.

In a computer-to-computer VPN, however, only computers on which PacketiX VPN Client is
installed can communicate freely; other computers cannot participate in the VPN.

For the specific connection method, see 「10.3 Setting Up a PC-to-PC VPN」.

Fig. 1-4-10 Computer-to-computer VPN

1.4.7 Remote Access VPN

Remote access VPN is another type of VPN that can be built using PacketiX VPN. From a
computer out in the field or at home, you can freely access a network that cannot
otherwise be reached from the Internet, such as a typical company LAN, and communicate
with the application of your choice.

Remote access to a company LAN used to be accomplished frequently with the PPP protocol
over a dial-up connection such as a telephone line or ISDN. Communication speed for
these methods is low, however, and because they were billed pay-as-you-go, it was
difficult to send or receive large quantities of data over an extended period of time.

With a remote access VPN by PacketiX VPN, once PacketiX VPN Client is installed, as a rule
you can easily connect by VPN to a PacketiX VPN Server set up in the company LAN from
anywhere in the world where an Internet connection is available, and thereby gain access
to the company LAN. All VPN communication is also encrypted to prevent eavesdropping
and tampering.

To realize a remote access VPN, a PacketiX VPN Server is set up in the company LAN, and
a Virtual HUB created in that VPN Server is joined to the existing physical Ethernet
segment by bridge connection. A computer with VPN Client installed then connects
remotely to that Virtual HUB, which gives it remote access to the company LAN.

Even protocols other than TCP/IP, which in many cases were hard to use with conventional
VPN protocols, can be used via the virtual Ethernet. VPN sessions can furthermore be
easily established through proxy servers, firewalls or NAT, which conventional VPN
protocols had difficulty passing through.

For the specific connection method, see 「10.4 Setting Up a Generic Remote Access VPN」.

Fig. 1-4-11 Remote access VPN

1.4.8 Base-to-Base VPN of Ordinary Scale

Remote access VPN is the form of VPN in which multiple computers with VPN Client
installed access one base from a remote location via the Internet or another network.

A base-to-base VPN, on the other hand, is a VPN connection method whereby multiple
bases in physically separate locations connect with each other. It is probably the best
choice for companies or departments that already have two or more bases, or that are
considering adding bases.

In a base-to-base VPN, computers with VPN Server or VPN Bridge installed are set up at
multiple bases, and at each base the existing physical Ethernet segment is joined by local
bridge connection to a Virtual HUB within the VPN Server or VPN Bridge. The Virtual HUB
of each VPN Bridge, etc., is then cascade connected to the VPN Server at one of the
bases. As a result, the physical layer 2 segments of the separate bases see each other as
a single segment. Once the physical networks of the bases have been connected by
PacketiX VPN so that they can be used as a single segment, they behave just as if they
were physically cascade connected with an extremely long network cable. All VPN
communication is also encrypted to prevent eavesdropping and tampering.

The base-to-base VPN function for bridging bases can realize, over the Internet, an
economical and secure service equivalent to the conventional broadband Ethernet services
offered by communications carriers.

For the specific connection method, see 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge
Connections)」.

Fig. 1-4-12 Base-to-base VPN of ordinary scale

1.4.9 Base-to-Base VPN of Large Scale

The method of connecting the physical Ethernet segments of multiple bases, as in the
ordinary-scale base-to-base VPN described above, works well if the total number of
clients connected by VPN across all bases is several hundred. If the total number of
computers exceeds this and you want to connect all of them to each other, limitations
such as the following may arise.

- If the number of computers exceeds several hundred, the volume of traffic from
  protocols that use broadcast frames, such as ARP and NetBIOS, increases and adds to
  the load on the VPN connections among bases.

- Because originally separate networks become a single large network when layer 2
  segments are joined, as a rule the computers in these segments should belong to the
  same IP network; if the total number of computers is large, altering the configuration
  to achieve this is costly.

Where such limitations may pose problems, you can combine the virtual layer 3 switch
function, the layer 2 local bridge function and the cascade connection function of
PacketiX VPN Server to use layer 3 IP routing instead of directly cascade connecting the
base networks at layer 2. This method is especially effective for realizing a large-scale
base-to-base VPN. It does, however, require knowledge of IP routing for design and
construction, which raises the level of difficulty. For the specific connection method,
see 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」.

By this method, base-to-base VPN communication equal to or better than that supported
by older VPN protocols such as PPTP and L2TP/IPSec can easily be realized with PacketiX
VPN software.

Fig. 1-4-13 Base-to-base VPN of large scale

1.5 Bolstering Security

Offering sufficient security is one of the most important requirements for PacketiX VPN
software, which is designed and developed to support backbone communication for
company networks and the like. Compared with older VPN solutions, PacketiX VPN
software has new, advanced security functions and offers sufficient security for VPN
construction ranging from small-scale VPNs to the backbone work of businesses. This
section describes the security functions offered by PacketiX VPN.

1.5.1 Abundant User Authentication Options

The types of user authentication available when PacketiX VPN Client or PacketiX VPN
Bridge connects by VPN to PacketiX VPN Server include a simple password database as
well as various other methods. All types of user authentication and their parameters can
be set in detail for each user. Because the user database is managed separately for each
Virtual HUB, Virtual HUBs are independent of each other.

The following user authentication methods can be used. For details see 「2.2 User
Authentication」.

- Anonymous authentication
  Anonymous authentication allows connection as long as the user name alone is known,
  and is used when offering a widely available Virtual HUB service, etc. It is not
  normally used by businesses.

- Password authentication
  Standard password authentication authenticates the user by user name and password,
  and is the method for which security can most easily be maintained. Users can also
  change their own password using VPN Client. The password is hashed when typed in,
  and because the password is confirmed by challenge and response during
  authentication, neither the password nor the hash data flows over the network.

- RADIUS server authentication
  User authentication using a RADIUS authentication server that the company, etc.,
  already owns.

- NT domain and Active Directory authentication
  User authentication using the user database of a Windows NT domain controller, or of
  Active Directory on Windows 2000 / Server 2003, that the company, etc., already owns.

- Certificate authentication (PKI authentication)
  User authentication in which the party connecting to the VPN presents a client
  certificate to the VPN Server and is identified by mathematically verifying that it
  holds the corresponding private key. Because no fixed character string such as a
  password is used, this is the most secure method of user authentication.

1.5.2 Robust Encryption

With the PacketiX VPN protocol, all communication contents and all data related to user
authentication are encrypted using Secure Socket Layer (SSL) encryption. SSL is currently
the standard security protocol on the Internet, and is used for communication between
HTTP servers and web browsers (the so-called "HTTPS protocol").

There are several versions of SSL, but the only one PacketiX VPN supports is SSL Version
3, which is considered the most secure; older versions of the SSL protocol, which have
weaknesses, are not used at all.

SSL primarily offers three functions: encryption, electronic signature, and certificate
authentication. PacketiX VPN uses all three to maintain the security of VPN sessions
between PacketiX VPN Server and the VPN connection source.

In the SSL implementation of PacketiX VPN, the algorithms used for encryption and for
electronic signature are not fixed; the VPN Server administrator can choose them. The
RC4 128-bit encryption algorithm and the MD5 hash algorithm are selected by default,
but algorithms such as DES, AES or SHA-1 can be selected, specifying the number of bits.

Fig. 1-5-1 Robust VPN session encryption by various encryption algorithms

1.5.3 Server Certificate Verification

Many older VPN protocols have a user authentication function to identify and
authenticate the users who connect to the VPN server. Conversely, the majority of VPN
clients have no function to confirm whether the VPN server they are about to connect to
is authentic.

When constructing a VPN over a public IP network such as the Internet, however, there is
the possibility that a malicious cracker, etc., lurking somewhere along the line sets up a
false VPN server, relays the VPN communication from the client, and reads or tampers
with the packets flowing through the VPN: a "man-in-the-middle" (MITM) attack.

Commonly used protocols such as HTTPS and SSH check the certificate of the destination
web server or SSH server and connect only if the certificate is authentic. If the
certificate is not authentic, the connection is interrupted and a warning is displayed.
VPN communication likewise requires a way to authenticate the destination server, to
guard against masquerading and MITM attacks.

PacketiX VPN verifies that the server certificate presented by the destination server can
be trusted, and confirms by mathematical calculation that the server holds the RSA
private key corresponding to that certificate. If the destination VPN Server presents a
suspicious certificate, the VPN connection to the server is interrupted and a warning is
displayed. PacketiX VPN keeps a list of certificates that can be trusted; certificates not
signed by a trusted certification authority are regarded as untrustworthy (the user can
maintain this list of certificates).

Server certificate verification is performed on the connection source side, that is, by a
cascade connecting VPN Server or VPN Bridge, or by a VPN Client connecting to a remote
VPN Server in the usual way. For details on server certificate verification, see 「4.4.5
Server Certificate Verification」, etc.

Fig. 1-5-2 Verifying server certificate presented by VPN Server

1.5.4 Use with Smart Cards

When user authentication for a VPN connection to VPN Server uses password
authentication or conventional certificate authentication, a certain degree of security
can be maintained, but the following problems also exist.

- With password authentication, if the password is not long or complex enough, there is
  a danger of the password being guessed and used for unauthorized access. If a third
  party obtains the password from someone who observed it being entered, there is also
  a danger of unauthorized access by that third party.

- Certificate authentication is more secure than password authentication, but under
  ordinary circumstances the private key of the certificate is kept on the computer's
  hard disk. If the hard disk is stolen by a malicious third party, or if only the
  certificate data is extracted, the third party can use the private key to masquerade
  as the user and connect to the VPN Server.

With PacketiX VPN, when certificate authentication is used to authenticate users as VPN
Client connects to VPN Server, the certificate and private key can be written to a smart
card or other hardware security token instead of being saved on the computer's hard
disk, and user authentication is carried out using the token each time the client
connects to VPN Server.

Smart cards and other hardware security tokens have a built-in chip that performs RSA
calculations, so an electronic signature can be produced using the certificate and private
key in the smart card's memory without exposing the private key externally. PacketiX
VPN can also use existing certificate and private key objects already stored on a smart
card for user authentication.

Smart cards and other hardware security tokens are designed so that once private key
data has been written inside, it cannot be extracted. The data on a smart card is
protected by a PIN code of several digits, and the card is designed to halt access if the
PIN code does not match. Because of this protection, the private key can be loaded into
the smart card and used for user authentication when connecting to the VPN Server; even
if the computer or the smart card itself is lost or stolen, a malicious third party can be
prevented from gaining access by masquerading.

For information on how to use the user authentication function with a smart card, see
「4.6 Using and Managing Smart Cards」.

Fig. 1-5-3 Smart card authentication

1.6 VPN Communication Details

This section briefly describes the basic concepts behind various aspects of VPN
communication using PacketiX VPN, and explains important points to know when
constructing a VPN with PacketiX VPN.

1.6.1 VPN Sessions

With PacketiX VPN, VPN communication starts when the VPN connection source computer
connects to the VPN Server by VPN. This unit of VPN communication is referred to as a
"VPN session".

In 「1.4.2 Virtual HUB」 it was explained that, in addition to emulating a conventional
Ethernet switching hub, a PacketiX VPN Virtual HUB accepts connections from VPN
connection sources just as a conventional switching hub accepts a physical connection at
one of its ports.

Physical network adapters and switching hubs are connected to each other by network
cable. With PacketiX VPN, when a Virtual Network Adapter or a Virtual HUB on another
computer is connected to a Virtual HUB, the communication contents are tunneled and
flow through the physical network as the TCP/IP-based PacketiX VPN protocol.
Consequently, each PacketiX VPN protocol connection plays essentially the same role as a
network cable does for physical Ethernet, and can be regarded as a connection unit for
Ethernet.

With PacketiX VPN, when VPN Client connects by VPN to VPN Server, or when Virtual HUBs
connect to each other by cascade connection, a transmission path for VPN communication
is established over which encapsulated Ethernet frames are transmitted; in all cases a
VPN session is established between the VPN connection source and the VPN Server. In
addition, virtual hosts or DHCP servers that are connected to a Virtual HUB by software,
although they do not physically exist, internally generate VPN sessions.

For more information on VPN sessions, see the rest of this chapter and 「3.4.5 Session
Management」, etc.

Fig. 1-6-1 List of VPN session types from perspective of Virtual HUB

As will be explained below, the following seven types of session exist in PacketiX VPN
2.0. Apart from some special treatment, the Virtual HUB handles every session type by
the same mechanism.

Type              | Session name                    | Generator
------------------+---------------------------------+-----------------------------------------------
Ordinary session  | Client mode session             | Conventional VPN connection from VPN Client
                  | Bridge/router mode session      | Conventional VPN connection from VPN Client;
                  |                                 | cascade connection from VPN Server;
                  |                                 | cascade connection from VPN Bridge
                  | Monitoring mode session         | Conventional VPN connection from VPN Client
Special session   | Local bridge session            | Local bridge function in VPN Server
                  | Cascade connection session      | Cascade connection function in VPN Server
                  | SecureNAT session               | SecureNAT function in VPN Server / VPN Bridge
                  | Virtual layer 3 switch session  | Virtual layer 3 switch function in VPN Server

1.6.2 Accepting Connection by VPN Server

PacketiX VPN Server is the only software that can accept VPN connection sessions from
PacketiX VPN Client, PacketiX VPN Server and PacketiX VPN Bridge running on other
computers.

PacketiX VPN Server waits for connections with multiple TCP/IP ports open as port
numbers for accepting VPN connections from connection source computers. The VPN
Server administrator can freely set or modify the list of port numbers used.

TCP/IP ports opened to wait for VPN connections from other computers are called
"listener ports". The following three TCP/IP ports are allocated as listener ports by
default.

- Port No. 8888 (This port number is used exclusively by PacketiX VPN; 8888 was chosen
  because it is easy to remember.)

- Port No. 443 (This is the same port number as the HTTPS protocol. It is convenient for
  making relay equipment treat the TCP/IP connection of a VPN session as HTTPS.)

- Port No. 992 (This is the same port number as the TELNETS protocol, which is hardly
  used anymore. It is convenient for making relay equipment treat the TCP/IP connection
  of a VPN session as TELNETS.)

Because multiple TCP/IP ports are open, a computer attempting to connect to the VPN
Server can connect to whichever port number is easiest to reach given its network
environment, proxy servers and restrictions such as firewalls. Whichever TCP/IP port is
used, the functions and performance after the VPN session is established are the same;
PacketiX VPN Server treats every TCP/IP listener port equally.

For more information on listener ports, see 「3.3.6 Listener Ports」.

Fig. 1-6-2 TCP/IP listener ports of VPN Server

1.6.3 Connecting to Virtual HUB

As was described in 「1.4.2 Virtual HUB」, PacketiX VPN Server can operate multiple
Virtual HUBs within a single server process.

Computers that attempt to connect by VPN to VPN Server specify one of the Virtual
HUBs operating in VPN Server and connect to it.

When attempting to connect to a Virtual HUB, user authentication as explained in 「1.5.1
Abundant User Authentication Options」 has to be carried out. User information is
managed separately for each Virtual HUB and has to be set in advance by the PacketiX
VPN Server administrator or the Virtual HUB administrator. User authentication is carried
out against the user information in the security account database that exists for each
Virtual HUB; if the VPN Server judges the VPN connection to be legitimate, it accepts the
VPN connection to the Virtual HUB, a new VPN session is established and VPN
communication starts.

Until the connection to the Virtual HUB is completed, there is no VPN communication
(sending/receiving of Ethernet frames) between the VPN connection source computer and
the VPN Server; VPN data communication begins only after user authentication has been
completed. The processing that takes place before user authentication completes is
called negotiation in the PacketiX VPN protocol; the state in which the VPN connection
has actually completed, the session has been established and VPN communication can be
used is expressed as "established".

Fig. 1-6-3 VPN protocol sequence and status transition at time of connection to Virtual
HUB and session establishment
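The two behaviours described above, the challenge-and-response password check of 「1.5.1 Abundant User Authentication Options」 (in which neither the password nor its hash leaves the client) and the rule that no Ethernet frames are exchanged before a session reaches the "established" state, as one added Python example. This is illustrative code written for this manual page, not PacketiX VPN's own protocol or source: the hash construction, the HMAC over a random 20-byte challenge, the user database contents and the session state names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from enum import Enum, auto


def password_hash(username: str, password: str) -> bytes:
    """Hash computed on the client when the password is typed in (assumed construction).

    The server stores only this value, never the plaintext password."""
    return hashlib.sha256(username.lower().encode() + b":" + password.encode()).digest()


# Constructed user database for one Virtual HUB (sample data, not from the manual).
USER_DB = {"alice": password_hash("alice", "correct horse battery staple")}


class SessionState(Enum):
    CONNECTING = auto()      # TCP connection to a listener port exists, nothing negotiated yet
    AUTHENTICATING = auto()  # challenge issued, waiting for the client's response
    ESTABLISHED = auto()     # authenticated: Ethernet frames may now flow
    CLOSED = auto()          # authentication failed or session torn down


class VirtualHubSession:
    """Server-side view of one VPN session during negotiation and after establishment."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self.state = SessionState.CONNECTING
        self.username = None
        self.challenge = None
        self.frames = []  # frames accepted for switching once established

    def begin_auth(self, username: str) -> bytes:
        """Issue a fresh random challenge. A challenge is issued even for unknown
        user names, so the handshake itself does not reveal which names exist."""
        self.username = username
        self.challenge = os.urandom(20)
        self.state = SessionState.AUTHENTICATING
        return self.challenge

    @staticmethod
    def client_response(username: str, password: str, challenge: bytes) -> bytes:
        """Client side: prove knowledge of the password hash by keying an HMAC over
        the server's challenge. Neither the password nor its hash is transmitted."""
        return hmac.new(password_hash(username, password), challenge, hashlib.sha256).digest()

    def finish_auth(self, response: bytes) -> bool:
        """Server side: recompute the expected response from the stored hash and the
        challenge that was actually issued, then compare in constant time."""
        stored = self.user_db.get(self.username)
        if self.state is not SessionState.AUTHENTICATING or stored is None:
            self.state = SessionState.CLOSED
            return False
        expected = hmac.new(stored, self.challenge, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.state = SessionState.ESTABLISHED
            return True
        self.state = SessionState.CLOSED
        return False

    def deliver_frame(self, frame: bytes) -> bool:
        """Frames are accepted only in the established state; anything that arrives
        during negotiation is discarded rather than switched."""
        if self.state is not SessionState.ESTABLISHED:
            return False
        self.frames.append(frame)
        return True


def connect(user_db: dict, username: str, password: str) -> VirtualHubSession:
    """Run the whole handshake for one client and return the resulting session."""
    session = VirtualHubSession(user_db)
    challenge = session.begin_auth(username)
    session.finish_auth(VirtualHubSession.client_response(username, password, challenge))
    return session


if __name__ == "__main__":
    s = connect(USER_DB, "alice", "correct horse battery staple")
    print(s.state.name, s.deliver_frame(b"\x00" * 14))
```

Because the response is bound to a challenge the server generated for this one connection, a captured response cannot be replayed against a later connection, and a wrong password closes the session before any frame is accepted.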

1.6.4 TCP/IP Communication of Session Data

With the PacketiX VPN protocol, the packets that flow through the actual physical
network for communication between PacketiX VPN Server and the VPN connection source
computer (the VPN session) are generated by the sender as encapsulated TCP/IP packets,
and the receiving side de-capsulates the TCP/IP packets it receives. All TCP/IP
communication is encrypted by Secure Socket Layer (SSL), and an electronic signature
can be added.

Communication between PacketiX VPN Server and the VPN connection source computer can
be carried out over one TCP/IP connection per VPN session, but if the user so desires,
multiple TCP/IP connections can be established. Communication data is then
load-balanced among these TCP/IP connections, delay is managed, the transmission
sequence is adjusted automatically, the network line is used more efficiently, and
throughput and response are enhanced. The data transmission direction (full duplex or
half duplex) and the lifetime until disconnection can also be set for each TCP/IP
connection. For details see 「2.1.3 Communication Efficiency and Stability」 and 「4.4.11
Advanced Communication Settings」.

All data transmitted by the PacketiX VPN protocol is encrypted by SSL and compressed by
a data compression algorithm. When used over low-speed lines such as modems, ISDN or
PHS, data compression may in theory be effective when transmitting large quantities of
data. Compression can be used simultaneously with encryption. For more information on
data compression, see 「2.1.3 Communication Efficiency and Stability」 and 「4.4.16
Data Compression Option」.

Fig. 1-6-4 Virtual Ethernet frame transmission in VPN session
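The two points of 1.6.4 that are easiest to get wrong in practice are shown below as an added Python example: frames of one session are spread over several TCP/IP connections and must be put back into their original order on the receiving side even when the connections deliver them at different speeds, and each frame is compressed before it is sent. This is an illustration written for this page, not PacketiX VPN's code; the round-robin distribution, the per-block sequence number and the use of zlib are assumptions, and the SSL layer that the real protocol wraps around each connection is left out.

```python
import zlib
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Block:
    """One unit sent over one TCP/IP connection: a global sequence number and the
    compressed frame (the real protocol also encrypts this with SSL; omitted here)."""
    seq: int
    payload: bytes


class MultiLinkSender:
    """Spread frames over several TCP/IP connections (modelled as per-link queues),
    tagging each block with a sequence number so the receiver can restore order."""

    def __init__(self, n_connections: int, compress: bool = True):
        if n_connections < 1:
            raise ValueError("a VPN session needs at least one TCP/IP connection")
        self.links: List[List[Block]] = [[] for _ in range(n_connections)]
        self._next_link = cycle(range(n_connections))  # assumed round-robin distribution
        self.compress = compress
        self.seq = 0

    def send(self, frame: bytes) -> int:
        """Compress (if enabled), queue on the next link, return the link index used."""
        payload = zlib.compress(frame) if self.compress else frame
        link = next(self._next_link)
        self.links[link].append(Block(self.seq, payload))
        self.seq += 1
        return link


class MultiLinkReceiver:
    """Reassemble blocks that arrive from any connection into sequence order,
    buffering gaps and dropping duplicates."""

    def __init__(self, compress: bool = True):
        self.expected = 0                  # next sequence number to hand upward
        self.pending: Dict[int, bytes] = {}  # blocks that arrived ahead of a gap
        self.compress = compress

    def receive(self, block: Block) -> List[bytes]:
        """Return the frames that became deliverable because of this block (maybe none)."""
        if block.seq < self.expected or block.seq in self.pending:
            return []  # already delivered or already buffered: duplicate
        self.pending[block.seq] = block.payload
        delivered: List[bytes] = []
        while self.expected in self.pending:
            payload = self.pending.pop(self.expected)
            delivered.append(zlib.decompress(payload) if self.compress else payload)
            self.expected += 1
        return delivered


def transmit(frames: Sequence[bytes], n_connections: int = 4,
             compress: bool = True) -> Tuple[List[bytes], int]:
    """Simulate one session: send every frame, then let the connections drain in the
    least favourable order (last link first) and return the reassembled stream
    together with the number of payload bytes that went on the wire."""
    sender = MultiLinkSender(n_connections, compress)
    for frame in frames:
        sender.send(frame)
    receiver = MultiLinkReceiver(compress)
    received: List[bytes] = []
    for link in reversed(sender.links):      # worst-case interleaving across links
        for block in link:
            received.extend(receiver.receive(block))
    wire_bytes = sum(len(b.payload) for link in sender.links for b in link)
    return received, wire_bytes


if __name__ == "__main__":
    # Constructed, highly compressible sample frames.
    sample = [f"frame {i}: ".encode() + b"A" * 200 for i in range(10)]
    out, wire = transmit(sample, n_connections=3)
    print(out == sample, sum(map(len, sample)), wire)
```

The receiver never hands a frame upward until every lower sequence number has arrived, which is what keeps the virtual Ethernet in order regardless of which connection was fastest; the sender compresses before the (omitted) encryption step, since encrypted data no longer compresses.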

1.6.5 Association with MAC Address

The Virtual HUB manages multiple VPN sessions from VPN client connection sources,
receives the virtual Ethernet frames those sessions send to the Virtual HUB, identifies
the destination MAC address and sends the frames out to the appropriate VPN sessions.
This processing is the equivalent of the layer 2 Ethernet frame switching (packet
exchange) carried out in a physical switching hub.

Just like a physical switching hub, the Virtual HUB automatically learns MAC addresses
and associates the learned MAC addresses with VPN sessions. When an Ethernet frame
arrives for processing, its destination MAC address is read and the frame is switched to
the matching VPN session. This virtual Ethernet frame switching is the most important
function of the Virtual HUB and the most substantial part of VPN communication by
PacketiX VPN.

The MAC address table managed by the Virtual HUB is updated automatically so that it
reflects the actual network status as closely as possible. The Virtual HUB administrator
can display the MAC address table and freely delete entries.

The mechanism and timing by which the Virtual HUB learns new MAC addresses and
updates the MAC address table database are the same as those of a physical Ethernet
switching hub.

Fig. 1-6-5 VPN session and MAC address association by Virtual HUB
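The learning and switching behaviour of 1.6.5, as an added Python example that is not PacketiX VPN's own code: a Virtual HUB that learns each frame's source MAC against the session it arrived on, forwards known unicast destinations to exactly one session, floods broadcast, multicast and unknown destinations to all other sessions, and ages out stale entries. The session names, the 300-second aging time, the MAC addresses and the frames are constructed for the example; the manual itself only states that the learning mechanism matches a physical switching hub.

```python
import struct
from typing import Dict, List, Tuple

ETH_HEADER = struct.Struct("!6s6sH")  # destination MAC, source MAC, EtherType
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame (no FCS) for the examples below."""
    return ETH_HEADER.pack(dst, src, ethertype) + payload


def parse_header(frame: bytes) -> Tuple[bytes, bytes, int]:
    """Split off (dst, src, ethertype); reject anything shorter than a header."""
    if len(frame) < ETH_HEADER.size:
        raise ValueError("runt frame: shorter than an Ethernet header")
    return ETH_HEADER.unpack_from(frame)


def is_group_address(mac: bytes) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return bool(mac[0] & 0x01)


class VirtualHub:
    """A learning layer 2 switch whose ports are VPN sessions instead of cables."""

    def __init__(self, aging_seconds: float = 300.0):  # aging value is an assumption
        self.aging = aging_seconds
        self.sessions: Dict[str, List[bytes]] = {}           # session name -> outbound queue
        self.mac_table: Dict[bytes, Tuple[str, float]] = {}  # MAC -> (session, last seen)

    def add_session(self, name: str) -> None:
        self.sessions[name] = []

    def remove_session(self, name: str) -> None:
        """Tearing down a session also purges every MAC learned from it."""
        self.sessions.pop(name, None)
        self.mac_table = {m: e for m, e in self.mac_table.items() if e[0] != name}

    def _age_out(self, now: float) -> None:
        stale = [m for m, (_, seen) in self.mac_table.items() if now - seen > self.aging]
        for m in stale:
            del self.mac_table[m]

    def switch(self, in_session: str, frame: bytes, now: float) -> List[str]:
        """Learn the source MAC, then forward: unicast to the learned session, or flood
        to every other session for broadcast, multicast and unknown destinations.
        Returns the list of sessions the frame was sent to."""
        dst, src, _ = parse_header(frame)
        if not is_group_address(src):
            # An existing entry is overwritten if the MAC appears on another session;
            # this is the behaviour the administrator's table view and delete function exist for.
            self.mac_table[src] = (in_session, now)
        self._age_out(now)
        if is_group_address(dst) or dst not in self.mac_table:
            targets = [s for s in self.sessions if s != in_session]
        else:
            owner = self.mac_table[dst][0]
            targets = [] if owner == in_session else [owner]  # never echo to the sender
        for t in targets:
            self.sessions[t].append(frame)
        return targets


if __name__ == "__main__":
    hub = VirtualHub()
    for name in ("client-A", "client-B", "bridge"):   # constructed session names
        hub.add_session(name)
    mac_a = bytes.fromhex("020000000001")             # constructed, locally administered
    mac_b = bytes.fromhex("020000000002")
    print(hub.switch("client-A", build_frame(mac_b, mac_a, 0x0800, b"ping"), now=0.0))
    print(hub.switch("client-B", build_frame(mac_a, mac_b, 0x0800, b"pong"), now=1.0))
```

The first frame is flooded because the destination is unknown; once the reply has been seen, the table holds both addresses and later frames between the two go to a single session only, exactly as on a physical switch.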

1.6.6 Session from other VPN Server / VPN Client / VPN Bridge

PacketiX VPN Server accepts connections from software compatible with the PacketiX VPN
protocol running on other computers (running on localhost also works). There are three
types of such software: PacketiX VPN Server, PacketiX VPN Client and PacketiX VPN Bridge
(new software or dedicated hardware supporting PacketiX VPN may be developed and
offered by SoftEther Corporation or third parties in the future).

Fig. 1-6-6 Session from other VPN Server / VPN Client / VPN Bridge

All VPN connections from these three types of software use the PacketiX VPN protocol;
the communication contents and their nature are the same regardless of the type of
software and the purpose of communication.

Connection from PacketiX VPN Client

A connection from PacketiX VPN Client is generally a connection from a Virtual Network
Adapter attempting to connect to a Virtual HUB. In other words, if VPN Client is installed
on the client computers of end users who use VPN communication, and the VPN Server is
registered as the connection destination in VPN Client, the computer's Virtual Network
Adapter connects to a Virtual HUB operating on the VPN Server and can carry out the
same communication as, for example, a network adapter connected to a physical
switching hub by network cable.

As a special usage, layer 2 bridging between the VPN Client computer's Virtual Network
Adapter and an existing physical network adapter attached to that computer is possible,
using the operating system's bridge function. With SoftEther 1.0, bridging between a
Virtual HUB and a physical network adapter was often accomplished by this method. With
PacketiX VPN 2.0, however, bridging can be done more easily and faster with the local
bridge function of VPN Server or VPN Bridge, so this method is no longer used frequently.

Connection from PacketiX VPN Bridge

A PacketiX VPN Bridge operating at a remote base can be connected to PacketiX VPN
Server by cascade connection. By connecting the two Virtual HUBs, on the VPN Server
side and the VPN Bridge side, to the existing physical LANs of both bases, you can
connect the two bases by VPN. This method is often used for base-to-base VPN
connection.

For more information on PacketiX VPN Bridge, see 「Chapter 5 PacketiX VPN Bridge 2.0
Manual」.

Connection from PacketiX VPN Server


Because PacketiX VPN Bridge is software limited to a subset of the functions of PacketiX
VPN Server, the connection method described above for PacketiX VPN Bridge works the
same for a cascade connection from one PacketiX VPN Server to another and can be used
in the same way.

1.6.7 VPN Session Connection Modes

As explained in 「1.6.6 Session from other VPN Server / VPN Client / VPN Bridge」 , a
VPN connection to VPN Server from VPN Client / VPN Server / VPN Bridge, etc., running
on another computer is established and managed as a VPN session on whichever Virtual
HUB it connects to.

VPN Server basically treats all VPN sessions using the PacketiX VPN protocol in the same
way; in itself it is not concerned with the type of VPN software at the connection
source of the VPN session or the type of network at the session destination.

To facilitate administration of a PacketiX VPN Server network, however, it is useful to
distinguish the connection type of the computer at the connection source of a VPN
session, separating sessions into two types according to their objective. For this
reason PacketiX VPN adopts the concept of a connection mode for ordinary VPN sessions
and defines two connection modes.


Connection modes include a client mode and a bridge/router mode.

1.6.8 Client Mode Session

A VPN session in client mode is primarily a VPN session connected from VPN Client to VPN
Server. The conventional way of using VPN Client is as a client for remote access VPN:
VPN Client is installed on client computers at a remote location and connects to a
Virtual HUB created on VPN Server.

With a VPN session established by a connection from a conventional VPN Client, only one
Ethernet device with one MAC address should be connected to the VPN on the VPN Client
side. In other words, the Virtual Network Adapter device driver used by VPN Client for
the connection is simply connected to the Virtual HUB, and the MAC address assigned to
that Virtual Network Adapter is supposed to be the only network adapter existing on the
client side of the VPN session.

However, a user of a computer on which VPN Client is installed can bridge the Virtual
Network Adapter to a separate physical network adapter on the client computer using a
function of the operating system, or connect it to another IP network using the IP
routing function of the operating system. If VPN Client users perform such operations
arbitrarily, they may unintentionally alter the network topology managed by the VPN
administrator and destroy the uniformity and manageability of the VPN network as a whole.

Thus in a client mode session (i.e., a VPN session connected from VPN Client), layer 2
bridging and layer 3 routing on the client side of the VPN session are forbidden as a
rule. This makes it impossible for users of VPN Client connected to PacketiX VPN Server
to connect the Virtual Network Adapter on the client computer to another network. In
other words, alterations of the network topology and connections of computers to the
VPN that the administrator did not intend can be prevented.

By selecting bridge/router mode as the connection mode in the advanced communication
settings of a VPN Client connection setting, the limitations of a client mode session
are lifted and bridging and routing on the VPN Client side become possible. For details
see 「4.4.17 Selecting the Connection Mode」 .

If the security policy that denies bridge and router operation is enabled in the
settings of a user registered in a Virtual HUB of PacketiX VPN Server, that user cannot
connect to VPN Server in bridge/router mode (the VPN connection fails with an error).
For more information on security policies, see 「3.5.9 Security Policies」 .


Fig. 1-6-7 Client mode session and bridge/router mode session

1.6.9 Bridge/Router Mode Session

If a VPN session is connected in bridge/router mode, the limitation of client mode
sessions whereby layer 2 bridging and layer 3 routing are denied on the VPN connection
source side is lifted, and as a rule any kind of communication can be carried out.

This connection mode is selected automatically when a Virtual HUB of PacketiX VPN
Server or PacketiX VPN Bridge is connected to another Virtual HUB by cascade
connection.

A setting on the VPN Client side is required to connect from PacketiX VPN Client to a
Virtual HUB in bridge/router mode. For details see 「4.4.17 Selecting the Connection
Mode」 .

The administrator should set a security policy so that users cannot connect in
bridge/router mode to Virtual HUBs created for general VPN connections. For more
information on security policies, see 「3.5.9 Security Policies」 .

1.6.10 Monitoring Mode Session

The monitoring mode is a connection mode that can be selected when VPN Client
connects to Virtual HUB of VPN Server.

A VPN session connected in monitoring mode receives all Ethernet frames flowing through
the Virtual HUB it is connected to, exactly as they are. This mode can be used to
intercept the Ethernet packets flowing through a Virtual HUB, capture them with packet
capture software, and inspect all packets with an IDS or IDP. A session connected to a
Virtual HUB in monitoring mode can receive all Ethernet frames flowing through the
Virtual HUB, but cannot transmit Ethernet frames to the Virtual HUB in the opposite
direction.

This mode provides the equivalent of the port monitoring and port mirroring functions
that common intelligent layer 2 switching hubs are equipped with.


Fig. 1-6-8 Monitoring mode session

1.6.11 Local Bridge Session

A local bridge session is established when a local bridge connection is created between
a Virtual HUB of PacketiX VPN Server and a physical network adapter. Unlike a
conventional VPN session established by a VPN connection over the network from VPN
Client / VPN Server / VPN Bridge using the PacketiX VPN protocol, the actual
communication source of a local bridge session is a separate module on the computer on
which VPN Server is running, so it is classified as a special session.

For more information on these functions, see 「3.6 Local Bridges」 .

1.6.12 Cascade Connection Session

A cascade connection session is a special session generated within the Virtual HUB of
the VPN Server or VPN Bridge that is the source of a cascade connection, when a Virtual
HUB of PacketiX VPN Server or PacketiX VPN Bridge running on a separate computer is
connected to a Virtual HUB of PacketiX VPN Server by cascade connection.

In other words, when a cascade connection is used, a bridge/router mode session, which
is a normal session, is generated in the Virtual HUB on the side being connected to, and
a cascade connection session, which is a special session, is created in the Virtual HUB
that initiated the cascade connection.

For more information on cascade connection sessions, see 「3.4.11 Cascade Connection
Functions」 .

1.6.13 SecureNAT Session

A SecureNAT session is a special session automatically created internally when the
SecureNAT function, which is one of the Virtual HUB functions of PacketiX VPN Server or
PacketiX VPN Bridge, is enabled. For more information on the SecureNAT function, see
「3.7 Virtual NAT & Virtual DHCP Servers」 .

1.6.14 Virtual Layer 3 Switch Session


A virtual layer 3 switch session is a special session automatically created internally
for the connection between a virtual layer 3 switch and a Virtual HUB when the virtual
layer 3 switch function, which is a function of PacketiX VPN Server, is used. For more
information on the virtual layer 3 switch function, see 「3.8 Virtual Layer 3 Switches」 .


1.7 Handling Large Environments by Clustering

PacketiX VPN Server supports a clustering function that enables multiple VPN Servers to
be administered as a single VPN Server and provides load balancing and fault tolerance
among them. The clustering function can be used with the Enterprise Edition and Carrier
Edition of PacketiX VPN Server 2.0.

For a more detailed description of the clustering functions, see 「3.9 Clustering」 .

1.7.1 Necessity of Clustering

PacketiX VPN Server is VPN server software with superior performance and functions. The
throughput and number of simultaneous connections that a single VPN Server can support
depend on the hardware performance of the computer running it, but the power a single
computer can deliver with its hardware resources is always limited. No matter how much
server hardware is optimized and sped up, hardware performance limits ultimately exist,
and beyond them no more processing can be executed on a single computer.

The clustering function of PacketiX VPN Server enables you to consolidate multiple VPN
Servers into a single cluster. Computers that attempt to connect to the cluster (usually
VPN Client, but in some cases also cascade connections from VPN Server / VPN Bridge,
etc.) are automatically connected by the cluster controller to one of the VPN Servers in
the cluster. The cluster controller chooses the load balancing algorithm according to
the operating mode of the connection destination Virtual HUB.

Fig. 1-7-1 Processing large amounts of VPN connections by clustering

If one of the computers in the cluster experiences trouble such as a hardware fault and
stops running, connections are directed to the other computers participating in the
cluster and VPN communication processing continues. At that moment the VPN
communication from the connection source appears to stop for an instant but is restored
right away, because the processing of the Virtual HUB that the failed VPN Server had
been handling is taken over; communication continues, automatically avoiding the
trouble, without the VPN Server administrator or the VPN users having to do anything
special.

With these features, the clustering function can be used effectively in large scale
environments or environments demanding high reliability: processing that cannot be
carried out by a single PacketiX VPN Server, such as a large number of simultaneous
connections that would dramatically decrease throughput, can be processed in parallel by
properly balancing the load, and if a server in the cluster stops, its processing can be
taken over by another server.

Fig. 1-7-2 Load balancing

Two types of computers participate in a PacketiX VPN Server cluster: cluster controllers
and cluster member servers.

Cluster Controller

A cluster controller is a special computer. Each cluster requires exactly one cluster
controller. The cluster controller manages all other computers participating in the
cluster (cluster member servers) and carries out the important processing needed to
maintain consistency among the various servers.

When constructing a cluster of VPN Servers using PacketiX VPN Server, one of the server
computers is first set as the cluster controller, and the other server computers are
then connected to the cluster controller.

Cluster Member Server


All computers participating in the cluster other than the cluster controller are cluster
member servers. Cluster member servers cannot operate on their own, but by establishing
a cluster control connection to the cluster controller, the PacketiX VPN Server cluster
begins to operate as a single unit based on that cluster controller.

Fig. 1-7-3 Cluster controller and cluster member servers

1.7.2 Applications of Clustering

The clustering function of PacketiX VPN Server is designed primarily for two
applications: a large scale remote access VPN Server and a large scale Virtual HUB
hosting VPN Server. It also works correctly when the two applications must be combined.

1.7.3 Large Scale Remote Access VPN Server

The PacketiX VPN Server clustering function is used when constructing a remote access VPN
server with PacketiX VPN Server to connect computers at remote locations to the company
LAN, and either an extremely large number of connections is expected, or high
reliability is required and downtime due to hardware faults of the remote access VPN
server, etc., must be kept as short as possible.

A cluster of VPN Servers is constructed and a static Virtual HUB is created in it; the
instances of the static Virtual HUB generated by the VPN Servers are connected by bridge
connection to a physical network such as the company LAN. The large number of users
attempting remote access to the network are then automatically load balanced and
connected to an appropriate VPN Server computer in the cluster. The user does not have
to be aware of being connected to a cluster and no special operation is required. Also,
as a result of load balancing, the same communication can be carried out whichever VPN
Server computer the user is connected to. If a hardware fault occurs on the connection
destination VPN Server computer, or if that server needs to be temporarily shut down or
restarted to add hardware or update the operating system, the VPN sessions connected to
that computer are disconnected, and when they reconnect they are automatically switched
to another VPN Server so communication can continue.

This secures scalability and fault tolerance for remote access VPN Server.

Also, if there are multiple physical LANs to be remote accessed, you can create multiple
static Virtual HUBs and can connect each respective Virtual HUB to the physical LAN by
local bridge connection.

For application examples of the clustering function of large scale remote access VPN
servers, see 「10.8 Setting Up a Large Scale Remote Access VPN Service」 .

Fig. 1-7-4 Large scale remote access VPN Server

1.7.4 Large Scale Virtual HUB Hosting VPN Server

The clustering function can also be used effectively when hosting a large number of
Virtual HUBs with PacketiX VPN Server. It is used when an Internet Service Provider or
the IT department of a large corporation offers Virtual HUBs to customers or users, when
there are many Virtual HUBs, or when many VPN sessions must be connected simultaneously.

A cluster of multiple VPN Servers can be constructed and as many dynamic Virtual HUBs as
needed created within it. In such a configuration, when VPN Client or VPN Bridge at a
remote location connects to the VPN Server by VPN connection or cascade connection, an
instance of the connection destination Virtual HUB is created on one of the VPN Servers
operating in the cluster and communication within that Virtual HUB becomes possible.
Load is balanced automatically per Virtual HUB or per VPN session connected to the
Virtual HUB. The user does not have to be aware of being connected to a cluster and no
special operation is required. If a hardware fault occurs on the connection destination
VPN Server computer, or if that server needs to be temporarily shut down or restarted to
add hardware or update the operating system, the VPN sessions connected to that
computer are disconnected, and when they reconnect they are automatically switched to
another VPN Server so communication can continue (the Virtual HUB instance is also
switched automatically to another server). Just as with a conventional Virtual HUB, no
communication at all takes place between individual Virtual HUBs, so the independence
of each Virtual HUB is maintained. Also, administrator authority for each Virtual HUB
can be delegated to the customer or user.

For application examples of the clustering function of large scale Virtual HUB hosting
VPN servers, see 「10.9 Setting Up a Large Scale Virtual HUB Hosting Service」 .


Fig. 1-7-5 Large scale Virtual HUB hosting VPN Server

1.7.5 Product License and Connection License when Clustering

When using the clustering function of PacketiX VPN Server, each PacketiX VPN Server
participating in the cluster requires a product license, which must be a PacketiX VPN
Server 2.0 Enterprise Edition License or a PacketiX VPN Server 2.0 Carrier Edition
License.

Connection licenses (client connection licenses and bridge connection licenses) are
administered for the cluster as a whole. Consequently, the required number of connection
licenses is obtained by estimating the possible number of simultaneous connections for
the entire cluster, and registration is completed simply by registering the licenses on
the cluster controller. There is no need to purchase connection licenses for each VPN
Server separately. Compared to distributing load manually across individual VPN Servers,
processing a large number of simultaneously connected users as a cluster can in some
cases dramatically reduce the number of connection licenses required.


Fig. 1-7-6 Product license and connection license when clustering


1.8 Multiple Language Support

The user interface, internal data structures and communications protocol of PacketiX
VPN 2.0 support multiple languages. This enables localization of PacketiX VPN 2.0 itself
for various languages and the use of VPN services by multinational companies.

1.8.1 Unicode Support

PacketiX VPN uses Unicode for its internal data structures, for the user interface
actually used, and for the TCP/IP-based PacketiX VPN protocol, so characters of
multiple languages can be set and transmitted together.

Data Structure Unicode Support

In the user and group information of PacketiX VPN, fields such as names and
descriptions that may contain multibyte characters, and fields of other objects such as
X.509 certificate registration items that are likely to contain multibyte characters
other than digits (full-width characters such as hiragana and kanji), are managed as
Unicode. In a Windows environment, UTF-16 Little Endian is used in the local memory
space of the PacketiX VPN process; UCS-4 is used in UNIX environments such as Linux,
FreeBSD, Solaris and Mac OS X (the details vary with the platform). When this data is
written to disk, UTF-8 is used uniformly. Because all configuration files and log files
written by PacketiX VPN 2.0 consistently use the UTF-8 character code, characters of
multiple languages can be mixed in them.

Unicode Support of User Interface

Server Administrator Manager, Client Connection Manager and the Command Line Utility
(vpncmd), which are the user interfaces of PacketiX VPN, support Unicode for displayed
and input characters. Thus if the environment of the operating system executing these
utility programs (system calls, etc.) fully supports Unicode, you can input and output
any Unicode character.

Unicode Support of PacketiX VPN Protocol

The PacketiX VPN protocol is a stream protocol based on TCP/IP. UTF-8 is used to deliver
Unicode character strings. UTF-8 is the de facto standard Unicode encoding used
worldwide across platforms and does not depend on the endianness of the CPU. Thus the
PacketiX VPN protocol enables interoperation without regard to differences in computer
architecture and operating system between the sending and receiving sides.

1.8.2 User Interface that Supports Multiple Languages

All menu messages, explanations and error strings displayed by Server Administrator
Manager, Client Connection Manager and the Command Line Utility (vpncmd), which are the
user interfaces of PacketiX VPN, are defined as Unicode character strings. Thus the
string table data can be localized to languages other than Japanese (such as English,
Chinese, Korean, French and Russian) in the future, and the software can easily be
ported to multiple languages simply by translating the string table data.

1.8.3 Limitations

Part of the Unicode support of PacketiX VPN depends on the operating system running the
PacketiX VPN software. With operating systems that do not support Unicode, for example,
character codes may not be converted correctly, and Unicode characters that are not
contained in the available fonts cannot be displayed.

Because Unicode character strings are not fully supported by Windows 98, Windows 98
Second Edition and Windows Millennium Edition, some characters that rely on Unicode may
not be displayable there. The operating system kernels of Windows NT 4.0, 2000, XP and
Server 2003 support Unicode, so the full benefit of Unicode is available. For Unicode
support on UNIX operating systems including Linux, refer to the specifications in the
manuals of those operating systems.


1.9 VoIP / QoS Support Function

PacketiX VPN 2.0 (build 5205 and later) incorporates advanced priority control
technology (VoIP / QoS processing technology) whereby communication packets for IP
telephony, such as VoIP packets in the VPN tunnel, can be transmitted with low delay and
low jitter even when other traffic is mixed on the network.

Users with a PacketiX VPN Server 2.0 Option Pack license can easily use this function
without any settings (for details on Option Pack, see #1.3.21#).

1.9.1 What is VoIP / QoS Support Function?

Communications that demand low delay and low jitter, such as VoIP packets, require
priority in processing over ordinary communication packets (such as large file
downloads). The technologies for reserving bandwidth and controlling priority are
collectively called Quality of Service (QoS). Many conventional network devices such as
IP routers and layer 3 switches support QoS.

In VPN tunnels built by encapsulating packets in TCP/IP, such as PacketiX VPN 2.0, all
Ethernet frames used to receive equal processing (queuing and transmission).

New technology incorporated into PacketiX VPN 2.0 realizes QoS processing for
communication over the layer 2 VPN built by PacketiX VPN 2.0. For the various packets
flowing through the VPN tunnel, priority control and bandwidth reservation are performed
automatically according to their priority information, so that packets demanding low
delay and low jitter, such as VoIP, are given priority for VPN transmission over other
packets.

This technology dramatically enhances sound quality when using IP telephony via VPN
while the network is shared with other traffic such as file downloads.

For VPN software that emulates layer 2 (the Ethernet layer), encapsulates in TCP/IP and
transmits, this technology developed by SoftEther Corporation is recognized as the first
commercially viable technology that gives packets marked with high priority, such as
VoIP packets, priority for transmission when the physical network is congested (as of
July 2006, according to a study conducted by SoftEther Corporation, concerning VPN
software that realizes VPN communication by encapsulating packets in TCP/IP while
emulating layer 2 [Ethernet]).

1.9.2 Applying to an Extension System Connecting Bases by Layer 2 VPN Using IP
Telephone Equipment

When this function is used, even if a large volume of ordinary communication packets
(file downloads, etc.) is flowing through the VPN, VoIP packets for telephony and the
like can be given high priority for transmission within the VPN, dramatically enhancing
sound quality when using IP telephony via VPN. This function can be used regardless of
whether hardware in the physical network through which the packets flow, such as
routers, supports QoS.

Using a layer 2 VPN such as PacketiX VPN 2.0 enables you to connect multiple separate
LANs and create a single network (for details, see 「10.5 Setting Up a LAN-to-LAN VPN
(Using Bridge Connections)」 and 「10.6 Setting Up a LAN-to-LAN VPN (Using IP
Routing)」 ). If the VoIP / QoS support function is used in addition, communication for
IP telephony (VoIP packets) is always given higher bandwidth priority than other
traffic, even when the network is congested with traffic other than IP telephony, so
you can construct an IP telephone extension system spanning bases at low cost. In this
case, even if the IP telephone equipment or VoIP gateways are not designed for use over
a VPN, as long as the priority control header is properly set on the packets they send,
priority control is performed automatically on the VPN without any special operation by
end users.

Thus a high quality IP telephone system can be built using a low-cost broadband
connection, which leads to reductions in communication cost, hardware expense and
administration cost.

If the priority control header is properly set on the IP packets sent and received by an
existing teleconferencing system, those packets are also automatically given high
priority for transmission within the VPN by the VoIP / QoS support function.

Fig. 1-9-1 VoIP communication among bases using VPN

1.9.3 When the VoIP / QoS Support Function Can Be Used

The VoIP / QoS function cannot be used with a PacketiX VPN Server 2.0 that does not have
the PacketiX VPN 2.0 Option Pack.

Except where the VoIP / QoS support function is disabled by a security policy on the VPN
Server side, or disabled by the connection setting on the VPN Client or VPN Bridge side
(the side that initiates the VPN connection), the VoIP / QoS support function is
automatically enabled for VPN communication.

For a VPN session, you can check whether the VoIP / QoS support function is in effect by
viewing the connection status of the VPN session. For details, see 「3.4.5 Session
Management」 and 「4.5.2 Checking the Connection Status」 .


1.9.4 Types of Packets Priority Controlled by the VoIP / QoS Support Function

The VoIP / QoS support function checks the value of the priority header in the IP
packet, and if the value indicates that the packet is to be priority controlled, the
packet is marked as such and priority control is executed.
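The classification step described here, as an added example that is not PacketiX / SoftEther code: each Ethernet frame's DSCP is read (assuming the "priority header" is the DSCP field in the IPv4 Type of Service byte or the IPv6 Traffic Class), and marked frames go through a queue that drains them ahead of unmarked bulk traffic. Names such as QosTransmitQueue and build_ipv4_frame, and the "non-zero DSCP means marked" rule, are assumptions.

```python
"""Priority classification of Ethernet frames for a VoIP / QoS transmit queue.
Added example, not PacketiX / SoftEther code. Assumption: the priority header
is the DSCP (upper six bits of the IPv4 ToS byte / IPv6 Traffic Class), and a
frame whose DSCP is non-zero is treated as marked for priority control."""
import struct
from collections import deque
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100
DSCP_EF = 46  # Expedited Forwarding, the usual marking for VoIP media (RFC 3246)


def dscp_of_frame(frame: bytes) -> Optional[int]:
    """Return the DSCP value of an Ethernet frame, or None when the frame
    carries no IP header (ARP, truncated frames, unknown EtherType)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:          # skip one 802.1Q tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
            return None
        return frame[offset + 1] >> 2        # ToS byte = DSCP (6 bits) + ECN (2 bits)
    if ethertype == ETHERTYPE_IPV6:
        if len(frame) < offset + 40:
            return None
        first_word = struct.unpack("!I", frame[offset:offset + 4])[0]
        if first_word >> 28 != 6:
            return None
        return ((first_word >> 20) & 0xFF) >> 2   # Traffic Class = DSCP + ECN
    return None


def is_priority_frame(frame: bytes) -> bool:
    """Marked for priority control when a DSCP is present and non-zero."""
    dscp = dscp_of_frame(frame)
    return dscp is not None and dscp != 0


class QosTransmitQueue:
    """Two-level transmit queue: marked frames are always dequeued before
    unmarked bulk traffic, so a file download cannot delay a phone call."""

    def __init__(self) -> None:
        self.high: deque = deque()
        self.low: deque = deque()

    def enqueue(self, frame: bytes) -> None:
        (self.high if is_priority_frame(frame) else self.low).append(frame)

    def dequeue(self) -> Optional[bytes]:
        if self.high:
            return self.high.popleft()
        if self.low:
            return self.low.popleft()
        return None

    def drain(self) -> List[bytes]:
        """Dequeue everything in transmission order (used by the test)."""
        out: List[bytes] = []
        frame = self.dequeue()
        while frame is not None:
            out.append(frame)
            frame = self.dequeue()
        return out


def build_ipv4_frame(dscp: int, payload: bytes = b"") -> bytes:
    """Constructed test input: Ethernet header + minimal IPv4 header with the
    given DSCP. Addresses and checksum are dummy values, not a real packet."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, dscp << 2, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


if __name__ == "__main__":
    q = QosTransmitQueue()
    q.enqueue(build_ipv4_frame(0, b"bulk1"))
    q.enqueue(build_ipv4_frame(DSCP_EF, b"rtp01"))
    q.enqueue(build_ipv4_frame(0, b"bulk2"))
    print([f[-5:] for f in q.drain()])   # [b'rtp01', b'bulk1', b'bulk2']
```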


Chapter 2: PacketiX VPN 2.0 Overall Manual

To understand all the functions of PacketiX VPN 2.0, you must first understand the parts
shared by PacketiX VPN 2.0 as a whole. Matters common to all of PacketiX VPN 2.0 are
covered in detail in this chapter.

2.1 VPN Communications Protocol


2.1.1 Communication Speed
2.1.2 Flexibility
2.1.3 Communication Efficiency and Stability
2.1.4 Encrypted Communication Security
2.1.5 Support for VoIP / QoS
2.2 User Authentication
2.2.1 Anonymous Authentication
2.2.2 Password Authentication
2.2.3 RADIUS Authentication
2.2.4 NT Domain and Active Directory Authentication
2.2.5 Individual Certificate Authentication
2.2.6 Signed Certificate Authentication
2.3 Server Authentication
2.3.1 Necessity of Server Authentication
2.3.2 Server Individual Certificate Authentication
2.3.3 Server Signed Certificate Authentication
2.4 VPN Server Manager
2.4.1 What is VPN Server Manager
2.4.2 VPN Server Manager Support System
2.4.3 Connecting to VPN Server and VPN Bridge
2.4.4 Installing VPN Server Manager Alone
2.4.5 Setup Wizard

2.4.6 Limitations
2.5 VPN Client Manager
2.5.1 What is VPN Client Manager?
2.5.2 System that Supports VPN Client Manager
2.5.3 Integrating with VPN Client
2.5.6 Limitations
2.6 VPN Command Line Management Utility (vpncmd)
2.6.1 What is vpncmd?
2.6.2 Displaying Command Help


2.1 VPN Communications Protocol

The protocol used by PacketiX VPN for VPN communication is version 3 of the global
security standard Secure Socket Layer (SSL). PacketiX VPN includes several technical
innovations to increase the speed and enhance the security of VPN communication.

This section provides a detailed description of PacketiX VPN protocol. For more
information on PacketiX VPN protocol, see 「1.6 VPN Communication Details」 .

2.1.1 Communication Speed

PacketiX VPN is a VPN system in which VPN Client / VPN Server / VPN Bridge communicate
by exchanging virtual Ethernet frames. The PacketiX VPN protocol, based on TCP/IP, plays
the role of encapsulating, encrypting and transmitting these virtual Ethernet frames
over a physical IP network.

Protocols based on conventional TCP/IP have the drawback that communication efficiency
is not very high. Because the protocol itself performs retransmission control and flow
control, in some cases TCP/IP can use only part of the bandwidth actually available on
the network.

By skillfully controlling and optimizing the TCP/IP connections established for VPN
communication when developing the PacketiX VPN protocol, SoftEther Corporation made
communication as efficient as possible and, where PacketiX VPN is used on a network with
sufficient bandwidth, achieved speed and delay such that the user of VPN communication
cannot actually tell whether communication is going through the VPN or flowing directly
over the physical network.

2.1.2 Flexibility


The PacketiX VPN protocol is based on TCP/IP and all data flows over TCP/IP
connections. A VPN built with PacketiX VPN can therefore pass through any network
device or server that supports TCP/IP.

A VPN can now be easily constructed through proxy servers, NAT or firewalls, which used
to be difficult for VPN protocols such as the older PPTP or L2TP/IPSec.

For the method of conducting stable VPN communication through a proxy server or other
firewall, see 「4.4.11 Advanced Communication Settings」 .

2.1.3 Communication Efficiency and Stability

Communication efficiency (throughput and response) and stability can be enhanced on the
following kinds of networks if the user properly sets the advanced communication
parameters of the PacketiX VPN protocol.

• Networks with a large delay time despite wide bandwidth.

• Networks where proxy servers, NAT or firewalls in the VPN communication route produce
delay.

• Networks where bandwidth control equipment (QoS equipment) in the VPN communication
route intentionally limits the maximum communication speed of each separate TCP/IP
connection.

• Networks where proxy servers, NAT or firewalls in the VPN communication route apply
special processing to TCP/IP traffic passing through the gateway devices and servers:
for example, an expiration time is set for each TCP/IP connection and the connection is
cut when it is exceeded, or the packet count and transmission interval of the HTTPS
protocol, etc., are strictly monitored and the TCP/IP connection is cut or otherwise
specially processed if the default behaviour of the HTTP protocol is violated.

The VPN communication source computer simultaneously establishes multiple TCP/IP
connections for a single VPN session with the PacketiX VPN Server, and by distributing
the communication data across these connections in parallel, the PacketiX VPN protocol
can send and receive VPN communication data at high speed with low delay.

Fig. 2-1-1 Communication of VPN session by multiple TCP/IP connections

Computers that initiate VPN communications can specify the following parameters when
starting a VPN connection.

Reconnection Setting when VPN Connection Fails or Becomes Disconnected during
Communications

If the VPN connection to the PacketiX VPN Server is temporarily cut off due to network
problems, or the connection destination VPN Server stops temporarily, the system attempts
to reconnect to the VPN Server until it succeeds. You can specify the maximum number of
reconnection attempts and the interval at which reconnection is attempted (the interval
cannot be set to less than 5 seconds).

The default settings are a 15-second reconnection interval and an unlimited number of
reconnection attempts. The connection is therefore maintained constantly as long as the
network is functioning and the connection destination VPN Server is running.

For cascade connections to a PacketiX VPN Server, the function that maintains the
connection keeps the reconnection interval fixed at 10 seconds and the number of
reconnection attempts fixed at unlimited. The user cannot change these settings.

The reconnection interval and number of reconnection attempts that can be set for each
VPN session type, and the default settings, are as follows:

Session type                                                         | Reconnection interval                  | No. of reconnection attempts
Ordinary VPN sessions initiated by VPN Client                        | Min. 5 seconds (default is 15 seconds) | 0 - unlimited (default is unlimited)
Cascade connection VPN sessions initiated by VPN Server / VPN Bridge | 10 seconds (fixed)                     | Unlimited (fixed)

Number of TCP/IP Connections Used for VPN Communication

Multiple TCP/IP connections can be established for one VPN session with the PacketiX VPN
Server; using these parallel TCP/IP connections for data transmission enhances
throughput and shortens delay. If some of the established TCP/IP connections are
disconnected, or cannot communicate for a certain amount of time, the missing
connections are compensated for by creating new TCP/IP connections, up to the specified
number, and adding them to the VPN session, so that communication is maintained with the
specified number of TCP/IP connections as far as possible.

Fig. 2-1-2 Automatic reconnection processing if disconnected while using multiple TCP/IP
connections

The user can specify from 1 to 32 TCP/IP connections.

- The default setting when creating new connection settings with PacketiX VPN Client is
  1.

- The default setting when creating new cascade connections with PacketiX VPN Server /
  PacketiX VPN Bridge is 8.

Simply increasing the number of TCP/IP connections does not always enhance the
throughput of VPN communications. If the bandwidth of the communication route to the
VPN Server on the IP network is large, increasing the number of connections often
enhances throughput or stabilizes communication. Conversely, on low speed lines such as
ISDN or PHS, where the bandwidth is only several tens or hundreds of kbps, the bandwidth
is consumed by the Keep-Alive messages and control data of the various TCP/IP
connections, so fewer connections often improve stability and enhance communication
speed.

The optimal number of TCP/IP connections furthermore varies according to the amount of
data and the type of communication protocol used within the VPN session. After actually
constructing the VPN, we recommend that you select the proper setting while using the
communication throughput measurement tool. For details on the communication throughput
measurement tool, see 「4.8 Measuring Effective Throughput」 .

Establishment Interval for TCP/IP Connections

If conducting VPN communications by establishing 2 or more TCP/IP connections, you can
specify how many seconds must pass after the immediately preceding TCP/IP connection is
established before the next one (beginning with the second) is established. The default
setting is 1 second. It can be set to 1 second or longer.

Under ordinary circumstances 1 second will suffice, but if a large number of TCP/IP
connections (such as 32) are established consecutively, a firewall or IDS on the IP
network may mistakenly interpret this as a DoS attack or similar and cut the TCP/IP
connections. If the VPN connection is not established correctly for this reason, the
misdetection can be avoided by increasing the connection interval.

Fig. 2-1-3 Establishment interval for TCP/IP connections

Life of TCP/IP Connections

If conducting VPN communications by establishing 2 or more TCP/IP connections, each
TCP/IP connection between the connection source computer and the VPN Server can be
disconnected once the specified number of seconds has elapsed since it was established,
and a new TCP/IP connection is then established to make up the number. By default, this
function is not used.

This function is used to stabilize VPN communications by the PacketiX VPN protocol on an
unstable network, such as where network gateway devices on the IP network route
(firewalls, IDS or proxy servers) disconnect TCP/IP connections that stay open for a long
time, or mistake them for a DoS attack or similar.

Using in Half Duplex Mode

Half duplex mode is a function whereby, if VPN communications are conducted by
establishing 2 or more TCP/IP connections, approximately half of the TCP/IP connections
between the VPN connection source and the PacketiX VPN Server are dedicated to the
transmitting direction and the other half to the receiving direction. If this function is
enabled, the direction of the data flowing through each TCP/IP connection established as
part of the PacketiX VPN protocol is limited to either VPN server to client (download) or
client to VPN server (upload). Taking all TCP/IP connections together, simultaneous
communication in both directions is still possible (full duplex), but each individual
TCP/IP connection carries data in one direction only, hence the name half duplex mode.

This function is used to stabilize VPN communications by the PacketiX VPN protocol on an
unstable network where network security devices on the physical IP network, such as
firewalls, IDS or proxy servers that inspect TCP/IP packets for bidirectional SSL data
flow, mistake proper PacketiX VPN protocol communication for an attack or malicious
backdoor communication and issue a warning or forcibly disconnect it.

Using half duplex mode involves some software processing for control, and because this
consumes CPU time the communication efficiency deteriorates slightly, but the drop in
throughput and the effect on the user are extremely small, so there is no problem under
ordinary circumstances.

Fig. 2-1-4 VPN session communications in half duplex mode

Disabling Encryption Option

By default, the PacketiX VPN protocol encrypts all communication contents by SSL and adds
an electronic signature, but in the following cases encryption and the electronic
signature can be waived.

- If the physical IP network carrying the VPN communications is limited to a physically
  secure LAN and it is physically difficult for a malicious third party to eavesdrop on
  and/or tamper with packets on the line.

- If communications are conducted over a dedicated frame relay offered by a
  communications provider, or over a highly reliable network on which eavesdropping by
  other users is difficult, such as wide area Ethernet, and the service provided by the
  communications provider is sufficiently reliable.

- If the PacketiX VPN protocol is combined with other software (an SSH port forwarding
  tool, etc.) and encryption is carried out at a lower layer.

- If the VPN connection source software and the PacketiX VPN Server run on the same
  computer (connection to localhost). This configuration results, for example, when a
  cascade connection is made between Virtual HUBs of the same VPN Server.

When encryption and electronic signature are not executed, only an encapsulation header
is added to the virtual Ethernet frames flowing on the physical IP network, and the
PacketiX VPN protocol provides no encryption or signature protection for them. The CPU
time that would otherwise be spent calculating encryption and electronic signatures can
then be used for encapsulating virtual Ethernet frames and for communication, which
enhances communication throughput.

Even if encryption is disabled, important processing such as user authentication is still
encrypted by SSL.

Using Data Compression

The PacketiX VPN protocol can compress all Ethernet frames it sends and receives
internally before transmitting them. The deflate algorithm developed by Jean-loup Gailly
and Mark Adler is used as the data compression algorithm. The compression parameter is
set so that processing is executed at the fastest speed.

By using data compression for VPN communications, communication volume can be reduced
by up to 80% (depending on the protocol used). If compression is used, the CPU load on
both client and server becomes higher, and depending on the performance of the hardware
involved, when the line speed exceeds about 10 Mbps, not compressing data in many cases
improves communication speed.
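How much is saved depends on how redundant the encapsulated frames are. The following Go program is an added example, not code from the manual or from PacketiX VPN: it runs Go's standard-library deflate implementation (the same algorithm as the zlib library the manual credits to Gailly and Adler) at its fastest setting, flate.BestSpeed, over two constructed frame payloads: a repetitive text protocol, and random bytes standing in for data that a higher layer has already encrypted or compressed. The function and sample names (deflateRatio, textFrame, randomFrame) are the example's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"math/rand"
	"strings"
)

// deflateRatio compresses one frame with deflate at the fastest level
// (flate.BestSpeed, the analogue of the "fastest speed" parameter the manual
// describes) and returns compressed size divided by original size.
func deflateRatio(frame []byte) (float64, error) {
	if len(frame) == 0 {
		return 0, errors.New("empty frame")
	}
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestSpeed)
	if err != nil {
		return 0, err
	}
	if _, err := w.Write(frame); err != nil {
		return 0, err
	}
	if err := w.Close(); err != nil {
		return 0, err
	}
	return float64(buf.Len()) / float64(len(frame)), nil
}

// textFrame is a constructed stand-in for a frame carrying a redundant text
// protocol (repeated HTTP request lines), the kind of traffic deflate shrinks well.
func textFrame() []byte {
	line := "GET /index.html HTTP/1.1\r\nHost: vpn.example.invalid\r\nAccept: text/html\r\n"
	return []byte(strings.Repeat(line, 20))
}

// randomFrame is a constructed stand-in for a payload that is already encrypted
// or compressed by a higher layer, so it has no redundancy left to remove.
func randomFrame(n int) []byte {
	r := rand.New(rand.NewSource(42)) // fixed seed: reproducible sample data
	b := make([]byte, n)
	r.Read(b)
	return b
}

func main() {
	samples := map[string][]byte{"text": textFrame(), "random": randomFrame(1500)}
	for name, frame := range samples {
		ratio, err := deflateRatio(frame)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s %4d bytes -> %.0f%% of original size\n", name, len(frame), ratio*100)
	}
}
```

The text frame shrinks to a small fraction of its size, while the random frame comes out slightly larger than it went in (deflate falls back to stored blocks), which is the case where compression only costs CPU time on both ends.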

2.1.4 Encrypted Communication Security

With the PacketiX VPN protocol, encryption and electronic signature are realized using
SSL. The following encryption and electronic signature algorithms are implemented:

- RC4-MD5

- RC4-SHA

- AES128-SHA

- AES256-SHA

- DES-CBC-SHA

- DES-CBC3-SHA

The algorithm used for encryption is specified by the PacketiX VPN Server administrator
(it cannot be specified by users of the connection source computer). You can select any
of the encryption algorithms given above; RC4-MD5 is selected by default.

RC4-MD5 is the fastest algorithm that offers a certain degree of security, and there is
no need to select another algorithm without a special reason. In an environment where
regulations or a strict encryption policy allow only a certain algorithm such as AES, you
can use a more secure encryption algorithm such as AES.

2.1.5 Support for VoIP / QoS

PacketiX VPN protocol supports QoS for VPN communication and gives band priority to
high priority packets such as VoIP packets for transmission processing. For details see
「1.9.4 Types of Packets Priority Controlled by VoIP / QoS Support Function」 .

2.2 User Authentication

With PacketiX VPN, security is ensured by conducting strict user authentication when a
new VPN session attempts to connect to a Virtual HUB, preventing the security violation
in which an unauthorized third party connects to a Virtual HUB without permission.

In order to conduct user authentication, the Virtual HUB administrator must create users
on the PacketiX VPN Server in advance, select one of the 6 types of user authentication
and specify the required parameters.

A type of user authentication can be specified for each created user. For example, you
can easily arrange that Mr. A and Mr. B connect to the VPN by password authentication but
have their communication contents limited by security policy and access list, while Mr. C
can only connect with stricter certificate authentication but is subject to lenient
limitations.

This section contains a description of each type of user authentication.

2.2.1 Anonymous Authentication

Anonymous authentication is the simplest type of user authentication. If a user set to
anonymous authentication exists in a Virtual HUB, anyone who knows the user name can
connect to the Virtual HUB and conduct VPN communication.

With PacketiX VPN, anonymous authentication is of little use for business networks and
the like. Anonymous authentication should be used in the following cases:

- If providing a Virtual HUB that anybody can connect to from a public IP network such
  as the Internet.

- If creating a Virtual HUB on a VPN server in a company LAN that does not require user
  authentication; for example, a Virtual HUB where streaming video can be viewed by
  anyone who connects.

2.2.2 Password Authentication

Password authentication is the easiest to use for identifying and authenticating users. A
password is established for the user if using password authentication.

Users are refused access if the password doesn't match when they attempt to connect to
VPN. Users can change the password registered in VPN Server themselves at any time
using VPN Client. For details see 「4.9.1 Changing the User Password Registered to VPN
Server」 .

The passwords for password authentication are registered in the configuration database
of the PacketiX VPN Server. At that time the password is hashed by a hash function, so
the original password no longer exists on the server. When conducting password
authentication, the PacketiX VPN protocol checks the password for user authentication by
challenge and response authentication (digest authentication), so the original password
is not transmitted on the network.
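The following Go program is an added example (not code from the manual or from PacketiX VPN) of the challenge and response scheme this paragraph describes: the server stores only a hash of the password, sends a fresh random challenge for each attempt, and the client answers with a MAC computed from the password hash and the challenge, so neither the password nor a reusable value crosses the network. The hash and MAC choices (SHA-256, HMAC-SHA256), the userDB type and the user "alice" are this example's own assumptions, not the manual's specification of the protocol.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// userDB is a hypothetical stand-in for the server's configuration database:
// it holds only hashes of passwords, never the passwords themselves.
type userDB map[string][]byte

// hashPassword is the one-way function applied when a user is registered;
// SHA-256 is this example's choice, not the manual's specification.
func hashPassword(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

func register(db userDB, name, password string) {
	db[name] = hashPassword(password)
}

// newChallenge is the server's fresh random value for one authentication attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// clientResponse is computed on the client from the password and the challenge.
// Only this MAC crosses the network; the password does not.
func clientResponse(password string, challenge []byte) []byte {
	mac := hmac.New(sha256.New, hashPassword(password))
	mac.Write(challenge)
	return mac.Sum(nil)
}

// verifyResponse recomputes the expected MAC from the stored hash and compares it
// in constant time, so timing does not reveal how many bytes matched.
func verifyResponse(db userDB, name string, challenge, response []byte) error {
	stored, ok := db[name]
	if !ok {
		return errors.New("unknown user")
	}
	mac := hmac.New(sha256.New, stored)
	mac.Write(challenge)
	if subtle.ConstantTimeCompare(mac.Sum(nil), response) != 1 {
		return errors.New("password mismatch")
	}
	return nil
}

func main() {
	db := userDB{}
	register(db, "alice", "correct horse battery staple") // constructed user
	challenge, err := newChallenge()
	if err != nil {
		panic(err)
	}
	fmt.Println("right password:", verifyResponse(db, "alice", challenge, clientResponse("correct horse battery staple", challenge)))
	fmt.Println("wrong password:", verifyResponse(db, "alice", challenge, clientResponse("guess", challenge)))
	// A response captured on the wire is useless against the next challenge.
	replay := clientResponse("correct horse battery staple", challenge)
	next, _ := newChallenge()
	fmt.Println("replayed response:", verifyResponse(db, "alice", next, replay))
}
```

Two consequences of this shape of scheme matter to whoever operates the server: the stored hash is itself enough to answer future challenges, so the configuration database needs the same protection as the passwords it replaces; and because the hash is unsalted and fast, anyone who obtains it can test password guesses offline. The scheme protects the password on the wire, not against a compromised server, which is the weakness the next paragraph's second bullet alludes to.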

The drawbacks of password authentication are as follows.

- If there are few users, operation can be conducted with no problem, but with more than
  several hundred users it takes effort to register and delete them. In such cases,
  RADIUS authentication or NT domain / Active Directory authentication is used.

- Password-based authentication carries weaknesses such as the possibility of the
  password being guessed. Certificate authentication is used if corporate security
  policy does not recommend password-based authentication and higher security is
  required.

Fig. 2-2-1 Password authentication

2.2.3 RADIUS Authentication

Just as with password authentication, RADIUS authentication authenticates a user name
and password, but the password is managed by an authentication server that supports the
RADIUS protocol rather than by the PacketiX VPN Server. This enables user authentication
using the existing company password database. If company employees change their
passwords on the RADIUS server, the change also applies to the password for the PacketiX
VPN connection, thereby enabling password unification.

Authentication Using RADIUS Server

Both software-based and hardware-based RADIUS servers (authentication servers that
support the RADIUS protocol) are widely used. Companies and Internet service providers
that already have a RADIUS-based authentication service can thus conduct user
authentication by their RADIUS server.

When a user set to RADIUS authentication attempts user authentication, the
authentication data sent by the user (encrypted by SSL) is forwarded by the PacketiX VPN
Server to the RADIUS server set in advance. Users that pass user authentication by the
RADIUS server are permitted by the PacketiX VPN Server to connect. In any other case
(user authentication fails, or the RADIUS server cannot be accessed), permission is
denied.

To use RADIUS authentication, the IP address of the PacketiX VPN Server is registered on
the RADIUS server side, a password called the "shared secret" is agreed, and then the
Virtual HUB settings are changed. The RADIUS server to be used can be set for each
Virtual HUB, and the security settings of Virtual HUBs are independent of each other. The
following 3 items are required to configure RADIUS server settings for a Virtual HUB.

- Host name or IP address of the RADIUS server to be used

- UDP port number of the RADIUS server to be used

- Shared secret decided in advance

This information can be obtained from the RADIUS server administrator. The RADIUS server
to be used must be set to allow the Password Authentication Protocol (PAP).

The server product name that the PacketiX VPN Server reports to the RADIUS server is
"PacketiX VPN Server 2.0".

Fig. 2-2-2 RADIUS authentication

RADIUS Settings for Each User and for All Users

If users within a Virtual HUB are authenticated by the RADIUS server, there are the
following 2 methods:

- If you only want to use RADIUS authentication for some users registered in advance:
  In this case, the users who are to use RADIUS authentication are created and RADIUS
  authentication is set as the authentication method for those users. When such a user
  attempts to connect to the Virtual HUB, the entered authentication information is
  verified by the RADIUS server and access is either permitted or denied. If the user
  name on the Virtual HUB differs from that on the RADIUS server, you can specify a
  separate user name (other name) for the RADIUS server.

- If you want all users registered in the RADIUS server to be able to connect to the
  Virtual HUB by RADIUS authentication:
  To permit essentially all users already registered in the RADIUS server, a user account
  is created with an asterisk (*) as the user name and set to RADIUS authentication. With
  this user type, whatever user name a connection is made under, the user name and
  authentication information are checked by the RADIUS server, and if authentication
  passes, access to the Virtual HUB is permitted. With this method, a user who passes
  RADIUS authentication is accepted even if no user of that name is actually registered
  in the Virtual HUB, and the security policy values of the asterisk (*) user are used as
  that user's settings. In other words, the asterisk (*) user serves as a template for
  VPN sessions connected by this method. If you want to allow all users registered in
  the RADIUS server except a few to connect to the VPN, create a user with the user name
  to be denied, set that user to RADIUS authentication, and disable access permission in
  its security policy; that user then fails user authentication. Also, even when an
  asterisk (*) user exists alongside other users registered in the Virtual HUB, user
  authentication by the explicitly registered user data is attempted first, and only if
  it fails is RADIUS authentication conducted via the asterisk (*) user.

2.2.4 NT Domain and Active Directory Authentication

NT domain and Active Directory authentication are methods whereby a user name and
password are authenticated, just as with password authentication, but the passwords are
managed by the NT domain controller of a Windows NT 4.0 Server or later, or the Active
Directory controller of a Windows 2000 Server or Server 2003, rather than by the
PacketiX VPN Server. This enables user authentication using the existing company
password database. If company employees change their passwords on the Windows domain,
the change also applies to the password for the PacketiX VPN connection, thereby
enabling password unification.

Authentication Using NT Domain Controller or Active Directory Controller

Windows domain by Windows NT 4.0 / 2000 Server / Server 2003 is already widely
used. Thus companies and Internet service providers that have Windows domain based
authentication service can conduct user authentication by NT domain controller or Active
Directory controller.

When a user set to NT domain controller or Active Directory controller authentication
attempts user authentication, the authentication data sent by the user (encrypted by
SSL) is forwarded by the PacketiX VPN Server to the NT domain controller or Active
Directory controller. Users that pass user authentication by the NT domain controller or
Active Directory controller are permitted by the PacketiX VPN Server to connect. In any
other case (user authentication fails, or the NT domain controller or Active Directory
controller cannot be accessed), permission is denied.

If using NT domain or Active Directory authentication, the PacketiX VPN Server must be
made to participate in the Windows domain to be used. PacketiX VPN Servers
participating in the Windows domain can conduct NT domain or Active Directory
authentication of users set for NT domain or Active Directory authentication without
special setting.

In order to conduct NT domain or Active Directory authentication, the PacketiX VPN
Server that conducts user authentication must be running on Windows NT 4.0 Workstation,
Windows NT 4.0 Server, Windows NT 4.0 Server Enterprise Edition, Windows 2000
Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows XP
Professional, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows
Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or any Windows
Vista edition capable of participating in a domain. PacketiX VPN Servers that run on
Windows 98, Windows 98 Second Edition, Windows Millennium Edition, Linux, FreeBSD,
Solaris or Macintosh OS X cannot conduct NT domain or Active Directory authentication;
on those platforms, authentication of users set for NT domain or Active Directory
authentication always fails.

Fig. 2-2-3 NT domain or Active Directory authentication

NT Domain Authentication Setting for Individual Users and for All Users

If users within a Virtual HUB are authenticated by an NT domain controller or Active
Directory controller, there are the following 2 methods:

- If you only want to use NT domain controller or Active Directory controller
  authentication for some users registered in advance:
  In this case, the users who are to use NT domain or Active Directory authentication are
  created and NT domain or Active Directory authentication is set as the authentication
  method for those users. When such a user attempts to connect to the Virtual HUB, the
  entered authentication information is verified by the NT domain controller or Active
  Directory controller and access is either permitted or denied. If the user name on the
  Virtual HUB differs from that on the NT domain controller or Active Directory
  controller, you can specify a separate user name (other name) for the NT domain
  controller or Active Directory controller.

- If you want all users registered in the NT domain controller or Active Directory
  controller to be able to connect to the Virtual HUB by NT domain or Active Directory
  authentication:
  To permit essentially all users already registered in the NT domain controller or
  Active Directory controller, a user account is created with an asterisk (*) as the user
  name and set to NT domain or Active Directory authentication. With this user type,
  whatever user name a connection is made under, the user name and authentication
  information are checked by the NT domain controller or Active Directory controller, and
  if authentication passes, access to the Virtual HUB is permitted. With this method, a
  user who passes NT domain or Active Directory authentication is accepted even if no
  user of that name is actually registered in the Virtual HUB, and the security policy
  values of the asterisk (*) user are used as that user's settings. In other words, the
  asterisk (*) user serves as a template for VPN sessions connected by this method. If
  you want to allow all users registered in the NT domain controller or Active Directory
  controller except a few to connect to the VPN, create a user with the user name to be
  denied, set that user to NT domain or Active Directory authentication, and disable
  access permission in its security policy; that user then fails user authentication.
  Also, even when an asterisk (*) user exists alongside other users registered in the
  Virtual HUB, user authentication by the explicitly registered user data is attempted
  first, and only if it fails is NT domain or Active Directory authentication conducted
  via the asterisk (*) user.
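The lookup order described for the RADIUS asterisk (*) user in 2.2.3 and for the NT domain / Active Directory asterisk (*) user above is the same, so the following Go program is one added example serving both passages; it is not PacketiX VPN code. It models a Virtual HUB user list with an explicit password user, an external user carrying an "other name" alias, an explicitly denied name and the "*" template, and applies the documented order: the explicit entry first, the "*" template only if that fails, and then the access permission of whichever entry matched. The HubUser and externalAuth types, the user names, and the constructed external server (which accepts the password "pw-" followed by the user name) are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthMethod is the per-user authentication type (two of the manual's six).
type AuthMethod int

const (
	AuthPassword AuthMethod = iota // password held in the Virtual HUB
	AuthExternal                   // RADIUS, NT domain or Active Directory
)

// HubUser is a user registered in a Virtual HUB (hypothetical struct).
type HubUser struct {
	Method      AuthMethod
	Alias       string // "other name" sent to the external server; "" = connecting name
	AccessAllow bool   // security policy: access permission
	Password    string // AuthPassword users only (plain text here, for brevity)
}

// externalAuth stands in for the query to the RADIUS server or domain controller.
type externalAuth func(name, password string) bool

// credentialsOK checks one registered entry against the presented credentials.
// viaTemplate is true when entry is the "*" user, whose alias never applies.
func credentialsOK(entry *HubUser, ext externalAuth, name, password string, viaTemplate bool) bool {
	switch entry.Method {
	case AuthPassword:
		return entry.Password == password
	case AuthExternal:
		if !viaTemplate && entry.Alias != "" {
			name = entry.Alias
		}
		return ext(name, password)
	}
	return false
}

// authenticate applies the precedence the manual describes: the explicitly
// registered user is tried first, and only if that fails is the "*" template used.
// The security policy of the entry that matched is then applied, so an explicit
// entry with AccessAllow=false denies one name that the external server accepts.
func authenticate(users map[string]*HubUser, ext externalAuth, name, password string) error {
	var matched *HubUser
	if u, ok := users[name]; ok && credentialsOK(u, ext, name, password, false) {
		matched = u
	} else if t, ok := users["*"]; ok && credentialsOK(t, ext, name, password, true) {
		matched = t
	}
	if matched == nil {
		return errors.New("user authentication failed")
	}
	if !matched.AccessAllow {
		return errors.New("access denied by security policy")
	}
	return nil
}

func main() {
	// Constructed Virtual HUB: a local-password user, an aliased external user,
	// an explicitly denied name, and the "*" template for everyone else.
	users := map[string]*HubUser{
		"alice": {Method: AuthPassword, Password: "local-secret", AccessAllow: true},
		"carol": {Method: AuthExternal, Alias: "carol.corp", AccessAllow: true},
		"eve":   {Method: AuthExternal, AccessAllow: false},
		"*":     {Method: AuthExternal, AccessAllow: true},
	}
	// Constructed external server: accepts the password "pw-" + name for any name.
	radius := func(name, pw string) bool { return pw == "pw-"+name }
	attempts := [][2]string{{"bob", "pw-bob"}, {"bob", "guess"}, {"carol", "pw-carol.corp"}, {"eve", "pw-eve"}, {"alice", "local-secret"}}
	for _, a := range attempts {
		fmt.Printf("%-6s %-14s -> %v\n", a[0], a[1], authenticate(users, radius, a[0], a[1]))
	}
}
```

One consequence of the fallback rule is worth noticing: if an explicit entry's own check fails (a wrong local password for alice, say), the "*" template is still tried, so a name the external server accepts gets in under the template's policy. That is why the manual's way of excluding one name relies on the explicit entry's security policy, which is evaluated after a successful match, rather than on a failing authentication.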

2.2.5 Individual Certificate Authentication

Matters Common to Certificate Authentication

With password authentication, RADIUS authentication, and NT domain and Active Directory
authentication, user authentication is accomplished by the VPN client side proving, by
user name and password, that it is authorized to connect to the PacketiX VPN Server. User
authentication using passwords generally offers sufficient security, but if corporate
security policy does not recommend using a password for user authentication, user
authentication must be conducted using a more secure method called certificate
authentication (also called PKI authentication). There are 2 kinds of certificate
authentication: individual certificate authentication and signed certificate
authentication. Each user may select the kind that best suits his needs. A PacketiX VPN
Client that attempts to connect to the PacketiX VPN Server in client certificate
authentication mode can store the certificate and private key either on the client
computer's hard disk or on an external smart card.

With certificate authentication, when the connection source computer attempts to connect
to the Virtual HUB it presents a user name together with an X.509 electronic certificate.
The PacketiX VPN Server checks whether the certificate is correct, and the connection
source computer is only allowed to connect if it passes.

The connection source computer must possess the certificate data to present and a private
key (RSA private key) that corresponds to the public key in the certificate. The
certificate data is sent from the connection source computer to the VPN Server, but the
private key data is not transmitted. Next, the VPN Server sends random number data
(called a challenge value) to the client. When the client receives this data, it signs it
with the private key it possesses and returns the signature. The VPN Server verifies the
signature data sent by the client using the public key in the electronic certificate it
received initially, and so makes sure that the client computer has both the certificate
and the corresponding private key (if this cannot be confirmed, user authentication fails
on the spot). It then checks whether the certificate presented by the client matches the
attributes defined for each user as user authentication data. You can select either
individual certificate authentication or signed certificate authentication as the test
method at this point.

Certificates that can be used with PacketiX VPN are X.509 format. RSA is used for PKI
algorithm, and bit length for public and private keys is 1,024 or 2,048 bits. Version 1
of X.509 certificates and later can be used, but some extension fields are not
supported (contents are ignored). The subject values that can be recognized by all
PacketiX VPN modules are "CN" and "O" and "OU", "C" and "ST", "L".

Certificates which have expired and those registered in the list of invalid certificates that
can be set per Virtual HUB are recognized as invalid and user authentication always fails.

Fig. 2-2-4 Certificate authentication

Client Certificate Authentication by Individual Certificate Authentication

With individual certificate authentication, certificate data is registered for each user
in the Virtual HUB's user database, and permission to connect is granted if the
certificate presented by the user perfectly matches the previously registered certificate.

Advantages of Individual Certificate Authentication

Using individual certificate authentication is the easiest way to use the certificate
authentication function of PacketiX VPN. Especially if the number of users using
certificate authentication ranges from several to a few tens, the VPN system can be
operated satisfactorily with individual certificate authentication. As for the specific
operation method, the Virtual HUB administrator creates the X.509 certificates, registers
them one by one in the Virtual HUB, and transfers each certificate and private key to its
user by a secure method (e-mail within the company LAN, a shared folder or a smart card);
the user can then use them to connect to the Virtual HUB of the VPN Server at any time.
Conversely, the user can create the certificate and have it registered by transferring it
to the Virtual HUB administrator (this method is more secure because the private key
never leaves the user's possession).

The private key and X.509 certificate can be created with a utility (freeware or
commercially available software) that supports existing PKIs. The X.509 certificate file
and private key file can also be created with the certificate creation tool, a function
of PacketiX VPN Server Manager, or with the MakeCert command of the PacketiX VPN command
line management utility (vpncmd) (see 「Chapter 6 Command Line Management Utility
Manual」 ). These simple utilities support creation of both self-signed certificates and
signed certificates.

Disadvantages of Individual Certificate Authentication

Individual certificate authentication is difficult to use if there are a large number of
users to register, or if PKI has already been adopted by the company and each employee
holds a private key on a smart card (employee ID card, etc.). In such cases we recommend
that you select signed certificate authentication.

2.2.6 Signed Certificate Authentication

Client Certificate Authentication by Signed Certificate Authentication

Signed certificate authentication is convenient when a company CA (Certification
Authority) distributes an X.509 certificate and private key file to each individual
employee. It can also be used when no PKI system has yet been adopted but you want to use
certificate authentication for a large number of users accessing the Virtual HUB. The
requirements for using this method are as follows.

- An X.509 certificate and corresponding private key must be distributed, by file or
  smart card, to each user who is to access the Virtual HUB.

- The certificate of each user is signed by the root certificate (or an intermediate
  certificate) and private key held by the company CA, forming a tree-structured trust
  relationship.

If using signed certificate authentication, the root certificate (or intermediate
certificate) that signed the user certificates is registered in the list of CA
certificates trusted by the Virtual HUB.

Next, a new user is created and signed certificate authentication is set as the
authentication method for that user. If the certificate presented by a client computer
connecting under that user name is confirmed to be signed by a certificate in the trusted
CA certificate list registered in the Virtual HUB, that client computer passes user
authentication.

With this method, however, every employee holding a certificate issued by the company
root CA is treated equally. If users need to be differentiated, for example to allow some
of them a wider range of protocols, this method is used together with the method of
limiting connectable certificates by serial number or Common Name, described next.

Limit of Connectable Certificate by Common Name or Serial Number

The contents of an X.509 certificate include a Common Name (CN) and a serial number. By limiting the Common Name and serial number, access can be denied even to a certificate that is confirmed to be signed by a certificate of a CA trusted by the Virtual HUB, when one or both of these items does not match exactly.

If this function is used, users can be created that can connect only with a certificate that is signed by a trusted certificate and also carries a particular serial number or CN value, so that security policies, etc. can be differentiated according to the type of certificate.


2.3 Server Authentication

The previous section, 「2.2 User Authentication」, described how the VPN client computers that connect to the PacketiX VPN Server are authenticated. Server authentication is the opposite: it is the function whereby the VPN client computer (a VPN Client, or a VPN Server / VPN Bridge making a cascade connection) verifies that the PacketiX VPN Server it is attempting to connect to is authentic. Because server authentication is not needed for conventional operation, it is off by default, but it can be enabled for each client connection setting or cascade connection setting.

2.3.1 Necessity of Server Authentication

Man in the Middle Attacks on the Internet and Public IP Networks

Server authentication is needed to verify that the destination VPN Server is authentic when connecting over an insecure public network. By planting special software that rewrites the protocol somewhere on the path of an IP network, a malicious third party can technically make it appear that you are connecting to the authentic VPN Server when you are in fact connecting to a phony one. By relaying the connection from the phony VPN Server on to the VPN Server the user intended to reach, the third party can decrypt, read and re-encrypt every packet flowing through the VPN before sending it on to its destination, and so eavesdrop on or tamper with VPN communication without the user being aware of it.

This is called a direct attack, man in the middle attack or person in the middle attack. Because of the enormous amount of traffic on the Internet backbone, it is realistically difficult to install such software on the backbone, but such attacks have succeeded on branch networks where throughput is not so high.

The server authentication function is therefore used to prevent data transmitted over the VPN from being eavesdropped on or tampered with by such attacks.

Mechanism of Server Authentication by Certificate

Server authentication by certificate verifies that the destination VPN Server is authentic by verifying its certificate; this is the mirror image of the client certificate authentication described in 「2.2.5 Individual Certificate Authentication」. The destination VPN Server holds an X.509 certificate and the corresponding private key, and the VPN client computer (VPN Client, or VPN Server / VPN Bridge making a cascade connection) that attempts to connect decides from the contents of that certificate whether the destination VPN Server can be trusted. Because the RSA algorithm is used to verify the certificate, the VPN Server must hold the private key that corresponds to the certificate.

If the server fails verification or presents an expired certificate, the destination VPN Server is judged insufficiently trustworthy and the VPN connection is aborted.

The two methods by which the VPN client computer (VPN Client, or VPN Server / VPN Bridge making a cascade connection) can determine whether the certificate presented by the destination VPN Server can be trusted are as follows.

2.3.2 Server Individual Certificate Authentication

Server individual certificate authentication is an authentication method whereby the X.509 certificate of the destination VPN Server is registered in each connection setting, and the connection to the VPN Server continues only when the certificate presented by the VPN Server at connection time matches the registered certificate exactly. If it does not, the connection is cut off.

This method can be used if you already possess the server certificate of the destination VPN Server. When you first connect to the destination VPN Server with the VPN Client's server certificate verification option enabled, the contents of the certificate are displayed in a window together with a message asking whether to register it as the server individual certificate. If the user selects "Yes", the certificate used for that first connection is used as the server individual certificate from the next connection to that VPN Server onward.

2.3.3 Server Signed Certificate Authentication

Server signed certificate authentication is the authentication method whereby the VPN client computer making the VPN connection holds a list of trusted root certificates (or intermediate certificates), and the connection is allowed to continue if the certificate presented by the destination VPN Server is signed by one of those trusted certificates.

If there are several VPN Servers in the company, or if their number is expected to grow in the future, the server certificate of each VPN Server is signed with the company root certificate and that root certificate is registered as trusted; clients attempting to connect to these VPN Servers can then determine that the servers are authentic whenever the certificates they present are signed by the root certificate.
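The trust decisions described in 2.2.6 (a user certificate chained to a trusted CA, then limited by CN and serial number) and in 2.3.2 / 2.3.3 (a server certificate pinned exactly, or chained to a trusted root, with expired certificates rejected) can be exercised with the following Go program, which is an added example and not code from PacketiX VPN. All certificates, names ("Example Corp Root CA", "Unrelated CA", "alice", "vpn.example.test") and serial numbers are constructed sample data generated inside the program, and the matching functions are this example's own illustration, not the product's implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert is a constructed helper that issues an X.509 certificate: self-signed (a root CA)
// when parent is nil, otherwise signed by the parent's private key. Any error aborts the demo.
func makeCert(cn string, serial int64, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-2 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifySigned is the check behind signed certificate authentication (2.2.6, 2.3.3): the presented
// certificate must chain to a trusted root or intermediate; Verify also rejects an expired one (2.3.1).
func verifySigned(presented *x509.Certificate, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// authenticateUser models the Virtual HUB's decision for a signed-certificate user: the chain
// must verify first; then the optional CN / serial limits ("" or nil = not limited) must match exactly.
func authenticateUser(presented *x509.Certificate, trusted []*x509.Certificate, wantCN string, wantSerial *big.Int) error {
	if err := verifySigned(presented, trusted); err != nil {
		return err
	}
	if wantCN != "" && presented.Subject.CommonName != wantCN {
		return fmt.Errorf("CN %q does not match required %q", presented.Subject.CommonName, wantCN)
	}
	if wantSerial != nil && presented.SerialNumber.Cmp(wantSerial) != 0 {
		return fmt.Errorf("serial %s does not match required %s", presented.SerialNumber, wantSerial)
	}
	return nil
}

// matchesPinned models server individual certificate authentication (2.3.2): the presented
// certificate must be byte-for-byte identical to the one registered in the connection setting.
func matchesPinned(presented, registered *x509.Certificate) bool {
	return bytes.Equal(presented.Raw, registered.Raw)
}

// buildScenario constructs the sample data: a company root CA, an unrelated CA and four leaf certificates.
func buildScenario() (corp, alice, server, expired, outsider *x509.Certificate) {
	future := time.Now().Add(24 * time.Hour)
	corp, corpKey := makeCert("Example Corp Root CA", 1, true, future, nil, nil)
	other, otherKey := makeCert("Unrelated CA", 1, true, future, nil, nil)
	alice, _ = makeCert("alice", 1001, false, future, corp, corpKey)
	server, _ = makeCert("vpn.example.test", 2001, false, future, corp, corpKey)
	expired, _ = makeCert("vpn.example.test", 2002, false, time.Now().Add(-time.Minute), corp, corpKey)
	outsider, _ = makeCert("alice", 1001, false, future, other, otherKey) // same CN and serial, wrong CA
	return corp, alice, server, expired, outsider
}

func main() {
	corp, alice, server, expired, outsider := buildScenario()
	trusted := []*x509.Certificate{corp}
	fmt.Println("alice, CN+serial limited :", authenticateUser(alice, trusted, "alice", big.NewInt(1001)))
	fmt.Println("same CN+serial, other CA :", authenticateUser(outsider, trusted, "alice", big.NewInt(1001)))
	fmt.Println("expired server cert      :", verifySigned(expired, trusted))
	fmt.Println("pin match / pin mismatch :", matchesPinned(server, server), matchesPinned(server, outsider))
}
```

The "outsider" certificate shows why the CN / serial limit is applied only after the chain has verified: an unrelated CA can issue a certificate with any CN and serial it likes.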


2.4 VPN Server Manager

PacketiX VPN Server Manager is an administration utility for Windows that comes with
PacketiX VPN Server 2.0 or PacketiX VPN Bridge 2.0. This section contains a description
of how to use PacketiX VPN Server Manager.

2.4.1 What is VPN Server Manager

PacketiX VPN Server Manager is an administration utility that supports Windows graphic
user interface (GUI) for administering PacketiX VPN Server or PacketiX VPN Bridge by
local or remote computer. Using VPN Server Manager enables you to connect to and
administer PacketiX VPN Server or PacketiX VPN Bridge without learning complicated
commands or operation methods. You can also administer PacketiX VPN Server /
PacketiX VPN Bridge operating on a UNIX operating system from a familiar Windows
terminal.

Using VPN Server Manager is extremely convenient because it lets you connect to a VPN Server / VPN Bridge in a remote location via the Internet. When connecting, you specify the host name or IP address of the destination VPN Server / VPN Bridge and the listener port number on which it is operating. If server administration is conducted through a network, all communication contents are automatically encrypted by SSL to ensure security.

For information on how to use VPN Server Manager, see 「3.3.3 Administration Tools &
Remote Administration」 .

Fig. 2-4-1 VPN Server and VPN Bridge administration by VPN Server Manager

2.4.2 VPN Server Manager Support System

VPN Server Manager supports the following operating systems.

Windows 98 / Windows 98 Second Edition / Windows Millennium Edition / Windows NT 4.0 Workstation / Windows NT 4.0 Server / Windows NT 4.0 Server, Enterprise Edition / Microsoft Windows 2000 Professional / Microsoft Windows 2000 Server / Microsoft Windows 2000 Advanced Server / Microsoft Windows XP Professional / Microsoft Windows XP Professional x64 Edition / Microsoft Windows XP Home Edition / Microsoft Windows XP Tablet PC Edition / Microsoft Windows XP Tablet PC Edition 2005 / Microsoft Windows XP Media Center Edition 2004 / Microsoft Windows XP Media Center Edition 2005 / Microsoft Windows Server 2003 Standard Edition / Microsoft Windows Server 2003 Standard x64 Edition / Microsoft Windows Server 2003 Enterprise Edition / Microsoft Windows Server 2003 Enterprise x64 Edition / Microsoft Windows Server 2003 R2 Standard Edition / Microsoft Windows Server 2003 R2 Standard x64 Edition / Microsoft Windows Server 2003 R2 Enterprise Edition / Microsoft Windows Server 2003 R2 Enterprise x64 Edition / Microsoft Windows Vista Home Basic / Microsoft Windows Vista Home Premium / Microsoft Windows Vista Business / Microsoft Windows Vista Enterprise / Microsoft Windows Vista Ultimate

If the Japanese version of VPN Server Manager is used on Windows 98, Windows 98 Second Edition or Windows Millennium Edition, a Japanese operating system is required. Other-language operating systems that support Unicode can also be used.

2.4.3 Connecting to VPN Server and VPN Bridge

PacketiX VPN Server Manager can conduct remote administration by connecting to VPN
Server or VPN Bridge. If the connection destination VPN Server or VPN Bridge is running
on the same machine, it can also connect to localhost (in this case communication
among processes is carried out and network communication does not occur).

PacketiX VPN Server Manager can also manage a VPN Server or VPN Bridge operating remotely via an HTTP proxy server or SOCKS proxy server.

When connecting to VPN Server or VPN Bridge you must select either server
administration mode or Virtual HUB administration mode as the connection mode.

- Server administration mode:

Server administration mode is used when you are authorized to administer the entire PacketiX VPN Server. If connected in server administration mode, you can read or modify setting information for the entire VPN Server and you can administer all Virtual HUBs operating on that VPN Server. When administering a PacketiX VPN Bridge, the connection is always in server administration mode.

- Virtual HUB administration mode:

In Virtual HUB administration mode, you select one of the Virtual HUBs operating within the PacketiX VPN Server and connect as the administrator of that Virtual HUB. This mode is used when the administrator of the entire PacketiX VPN Server has delegated administration authority for a particular Virtual HUB to someone else.

For information on delegating administration authority, see 「3.3.4 Administration Authority」.

2.4.4 Installing VPN Server Manager Alone

PacketiX VPN Server Manager is automatically installed on the computer when the Windows version of either PacketiX VPN Server or PacketiX VPN Bridge is installed.

A version without an installer is also available in the Windows distribution package for PacketiX VPN Server and PacketiX VPN Bridge (marked "exe-only"). When the exe-only package is unzipped, the executable files for PacketiX VPN Server and PacketiX VPN Bridge are extracted to the directory of your choice. PacketiX VPN Server Manager can be executed from the following 2 files alone:

- vpnsmgr.exe (vpnsmgr_x64.exe for the 64-bit version)

- hamcore.se2

To administer computers on which PacketiX VPN Server or PacketiX VPN Bridge is installed from a remote location, copy the files given above into any directory on the Windows PC to be used for administration. This enables PacketiX VPN Server or PacketiX VPN Bridge to be administered by GUI from a laptop PC, etc.

2.4.5 Setup Wizard

If you use PacketiX VPN Server Manager to connect to a PacketiX VPN Server or PacketiX VPN Bridge that has not been configured since installation, the PacketiX VPN Server / Bridge easy setup wizard may be launched.

Using the setup wizard facilitates setting up a VPN Server / Bridge for a VPN connection between sites, or a VPN Server for remote access VPN.

The online manual does not provide a description of how to use the setup wizard, but it's
so easy it doesn't require an explanation.

Fig. 2-4-2 PacketiX VPN Server / Bridge setup wizard

2.4.6 Limitations

PacketiX VPN Server Manager is superior administration software in that all operations can be conducted from the GUI, but it has the following limitations.

- Because it is Windows GUI software, it will not run on any operating system other than Windows. Consequently Linux or other UNIX systems cannot be used to administer PacketiX VPN Server. (A PacketiX VPN Server running on Linux or UNIX can, however, be administered from a Windows terminal.)

- Because it is GUI software, it is not easy to automate administration with script commands, as can be done from the command line. (It can be done using a GUI automation tool, but this is not common.)

- The "reboot" command is not implemented in the vpncmd command.

If the limitations described above are a problem for your administration, we recommend using the VPN command line management utility (vpncmd). For more information on vpncmd, see 「2.6 VPN Command Line Management Utility (vpncmd)」 and 「Chapter 6 Command Line Management Utility Manual」.

2.5 VPN Client Manager

VPN Client Manager is the user interface for controlling PacketiX VPN Client; it is installed together with PacketiX VPN Client 2.0 on a Windows PC. This section contains a description of VPN Client Manager.

2.5.1 What is VPN Client Manager?

VPN Client Manager is the only software directly operated by the average end user of a VPN system built with PacketiX VPN. VPN Client Manager enables you to control VPN Client, create new connection settings or Virtual Network Adapters, and connect to PacketiX VPN Server using those connection settings.

For details on VPN Client Manager and VPN Client, see 「Chapter 4 PacketiX VPN Client
2.0 Manual」 .


Fig. 2-5-1 VPN Client Manager

2.5.2 System that Supports VPN Client Manager

VPN Client Manager runs on all operating systems that support the Windows version of PacketiX VPN Client. For details, see 「12.2 PacketiX VPN Client 2.0 Specs」.

2.5.3 Integrating with VPN Client

VPN Client Manager operates in close cooperation with the PacketiX VPN Client service (the background service that provides the VPN Client functions). VPN Client Manager is front-end software for end users who operate VPN client computers. It offers the following features.

- Almost all operations can be performed with the mouse. Only a few items have to be input by keyboard.

- VPN Client Manager, which resides in the task tray, can be operated in a snap without opening its window.

- A password can be set that is required to open VPN Client Manager. A third party using the same computer who does not know the password therefore cannot use the PacketiX VPN Client service of that computer without permission.

- If remote administration has been allowed in advance, you can connect to and control the PacketiX VPN Client 2.0 service running on another computer.

- You can also connect to and operate the Linux version of the PacketiX VPN Client 2.0 service.

2.5.6 Limitations

VPN Client Manager has the following limitations.

- Only a Windows version of VPN Client Manager is available. Consequently it cannot be used to control the Linux version of PacketiX VPN Client 2.0 from localhost. (It can, however, control the Linux version of PacketiX VPN Client 2.0 from a separate Windows terminal by remote connection.)

- Because it is GUI software, it is not easy to automate administration with script commands, as can be done from the command line. (It can be done using a GUI automation tool, but this is not common.)

If the limitations described above are a problem for your administration, we recommend using the VPN command line management utility (vpncmd). For more information on vpncmd, see 「2.6 VPN Command Line Management Utility (vpncmd)」 and 「Chapter 6 Command Line Management Utility Manual」.


2.6 VPN Command Line Management Utility (vpncmd)

The PacketiX VPN command line management utility (vpncmd) is a command line utility that can control the same settings and operations as the conventional GUI tools, by connecting locally or remotely to PacketiX VPN Server, PacketiX VPN Client or PacketiX VPN Bridge and taking commands from the command line or from an input file.

2.6.1 What is vpncmd?

VPN Command Line Management Utility (vpncmd)

The PacketiX VPN command line management utility (vpncmd) is command line interface (CUI) software that combines the functions of the Windows control tools PacketiX VPN Server Manager and PacketiX VPN Client Manager described in 「2.4 VPN Server Manager」 and 「2.5 VPN Client Manager」.

vpncmd runs on every operating system that supports PacketiX VPN Server 2.0, so it can also be used on Linux / FreeBSD / Solaris / Mac OS X. You can therefore administer PacketiX VPN Server by invoking vpncmd on an SSH console of the computer on which PacketiX VPN Server is installed, and connecting to localhost.

Invoking vpncmd from an External Program

By specifying an input file (/IN) as a command line argument, you can have vpncmd automatically execute a command file containing multiple commands. You can also write the execution results to a file (/OUT). By invoking vpncmd from an external program with these functions, VPN Server / VPN Client / VPN Bridge can be controlled automatically.

Using vpncmd for Repetitious Processing Such as Registering Large Numbers of Users

When a large number of users (several thousand to several tens of thousands) must be registered at once in a Virtual HUB of PacketiX VPN Server, processing that would take a lot of time with the GUI can be semi-automated by using the vpncmd program.
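As an added example (not part of this manual or of the vpncmd program), the following Go program builds such a /IN command file from a constructed user list, validates each entry before it reaches vpncmd, and writes the file with owner-only permissions because it contains initial passwords. The UserPasswordSet command, the /GROUP:, /REALNAME:, /NOTE: and /PASSWORD: parameters, and the /SERVER, /HUB: and /PASSWORD: connection options printed at the end follow the syntax of the later SoftEther VPN vpncmd and are assumptions here; the manual itself names only UserCreate, /IN and /OUT.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// userSpec is one entry of the (constructed) user list to be registered in a Virtual HUB.
type userSpec struct {
	Name, Password string
}

// safeName is a conservative whitelist: a user name written into the command file must not
// contain spaces, slashes or other characters that could be read as a separate parameter.
var safeName = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// buildUserCommands produces the text of a vpncmd input file (/IN) that creates each user and
// sets an initial password. UserPasswordSet and the /GROUP:, /REALNAME:, /NOTE: and /PASSWORD:
// spellings are taken from the later SoftEther VPN vpncmd (assumption); "none" leaves a field unset.
func buildUserCommands(users []userSpec) (string, error) {
	var b strings.Builder
	seen := make(map[string]bool, len(users))
	for _, u := range users {
		switch {
		case !safeName.MatchString(u.Name):
			return "", fmt.Errorf("user %q: name must match %s", u.Name, safeName)
		case seen[u.Name]:
			return "", fmt.Errorf("user %q: listed twice", u.Name)
		case u.Password == "" || strings.ContainsAny(u.Password, " \t\r\n"):
			return "", fmt.Errorf("user %q: empty or whitespace-containing password", u.Name)
		}
		seen[u.Name] = true
		fmt.Fprintf(&b, "UserCreate %s /GROUP:none /REALNAME:none /NOTE:none\n", u.Name)
		fmt.Fprintf(&b, "UserPasswordSet %s /PASSWORD:%s\n", u.Name, u.Password)
	}
	return b.String(), nil
}

// writeCommandFile stores the commands with owner-only permissions (0600): the file holds
// initial passwords, so it must not be world-readable and should be deleted after the run.
func writeCommandFile(path, commands string) error {
	return os.WriteFile(path, []byte(commands), 0o600)
}

func main() {
	users := []userSpec{{"alice", "Init-Pass-01"}, {"bob", "Init-Pass-02"}} // constructed sample
	commands, err := buildUserCommands(users)
	if err != nil {
		fmt.Println("invalid user list:", err)
		os.Exit(1)
	}
	path := "users.vpncmd"
	if err := writeCommandFile(path, commands); err != nil {
		fmt.Println("cannot write command file:", err)
		os.Exit(1)
	}
	fmt.Print(commands)
	// Assumed invocation (SoftEther-style syntax; host, port, hub and admin password are placeholders).
	fmt.Printf("vpncmd <host>:<port> /SERVER /HUB:<hub> /PASSWORD:<admin-password> /IN:%s /OUT:result.txt\n", path)
}
```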

Usage of vpncmd and GUI Tool

The command line interface of the vpncmd program contains a large number of commands. To use all of them properly, you must read 「Chapter 6 Command Line Management Utility Manual」 or the command help thoroughly. Even beginners can easily use all the functions of PacketiX VPN Server Manager and PacketiX VPN Client Manager, but it takes time to learn to use the vpncmd program properly.

Therefore, for routine operation, administration and settings, use PacketiX VPN Server Manager and PacketiX VPN Client Manager as much as possible; it is best to use the vpncmd program for registering large numbers of users and for automatic control from another program.


Specific vpncmd Usage Method

For the specific method of using the vpncmd program, see 「Chapter 6 Command Line Management Utility Manual」.

Fig. 2-6-1 VPN command line management utility (vpncmd)

2.6.2 Displaying Command Help

If there is a command in the vpncmd command line console that you do not know how to use, you can display its help by adding "--help" or "/help" after the command name.

If you forget a command name, all command names can be displayed by entering "help".

As a rule, the target of the operation is placed at the front of a vpncmd command name. For example, the command to create a new user is UserCreate. Entering "User?" therefore displays a list of commands beginning with "User".

For details on command input method, input rules and automatic complement function
for command console of the vpncmd program, see 「Chapter 6 Command Line
Management Utility Manual」 .


Chapter 3 PacketiX VPN Server 2.0 Manual

The PacketiX VPN Server 2.0 is VPN server software equipped with high performance,
functionality, security, scalability and portability.


The PacketiX VPN Server is the most important software in the PacketiX VPN system,
and as its name implies, acts as a VPN server which supports access from remote VPN
Clients, VPN Bridges and so on across a network.

This server must be installed whenever the PacketiX VPN software is used in order to
realize a VPN in any format. This is because the PacketiX VPN Server is the only one
capable of supporting access from the VPN Client and VPN Bridge.

This chapter describes each of the functions of the PacketiX VPN 2.0 Server as well as
how they are used.

The PacketiX VPN is provided as paid software and, upon choosing an edition, a product
license and access license must be purchased in order to enable use. For details, please
refer to 「1.3 PacketiX VPN 2.0 Product Configuration and License」 .

3.1 Operating Environment
3.1.1 Support for Windows
3.1.2 Support for Linux
3.1.3 Support for FreeBSD
3.1.4 Support for Solaris
3.1.5 Support for Mac OS X
3.1.6 Support for Embedded Devices
3.1.7 Limitations
3.2 Operating Modes
3.2.1 Service Mode
3.2.2 User Mode
3.3 VPN Server Administration
3.3.1 Administration without the need for System Stop
3.3.2 PacketiX VPN Server and Virtual HUBs
3.3.3 Administration Tools & Remote Administration
3.3.4 Administration Authority
3.3.5 SSL Certificates
3.3.6 Listener Ports
3.3.7 Configuration File
3.3.8 Configuration Version Numbers
3.3.9 Configuration History
3.3.10 Administration of Statistical Information
3.3.11 Automatic Adjustment when Disk Space is Insufficient
3.3.12 Failure Recovery
3.3.13 Keep Alive Internet Connection Function
3.3.14 Obtaining Server Information
3.3.15 Selecting Encryption Algorithms for use in SSL Transmission
3.3.16 Initializing the VPN Server Service Reboot & Configuration Information
3.3.17 Syslog Transmission Function
3.3.18 Restricting IP Address Remote Administration Connection Sources
3.4 Virtual HUB Functions
3.4.1 Creating Virtual HUBs
3.4.2 Online & Offline Status
3.4.3 Maximum Simultaneous Connections
3.4.4 Connection Mode
3.4.5 Session Management
3.4.6 MAC Address Tables
3.4.7 IP Address Table
3.4.8 Confirming the Existence of IP Addresses with Poll Packets
3.4.9 Communicating in Bridge / Router Mode Session
3.4.10 Communicating in Monitoring Mode Session
3.4.11 Cascade Connection Functions
3.4.12 Server Authentication in Cascade Connections
3.4.13 Local Bridge
3.4.14 Administrator Connection
3.4.15 Obtaining Information on the Virtual HUBs
3.5 Virtual HUB Security
3.5.1 Delegating Virtual HUB Administration Authority
3.5.2 Virtual HUB Anonymous Enumeration Settings
3.5.3 External Authentication Server Settings
3.5.4 Users and Groups
3.5.5 Trusted Certification Authority Certificates
3.5.6 Certificates Revocation List
3.5.7 Setting CN & Serial Number on Signed Certificate Authentication
3.5.8 Setting an Alias in RADIUS Authentication or NT Domain & Active Directory Authentication
3.5.9 Security Policies
3.5.10 Packet Filtering with the Access List
3.5.11 Limiting Connections with the IP Access Control List
3.5.12 Virtual HUB Administration Options
3.6 Local Bridges
3.6.1 What is a Local Bridge?
3.6.2 Local Bridge Settings & Operation
3.6.3 Preparing the Local Bridge network adapter
3.6.4 Local Bridge Sessions
3.6.5 Supported Network Adapter Types
3.6.6 Use of network adapters not supporting Promiscuous Mode
3.6.7 Tagged VLAN Frames
3.6.8 Outputting all Communication Data in the Virtual HUB to the Network Adapter
3.6.9 Using Tap Devices
3.6.10 Points to Note when Local Bridging in Windows
3.6.11 Points to Note when Local Bridging in Linux
3.6.12 Points to Note when Local Bridging in Solaris
3.7 Virtual NAT & Virtual DHCP Servers
3.7.1 What is SecureNAT?
3.7.2 Setting the Virtual Host Network Interface
3.7.3 Virtual NAT
3.7.4 Points to Note when using Virtual NAT Function
3.7.5 Virtual DHCP Server
3.7.6 Points to Note when using the Virtual DHCP Server
3.7.7 SecureNAT Sessions
3.7.8 Logging SecureNAT Status
3.8 Virtual Layer 3 Switches
3.8.1 What is a Virtual Layer 3 Switch?
3.8.2 Difference between Bridging & IP Routing
3.8.3 Defining Virtual Layer 3 Switches
3.8.4 Adding Virtual Interfaces to connect to Virtual HUBs
3.8.5 Editing the Routing Table
3.8.6 Starting and Stopping Virtual Layer 3 Switches
3.8.7 Limitations
3.9 Clustering
3.9.1 What is Clustering?
3.9.2 Cluster Controllers
3.9.3 Cluster Member Servers
3.9.4 Load Balancing
3.9.5 Load Balancing using Performance Standard Ratio
3.9.6 Fault Tolerance
3.9.7 Static Virtual HUBs
3.9.8 Dynamic Virtual HUBs
3.9.9 Connecting to Arbitrary Servers in Static Virtual HUBs
3.9.10 Collectively Administering the Entire Cluster
3.9.11 Cluster Configuration Licenses
3.9.12 Functions not Available Simultaneously with Clustering
3.10 Logging Service
3.10.1 Log Save Format & Save Cycle
3.10.2 Server Log
3.10.3 Virtual HUB Security Log
3.10.4 Virtual HUB Packet Log
3.10.6 Obtaining Log Files on a Remote Administration Terminal
3.10.17 Syslog Transmission function
3.11 Day-to-Day Management
3.11.1 Auditing the Server Log
3.11.2 Checking Usage Status
3.11.3 Backing Up Configuration Information
3.11.4 Recovering from Failure
3.11.5 Rolling Back the Configuration
3.11.6 Confirming Hard Disk Availability
3.11.7 Network Administration Support Tools
3.11.8 Checking Sufficiency of Required Resources
3.11.9 Measuring Effective Throughput


3.1 Operating Environment

The PacketiX VPN Server supports many platforms and operating systems. Please refer
to 「12.1 PacketiX VPN Server 2.0 Specs」 for specifications on compatible operating
systems.

3.1.1 Support for Windows

The PacketiX VPN Server supports the Microsoft Windows platform. Support is provided not only for Windows NT 4.0 and the newer NT kernel-based platforms from Windows 2000 onward, but also for the legacy systems Windows 98 and Windows Millennium Edition, on which the PacketiX VPN Server may in some cases be operable.

When developing the PacketiX VPN Server, SoftEther Corporation writes the programs and performs basic debugging and optimization on the Windows platform, and then ports the result to the other operating systems. Furthermore, the performance of the Windows OS kernel scheduler and network protocol stack is equivalent to or slightly better than that of Linux, so the Windows version not only matches the performance of the UNIX versions but exceeds it. Using the Windows version of the PacketiX VPN Server also enables VPN Server operation with the fewest limitations.

In addition, while particular software may not work properly on Linux and other UNIX operating systems depending on the kernel version and on differences between distributions and library systems, Windows operating systems guarantee a certain degree of uniformity in the behaviour of system APIs and user-mode libraries, so that the PacketiX VPN Server can operate safely on both old and new versions of Windows.

Accordingly, SoftEther Corporation recommends using the PacketiX VPN Server on a Windows platform where no other technical or cost issues are involved.

The Windows version PacketiX VPN Server is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

- x86

- x64 (AMD64 / EM64T)

PacketiX VPN Server 2.0 can be operated on either 32-bit or 64-bit (x64 version)
versions of Windows (except where license limitations apply). See 「1.3.10 Client
Connection Licenses」 for details. For more information about support for 64-bit
environments, please refer to 「Chapter 12 PacketiX VPN Software Specification」 .

3.1.2 Support for Linux

The PacketiX VPN Server supports the Linux platform. The server can be operated on Linux kernel 2.4 or later.

The Linux platform is the next operating environment recommended by SoftEther Corporation after Windows. The performance of the Linux kernel scheduler and multithread library has improved considerably over past versions, and the network protocol stack now rivals that of Windows in terms of reliability. Therefore, where technical or political issues make the use of Windows as the VPN server difficult, we recommend using the PacketiX VPN Server on a Linux system. One particular advantage of using a Linux system is that the software license cost at installation is often lower than for Windows. The Linux version of the PacketiX VPN Server also exhibits performance and functions comparable to the Windows version.

Furthermore, the Linux operating system offers the benefit of supporting many types of
CPUs compared to the Windows OS. For this reason, the PacketiX VPN Server supports
many CPUs such as those listed below. Apart from common computers, Linux may also
be installed on embedded devices (NASs, routers, HDD recorders, etc.) whose hardware
adopts a CPU aimed at such devices other than the x86. The PacketiX VPN Server can
also operate on these types of hardware.

The Linux version PacketiX VPN Server is compatible with the following system architectures. Note that there is a high likelihood that compliant architectures will increase in the future.

- x86

- x64 (AMD64 / EM64T)

- PowerPC (32-bit mode)

- SH4 (32-bit mode)

- MIPS (32-bit mode)

PacketiX VPN Server 2.0 can be operated on either 32-bit or 64-bit (x64 version) versions of Linux (except where license limitations apply). See 「1.3.10 Client Connection Licenses」 for details. For more information about support for 64-bit environments, please refer to 「Chapter 12 PacketiX VPN Software Specification」.

3.1.3 Support for FreeBSD

The PacketiX VPN Server supports the FreeBSD platform. The server is operable on the
FreeBSD 5.x or later kernel versions.

While the PacketiX VPN Server can perform sufficiently on the FreeBSD platform, there is
the disadvantage of not being able to use the local bridge connection function. On the
whole, using the PacketiX VPN Server on FreeBSD does not pose any problems when the
user does not intend to utilize the local bridge function.

The FreeBSD version PacketiX VPN Server is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

- x86

- x64 (AMD64 / EM64T)

PacketiX VPN Server 2.0 can be operated on either 32-bit or 64-bit (x64 version)
versions of FreeBSD (except where license limitations apply). See 「1.3.10 Client
Connection Licenses」 for details. For more information about support for 64-bit
environments, please refer to 「Chapter 12 PacketiX VPN Software Specification」 .

3.1.4 Support for Solaris

The PacketiX VPN Server supports the Sun Microsystems Solaris platform. The server
can be operated on the Solaris 8 or later kernel versions.

The VPN Server can deliver sufficient performance on the Solaris platform. Additionally,
the local bridge connection function can be used on Build 5220 or later versions of the
Solaris version PacketiX VPN Server 2.0 / VPN Bridge 2.0. This has enabled the Solaris
OS to realize VPN Server / VPN Bridge functionality comparable to that of Windows or
Linux operating systems.

Also, because the Solaris OS operates on hardware using SPARC CPUs, companies
possessing this special hardware can effectively utilize their resources as VPN servers by
running the PacketiX VPN Server on said hardware.

Due to a lack of test hardware, SoftEther Corporation has not carried out testing of the
PacketiX VPN Server for all CPU types and versions of the Solaris OS. We therefore
recommend using the latest possible version of the Solaris operating system to best
ensure operation.

The Solaris version PacketiX VPN Server is compatible with the following system
architectures. Note that further architectures are likely to be supported in the future.

- x86

- x64 (AMD64 / EM64T)

- SPARC (32-bit mode)

- SPARC (64-bit mode)

PacketiX VPN Server 2.0 can be operated on either 32-bit or 64-bit (x64 or SPARCv9)
versions of Solaris (except where license limitations apply). See 「1.3.10 Client
Connection Licenses」 for details. For more information about support for 64-bit
environments, please refer to 「Chapter 12 PacketiX VPN Software Specification」 .

3.1.5 Support for Mac OS X

The PacketiX VPN Server supports the Mac OS X platform. The server can be operated
on Darwin 7.9.0 or later kernel versions.

While the PacketiX VPN Server can perform sufficiently on the Mac OS X platform, there
is the disadvantage of not being able to use the local bridge connection function. On the
whole, using the PacketiX VPN Server on Mac OS X does not pose any problems when
the user does not intend to utilize the local bridge function. Multithread library
performance on Mac OS X may be inferior to that of other operating systems, so we
recommend using another operating system when the PacketiX VPN Server is to be used
in a high-load environment.

The Mac OS X version PacketiX VPN Server is compatible with the following system
architectures. Note that further architectures are likely to be supported in the future.

- PowerPC (32-bit mode)

3.1.6 Support for Embedded Devices

The PacketiX VPN Server features highly portable, memory-saving program code and can
therefore be embedded in hardware devices such as hardware routers, Layer 3 and Layer 2
switches, wireless LAN devices, digital consumer electronics and miniature computers in
automobiles and the like, provided that said hardware devices satisfy the operational
requirements. See 「1.3.8 64-bit version of PacketiX VPN Server 2.0」 for details.

Embedding the PacketiX VPN Server into various devices in the future would theoretically
ensure interconnectivity and communication between these devices via the common
PacketiX VPN protocol, thus enabling not only computer users but also consumers in
general to use the PacketiX VPN intuitively.

3.1.7 Limitations

A number of operating system limitations exist for the PacketiX VPN Server. While these
limitations may be described in other areas of this manual, it is also possible that other
technically difficult OS and hardware architecture-dependent issues may exist. Moreover,
SoftEther Corporation does not guarantee the operational stability of the PacketiX VPN
Server on all operating systems. Please refer to 「12.1 PacketiX VPN Server 2.0 Specs」
for details on our recommended operating systems and system configurations.

3.2 Operating Modes

The user can operate the PacketiX VPN Server in two modes: Service Mode and User
Mode. Below is an explanation of these two modes.

3.2.1 Service Mode

Service Mode is the normal operating mode. Installing and operating the PacketiX VPN
Server in Service Mode causes the PacketiX VPN Server to operate in the background
as a part of the OS, start when the OS starts (before any user logs in) and await VPN
session connections as the VPN server. In addition, the server shuts down automatically
when the operating system shuts down.

The word "service" here refers to a background system service in Windows and some
UNIX operating systems and is sometimes referred to as a daemon in other operating
systems.

When the VPN Server is operating in Service Mode, its operation does not depend on
which users are currently logged onto the operating system. That is why we recommend
running the VPN Server in Service Mode on most occasions.

When using the VPN Server in Service Mode, the VPN Server process (executable file
name vpnserver) typically runs with SYSTEM or root privileges.

The executable file name for the 32-bit Windows version PacketiX VPN Server is
"vpnserver.exe", while the file name for the 64-bit version is "vpnserver_x64.exe".
The description in this manual assumes use of the 32-bit version, so please apply the
relevant changes in the case of the 64-bit version.

Installing the VPN Server in Service Mode

The method for installing the VPN Server in Service Mode on the Windows version differs
from that of the UNIX versions.

- Installing the Windows version PacketiX VPN Server from the installer results in the
installation of the Service Mode and automatic initiation of its operation as a
background service. For details, please refer to 「7.2 Installing to Windows and
Configuring the Default Settings」.

- In order to install the PacketiX VPN Server in Service Mode on the Linux version or
other UNIX versions, it is necessary to register it on the system as a daemon process.
For details, please refer to 「7.3 Installing to Linux and Configuring the Default
Settings」.

Service Mode cannot be used in the following situations, in which case the VPN Server
should be used in User Mode.

- When the user does not have System Administrator authority on the system on which
the PacketiX VPN Server is to operate.

- When the user wishes to install and use the PacketiX VPN Server temporarily rather
than continuously.

- When the user wishes to launch the PacketiX VPN Server with general user authority
for security reasons.

Service Mode for Windows Version PacketiX VPN Server

We recommend using the installer when installing the Windows version VPN Server in
Service Mode. This method automatically launches and runs the VPN Server as a service
without the need for any special operation by the user. Even if the system is rebooted,
the VPN Server will automatically begin operating upon system start-up. Because the
VPN Server is launched as a background task, the computer on which the server is
installed can be used for other tasks without the user having to be aware of said
server's installation.

In addition, the Windows version PacketiX VPN Server service can be commenced or
terminated by attaching the relevant command line argument to the executable file
name (vpnserver.exe), or can be removed or re-registered from the Windows system via
the Windows system service list.

The shortened service name of the PacketiX VPN Server service registered on the
Windows system is "vpnserver" and the long service name is "PacketiX VPN Server".

In order to register vpnserver.exe as a service when the PacketiX VPN Server service is
not currently installed on the Windows system, enter the following at the command
prompt to execute vpnserver.exe (System Administrator authority is required).

> vpnserver /install

To delete the PacketiX VPN Server service when it is already installed on the Windows
system, enter the following at the command prompt to execute vpnserver.exe
(System Administrator authority is required).

> vpnserver /uninstall

Furthermore, attaching the /start or /stop arguments enables the service to be
commenced or terminated. For details on other arguments which can be designated in
the vpnserver program, please refer to the message box which appears when directly
executing vpnserver.exe.

The service can also be started and terminated by accessing [Control Panel] >
[Administrative Tools] > [Services] (or [Control Panel] > [Services] in the case of
Windows NT 4.0). It is possible to change the service from [Automatic] to [Manual]
startup by selecting PacketiX VPN Server from the [Services] list, then opening
[Startup type]. Changing the startup type to [Manual] means that the service does not
launch automatically on startup, and does not operate until started by a user with
Administrator authority.

It is also possible to start and stop the PacketiX VPN Server service using the net
command. Enter net start vpnserver to start the service, and net stop vpnserver to
terminate the service.

The PacketiX Server emulates the service system of Windows NT or later when
operating on an older OS. There may be several limitations in this case, such as the
process terminating when the user logs off.

Fig. 3-2-1 PacketiX VPN Server registered as a service

Service Mode for UNIX Version PacketiX VPN Server

Please refer to 「7.3 Installing to Linux and Configuring the Default Settings」 for
details on installing and launching the Linux and other UNIX versions of the PacketiX
VPN Server in Service Mode.

3.2.2 User Mode

User Mode is a special type of operating mode. Operating the PacketiX VPN Server in
User Mode causes the PacketiX VPN Server to run in the background as a user process.
To operate the PacketiX VPN Server in User Mode, it is necessary to log onto the system
as a user and launch the vpnserver executable file each time the server is launched.

Operations may differ depending on the operating system as described below.

- Launching the VPN Server in User Mode on the Windows OS will result in the server
process running in the background only while the user is logged on, and the process
will terminate at the same time that the user logs off.

- Meanwhile, launching the VPN Server in User Mode on a UNIX OS will result in the
VPN Server's server process creating a child process at that time, and running that in
the background, thereby enabling separation of the process from the user session.
Consequently, the VPN Server process will remain operational on the OS even if the
user logs off, and will continue running until the system is shut down or rebooted.

User Mode for Windows Version PacketiX VPN Server

To launch the Windows version VPN Server in User Mode, attach the [/usermode]
option to the vpnserver.exe executable file and then launch it.

> vpnserver /usermode

Once the launch is complete, an icon will appear in the task tray and the VPN Server will
have launched in User Mode. In this mode, the VPN Server program runs as an ordinary
program that can be executed with general user authority, like other application programs
(such as Word, the calculator and so on). That is why no System Administrator authority
is required to launch the VPN Server in User Mode. However, the VPN Server process also
terminates at the same time that the user logs off. We recommend saving the command
line with the above /usermode option as a shortcut on the desktop or placing it in the
[Startup] folder in order to facilitate the frequent launch of the VPN Server in User Mode.

Fig. 3-2-2 PacketiX VPN Server launched in User Mode

To terminate the User Mode once it has been launched, right click on the icon in the task
tray and select [Exit PacketiX VPN Server].

Furthermore, clicking on [Hide task tray icon] hides the icon in the task tray display.
This function is useful when the VPN Server is launched regularly in User Mode and
the icon display becomes a hindrance. Note, however, that the VPN Server cannot be
terminated from the menu when the task tray icon is hidden. In this case, press the Ctrl
+ Alt + Del keys to open the Task Manager and end the vpnserver.exe process. When
launching vpnserver.exe the next time in User Mode, the task tray icon can be restored
by attaching the /usermode_showtray option.

Fig. 3-2-3 Hide task tray icon menu

When using the PacketiX VPN Server, rather than operating the server by using
System Administrator authority and registering the server as a system service,
operating the server in User Mode with general user authorization may enable security
to be enhanced. Launching the PacketiX VPN Server in User Mode may, however,
result in the inability to use the local bridge function.

User Mode for Unix Version PacketiX VPN Server

To launch the VPN Server in User Mode on UNIX systems including Linux, rather than
registering the vpnserver executable file in the system as a daemon, attach the start
argument from the command line as shown below as if launching a normal application
command (such as ls, cat, etc.) and launch vpnserver.

$ ./vpnserver start
PacketiX VPN Server Service Started.
$

If control returns to the shell after the message [PacketiX VPN Server Service Started.]
is output, this means that the VPN Server was properly launched in User Mode. To
terminate the VPN Server once it has been launched, attach the stop argument and
launch the vpnserver as follows.

$ ./vpnserver stop
PacketiX VPN Server Service Stopped.
$

When the VPN Server is launched on UNIX in User Mode, the process runs in the
background with that user's authority. Therefore, the vpnserver process continues to
operate even if the user logs out or disconnects the SSH connection. The process
continues to operate until the system is rebooted or until the process is forcibly
terminated by root.

As described in 「7.3 Installing to Linux and Configuring the Default Settings」,
daemonizing and using the vpnserver process in UNIX operating systems is simply a
matter of registering it so that the operating system's startup script calls
vpnserver start. Even when running the VPN Server in Service Mode, something
equivalent to the procedure described here is automatically performed by the system with
root authority, so there is fundamentally no difference. Accordingly, the items described
below also apply generally to the daemonized VPN Server.

As shown below, the vpnserver process is launched in two stages on the UNIX version
VPN Server. First, a process is started in the background with the execsvc argument;
that process then creates a child process using the fork() system call, and the child
process carries out the actual VPN processing. The parent process (process ID 1549
in the example below) constantly monitors the child process (process ID 1550 in the
example below) and, if an abnormal error occurs, immediately terminates the child
process and launches it again to attempt recovery (see 「3.3.12 Failure Recovery」
for details). The example below was run on a particular Linux system, so the output may
differ on other Linux systems or other operating systems. In addition, old Linux kernels
that do not support native threads display each thread as a separate process, so more
vpnserver processes may appear than in the example below; this is only a display
issue and operation is in fact normal.

$ ps auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
neko 1549 0.0 0.8 5188 560 ? S< Nov24 0:00 /tmp/vpnserver execsvc
neko 1550 0.0 4.0 11888 2520 ? S< Nov24 0:08 \_ /tmp/vpnserver execsvc

Although it only occurs rarely, in the event that the VPN Server process launched in User
Mode goes out of control for some reason such as a hardware malfunction (a memory
shortage, for instance) and cannot be stopped by vpnserver stop, first forcibly
terminate the parent vpnserver process (process ID 1549 in the example above) by
sending it a signal with kill -KILL, then forcibly terminate the remaining process
(process ID 1550 in the above example) by sending it a signal with kill -KILL.
Forcibly terminating the child process first may cause the parent process to determine
that the child process terminated abnormally and launch it again. Depending on the
system, killall -KILL vpnserver may enable the simultaneous termination of all
vpnserver processes.

Moreover, when the vpnserver receives the TERM signal (the normal termination
request signal), it performs termination processing properly.
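As an added example (not part of the manual or of the PacketiX software), the following POSIX shell function reads `ps -eo pid,ppid,args` output and lists the vpnserver execsvc processes with the supervising parent first, which is the order the text above says a forced stop must follow. The sample ps output is constructed and the PIDs are illustrative.

```shell
#!/bin/sh
# Added example, not from the PacketiX manual: order vpnserver "execsvc"
# processes so that the supervising parent comes before its children.
# The manual explains that the parent restarts a child that dies, so a forced
# stop must target the parent first; this function produces that order.
#
# Usage:  ps -eo pid,ppid,args | vpnserver_kill_order
# Output: one PID per line, parent(s) first, then children sorted by PID.
vpnserver_kill_order() {
    awk '$3 ~ /(^|\/)vpnserver$/ && $4 == "execsvc" { parent[$1] = $2 }
         END {
             for (p in parent) {
                 # rank 0: its parent is not a vpnserver process, so it is the
                 # supervisor; rank 1: a child (or a thread that an old kernel
                 # shows as a separate process, as the manual notes)
                 rank = (parent[p] in parent) ? 1 : 0
                 print rank, p
             }
         }' | sort -k1,1n -k2,2n | cut -d' ' -f2
}

# Constructed sample of `ps -eo pid,ppid,args`, modelled on the manual's
# example: 1549 supervises 1550; 1551 stands in for a thread shown as an
# extra process under 1550. Unrelated processes are included as noise.
PS_SAMPLE='  PID  PPID COMMAND
    1     0 /sbin/init
 1549     1 /tmp/vpnserver execsvc
 1550  1549 /tmp/vpnserver execsvc
 1551  1550 /tmp/vpnserver execsvc
 1600     1 /usr/sbin/sshd -D'

# Stand-alone demonstration on the constructed sample (prints 1549, 1550, 1551).
printf '%s\n' "$PS_SAMPLE" | vpnserver_kill_order
```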

On UNIX operating systems, processes running with general user authority are not
permitted to listen on TCP/IP ports with a port number less than 1024. That is why
TCP/IP listener ports with a port number less than 1024 cannot be opened when the
PacketiX VPN Server is operated in User Mode with general user authority rather than
being registered as a system service with System Administrator authority. Please note
that although the PacketiX VPN Server attempts to open the three ports 443, 992 and
8888 as listener ports by default, operating the server in User Mode means that only
port 8888 goes into listen mode. Additionally, launching the PacketiX VPN Server in
User Mode may result in the inability to use the local bridge function.

3.3 VPN Server Administration

Operations to administer the PacketiX VPN Server are divided into two main types. One
is for the overall administration of the VPN Server while the other is for the
administration of specific Virtual HUBs within the VPN Server. Here we will first explain
the know-how and handling methods required to administer the entire VPN Server.

The following explanation contains a description of specific methods for handling the
PacketiX VPN Server Manager and the corresponding VPN command line management
utility (vpncmd) command names. Please refer to 「Chapter 6 Command Line
Management Utility Manual」 for details on how to use each of the vpncmd commands.

3.3.1 Administration without the need for System Stop

The entire program structure of the PacketiX Server has been carefully designed so that
the VPN Server process itself does not have to be restarted regardless of the type of
settings changes being made. The only exceptions in which the VPN Server process
must be restarted are the following four cases.

- When rebooting the operating system.

- When updating the VPN Server program.

- When the VPN Server process goes out of control due to a hardware or other type of
malfunction and needs to be restarted.

- When manually editing the VPN Server configuration file or rolling back to an old
version.

While the VPN Server process does not have to be restarted for the following settings
change, VPN sessions connected while the internal state of the VPN Server's server
module is being re-initialized are temporarily disconnected and then later reconnected.

- When changing the server clustering settings when using VPN Server Enterprise
Edition or Carrier Edition.

3.3.2 PacketiX VPN Server and Virtual HUBs

Multiple Virtual HUBs can be created in the PacketiX VPN Server. Each Virtual HUB has
an independent layer 2 segment and is incapable of communicating with the others.
Furthermore, the user authentication database and access list used for user
verification, the trusted certificate list, RADIUS server settings, SecureNAT settings and
cascade connection settings are managed per Virtual HUB and are completely
independent of each other. Changes to the settings of a Virtual HUB do not have any
effect upon the operation of any other Virtual HUBs.

Fig. 3-3-1 The VPN Server, Virtual HUBs & settings data which can be held by each hub

3.3.3 Administration Tools & Remote Administration

Administration of the PacketiX VPN Server is carried out using the PacketiX VPN Server
Manager described in 「2.4 VPN Server Manager」 and the VPN command line
management utility (vpncmd) described in 「2.6 VPN Command Line Management Utility
(vpncmd)」 . Connection to the VPN Server for administration sessions is possible from a
local or remote computer, and if the VPN Server is connected to the Internet, then
administration connection and remote administration of the VPN Server is theoretically
possible from anywhere in the world.

The PacketiX Server Manager is suitable for GUI administration, while the VPN command
line management utility (vpncmd) is suitable for CUI administration. Apart from these
two utilities, no other utilities are required for the day-to-day administration of the VPN
Server. We recommend permanently installing these two utilities on administration
terminals. Please refer to 「2.4.4 Installing VPN Server Manager Alone」 for details on
the installation of administration tools.

Fig. 3-3-2 Methods for administering the VPN Server & VPN Bridge

3.3.4 Administration Authority

There are two types of administration authority in order to connect to and administer the
VPN Server in Administration Mode.

Administration Authority for the Entire PacketiX VPN Server

Administration authority for the entire PacketiX VPN Server should be held by the
persons responsible for administering the server computer. This authority makes it
possible to change the settings of all VPN Server items, create new Virtual HUBs,
administer existing Virtual HUBs and delete all existing Virtual HUBs and the objects
contained therein. As such, administration authority for the entire PacketiX VPN Server is
very important and should be treated carefully as tantamount to root authority /
Administrators authority in a common computer. When installing the VPN Server on a
server computer, it is best for the Administrator with the administration authority for
that server computer's operating system to hold the administration authority for the
entire VPN Server.

The administration authority for the entire VPN Server is protected by a password. This
password is initially blank so we recommend changing it immediately after installing the
VPN Server (Footnote: the current installer does not display a window to set the
password during installation). Connecting to the VPN Server using the VPN Server
Manager when no Administrator password has been set displays a message box
prompting the setting of a password, so please click [Yes] and set the password
immediately. A password set on the VPN Server possesses the same degree of safety as
an Administrator password on a Windows or UNIX server. Please rest assured that a VPN
Server Administrator password is hashed and then saved and cannot be restored as
clear text.

To change the overall VPN Server password, click on [Encryption and communication
settings] in the VPN Server Manager, then click on [Administrator password] and enter
the new password twice in the text box which appears. In the vpncmd utility, the
password can be set using the command [ServerPasswordSet].

Fig. 3-3-3 Changing the VPN Server password

Virtual HUB Administration Authority

Administrators of the entire PacketiX VPN Server can create multiple Virtual HUBs on the
VPN Server. Also, when creating a new Virtual HUB, a password to administer that hub
can be set and passed to the persons responsible for its administration, thereby enabling
the delegation of authority for each hub's administration. In the event that no
administration password is designated upon the creation of a hub, there is no risk that
said hub can be remotely accessed by Virtual HUB Administration Mode. For details on
Virtual HUBs, please refer to 「3.4 Virtual HUB Functions」 and 「3.5 Virtual HUB
Security」 .

3.3.5 SSL Certificates

An X.509 certificate can be set as the server certificate (SSL certificate) on the PacketiX
VPN Server. This enables VPN client computers attempting to connect to the VPN Server
to carry out server authentication using the server certificate.

When designating an SSL certificate, the X.509 certificate file and the RSA private key
data of the certificate to be set are required. These may be bundled together as one file
in the PKCS#12 format. Where no particular SSL certificate is designated, the VPN Server
automatically generates a random self-signed certificate using random numbers upon its
initial launch. There is no problem with using this default certificate as it is in a small
group environment where the certificate's digest value and so on can safely be
communicated to the VPN Client's users.

To designate the X.509 certificate and private key to be presented to the client by the
VPN Server, click on [Encryption & communication settings] in the VPN Server Manager,
then click [Import certificate]. The same task can be performed in the vpncmd utility
using the command [ServerCertSet]. Once the SSL Server Certificate has been set, the
Administrator of the entire VPN Server can export the certificate data and private key
data.

To check whether the certificate is being used properly once set, access
https://<server IP address>:<listener port number>/ from a web browser and
confirm whether the certificate is properly recognized by said browser.

Fig. 3-3-4 X.509 certificate displayed on VPN Server upon connection via web browser

3.3.6 Listener Ports

The PacketiX VPN Server can listen on multiple TCP/IP ports, and VPN client computers
can then establish a VPN connection and VPN session with those ports via the Internet
or another IP network. That is why it is essential for the VPN Server Administrator to
register the listener ports in advance.

Initially, the three TCP/IP port numbers 443, 992 and 8888 are allocated to the VPN
Server as listener ports. While as many listener ports as system resources allow can be
added, typically one or two ports are sufficient.

We recommend using TCP/IP port no. 8888 to connect to the VPN Server where no
hindrances exist, and port no. 443 where there is a firewall or proxy server which only
allows web or a limited set of other protocols to pass. Port no. 443 is the port for the
https protocol, so performing SSL transmission on this port usually enables passage even
on networks with stringent security settings. Meanwhile, 992 is the port number for the
TELNET over SSL (Telnets) protocol, which is practically unused today, and can pass
through most firewalls (although it often fails to pass through proxy servers). It is also
possible to register several listener ports and then disable some of them (suspend
status).

To add, delete, enable or disable listener ports, click on [Create], [Delete], [Start] or
[Stop] at [Management of Listeners] in the VPN Server Manager. In the vpncmd utility,
the same tasks can be carried out using the [ListenerCreate], [ListenerDelete],
[ListenerList], [ListenerEnable] or [ListenerDisable] commands.

When launching the VPN Server, all registered listener ports which are not disabled are
opened and put on standby. In addition, registering new listener ports also sees those
ports automatically put on standby. If a port cannot be put on standby, an [Error]
message will be displayed until the other process exclusively using that port is
terminated or until the port is released, and the VPN Server automatically secures the
port once either of these happens.

On UNIX operating systems (unlike Windows), no TCP/IP port numbers below 1024
can be opened while the server is running with general user authority. This is a restriction
imposed by the operating system and not by PacketiX VPN.

Stopping or removing all of the available listener ports makes it impossible to connect
to that VPN Server again after that administration session has finished. Please
therefore avoid such actions as the Configuration file must be manually edited in order
to restore this status.

Fig. 3-3-5 Management of Listeners window

3.3.7 Configuration File

The PacketiX VPN Server retains all settings details in memory and also simultaneously
saves them to a settings file on disk. This settings file is called either the Config file or
the Configuration file.

The Configuration file is very similar to the Windows Registry files and UNIX's settings
files. The file has an excellent configuration data format with dual features, namely a
tree-like data structure similar to that of the Windows Registry files and a structure
which can be edited directly with a text editor like that of the UNIX settings files.

Role of the Configuration File

The Configuration file is created under the file name [vpn_server.config], which is
located in the same directory as the VPN Server process's executable file. The
Configuration file is saved whenever the VPN Server settings are changed or its internal
structural data is modified (please note that the file may not be saved immediately,
because writes are cached to reduce the number of disk accesses). When the VPN Server
stops and is next started, it reads the contents of the vpn_server.config file and, based
upon said contents, returns to the values it had prior to termination. The Configuration
file therefore allows the VPN Server's structural data to be restored upon launch to how
it was prior to shutdown, regardless of when said shutdown occurs. If the Configuration
file does not exist on the disk when the VPN Server is launched, the default settings are
applied. The default settings are as follows.

- A Virtual HUB named "DEFAULT" is created. No user objects, group objects or any
other objects exist within the Virtual HUB and all of the settings are default
ones (i.e. newly created Virtual HUB settings).

- Three listener ports, numbers 443, 992 and 8888, are registered.

- Local bridge and virtual layer 3 switch definitions are not registered.

- A server certificate is automatically generated using random numbers.

- The Internet connection keep-alive function's default values are set.

The Configuration file for the PacketiX VPN Bridge is named [vpn_bridge.config] and
the Virtual HUB created by default is named "BRIDGE".

Protecting the Configuration File

All of the structural data used by the VPN Server and Virtual HUBs is written inside the
Configuration file. This includes the encrypted passwords and the private keys of the
certificates used in cascade connection settings to other VPN Servers.

As such, it is necessary to protect the Configuration file with suitable security functions
where multiple users are able to log in either locally or remotely. The Configuration file
should not be viewable (readable), let alone modifiable, by any users other than the VPN
Server's System Administrator.

- The Windows version PacketiX VPN Server automatically sets the Configuration file
permissions upon installation so that read/write access is only possible for users in
the Administrators group and SYSTEM (local system authority).

- The UNIX version PacketiX VPN Servers, including the Linux version, set the permission
to 700 (read/write for owner only) when creating the Configuration file.

- Use the operating system's file system functions to manually change the file
permissions. For Windows, Explorer's properties dialog and the [cacls] command can be
used. For UNIX, the [chmod] command is available.

- Avoid the use of file systems, such as FAT or FAT32, which have no concept of file
permissions. If the use of such file systems is unavoidable, the Configuration file should
be kept where physical access to the server computer is not possible. It is also necessary
to implement settings to prevent it from being accessed by anyone other than the
Administrators, even over a network.

Configuration File Format

The Configuration file (vpn_server.config) is stored in UTF-8 format, so its contents can be edited with a common text editor. Note however that directly editing the contents of the Configuration file is not recommended (changes to the VPN Server settings should be made through the VPN Server Manager or with vpncmd commands).

file://C:¥html¥all.htm 2007/11/20

The Configuration file should only be edited directly in the following situations.

When all of the TCP/IP listener ports have been deleted.

When resetting passwords due to all of the VPN Server Administrator passwords
being forgotten/ lost.

When directly editing the Configuration file to perform very minor special settings.

When wishing to automatically process the Configuration file using separate software
for administrative reasons.

The Configuration file is stored in text format by default, but the volume of settings data grows very large when, for instance, a large number of Virtual HUBs and users are registered. Writing large volumes of settings data as text requires string formatting and parsing, which consumes CPU time, so performance declines as the settings data grows larger.

In this case, the Configuration file can instead be written in a binary format. The binary format stores the same tree of nodes and values without converting them to and from text, so it is read and written more quickly. If the size of the Configuration file exceeds several tens of megabytes, handling it as a binary file is more efficient. A binary Configuration file cannot, however, be edited directly in a text editor.

To save the Configuration file in binary format, create an empty file named
[save_binary] in the same directory as the Configuration file. Once this file exists, the
Configuration file will automatically be saved in binary format the next time that the VPN
Server writes in it. In addition, when the [save_binary] file has been deleted, the
Configuration file will automatically be returned to text format the next time that the
VPN Server writes in it.

Please do not rewrite a binary format Configuration file using a binary editor or the
like.

Example of a Configuration File

Below is an actual example of a VPN Server Configuration file. The configuration is a tree of nodes, and it is written in text form from the top of the tree, the node named "root", downwards.

# SoftEther Software Configuration File
#
# Copyright (C) 2004-2005 SoftEther Corporation. All Rights Reserved.
#
# You can edit this file when the program is not working.
#
# http://www.softether.co.jp/

declare root
{
    uint ConfigRevision 1

    declare LicenseManager
    {
    }
    declare ListenerList
    {
        declare Listener0
        {
            bool Enabled true
            uint Port 443
        }
        declare Listener1
        {
            bool Enabled true
            uint Port 992
        }
        declare Listener2
        {
            bool Enabled true
            uint Port 8888
        }
    }
    declare LocalBridgeList
    {
    }
    declare ServerConfiguration
    {
        uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
        uint AutoSaveConfigSpan 300
        string CipherName RC4-MD5
        bool DisableDosProction false
        byte HashedPassword +WzqGYrR3VYXrAhKPZLGEHcIwO8=
        string KeepConnectHost keepalive.se2.softether.com
        uint KeepConnectInterval 50
        uint KeepConnectPort 80
        uint KeepConnectProtocol 0
        byte ServerCert ***
        byte ServerKey ***
        uint ServerType 0
        bool UseKeepConnect true

        declare ServerTraffic
        {
            declare RecvTraffic
            {
                uint64 BroadcastBytes 0
                uint64 BroadcastCount 0
                uint64 UnicastBytes 0
                uint64 UnicastCount 0
            }
            declare SendTraffic
            {
                uint64 BroadcastBytes 0
                uint64 BroadcastCount 0
                uint64 UnicastBytes 0
                uint64 UnicastCount 0
            }
        }
    }
    declare VirtualHUB
    {
        declare DEFAULT
        {
            byte HashedPassword +WzqGYrR3VYXrAhKPZLGEHcIwO8=
            uint64 LastCommTime 1133735260692
            uint64 LastLoginTime 1133735260692
            uint NumLogin 0
            bool Online true
            uint RadiusServerPort 1812
            byte SecurePassword bpw3X/O5E8a6G6ccnl4uXmDtkwI=
            uint Type 0

            declare AccessList
            {
            }
            declare AdminOption
            {
                uint allow_hub_admin_change_option 0
                uint deny_bridge 0
                uint deny_change_user_password 0
                uint deny_empty_password 0
                uint deny_routing 0
                uint max_accesslists 0
                uint max_bitrates_download 0
                uint max_bitrates_upload 0
                uint max_groups 0
                uint max_sessions 0
                uint max_users 0
                uint no_cascade 0
                uint no_change_access_control_list 0
                uint no_change_access_list 0
                uint no_change_admin_password 0
                uint no_change_cert_list 0
                uint no_change_crl_list 0
                uint no_change_groups 0
                uint no_change_log_config 0
                uint no_change_log_switch_type 0
                uint no_change_users 0
                uint no_delete_iptable 0
                uint no_delete_mactable 0
                uint no_disconnect_session 0
                uint no_enum_session 0
                uint no_offline 0
                uint no_online 0
                uint no_query_session 0
                uint no_read_log_file 0
                uint no_securenat 0
            }
            declare CascadeList
            {
            }
            declare LogSetting
            {
                uint PacketLogSwitchType 4
                uint PACKET_LOG_ARP 0
                uint PACKET_LOG_DHCP 1
                uint PACKET_LOG_ETHERNET 0
                uint PACKET_LOG_ICMP 0
                uint PACKET_LOG_IP 0
                uint PACKET_LOG_TCP 0
                uint PACKET_LOG_TCP_CONN 1
                uint PACKET_LOG_UDP 0
                bool SavePacketLog true
                bool SaveSecurityLog true
                uint SecurityLogSwitchType 4
            }
            declare Option
            {
                uint MaxSession 0
                bool NoArpPolling false
                bool NoEnum false
            }
            declare SecureNAT
            {
                bool Disabled true
                bool SaveLog true

                declare VirtualDhcpServer
                {
                    string DhcpDnsServerAddress 192.168.30.1
                    string DhcpDomainName $
                    bool DhcpEnabled true
                    uint DhcpExpireTimeSpan 7200
                    string DhcpGatewayAddress 192.168.30.1
                    string DhcpLeaseIPEnd 192.168.30.200
                    string DhcpLeaseIPStart 192.168.30.10
                    string DhcpSubnetMask 255.255.255.0
                }
                declare VirtualHost
                {
                    string VirtualHostIp 192.168.30.1
                    string VirtualHostIpSubnetMask 255.255.255.0
                    string VirtualHostMacAddress 00-AC-80-C3-BA-5E
                }
                declare VirtualRouter
                {
                    bool NatEnabled true
                    uint NatMtu 1500
                    uint NatTcpTimeout 7200
                    uint NatUdpTimeout 60
                }
            }
            declare SecurityAccountDatabase
            {
                declare CertList
                {
                }
                declare CrlList
                {
                }
                declare GroupList
                {
                }
                declare IPAccessControlList
                {
                }
                declare UserList
                {
                }
            }
            declare Traffic
            {
                declare RecvTraffic
                {
                    uint64 BroadcastBytes 0
                    uint64 BroadcastCount 0
                    uint64 UnicastBytes 0
                    uint64 UnicastCount 0
                }
                declare SendTraffic
                {
                    uint64 BroadcastBytes 0
                    uint64 BroadcastCount 0
                    uint64 UnicastBytes 0
                    uint64 UnicastCount 0
                }
            }
        }
    }
    declare VirtualLayer3SwitchList
    {
    }
}

Data Structure of the Configuration File

The Configuration file defines a new node in each area bounded by declare and braces, and a node can contain several data items and child nodes. The node names and data items the VPN Server accepts are fixed by its schema; structures it does not recognise are ignored and are automatically removed from the Configuration file the next time it is saved. Consequently, a single mistyped character can cause a large part of the file's contents to be discarded when it is edited directly. This is why a backup must be made in advance whenever the Configuration file has to be edited.

A list of the data types within the Configuration file is as follows.

Data type   Contents                            Size
uint        Unsigned 32-bit integer             32 bits
uint64      Unsigned 64-bit integer             64 bits
bool        Boolean (true / false)              1 bit
string      Unicode string (UTF-8 encoded)      0 bits to unlimited
byte        Binary data (Base64-encoded)        0 bits to unlimited

"Unlimited" in the table above means within the limits of the architecture and the available memory.

SoftEther Corporation does not guarantee operation when directly rewriting the
contents of the Configuration file. As such, we do not recommend directly rewriting the
contents of the Configuration file using a text editor or the like.

Replacing the Configuration File

When the contents of the Configuration file are backed up manually at a certain point in order to be restored at a later date, the following procedure must be carried out when restoring the [vpn_server.config] file.

1. Stop the VPN Server program completely if it is operating. A complete stop means
ensuring that the vpnserver process is not operating.
2. Replace the [vpn_server.config] file.
3. Start the VPN Server program.
4. Confirm that Configuration has been replaced correctly.

Transferring the Configuration File to Another Computer

Where a Configuration file has been created on the VPN Server of one computer, by
copying its contents verbatim to another computer, it is possible to launch the VPN
Server of the other computer using equivalent configuration information.

- Even if the operating systems and CPUs of the copy source VPN Server and the copy destination VPN Server differ, the configuration information is copied verbatim and the compatibility of the Configuration file between the two is maintained. Note that functions supported only on the copy source system are not available on the new system even if the Configuration file is copied.

- Transfer between computers is also possible when the Configuration file is in binary format. Because the binary format undergoes proper endian conversion so as not to depend on the type of CPU or OS, the system and machine architecture should not, in principle, affect operation.

- The Configuration file may contain license information (the list of license keys). Running the VPN Server on both the copy source system and the copy destination system means that both systems are using the same license key, which is in breach of the PacketiX VPN Server License Agreement. To avoid this, launch one of the systems first and delete the license key using the VPN Server Manager or the vpncmd utility, then register a license key obtained for use with that server computer.

Remotely Reading & Rewriting Configuration File Contents

The contents of the Configuration file (vpn_server.config) can normally not be obtained
or changed without first logging into the computer running the VPN Server and opening
it in text editor or connecting using file sharing and directly downloading and uploading
said file.

However, the PacketiX VPN Server makes it possible for the overall VPN Server
Administrators to remotely read and/or change the Configuration file at any time.

Clicking [Edit Config.] in the VPN Server Manager displays the contents of the current VPN Server Configuration file, which can also be saved to a file in UTF-8 format. The same function can be used to upload a Configuration file prepared on the Administrator's client terminal. When a Configuration file is uploaded and written, the server function of the VPN Server automatically restarts and reads the contents of the new Configuration file; neither a manual restart nor a restart of the VPN Server process itself is required. Once the restart and the Configuration file read are complete, the VPN Server operates on the contents of the new Configuration file.

The same task can be carried out using the vpncmd utility's [ConfigGet] and
[ConfigSet] commands.

When requesting the VPN Server to obtain the Configuration file by remote
administration, the contents of the obtained files will always be in UTF-8 format text
data even when, for instance, a [save_binary] file exists. In addition, issuing this
request actually involves the VPN Server converting its internal status to text data
upon receipt of the request process and returning it to the Administrator's terminal,
rather than reading the vpn_server.config file on the local disk. This makes it possible
to obtain the latest Configuration file data at any time.

3.3.8 Configuration Version Numbers

Configuration Version Numbers

The contents of the VPN Server's Configuration file is automatically replaced in the
following situations.

1. When the configuration data of the VPN Server is changed as a result of the VPN
Server or Virtual HUB Administrators performing tasks using the VPN Server
Manager or vpncmd utility. When a new user is created or the settings are
changed, for instance.
2. When the statistical data, such as the communications traffic of users, groups, Virtual HUBs and the VPN Server, is updated, as explained in 「3.3.10 Administration of Statistical Information」.

While the contents of the Configuration file are replaced in the case of both 1 and 2
above, the renewed data in 1 is part of the VPN Server settings data and is thus
essential by definition, while in 2, the renewed data is often not overly important. As
such, by incrementing (increasing) the value of the Configuration file version information
one at a time only when a change to the settings is carried out on the VPN Server, as is
the case in 1, the System Administrator is able to know how many times the
Configuration file settings have been modified.

When wishing to adopt a method of specifying an external script, for instance, when
automatically backing up the Configuration file only when its settings have been changed
(as in the case of 1), and not backing up when only statistical data has been updated (as
is the case in 2), it is advisable to check the version information within the Configuration
file each time, and if its value has increased on that of the previous check, to perform a
backup of said file.

Location of the Configuration Version Number

The configuration version number is written near the top of the Configuration file as a uint item named [ConfigRevision].

declare root
{
uint ConfigRevision 120

:
:

In the example above, it can be seen that the settings of the Configuration file have
been changed 120 times since it was first created. The ConfigRevision value may
increase by one each time the VPN Server is launched.

The ConfigRevision value is only necessary for those System Administrators with a
high level of knowledge writing programs to receive Configuration file settings change
events and the like, and is not required for general users or Administrators.

3.3.9 Configuration History

The contents of the Configuration file are created by the time and effort of the VPN
Server and Virtual HUB Administrators and as such, are very valuable. A great deal of
work is required in order to restore the settings of the Configuration file in the event of
corruption due to a hardware or software bug, or becoming unable to be returned to its
original settings due to erroneous settings changes.

That is why the VPN Server records the history of the Configuration file contents at
regular intervals and automatically backs it up. The Configuration history backup is
saved in the directory named backup.vpn_server.config which contains the
Configuration file, with the time and date as its file name.

If the VPN Server settings information is corrupted or an erroneous change (such as deleting an important Virtual HUB) has been made, the most recently saved Configuration file backup can be restored manually. Please refer to the section "Replacing the Configuration File" in 「3.3.7 Configuration File」 for details on how to restore the Configuration file.

A Configuration file backup is created automatically once every 60 minutes. However, as a general rule, no backup is created when no changes have been made to the contents of the Configuration file. By default, the backup directory is automatically protected with the same permission settings as the Configuration file.

When automatic backups are not required, the backup function can be stopped by
changing the permission settings to deny access to the backup.vpn_server.config
directory to all parties.

Fig. 3-3-6 Automatically saved Configuration history

3.3.10 Administration of Statistical Information

What is Statistical Information?

In addition to recording settings entries for the entire VPN Server settings, Virtual HUB
and user groups settings, the configuration data administered by the VPN Server also
records statistical information on each of these objects. Statistical information refers to
the following types of data (differs depending on the object recorded).

- Outgoing unicast packets
- Outgoing unicast total size
- Outgoing broadcast packets
- Outgoing broadcast total size
- Incoming unicast packets
- Incoming unicast total size
- Incoming broadcast packets
- Incoming broadcast total size
- Time & date of last log-in
- Time & date of last communication
- Number of logins

The objects for which statistical data is administered are as follows.

- Entire VPN Server
- Virtual HUBs
- User objects
- Group objects

The above information is statistically processed by the VPN Server automatically and
written as part of the Configuration file (the ConfigRevision value does not increase even
if the statistical information alone is changed as previously stated).

The statistical information for the entire VPN Server can be read by overall System
Administrators or a Virtual HUB Administrator. Statistical information on a Virtual HUB
and its individual objects can only be read by an Administrator with Virtual HUB
administration authority for that hub (including the overall System Administrators).

This information is fundamentally read only, and cannot be rewritten using the VPN
Server Manager or vpncmd utility. It is technically possible however, to directly rewrite
the Configuration file using a text editor.

Purposes of Statistical Information

The statistical information gives the System Administrator a range of information, such as how much the VPN Server and Virtual HUB users communicated, how many times they connected to the VPN Server, and when the last connection and communication occurred.

This information makes the following possible.

- Obtaining information on, and statistically processing, how often each Virtual HUB and user uses the VPN Server and how much data is involved.

- Removing or disabling users who have not accessed the server for a given period of time, and other administrative tasks.

- Charging by ISPs and others according to the number of connections and the communication data volume of a Virtual HUB hosting service.

- For users whose number of logins is clearly excessive, the information can provide the first hint that a user password has been stolen and a third party is accessing and using the server illegitimately.

- By using the vpncmd utility to automatically collect the differences in statistical information between two points in time, VPN Server usage reports can be generated automatically.

- Deriving a sense of satisfaction from the knowledge that the VPN Server you worked so hard to set up is being used by many users to communicate large quantities of data.

Real Time Statistical Data

The VPN Server updates all statistical data in real time, so whenever the VPN Server Manager or the vpncmd utility requests statistical data, the latest up-to-the-minute values are obtained. Repeatedly clicking [Refresh] in the VPN Server Manager while the object in question is in active use clearly shows the values being updated.

Acquiring Statistical Information

Statistical information can be displayed on the GUI window using the VPN Server
Manager by selecting the VPN Server Virtual HUB user object and group object. It is also
a simple task to acquire the Configuration file and process that mechanically. To obtain
statistical information with the vpncmd utility, use the [ServerStatusGet],
[StatusGet], [UserGet], and [GroupGet] commands.
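The following is an added example written for this page (it is not PacketiX or SoftEther code) and serves three passages at once: the data structure of the Configuration file in 3.3.7, the ConfigRevision-driven backup script suggested in 3.3.8, and the differencing of statistical information described here in 3.3.10. It parses the text format exactly as the sample above shows it (a `declare <name>` line followed by `{`, typed `<type> <name> <value>` lines, and `}`), refuses unbalanced input because the server would silently drop unrecognised structures, reports whether a backup is due from ConfigRevision alone, and computes the change in a Virtual HUB's counters between two snapshots. The two snapshots are constructed; the assumption that an empty string is written as `$` is taken from the sample's DhcpDomainName line.

```python
"""Added example (not SoftEther/PacketiX code): parse the text form of
vpn_server.config, decide whether a backup is due from ConfigRevision and
diff a Virtual HUB's statistics between two snapshots.
Assumptions: grammar as in the manual's sample; "$" denotes an empty string
(as in the sample's DhcpDomainName line). Snapshots below are constructed."""
import re
from typing import Any, Dict

_DECLARE = re.compile(r"^declare\s+(\S+)$")
_ITEM = re.compile(r"^(uint64|uint|bool|string|byte)\s+(\S+)(?:\s+(.*))?$")


def parse_config(text: str) -> Dict[str, Any]:
    """Return the configuration as nested dicts with typed leaf values.
    Raises ValueError on anything outside the grammar: the VPN Server would
    drop such structures silently on its next save, a script should not."""
    root: Dict[str, Any] = {}
    stack = [root]
    pending = None  # node name from the last "declare", waiting for its "{"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DECLARE.match(line)
        if m:
            pending = m.group(1)
        elif line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding declare")
            node: Dict[str, Any] = {}
            stack[-1][pending] = node
            stack.append(node)
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            m = _ITEM.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {raw!r}")
            typ, name, val = m.group(1), m.group(2), m.group(3) or ""
            if typ in ("uint", "uint64"):
                stack[-1][name] = int(val)
            elif typ == "bool":
                stack[-1][name] = val == "true"
            else:  # string, or byte as Base64 text; "$" is the empty string
                stack[-1][name] = "" if val == "$" else val
    if len(stack) != 1 or pending is not None:
        raise ValueError("unbalanced braces: the server would truncate this file")
    return root


def config_revision(cfg: Dict[str, Any]) -> int:
    return cfg["root"]["ConfigRevision"]


def backup_due(last_seen_revision: int, cfg: Dict[str, Any]) -> bool:
    """True only after a settings change; statistics-only saves do not count."""
    return config_revision(cfg) > last_seen_revision


def hub_stats(cfg: Dict[str, Any], hub: str) -> Dict[str, int]:
    """Flatten the counters the manual lists for one Virtual HUB."""
    h = cfg["root"]["VirtualHUB"][hub]
    recv, send = h["Traffic"]["RecvTraffic"], h["Traffic"]["SendTraffic"]
    return {
        "logins": h["NumLogin"],
        "recv_bytes": recv["UnicastBytes"] + recv["BroadcastBytes"],
        "send_bytes": send["UnicastBytes"] + send["BroadcastBytes"],
    }


def stats_delta(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, int]:
    """Increase of each counter between two snapshots (input for a report;
    compare delta["logins"] against an expected maximum to spot abuse)."""
    return {k: new[k] - old[k] for k in old}


# Constructed snapshots. B differs from A only in statistics, so
# ConfigRevision stays at 120 and no backup is due.
SNAPSHOT_A = """\
declare root
{
    uint ConfigRevision 120
    declare VirtualHUB
    {
        declare DEFAULT
        {
            uint NumLogin 3
            declare Traffic
            {
                declare RecvTraffic
                {
                    uint64 BroadcastBytes 100
                    uint64 UnicastBytes 5000
                }
                declare SendTraffic
                {
                    uint64 BroadcastBytes 50
                    uint64 UnicastBytes 7000
                }
            }
        }
    }
}
"""
SNAPSHOT_B = SNAPSHOT_A.replace("NumLogin 3", "NumLogin 45").replace(
    "UnicastBytes 5000", "UnicastBytes 905000")
```

A backup job built on this would store the last ConfigRevision it saw, call `backup_due` on each run and copy the file only when it returns true; a reporting job would call `hub_stats` on consecutive copies and feed `stats_delta` into the report. Whatever the job writes out must get the same owner-only permissions as the Configuration file itself, since the copies carry the same hashed passwords and private keys.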

Fig. 3-3-7 Virtual HUB statistical information window

Obtaining Statistical Information on the Entire Cluster in a Cluster Configuration

When configuring a cluster from a plurality of VPN Servers, real time statistical
information on the entire cluster is regularly gathered by the VPN Server which is the
cluster controller. Therefore, when wishing to know the communication volume of the
entire cluster during its configuration, establish an Administrator connection and acquire
the necessary statistical information. The total values of the Virtual HUB and user/group
statistical information can also be displayed in the cluster environment.

3.3.11 Automatic Adjustment when Disk Space is Insufficient

Contents of Log Files Written by the PacketiX VPN Server

The VPN Server writes the following files in the same directory as the vpnserver
executable file or its subdirectory while running.

VPN Server log files

Security log and packet log files of each Virtual HUB

Configuration history backup files

These log files and history files consume a large amount of disk space when the VPN
Server has been operating over a long period. However, log files created by the VPN
Server should not be erased indiscriminately because data from the VPN Server log,
Virtual HUB packet log and security log is crucial when examining the causes of
unauthorized access and other trouble.

In this case, the VPN Server Administrator should back up the log files to external media (DVD-R, tape, etc.), starting with the oldest, and store these backups before removing the files from the hard disk. This processing can also be automated.

Security Risks Posed by Insufficient Disk Space

However, when not carrying out the above processing or when forgetting to back up or
delete old log data, disk space becomes constricted and eventually reaches 0 bytes.
When available disk space reaches 0 bytes, the VPN Server becomes unable to write new
log data onto the disk. This situation represents a major risk to security because an
intruder can commit any type of attack they please and it will not be recorded on the log
so the VPN Server Administrator has no way of knowing later on that an attack has
taken place.

To counter this risk, the PacketiX VPN Server incorporates a feature whereby the log files and Configuration history files written by the VPN Server are automatically deleted, starting from the oldest file, whenever the available disk space falls below a preset level because of the accumulated log and history files. By deleting the old log files of least importance, a prescribed amount of available disk space is maintained continually, so that new log files can be written for as long as possible. Taking advantage of this function keeps disk space above a certain level and makes maintenance-free operation possible even when old log files are not backed up and deleted as an administrative task.

This function is a type of fail safe function set up in order to prevent the worst case
situation of the VPN Server not being able to write new log files due to a shortage of
available hard disk space. Despite this function, we still recommend constantly backing
up all log files on the VPN Server computer written by the PacketiX VPN Server to a
safe place such as external media.

Minimum Disk Space Settings Values

The VPN Server is set by default to delete old log files, starting with the oldest, until the space available on the drive to which the log files are written is restored to 100MB or greater (104,857,600 bytes to be precise).

This value can be modified arbitrarily by changing the [AutoDeleteCheckDiskFreeSpaceMin] value located in the [ServerConfiguration] node within the Configuration file. It should be noted that the minimum value is 1MB (precisely 1,048,576 bytes) and it is not possible to set a value below this. Please refer to the area below for details.

declare ServerConfiguration
{
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoSaveConfigSpan 300
string CipherName RC4-MD5
bool DisableDosProction false
:
:

The VPN Server obtains the available disk space for saving the log files by calling up
the operating system's API.

On Windows 2000 or later OS versions where a disk quota is set in relation to the
account running the VPN Server, this disk quota's allocated space is used as the
available disk space. For Linux and UNIX systems, the disk quota space is not utilized.
Therefore, please note that there is a high probability that the automatic disk space
adjustment function is not working properly when the disk quota is set on UNIX
systems.
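As an added example (not PacketiX code) of the rule described in this section, the function below selects log files for deletion oldest-first until the free space is back at the configured minimum, clamped to the 1MB floor, as a pure function that can be checked without touching a disk; a wrapper applies it to real directories through the operating system's free-space call. The directory list, the constructed file set and the dry-run default are this example's own choices, not the server's.

```python
"""Added example (not PacketiX code): oldest-first deletion of log files until
free space is back above AutoDeleteCheckDiskFreeSpaceMin (3.3.11).
The sample file list is constructed; directory names are the caller's."""
import os
import shutil
from typing import Iterable, List, NamedTuple

MIN_FREE_FLOOR = 1_048_576       # 1 MB: the manual's lowest permitted value
DEFAULT_MIN_FREE = 104_857_600   # 100 MB: the default in ServerConfiguration


class LogFile(NamedTuple):
    path: str
    mtime: float   # modification time; older files are deleted first
    size: int      # bytes that removing the file frees


def effective_min_free(configured: int) -> int:
    """Values below 1 MB cannot be set, so clamp as the server does."""
    return max(configured, MIN_FREE_FLOOR)


def files_to_delete(files: Iterable[LogFile], free_bytes: int,
                    min_free: int) -> List[str]:
    """Paths to delete, oldest first, until free_bytes >= min_free.
    Returns [] when nothing needs to go; if even deleting everything is not
    enough, every file is returned and the caller knows the threshold is unmet."""
    target = effective_min_free(min_free)
    chosen: List[str] = []
    for f in sorted(files, key=lambda x: x.mtime):
        if free_bytes >= target:
            break
        chosen.append(f.path)
        free_bytes += f.size
    return chosen


def reclaim(log_dirs: List[str], min_free: int = DEFAULT_MIN_FREE,
            dry_run: bool = True) -> List[str]:
    """Apply files_to_delete to real log directories on one volume.
    With dry_run=True (the default) nothing is removed, only reported."""
    files: List[LogFile] = []
    for d in log_dirs:
        with os.scandir(d) as it:
            for entry in it:
                if entry.is_file():
                    st = entry.stat()
                    files.append(LogFile(entry.path, st.st_mtime, st.st_size))
    free = shutil.disk_usage(log_dirs[0]).free   # the OS free-space API
    victims = files_to_delete(files, free, min_free)
    if not dry_run:
        for p in victims:
            os.remove(p)
    return victims


# Constructed example: three logs on a volume with the default 100 MB threshold.
SAMPLE = [LogFile("vpn_20070101.log", 100.0, 40_000_000),
          LogFile("vpn_20070103.log", 300.0, 30_000_000),
          LogFile("vpn_20070102.log", 200.0, 50_000_000)]
```

The dry-run default matters: the manual recommends archiving old logs to external media before they are removed, so an archiving job should call `reclaim` in dry-run mode, copy the reported files off the machine, and only then delete them. Note also the quota caveat above: `shutil.disk_usage` reports the volume's free space, not the remaining quota of the account running the server, so on UNIX with quotas the number it returns can be far larger than what the server can actually write.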

3.3.12 Failure Recovery

The PacketiX VPN Server attempts automatic recovery of failures occurring during the
operation of the VPN Server as far as possible using the following methods.

Program Error Failure Recovery

The PacketiX VPN Server program, and the Windows and Linux operating systems on which it relies, are carefully designed and implemented for a high level of reliability and stability, and the number of errors in their programs is very small. It is, however, impossible to guarantee beyond a certain level that errors will never occur in any program, so System Administrators should always consider what measures to take in the event that a serious error occurs. Even if the problem does not lie with the software, potential hardware defects must also be considered: it cannot be said with certainty that an error is not caused by a faulty memory module or a miscalculation by the CPU.

In many cases a software or hardware defect produces an error that is difficult or impossible to recover from, such as a memory access violation, execution of an invalid instruction or an illegal interrupt.

Whenever such a program error occurs, the VPN Server immediately terminates the VPN Server process and discards the process memory. It then re-launches the process, re-reads the contents of the Configuration file and attempts to continue operation. These steps are typically carried out in an instant (from a few milliseconds to a few seconds), so on the whole there is no significant disturbance to the VPN Server. This means that when an irreparable error occurs in the process's user-mode memory space, the VPN Server program attempts failure recovery automatically, so the VPN Server Administrator does not have to notice the error and re-launch the VPN Server process by hand.

Still, self-repair may not work in special cases: where the program error is so serious that the code responsible for re-launching the VPN Server process has itself been corrupted, or where the cause of the error stems from the current contents of the VPN Server's configuration, so that the same error recurs at the next launch (which is especially likely when the Configuration file has been edited manually). Recovery is also impossible when a critical error occurs in kernel-mode code called by the VPN Server; on Windows a blue screen appears and on UNIX a kernel panic message is displayed, and in both cases the entire computer must be rebooted. The failure recovery function handles critical errors in user space from which recovery is possible; it does not remove the need for an external system that monitors the operating status of the server.

Moreover, there is a possibility that this function will not operate when the Windows
version PacketiX VPN Server is launched in Service Mode.

Protecting Configuration Data & Failure Recovery when Hardware Failure Occurs

If a hardware failure (such as a sudden power outage) occurs when the VPN Server
program is attempting to write physical data to the Configuration file, the physical
contents of the Configuration file may be damaged. In preparation for such an
occurrence, the VPN Server always carries out a duplicate procedure when writing the
Configuration file.

First, it leaves the existing contents of the Configuration file physically on the disk, then it writes the contents of the new Configuration file to the disk. Once the write is complete, it instructs the OS to flush its write buffer and waits until the data has been committed to the physical disk. Only after the data has been committed is the old configuration data deleted. These steps take place without the user being aware of them.

If the Configuration file is found to be damaged at the next launch, the VPN Server attempts to repair the configuration using the previous configuration data that it retained immediately before writing the damaged Configuration file. In most cases this succeeds and the contents of the configuration are restored. These steps are performed automatically the next time the VPN Server starts, so the System Administrator does not have to perform them manually.

When this automatic failure recovery function does not work properly, the VPN Server's
Administrators must manually roll back to the previous Configuration file from the
Configuration file's backup directory. This function may also not work properly depending
on the specifications of the operating system and file system.
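The write sequence described above, as an added example (not PacketiX code): a save that guarantees the new contents are on disk before the old file goes away, and a load that rolls back to the previous copy when the current file turns out to be torn. The example achieves the manual's guarantee with the portable write-to-temporary, fsync, rename sequence; the name of the retained previous copy (`<path>.bak`) and the header-plus-brace-balance integrity check are this example's own choices.

```python
"""Added example (not PacketiX code): crash-safe write of a configuration
file and a load that rolls back to the previous copy after a torn write,
matching the guarantee described in 3.3.12. Uses write-temporary, fsync,
rename; keeps the prior file as '<path>.bak' (this example's own name)."""
import os
import tempfile

HEADER = "# SoftEther Software Configuration File"  # first line of a text config


def save_config(path: str, text: str) -> None:
    """New contents reach the disk before the old file is replaced."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600: owner-only, as the manual wants
    fd, tmp = tempfile.mkstemp(prefix=".vpn_server.config.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())              # wait for the write to be committed
        if os.path.exists(path):
            os.replace(path, path + ".bak")   # the old copy survives
        os.replace(tmp, path)                 # atomic rename into place
    except BaseException:
        if os.path.exists(tmp):
            os.remove(tmp)
        raise
    if hasattr(os, "O_DIRECTORY"):            # POSIX: persist the renames too
        dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)


def looks_intact(text: str) -> bool:
    """Cheap integrity check: header present and braces balanced."""
    return (text.startswith(HEADER) and text.count("{") > 0
            and text.count("{") == text.count("}"))


def load_config(path: str) -> str:
    """Prefer the current file; fall back to the previous copy if it is torn."""
    for candidate in (path, path + ".bak"):
        try:
            with open(candidate, encoding="utf-8") as f:
                text = f.read()
        except FileNotFoundError:
            continue
        if looks_intact(text):
            return text
    raise RuntimeError("no intact configuration; restore from backup.vpn_server.config")


def demo() -> tuple:
    """Save v1 then v2, then simulate a torn write of v2 and reload."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "vpn_server.config")
    v1 = HEADER + "\ndeclare root\n{\n    uint ConfigRevision 1\n}\n"
    v2 = v1.replace("ConfigRevision 1", "ConfigRevision 2")
    save_config(p, v1)
    save_config(p, v2)
    after_save = load_config(p) == v2
    with open(p, "w", encoding="utf-8") as f:   # power loss mid-write
        f.write(v2[:20])
    after_torn = load_config(p) == v1
    return after_save, after_torn
```

The fallback in `load_config` is deliberately one step deep: a torn file rolls back to the immediately preceding save, which is what the manual describes, while anything older is the job of the hourly history in backup.vpn_server.config.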

Configuration File Automatic Save

The VPN Server automatically saves the Configuration file (note that no automatic save
occurs when there has been no change whatsoever to the information contained in the
Configuration file including the statistical information). This means that it is possible to
restore to the configuration at the time of the previous automatic save even when the
VPN Server process suddenly terminates abnormally instead of shutting down normally.

The default interval for the automatic save is 300 seconds. This automatic save interval
can be modified by rewriting the [AutoSaveConfigSpan] value in the
[ServerConfiguration] node inside the Configuration file. Please refer to the area
below for details.

declare ServerConfiguration
{
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoSaveConfigSpan 300
string CipherName RC4-MD5
bool DisableDosProction false
:
:

Automatic Defense against DoS Attack

Whenever the TCP/IP listener ports that the VPN Server exposes to the network are
connected to a public IP network such as the Internet, they are constantly exposed to
attack from Internet hosts. The most dangerous attack is the SYN Flood, a type of DoS
("Denial-of-service") attack which sends a massive number of connection requests to the
TCP/IP port.

Many operating systems are equipped with measures to defend against a SYN Flood
attack. SYN Flood attacks can also be blocked on the network by firewalls and IDP
(Intrusion Detection & Prevention) devices. However, the TCP/IP connection requests will
still reach the VPN Server if these mechanisms do not work properly or if their configured
thresholds are too large.

When the VPN Server tries to process a large number of incoming TCP/IP connection
requests, a large amount of system resources is required. For this reason the VPN Server
is designed to detect when SYN packets carrying connection requests arrive at a listener
port from an identical source in quick succession, and to discard those connections
immediately, before the processing to accept them begins. This is the VPN Server's
automatic defense function against DoS attacks. This function is enabled by default.

This function can be disabled by rewriting the [DisableDosProction] value within the
[ServerConfiguration] node in the Configuration file to [true]. The specific settings
are as follows.

declare ServerConfiguration
{
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoSaveConfigSpan 30
string CipherName RC4-MD5
bool DisableDosProction true
:
:


3.3.13 Keep Alive Internet Connection Function

So that the computer on which the VPN Server is installed can respond to a VPN
connection request from the Internet at any time, the VPN Server includes a function that
constantly sends packets to the Internet while it is operating. Some ISDN, PHS and ADSL
lines disconnect when there has been no communication for a certain period of time;
by keeping the server computer's Internet connection active so that the line never
disconnects, this function makes it possible for VPN client computers to connect to the
VPN Server over the Internet at any time, even in such environments.

The Keep Alive Internet Connection Function sends TCP/IP or UDP/IP packets to a
designated host and port number at prescribed intervals. The data size of these packets
is extremely small and their contents are generated using random numbers.

The Keep Alive Internet Connection Function is enabled by default, and uses the
following connection settings.

Entry                   Initial setting value
Host                    keepalive.se2.softether.com
Port number             80
Packet send interval    50 seconds
Protocol                TCP/IP

To modify the Keep Alive Internet Connection function's settings, open the [Encryption &
Network] in the VPN Server Manager, then click [Keep Alive Internet connection
function] and enter the settings in the relevant boxes. In the vpncmd utility, the same
tasks can be carried out using the [KeepEnable], [KeepDisable], [KeepSet] and
[KeepGet] commands.

Fig. 3-3-8 Keep Alive Internet connection function settings window

3.3.14 Obtaining Server Information

Obtaining Server Status

The current dynamic status of the VPN Server can be obtained by clicking on [View
server status] in the VPN Server Manager. In the vpncmd utility, use the
[ServerStatusGet] command.

Fig. 3-3-9 Server status window

The displayed items are as follows.

Entry    Contents

Server Type
    Usually [Stand-Alone Server]. When using the cluster function, this becomes either
    [cluster controller] or [cluster member server].

Number of TCP Connections
    The VPN Server displays the total number of TCP connections in use by VPN sessions
    and administration sessions. For the cluster controller, the total number of TCP
    connections of all other cluster members is displayed in addition to two further items,
    namely [This server's TCP connections] and [Other cluster member's TCP connections].

Number of Virtual HUBs
    Displays the total number of Virtual HUBs operating on the VPN Server. For the cluster
    controller, the total number of Virtual HUBs defined in the cluster is displayed, while
    for a cluster member server, the number of Virtual HUBs for which an instance currently
    exists inside that server is displayed. In a cluster environment, the numbers of
    [Static Virtual HUBs] and [Dynamic Virtual HUBs] are also displayed.

Number of Sessions
    Displays the number of VPN sessions currently connected to the VPN Server. For the
    cluster controller, the total number of connected sessions for the entire cluster is
    displayed, as well as [This server's sessions] and [Other cluster member's server
    sessions].

MAC Address Tables
    Displays the total number of MAC address tables within all Virtual HUBs administered
    by the VPN Server. For the cluster controller, the total number of MAC address tables
    administered by the VPN Servers within the cluster is displayed.

Number of IP Address Tables
    Displays the total number of IP address tables within all Virtual HUBs administered by
    the VPN Server. For the cluster controller, the total number of IP address tables
    administered by the VPN Servers within the cluster is displayed.

Number of Users
    Displays the total number of user objects defined within all Virtual HUBs administered
    by the VPN Server. A cluster member server always displays 0 because it does not
    hold any user databases.

Number of Groups
    Displays the total number of group objects defined within all Virtual HUBs
    administered by the VPN Server. A cluster member server always displays 0 because it
    does not hold any group databases.

Using Client Connection Licenses
    Displays the number of client connection licenses currently consumed by the VPN
    Server (counting only connections that require licenses). Please refer to 「1.3 PacketiX
    VPN 2.0 Product Configuration and License」 for details on connection licenses. For
    the cluster controller, both the number of client licenses consumed by the entire
    cluster and the number consumed by that computer alone are displayed.

Using Bridge Connection Licenses
    Displays the number of bridge connection licenses currently consumed by the VPN
    Server (counting only connections that require licenses). Please refer to 「1.3 PacketiX
    VPN 2.0 Product Configuration and License」 for details on connection licenses. For
    the cluster controller, both the number of bridge licenses consumed by the entire
    cluster and the number consumed by that computer alone are displayed.

Statistical Information
    Displays statistical information on the communication volume to date.

Server Start Time
    Displays the time at which the VPN Server was launched.

Current Time
    Displays the current time of the VPN Server computer, converted to local time for
    display.

64-bit High Precision Logical System Clock
    Displays the 64-bit time value administered internally by the VPN Server.

Memory Usage Status
    Displays the usage status of both the physical and virtual memory of the computer
    running the VPN Server. This can only be displayed on Windows operating systems.

VPN Server Information

Static information on the VPN Server can be obtained by clicking on [PacketiX VPN
Server information] in the VPN Server Manager. In the vpncmd utility, use the
[ServerInfoGet] command.

The VPN Server static information shows the VPN Server version, product name and
operating system, as well as a list of the functions and specifications currently
available on the server. The maximum number of simultaneous connections, for instance,
is also shown here.

Fig. 3-3-10 VPN Server information window

3.3.15 Selecting Encryption Algorithms for use in SSL Transmission

The VPN Server uses the RC4-MD5 algorithm by default as the encryption and electronic
signature algorithm for SSL transmission. It is also possible to select other
algorithms.

To do so, open [Encryption & Networks] in the VPN Server Manager and select from the
[Encryption algorithm Name] drop-down box. In the vpncmd utility, use the
[ServerCipherSet] command.


Fig. 3-3-11 Selection window for SSL transmission encryption algorithms

3.3.16 Initializing the VPN Server Service Reboot & Configuration Information

The VPN Server can be remotely rebooted. However, there is no command in the VPN
Server Manager equivalent to a reboot command. Instead, it is necessary to use the
[Reboot] command in the vpncmd utility in order to remotely reboot the VPN Server.

Designating Reboot /RESETCONFIG:YES restarts the VPN Server in its initial condition
by deleting the contents of the current Configuration file upon rebooting.

3.3.17 Syslog Transmission Function

By using the VPN Server's Syslog Transmission function, it is possible to send the
contents of the entire VPN Server's administration log, or of each Virtual HUB's security
and packet logs, to external syslog servers using the syslog protocol, a standard log
delivery protocol.

Normally, each of the VPN Server's logs is recorded on the disk as a file, but using the
Syslog Transmission function enables the System Administrator to consolidate log
administration, thereby reducing administration costs. The software receiving the syslog
messages can also be used to raise alerts when specific log contents are generated.

The Syslog Transmission function is off by default, and can be activated from [Encryption
and communication settings] in the VPN Server Manager. In the vpncmd utility, use the
[SyslogEnable] or [SyslogDisable] command.

Once the Syslog Transmission function is activated, the logs that are sent are no longer
saved on the local hard disk. Therefore, please be aware that if the syslog server is not
running, if problems arise in the communication with the syslog server, or if the
processing capacity of the syslog server or of any intermediate network or protocol stack
is insufficient, the contents of these logs, which would otherwise have been saved, will be
lost even though the Syslog Transmission function is enabled.


Fig. 3-3-12 Syslog Transmission function settings window

3.3.18 Restricting IP Address Remote Administration Connection Sources

Ensuring Security by Limiting Administration Connection Sources

The PacketiX VPN Server enables remote administration (Server Administration Manager
and vpncmd utilities) via a network. As described in 「3.3.4 Administration Authority」 ,
there are two types of remote administration, i.e. entire VPN Server administration
mode and individual Virtual HUB administration mode.

In order to prevent unauthorized users from connecting to the VPN Server and
performing administration tasks, the VPN Server is protected by two passwords, one for
connection to the entire VPN Server Administration Mode and the other for connection to
individual Virtual HUB Administration Mode. However, password protection alone may
not always be sufficient to protect against unauthorized administration access. For this
reason, access can be limited to those administration connection sources with a pre-
designated IP address.

By creating a text file named [adminip.txt] in the directory in which the VPN Server is
installed (the directory containing the vpnserver executable files) and writing suitable
rules in it, it is possible to specify the IP addresses from which access to the entire VPN
Server, or to each of the Virtual HUBs, is permitted from the Server Administration
Manager or the vpncmd utility.

Create the [adminip.txt] file on the same directory as the vpnserver program.
Rewriting of this file is recognized by the vpnserver in real time so the VPN Server
does not have to be relaunched after setting up the file or rewriting its contents (the
set contents are automatically reflected).
When an adminip.txt file does not exist, the IP addresses of administration connection
sources are not filtered so administration access is permitted for all IP addresses (no
adminip.txt file exists in default).

How to Write adminip.txt Files

The adminip.txt file should contain one rule per line. When a line starts with # or //,
the line is treated as a comment and is ignored. When an adminip.txt file exists, all
source IP addresses are denied administration access by default. Write the source IP
addresses for which administration access is to be granted in the adminip.txt file, with
one IP address on each line.

Designating Source IP Addresses for each Virtual HUB in Virtual HUB Administration Mode

Write each IP address on its own line, followed by one or more space or tab characters
and then the name of the Virtual HUB to which administration access from that IP address
is to be permitted.

For example, granting administration access to Virtual HUB "HUB1" from two IP
addresses 192.168.3.10 and 130.158.87.87, and to Virtual HUB "HUB2" from IP address
61.197.235.210 would be described as follows.

192.168.3.10 HUB1
130.158.87.87 HUB1
61.197.235.210 HUB2

Inserting * (an asterisk) in place of the IP address matches all source IP addresses to
that line. In other words, in the file below, administration access in Virtual HUB
Administration Mode to HUB3 is permitted from all source IP addresses.

192.168.3.10 HUB1
130.158.87.87 HUB1
61.197.235.210 HUB2
* HUB3

Designating Source IP Addresses in Entire VPN Server Administration Mode

Writing only the IP addresses on each line allows administration access to the entire VPN
Server and all of the Virtual HUBs from that IP address. In the following description, for
instance, IP address 192.168.10.10 is the only source IP address from which
administration access is possible in entire VPN Server Administration Mode. Furthermore,
192.168.10.10 is the only address from which administration access is possible for all
Virtual HUBs.

192.168.10.10
192.168.3.10 HUB1
130.158.87.87 HUB1
61.197.235.210 HUB2
* HUB3
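As an added example (not code from the PacketiX manual or product), the following Python model interprets an adminip.txt file by the rules described above, so that an administrator can check in advance which source addresses a given file would admit. It goes slightly beyond the page's examples in also treating a bare "*" line as matching every source for entire-server administration; that, exact-string address comparison and case-sensitive hub names are assumptions.

```python
"""Added example (not code from the PacketiX manual or product): a model of
how an adminip.txt file is interpreted, for checking in advance which
administration connection sources a given file would admit.

Assumptions beyond the manual: addresses are compared as exact strings,
Virtual HUB names are case-sensitive, and a bare "*" line (no hub name)
admits every source for entire-VPN-Server administration.
"""

# Constructed sample file, following the manual's examples.
SAMPLE_ADMINIP = """\
# entire-server administration (and therefore all Virtual HUBs)
192.168.10.10
// Virtual HUB administration mode only
192.168.3.10 HUB1
130.158.87.87\tHUB1
61.197.235.210 HUB2
* HUB3
"""


def parse_adminip(text):
    """Parse adminip.txt contents into (server_wide, per_hub).

    server_wide: set of source IPs allowed in entire-server administration mode
    per_hub:     dict mapping a Virtual HUB name to the set of source IPs
                 allowed in its Virtual HUB administration mode ("*" = any)
    """
    server_wide = set()
    per_hub = {}
    for raw in text.splitlines():
        line = raw.strip()
        # blank lines and lines starting with # or // are comments
        if not line or line.startswith("#") or line.startswith("//"):
            continue
        # the IP address and the hub name are separated by spaces or tabs
        fields = line.split()
        if len(fields) == 1:
            server_wide.add(fields[0])
        else:
            per_hub.setdefault(fields[1], set()).add(fields[0])
    return server_wide, per_hub


def admin_allowed(rules, source_ip, hub=None):
    """Return True if an administration connection from source_ip is allowed.

    rules is the result of parse_adminip(), or None when no adminip.txt file
    exists (in which case every source is allowed, as the manual states).
    hub=None asks about entire-VPN-Server administration mode; a hub name
    asks about Virtual HUB administration mode for that hub.
    """
    if rules is None:
        return True
    server_wide, per_hub = rules
    # an entire-server entry also grants access to all Virtual HUBs
    if "*" in server_wide or source_ip in server_wide:
        return True
    if hub is None:
        return False
    allowed = per_hub.get(hub, set())
    return "*" in allowed or source_ip in allowed


if __name__ == "__main__":
    rules = parse_adminip(SAMPLE_ADMINIP)
    for ip, hub in [("192.168.10.10", None), ("192.168.3.10", None),
                    ("192.168.3.10", "HUB1"), ("10.0.0.1", "HUB3")]:
        print(ip, hub or "(entire server)", admin_allowed(rules, ip, hub))
```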

adminip.txt File Permissions

The adminip.txt file should be saved with appropriate file permissions. For example,
when general users are able to log on to the VPN Server computer in addition to System
Administrators, sufficient precautions should be taken to prevent these other users from
rewriting the adminip.txt file.


3.4 Virtual HUB Functions

PacketiX VPN Server 2.0 makes it possible to create multiple Virtual HUBs, and to keep
the administration objects and the layer 2 communication of VPN sessions separate
between Virtual HUBs. This manual explains Virtual HUBs in two parts: general operation
and administration methods, and security functions. First is an explanation of the
general operation and administration of Virtual HUBs.

3.4.1 Creating Virtual HUBs

Multiple Virtual HUBs can be created in the PacketiX VPN Server, but they can only be
created or deleted by entire VPN Server Administrators. When the VPN Server creates a
Virtual HUB, it is possible to delegate the authority for its administration to another party
by providing them with the Virtual HUB administration password.

To create a new Virtual HUB, click on the [Create Virtual HUB] tab in the VPN Server
Manager and enter the relevant details. Alphanumeric characters and some symbols can
be used in the Virtual HUB name. It is also possible to designate a Virtual HUB
administration password when creating the Virtual HUB (this can also be designated at a
later date). Not designating an administration password makes it impossible to carry out
remote administration connection to the Virtual HUB in Virtual HUB Administration Mode.

In the vpncmd utility, use the [HubCreate] command. When using the clustering
function (refer to 「3.9 Clustering」 ), use either the [HubCreateDynamic] or
[HubCreateStatic] commands instead.

Fig. 3-4-1 Create New Virtual HUB window

After creating the Virtual HUB, select it and display the Administration window to carry
out administration. Double-clicking on the Virtual HUB name in the VPN Server Manager
opens a new window for the administration of that hub. In the vpncmd utility, the Virtual
HUB can be selected using the [Hub] command. The following explanations of the
Virtual HUB all assume that the Virtual HUB's Administration window is open or that the
Virtual HUB being administered has been selected using the [Hub] command.


Fig. 3-4-2 Virtual HUB list display

3.4.2 Online & Offline Status

The Virtual HUB has both online and offline status. While the Virtual HUB is normally
online, it can also be set to offline status when wishing to temporarily halt its functions.

Status    Description

Online
    The mode in which VPN connection to the Virtual HUB from VPN client computers is
    possible. In addition, when the Virtual HUB contains cascade connection settings and
    SecureNAT settings, these functions also operate. Virtual layer 3 switches and local
    bridge connections associated with the Virtual HUB also run.

Offline
    The mode in which VPN connection to the Virtual HUB from VPN client computers is
    not possible. An error occurs when a VPN connection to the Virtual HUB is attempted.
    Moreover, all cascade connections and SecureNAT settings within the Virtual HUB
    cease. Virtual layer 3 switches and local bridge connections associated with the
    Virtual HUB also stop.

    When changing a Virtual HUB from online mode to offline mode, all of the VPN
    sessions connected to that Virtual HUB are first disconnected. While it may take
    some time for the mode to change, no VPN connections to that Virtual HUB are
    accepted in the interim.

    Although a Virtual HUB in offline mode cannot carry out VPN communication, the
    administration of the hub can still be performed without any problems.

To change the Virtual HUB status, open [Virtual HUB property] in the VPN Server
Manager and select either [Online] or [Offline] from the [Virtual HUB status] window. In
the vpncmd utility, use [Online] or [Offline] command.

3.4.3 Maximum Simultaneous Connections

It is possible to set the maximum number of sessions which can be simultaneously
connected to the Virtual HUB. When this value is set, VPN sessions exceeding the
number designated for the Virtual HUB will not be able to connect (all subsequent
sessions attempting to connect will be denied).

The maximum number of simultaneous connections does not include local bridge
sessions, cascade sessions (the virtual sessions created on the cascading side),
SecureNAT sessions or virtual layer 3 switch sessions. In other words, only the number of
cascade connections from a VPN Server / VPN Bridge / VPN Client and of regular VPN
connections connected to the Virtual HUB is limited.

To set the number of maximum simultaneous connections, open the [Virtual HUB
properties] window in the VPN Server Manager and check the box in [Limit Max VPN
Sessions], then enter the desired value in the [Max Number of Sessions] box. In the
vpncmd utility, use the [SetMaxSession] command.

Fig. 3-4-3 Settings window for maximum simultaneous Virtual HUB connection sessions

Where the max_sessions, max_sessions_client and max_sessions_bridge options have
been set in the Virtual HUB Administration Options, these option values are always
applied regardless of whether or not the maximum number of simultaneous connection
sessions has been set. See 「3.5.12 Virtual HUB Administration Options」 for details.

3.4.4 Connection Mode

As explained in 「1.6.8 Client Mode Session」 and 「1.6.9 Bridge/Router Mode Session」 ,
the two types of sessions connected to the Virtual HUB from the VPN source computer
are the client mode session and the bridge / router mode session.

When using the PacketiX VPN Server product version (Standard Edition / Enterprise
Edition), the total number of client mode sessions and bridge mode sessions determines
the number of licenses required.

3.4.5 Session Management

It is possible to display a list of the VPN sessions currently connected to the Virtual HUB,
to display detailed information on each of them, and to forcibly disconnect them.

Displaying Session Lists


A list showing the VPN sessions connected to the Virtual HUB and internally generated
sessions can be displayed. Simply clicking on the [Manage Sessions] button in the VPN
Server Manager displays a list of the sessions. A session list can also be obtained using
the vpncmd utility with the [SessionList] command.

When connecting to a cluster controller using clustering, the sessions displayed in the
[Session list] include all of the cluster member server sessions.


Fig. 3-4-4 Session administration window

The following information is shown when displaying a session list.

Entry    Description

Session
    The ID that uniquely identifies the session within the Virtual HUB. The session name
    starts with "SID-" followed by the user name and a sequential number.

Location
    [Local sessions] is displayed when clustering is not in use. When clustering is used,
    the cluster member server to which that session pertains is displayed.

User
    The name of the user associated with the session, i.e. the name of the user
    successfully authenticated when the VPN connection for that session was made. As
    explained in 「2.2.3 RADIUS Authentication」 and 「2.2.4 NT Domain and Active
    Directory Authentication」 , when an asterisk user ("*" user) is used, user
    authentication is carried out and the name of the user successfully authenticated by
    the RADIUS server or NT domain controller is displayed here. Where the name on the
    user database differs from that used in user authentication, the latter is displayed.

    When the user name is one of the following, the session is a special session
    generated within the VPN Server and not a regular VPN connection session.

    - Local Bridge: a local bridge session.
    - Cascade: a cascade session (the session of the party performing the cascade
      connection).
    - SecureNAT: a SecureNAT session.
    - L3SW: a virtual layer 3 switch session.

Source Host
    For a session created by receiving a regular VPN connection, the host name of the
    VPN source computer is displayed. The IP address is displayed when reverse DNS
    resolution fails.

TCP Connections
    For a session created by receiving a regular VPN connection, the number of TCP/IP
    connections used in that VPN session's communication is displayed. Please refer to
    「2.1 VPN Communications Protocol」 for details on the number of TCP/IP connections.

Transfer Bytes
    Displays the total data size of the virtual Ethernet frames transferred in the current
    VPN session.

Transfer Packets
    Displays the total number of virtual Ethernet frames transferred in the current VPN
    session.

Distinguishing Session Types with Icons

The session types in the session list display can be differentiated by looking at [User] or
by obtaining session information. When using the VPN Server Manager, it is possible to
distinguish between session types using the small icons displayed together with the
session name.

The following seven icon types are displayed in the session list. In order, they
indicate:

- A general VPN session (i.e. a session created by receiving a routine VPN connection,
  and not a bridge / router mode or monitoring mode session).
- A bridge / router mode session.
- A monitoring mode session.
- A local bridge session.
- A cascade connection session.
- A SecureNAT session.
- A virtual layer 3 switch session.

Obtaining Session Details Data

Double clicking on [Session name] from the session list of the VPN Server Manager
displays information relating to that session. The same information can be obtained in
the vpncmd utility using the [SessionGet] command.


This enables the identification of detailed information for each session as well as
information relating to the source computer (such as its VPN software version and OS).

Fig. 3-4-5 Session details data display window

Of the detailed session data, the following is important.

Entry    Description

Source IP Address
    Displays the VPN session's source IP address.

Source Host Name
    Displays the host name obtained by reverse resolution of the source IP address.
    When reverse resolution fails, the same string as [Source IP Address] is displayed.

User Name (Authentication)
    Indicates the name of the user connected to the VPN session. As explained in 「2.2.3
    RADIUS Authentication」 and 「2.2.4 NT Domain and Active Directory Authentication」 ,
    when an asterisk user ("*" user) is used, user authentication is carried out and the
    name of the user successfully authenticated by the RADIUS server or NT domain
    controller is displayed here. Where the name on the user database differs from that
    used in user authentication, the latter is displayed.

User Name (Database)
    Indicates the name of the user connected to the VPN session. When an asterisk user
    ("*" user) is used and the name on the user database differs from that used in user
    authentication, the name on the user database is displayed.

Server Product Name
    Displays the product name of the PacketiX VPN Server accepting the session.

Server Version
    Displays the version of the PacketiX VPN Server accepting the session.

Server Build
    Displays the build number of the PacketiX VPN Server accepting the session.

Connection Start Time
    Displays the time at which the VPN session's connection processing commenced.
    Note that this is identical to the VPN Server's [Initial session confirm time] and
    [Current session confirm time].

Half-duplex TCP Connection Mode
    Indicates whether or not the PacketiX VPN protocol's communication mode in the VPN
    session is half-duplex connection mode.

VoIP / QoS Function
    Indicates whether or not the VoIP / QoS support function (see 「1.9 VoIP / QoS
    Support Function」 for details) is enabled in this session.

Number of TCP Connections
    Displays the current number of TCP/IP connections constituting the VPN session.

Maximum Number of TCP Connections
    Displays the maximum number of TCP/IP connections which can be used to constitute
    the VPN session.

Encryption
    Indicates whether the VPN session is protected by encryption and electronic
    signature.

Use of Compression
    Indicates whether or not the communication is compressed by a data compression
    algorithm.

Session Name
    Indicates the ID that identifies the session.

Session Key (160bit)
    Indicates the internal administration ID created by the VPN Server to uniquely
    identify the session.

Bridge / Router Mode
    Indicates whether the session is a bridge / router mode session.

Monitoring Mode
    Indicates whether the session is a monitoring mode session.

Outgoing Data Size
    The number of bytes transmitted from the VPN source to the VPN Server by the
    PacketiX VPN protocol (approximately the actual physical packet volume flowing over
    the IP network).

Incoming Data Size
    The number of bytes transmitted from the VPN Server to the VPN source by the
    PacketiX VPN protocol (approximately the actual physical packet volume flowing over
    the IP network).

Statistical Information
    Indicates the types and total data size of the virtual Ethernet frames sent and
    received (updated in real time).

Client Product Name
    Indicates the name of the VPN source software.

Client Version
    Indicates the version number of the VPN source software.

Client OS Name & Version
    Indicates the name and version of the operating system on which the VPN source
    software is running.

Client Host Name
    Indicates the client computer's host name as notified by the VPN source software.

Client Port
    Indicates the client's TCP/IP port number as notified by the VPN source software.

Server Host Name
    Indicates the name of the server that the VPN source software was directed to
    connect to.

Server IP Address
    Indicates the IP address obtained by forward resolution of the server name that the
    VPN source software was directed to connect to.

Server Port
    Indicates the port number of the server that the VPN source software was directed to
    connect to.

Proxy Host Name
    Indicates the host name of the proxy server when the VPN source software is using a
    proxy server to connect to the VPN.

Proxy IP Address
    Indicates the IP address of the proxy server when the VPN source software is using a
    proxy server to connect to the VPN.

Proxy Port
    Indicates the TCP/IP port number of the proxy server when the VPN source software is
    using a proxy server to connect to the VPN.

Forced Disconnect of Session

It is possible for Virtual HUB Administrators to forcibly disconnect a connected session.


To disconnect a session, simply select the session to be disconnected in the VPN Server
Manager and click the [Disconnect] button. In the vpncmd utility, use the
[SessionDisconnect] command.

3.4.6 MAC Address Tables

As explained in 「1.6.5 Association with MAC Address」 , the Virtual HUB supports the
exchange of virtual Ethernet frames between sessions by automatically learning the MAC
address table and associating the addresses with their corresponding connected session.
The Virtual HUB Administrators can display the contents of the latest Virtual HUB MAC
address table.

Displaying Virtual HUB MAC Address Tables

Clicking on the [MAC address Table List] button in the [Manage Sessions] window of the
VPN Server Manager displays the MAC address tables. In the vpncmd utility, the table
can be obtained using the [MacTable] command.

When requesting MAC address tables from the cluster controller in a cluster
environment, the cluster controller responds with MAC address tables on all of the
cluster member servers together.


Fig. 3-4-6 MAC address table administration window

The entries listed for each record (MAC address entry) in the MAC address table are as
follows.

Entry    Description

Session Name
    Indicates the session associated with the MAC address entry.

MAC Address
    The actual MAC address recorded by the MAC address entry.

Created Time
    Displays the date and time at which the entry was created in the MAC address table.

Updated Time
    Displays the date and time at which the Virtual HUB last confirmed, from a frame
    received in the associated session, that a network node with this MAC address exists.
    MAC address entries for which 600 seconds have elapsed since the last update are
    deleted from the table at the next aging time.

Location
    Indicates the name of the VPN Server host within the cluster on which that MAC
    address table entry actually exists.

Deleting Virtual HUB MAC address tables

Although not normally required, the Virtual HUB Administrator can arbitrarily delete MAC
address table entries. To delete a MAC address table entry, select the entry with the VPN
Server Manager and click the [Delete selected entry] button. In the vpncmd utility, the
entry can be deleted using the [MacDelete] command.

Listing the MAC Address Table associated with a Specific Session


In the VPN Server Manager's [Manage Sessions] window, select the desired session and
click [MAC table of This Session] button. This displays a list of only those MAC address
table entries associated with the selected session. It is also possible to designate a
session and find out which MAC addresses are being used by the VPN client computer for
that session. The same task can be carried out using the vpncmd utility by attaching the
session name as an argument to the [MacTable] command.

Fig. 3-4-7 Session-specific MAC address table

3.4.7 IP Address Table

The Virtual HUBs automatically create and administer MAC address tables, but when the
virtual Ethernet frames transmitted in the VPN are IP packets, they also automatically
learn and session-associate not only the MAC addresses but also the IP addresses at the
same time by reading the IP packet header. The internal table for this purpose is a
database called the IP address table.

While the IP address table is not used for switching virtual Ethernet frames between
sessions, it keeps a real-time record of which session has sent packets from which IP
address, and this record is what allows rigorous security policies to be applied to each
user.

The Virtual HUB Administrators can display the contents of the latest Virtual HUB IP
address table. This makes it possible to find out at any time which VPN session computer
is communicating using which IP address.

Displaying Virtual HUB IP Address Tables

Clicking on [IP Address Table List] button in [Manage Sessions] window of the VPN
Server Manager displays the IP Address Table. In the vpncmd utility, the table can be
obtained using the [IpTable] command.

When requesting IP address tables from the cluster controller in a cluster environment,
the cluster controller responds with IP address tables on all of the cluster member
servers together.

Fig. 3-4-8 IP address table administration window

The entries listed for each record (IP address entry) in the IP address table are as
follows.

Entry          Description
Session Name   The session name associated with the IP address entry.
IP Address     The IP address recorded in the entry. "(DHCP)" may appear after the IP
               address; this indicates that the address was assigned by the DHCP Server
               in the VPN.
Created Time   The time and date on which the entry was created in the IP address table.
Updated Time   The time and date on which the Virtual HUB last confirmed, in the associated
               session, the existence of the network node with this IP address. Entries on
               which 60 seconds have elapsed since the last update are deleted from the
               table at the next aging time.
Location       The name of the VPN Server host within the cluster on which that IP address
               table entry actually exists.

Deleting Virtual HUB IP Address Tables

Although not normally required, Virtual HUB Administrators can arbitrarily delete IP
address table entries. To delete an IP address table entry, select the entry with the VPN
Server Manager and click the [Delete selected entry] button. In the vpncmd utility, use
the [IpDelete] command.

Listing the IP Address Table associated with a Specific Session

In the VPN Server Manager's [Manage Sessions] window, select the desired session and
click [IP Table of This Session] button. This displays a list of only those IP address table
entries associated with the selected session. This makes it easy to find out which IP
addresses are being used by the VPN client computer for a designated session. The
same task can be carried out using the vpncmd utility by attaching the session name as
an argument to the [IpTable] command.

For VPN sessions where a router is connected at the session destination, all of the IP
addresses of packets arriving from the other side of the router (such as the Internet)
may be associated with that session. This is because a Virtual HUB operating in layer 2
has no way to distinguish whether an IP address was routed via a router or whether it was
transmitted from a node directly connected at layer 2.

Fig. 3-4-9 Session-specific IP address table

3.4.8 Confirming the Existence of IP Addresses with Poll Packets

As explained in 「3.4.7 IP Address Table」, the Virtual HUBs maintain IP address table
databases to constantly administer which sessions are communicating using which IP
addresses. In addition, to check whether an IP address registered in the IP address table
actually exists on the layer 2 segment to which the Virtual HUB belongs, the Virtual HUB
sends poll packets (survey packets) using the ARP protocol at regular intervals. Entries
whose IP address responds have their expiration time extended; entries which do not
respond are deleted from the IP address table after a certain period (60 seconds). This
keeps the confirmation of IP address existence as accurate as possible.

At this time, the Virtual HUB sends a unicast of the ARP request packet for the known IP
address to the corresponding session based on the IP address table entry. The sending
IP address for this ARP request packet is "172.31.0.0/16" and the destination IP address
is the IP address subject to the survey.

This operation normally allows ongoing verification of the IP addresses on the layer 2
segment. However, some operating systems (including FreeBSD) that receive an ARP packet
with a sending IP address of "172.31.0.0/16" simply do not respond, or leave a warning
message in their syslog etc. stating that they received an unauthorized ARP packet with a
sending IP address of "172.31.0.0/16".

While there is typically no problem with ignoring such warning messages, it is possible to
stop the poll packet confirming the existence of IP addresses when many computers
running BSD exist on the same segment and complaints start to arrive from the
Administrators. To stop the poll packet from confirming the existence of IP addresses in
a Virtual HUB, rewrite the VPN Server's Configuration file as follows.

The [NoArpPolling] setting in the [Options] node under the [Virtual HUB name] node of
[Virtual HUB] in the Configuration file is [false] by default. Rewrite it to [true]:

    declare Option
    {
        uint MaxSession 0
        bool NoArpPolling true
        bool NoEnum false
    }

Changing this setting as above stops the Virtual HUB from regularly unicasting poll
packets using the ARP protocol.

When NoArpPolling is set to true, there is no guarantee that the contents of the IP
address database administered by the Virtual HUB are up to date. The following user and
group security policy items may therefore not be applied correctly, and they should not be
used on a Virtual HUB that has NoArpPolling set to true.

Please refer to 「3.5.9 Security Policies」 for details on security policy items.

- [Enforce DHCP Allocated IP address] policy

- [Deny MAC Address Duplication] policy

- [Deny IP address Duplication] policy

- [Maximum Number of IP addresses] policy
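The learning, polling and aging behaviour described in 3.4.7 and 3.4.8, modelled as an added Python example (not PacketiX code): frames received on a session populate the MAC and IP address tables, each IP entry gets a unicast ARP poll whose sender address lies in 172.31.0.0/16, a reply refreshes the entry, and the aging pass drops IP entries after 60 s and MAC entries after 600 s, while NoArpPolling=true suppresses the polls so entries age out unrefreshed. The concrete sender address 172.31.0.1, the sender MAC, the session names and the sample frames are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress
import struct

MAC_AGING_SECONDS = 600        # manual: MAC entries expire 600 s after the last update
IP_AGING_SECONDS = 60          # manual: IP entries expire 60 s after the last update
POLL_SENDER_IP = "172.31.0.1"  # assumption: one address inside the 172.31.0.0/16 range named by the manual
POLL_SENDER_MAC = "02:00:5e:00:00:01"  # constructed locally administered MAC used in the poll
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


@dataclass
class Entry:
    session: str   # VPN session that sent the frame carrying this address
    mac: str       # MAC address (for an IP entry: the MAC seen together with that IP)
    created: float
    updated: float


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


class VirtualHubTables:
    """Simplified model of one Virtual HUB's MAC address table and IP address table."""

    def __init__(self, no_arp_polling: bool = False):
        self.no_arp_polling = no_arp_polling  # the NoArpPolling option of the Configuration file
        self.mac_table, self.ip_table = {}, {}  # address string -> Entry

    def learn(self, session: str, frame: bytes, now: float) -> None:
        """Learn the source MAC (and, for IPv4 frames, the source IP) of a frame received on a session."""
        if len(frame) < 14:
            return
        src_mac = frame[6:12].hex(":")
        self._touch(self.mac_table, src_mac, session, src_mac, now)
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4 and len(frame) >= 34:
            self._touch(self.ip_table, str(ipaddress.IPv4Address(frame[26:30])), session, src_mac, now)

    @staticmethod
    def _touch(table: dict, key: str, session: str, mac: str, now: float) -> None:
        if key in table:  # re-associate with the session that sent the latest frame
            table[key].session, table[key].mac, table[key].updated = session, mac, now
        else:
            table[key] = Entry(session, mac, now, now)

    def poll_packets(self) -> list:
        """One unicast ARP request per IP entry, sent on that entry's session; none when NoArpPolling is true."""
        if self.no_arp_polling:
            return []
        packets = []
        for ip, entry in self.ip_table.items():
            eth = mac_bytes(entry.mac) + mac_bytes(POLL_SENDER_MAC) + struct.pack("!H", ETHERTYPE_ARP)
            arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # Ethernet, IPv4, 6, 4, opcode 1 = request
            arp += mac_bytes(POLL_SENDER_MAC) + ip_bytes(POLL_SENDER_IP) + b"\x00" * 6 + ip_bytes(ip)
            packets.append((entry.session, eth + arp))
        return packets

    def handle_arp_reply(self, session: str, frame: bytes, now: float) -> bool:
        """An ARP reply whose sender IP is in the IP table refreshes that entry (the poll succeeded)."""
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            return False
        entry = self.ip_table.get(str(ipaddress.IPv4Address(frame[28:32])))
        if struct.unpack("!H", frame[20:22])[0] != 2 or entry is None:  # opcode 2 = reply
            return False
        entry.session, entry.mac, entry.updated = session, frame[22:28].hex(":"), now
        return True

    def age(self, now: float) -> tuple:
        """Aging pass: drop MAC entries idle for 600 s and IP entries idle for 60 s; returns both lists."""
        dead_macs = [m for m, e in self.mac_table.items() if now - e.updated >= MAC_AGING_SECONDS]
        dead_ips = [i for i, e in self.ip_table.items() if now - e.updated >= IP_AGING_SECONDS]
        for key in dead_macs:
            del self.mac_table[key]
        for key in dead_ips:
            del self.ip_table[key]
        return dead_macs, dead_ips


def ipv4_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed minimal Ethernet + IPv4 header (no payload) used as sample input."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))


def arp_reply_frame(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed ARP reply (opcode 2), as a live node answers the poll."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2) + mac_bytes(sender_mac) + ip_bytes(sender_ip)
    return eth + arp + mac_bytes(target_mac) + ip_bytes(target_ip)


def demo() -> tuple:
    """Learn at t=0, poll, receive a reply at t=30, then age at t=60, 90 and 600 (constructed scenario)."""
    hub = VirtualHubTables()
    hub.learn("SID-ALICE-1", ipv4_frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "192.168.10.5", "192.168.10.1"), 0)
    polls = hub.poll_packets()
    hub.handle_arp_reply("SID-ALICE-1", arp_reply_frame("00:11:22:33:44:55", "192.168.10.5", POLL_SENDER_MAC, POLL_SENDER_IP), 30)
    return len(polls), hub.age(60), hub.age(90), hub.age(600)
```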

3.4.9 Communicating in Bridge / Router Mode Session

As explained in 「1.6.7 VPN Session Connection Modes」, bridging and routing are denied
for sessions that the VPN Client connects in client mode. This protects against actions
such as unauthorized bridge connections and routing between the Virtual Network Adapter
connected to a VPN session and the physical network adapter on the computer on which the
VPN Client is installed.

When [Bridge / Router Mode] is enabled in the [Advanced Settings] tab of the VPN
Client's connection settings, or in the case of a cascade connection from a VPN Server /
VPN Bridge, the session is connected in Bridge / Router Mode. For sessions connected in
Bridge / Router Mode, basically all communication is permitted: regardless of the size of
the layer 2 network bridged at the session destination (the connection source side),
when that network is routed to the Internet, and even when it is cascade connected to
another Virtual HUB.

Please refer to 「4.4.17 Selecting the Connection Mode」 for specific methods to
connect the VPN Client to a Virtual HUB in Bridge / Router Mode.

3.4.10 Communicating in Monitoring Mode Session

As described in 「1.6.9 Bridge/Router Mode Session」, when a monitoring mode session
is connected to a Virtual HUB, all virtual Ethernet frames flowing within the Virtual HUB
are automatically copied and distributed to the monitoring mode session. It is therefore
possible to intercept all virtual Ethernet frames flowing within a Virtual HUB when
connected to it via a monitoring mode session. This comes in handy for Network
Administrators when troubleshooting and when setting up an IDS.

Although a monitoring mode session can receive all communication within a Virtual HUB,
it can not transmit communication to the Virtual HUB.

Please refer to 「4.4.17 Selecting the Connection Mode」 for specific methods to
connect the VPN Client to a Virtual HUB in monitoring mode.

When the number of virtual Ethernet frames flowing within the Virtual HUB exceeds
the processing capacity of the computer and its peripheral devices or when the frame
buffer does not have enough available memory, the PacketiX VPN Server software may
discard those frames to protect overall system stability. That is why it may not be
possible to receive all frames depending on the circumstances.

3.4.11 Cascade Connection Functions

Cascade Connections

The mechanisms of and methods for creating cascade connections are very important in
creating a site-to-site VPN using PacketiX VPN.

Using the cascade connection function enables the cascade connection of a Virtual HUB
within the VPN Server to other Virtual HUBs operating on the same or separate
computers.

When two Virtual HUBs are running on separate computers or even when they are
running on the same computer, those hubs are originally not connected in any way so
they are two completely isolated segments from the perspective of a layer 2 network.
However, in many cases there may be a desire to run two Virtual HUBs as a single
segment over a public IP network such as the Internet. For instance, a cascade
connection is essential to build a site-to-site VPN (see 「1.4.8 Base-to-Base VPN of
Ordinary Scale」 ). Using a cascade connection enables the connection of two or more
Virtual HUBs as if connecting them with a very long network cable.

Cascading a remotely located Virtual HUB A with Virtual HUB B enables free layer 2
(Ethernet level) communication between, on one side, a Virtual Network Adapter connected
to A and a network computer locally bridged to A and, on the other side, a network
adapter connected to B and a network computer locally bridged to B. In other words, the
computers connected to either Virtual HUB can communicate freely at layer 2 irrespective
of the actual network topology: the connection may be a virtual one made by the VPN
Client, or the physical network adapter's network may be locally bridged to a Virtual HUB
that is in turn cascade connected to yet another hub, so as to arrive at the destination
computer.

Fig. 3-4-10 Cascade connection between Virtual HUBs

Cascading obviously requires the existence of two Virtual HUBs, i.e. a Virtual HUB to
initiate the cascade connection and a Virtual HUB to receive it. From the perspective of
the Virtual HUB receiving the cascade connection, the incoming connection is processed
as a common VPN session (bridge / router mode session), in which case user
authentication is required just as though a VPN Client were carrying out a VPN
connection to a Virtual HUB.

Fig. 3-4-11 Initiating & receiving cascade connection

Creating a Cascade Connection

To create a cascade connection for a Virtual HUB to another Virtual HUB, click on the
[Manage Cascade Connections] button in the VPN Server Manager. This displays
[Cascade Connection on "Virtual HUB name"] window. Next click on [Create] and enter
the relevant details for the VPN Server host name, Virtual HUB and user authentication.
It is also possible to make the VPN connection via a HTTP or SOCKS proxy server in
addition to using a direct TCP/IP connection when cascading.

The items to be entered when creating a new cascade connection are practically the
same as those required for creating a new VPN Client connection setting. Please
therefore refer to 「4.4 VPN Server Connection Method」 for the meaning of each item.

All user authentication methods are available for cascade connections except smartcard
authentication.

The cascade connection settings are created on the Virtual HUB performing the
cascade; it is not necessary to create a cascade connection on the receiving Virtual
HUB. Therefore, when cascading Virtual HUBs on two VPN Servers, decide which side
initiates and which side receives before creating the connection. When cascading a VPN
Server's Virtual HUB and a VPN Bridge, the VPN Server's Virtual HUB must be the
receiving side and the VPN Bridge's Virtual HUB (which has the fixed name "BRIDGE")
must be the initiating side, because the VPN Bridge cannot receive VPN connections,
cascade connections included.

A cascade connection user must be created in advance on the Virtual HUB receiving
the cascade connection in order to enable receipt of the cascade. That user name and
authentication information must then be designated when creating a new cascade
connection on the Virtual HUB initiating the cascade.

Fig. 3-4-12 Cascade connection create & edit window

Online & Offline Status of Cascade Connection

Upon creating a new cascade connection on a Virtual HUB, that cascade connection is
offline. It is not possible to communicate on a cascade connection which is offline. To
start communication using a cascade connection, select the desired cascade connection
in the [Cascade Connection on "Virtual HUB name"] window of the VPN Server Manager
and click the [Online] button.

Upon setting the cascade connection to online status, the Virtual HUB attempts to
maintain the cascade connection as far as possible in line with the cascade connection
settings. The cascade is successful once the connection to the destination VPN Server
Virtual HUB is confirmed, and [Online (connected)] appears in the [Status] display.
When an error occurs, the error code will appear in this [Status] display. When the
cause of the error is attributed to an input error in the cascade connection settings, first
take the cascade connection offline, correct the connection settings by clicking on the
[Edit] button, and click the [Online] button once again.

As explained under the reconnect settings in 「2.1.3 Communication Efficiency and
Stability」, when the VPN session of a cascade connection fails or is disconnected during
communication, an attempt to reconnect is made every 10 seconds. In this way, the Virtual
HUB attempts to maintain a constant connection with the cascade destination Virtual HUB
as far as the latter's network allows.

Any change in the cascade connection status is recorded on the VPN Server's server log
and Virtual HUB security log. Regularly checking these logs provides knowledge on
cascade connection success and failure records and enables an understanding of the line
status. Please refer to 「3.10 Logging Service」 for details on how to view the VPN
Server's server log and Virtual HUB security log.

Fig. 3-4-13 Cascade connection management window

Cascade Connection Security Policies

Security policies can be set as desired for cascade connection users so that the virtual
Ethernet frames which travel over the cascade connection are subject to scrutiny on the
hub receiving the cascade.

To apply security policies in relation to the virtual Ethernet frames which travel over the
cascade connection on the hub initiating the cascade, click on the [Security policy]
button in the cascade connection's connection settings window and set as desired.

Fig. 3-4-14 security policy settings applicable to Cascade sessions window

Creatable Number of Cascade Connections

A maximum of 128 cascade connections can be created in a Virtual HUB, although in
practice there is rarely any need to make a large number of cascade connections from a
single Virtual HUB.

Cascade Connection Status

The cascade connection status of the hub initiating the cascade can be obtained at any
time. Selecting the desired cascade connection in the [Cascade Connection on "Virtual
HUB name"] window of the VPN Server Manager and clicking the [Status] button
displays the communication status for that cascade connection session in real time. The
communication status displayed here is virtually the same as the connections settings'
communication status shown in the VPN Client Manager. For details, please refer to
「4.5.2 Checking the Connection Status」 .

The hub receiving the cascade connection recognizes it as being a Bridge / Router Mode
session, which means that it is shown in the Virtual HUB session list. Note that the
cascade is not automatically displayed in the [Cascade connection] list of the receiving
hub. For details, please refer to 「3.4.5 Session Management」 .

Points to Note when Performing a Cascade Connection

Cascading is a very convenient and useful function without which the value of the
PacketiX VPN 2.0 software would be halved. However, the following points should be
observed in order to use the cascade connection properly.

- Before creating the cascade connection, careful consideration should be given to the
design of the VPN network topology and notes should be taken to ensure the
connection is used in a suitable manner. For instance, where three Virtual HUBs are
each attached to their own site and those sites are in turn locally bridged to a
physical LAN, cascading each of the Virtual HUBs results in a looped layer 2 network
topology which can cause communication paralysis and give rise to broadcast storms.
As such, any actions which result in the creation of a layer 2 loop should definitely be
avoided when using the cascade connection.

- The PacketiX VPN Server's cascade connection function does not support the
Spanning Tree Protocol.

- It is necessary to create a cascade connection setting for the Virtual HUB performing
the cascade connection and to put it online. It is necessary to predefine the users to
receive the cascade connection on the receiving Virtual HUB.

- The hub initiating the cascade treats the cascade connection the same as it treats a
VPN connection by the VPN Client, so the settings for creating a cascade connection
are similar to those for creating a new connection on the VPN Client.
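The loop warning and the 128-cascade limit above, checked against a planned topology before any cascade goes online, as an added Python example (not PacketiX code): a union-find over segments treats every local bridge and cascade connection as a layer 2 join and, since the cascade function has no Spanning Tree, reports any link that closes a cycle. The hub and LAN names and the two scenarios are constructed.

```python
class Layer2Topology:
    """Union-find over layer 2 segments (Virtual HUBs and physical LANs) that cascade
    connections and local bridges merge into one broadcast domain. Constructed model."""

    def __init__(self):
        self._parent = {}

    def _find(self, segment: str) -> str:
        self._parent.setdefault(segment, segment)
        while self._parent[segment] != segment:
            self._parent[segment] = self._parent[self._parent[segment]]  # path halving
            segment = self._parent[segment]
        return segment

    def join(self, a: str, b: str) -> bool:
        """Join two segments at layer 2. Returns True when they already shared a broadcast
        domain, i.e. this link would close a loop that no Spanning Tree can break."""
        root_a, root_b = self._find(a), self._find(b)
        if root_a == root_b:
            return True
        self._parent[root_a] = root_b
        return False


def check_cascade_plan(local_bridges: list, cascades: list) -> dict:
    """Evaluate a planned topology before putting any cascade online.

    local_bridges: (virtual_hub, physical_lan) pairs; cascades: (initiating_hub,
    receiving_hub) pairs. Local bridges are applied first because they already exist
    when a cascade goes online. Returns the links that would create a layer 2 loop and
    the hubs planned to initiate more than the 128 cascades a Virtual HUB allows."""
    topology = Layer2Topology()
    loops = []
    for hub, lan in local_bridges:
        if topology.join(hub, lan):
            loops.append(("local-bridge", hub, lan))
    initiated = {}
    for source, destination in cascades:
        initiated[source] = initiated.get(source, 0) + 1
        if topology.join(source, destination):
            loops.append(("cascade", source, destination))
    over_limit = sorted(hub for hub, count in initiated.items() if count > 128)
    return {"loops": loops, "over_limit": over_limit}


# Constructed scenario matching the manual's warning: three sites, each Virtual HUB
# locally bridged to its own physical LAN, and the three hubs cascaded in a ring.
RING_BRIDGES = [("HUB_TOKYO", "LAN_TOKYO"), ("HUB_OSAKA", "LAN_OSAKA"), ("HUB_NAGOYA", "LAN_NAGOYA")]
RING_CASCADES = [("HUB_TOKYO", "HUB_OSAKA"), ("HUB_OSAKA", "HUB_NAGOYA"), ("HUB_NAGOYA", "HUB_TOKYO")]
# The same sites as a hub-and-spoke design: both branch hubs cascade into HUB_TOKYO, no loop.
STAR_CASCADES = [("HUB_OSAKA", "HUB_TOKYO"), ("HUB_NAGOYA", "HUB_TOKYO")]

if __name__ == "__main__":
    print("ring:", check_cascade_plan(RING_BRIDGES, RING_CASCADES))
    print("star:", check_cascade_plan(RING_BRIDGES, STAR_CASCADES))
```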

Creating, Deleting, Modifying & Controlling a Cascade Connection with the vpncmd Utility

To control the cascade connection with the vpncmd utility, use commands beginning
with "Cascade". These commands enable the same tasks performed by VPN Server
Manager's GUI settings to be carried out with the vpncmd utility. Please refer to 「6.4
VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)」 for
details on how to control a cascade connection using the vpncmd utility.

3.4.12 Server Authentication in Cascade Connections

Server authentication processing by the inspection of server certificates as explained in
「2.3 Server Authentication」 is also supported for cascade connections in a manner
similar to that of a VPN Client connection, whereby it is possible to check whether the
cascade destination VPN Server has the proper certification when connecting.

To register the destination VPN Server's certificate, click the [Specify individual Cert]
button in the cascade connection settings' edit window and select an arbitrary X.509
certificate. When using signed certificate authentication, register a trusted root
certificate (or intermediate certificate) in the cascade-initiating Virtual HUB's [Trusted
certification authority certificates].

Signed certificate authentication is not available as one of the server authentication
methods when making a cascade connection from a PacketiX VPN Bridge Virtual HUB
(with the fixed name "BRIDGE") to the PacketiX VPN Server. This is a restriction
imposed by the PacketiX VPN Bridge.

3.4.13 Local Bridge

The setting of the local bridge function as explained in 「1.4.5 Bridge Connection of
Virtual Network and Physical Network」 can only be performed by the entire PacketiX
VPN Server Administrator. It is therefore not possible to bridge a Virtual HUB and a
physical network adapter of the computer running the VPN Server with Virtual HUB
Administrator authority alone. For details on how to create and delete local bridges,
please refer to 「3.6 Local Bridges」 .

3.4.14 Administrator Connection

Multiple users and groups can be added to a Virtual HUB (please refer to 「3.4.3
Maximum Simultaneous Connections」 for specific administration methods). Remotely
connecting to a Virtual HUB over a VPN typically requires the designation of a user name
registered in advance by the Virtual HUB Administrator.

The exception to this is when a Virtual HUB Administrator designates Administrator as
the user and that Virtual HUB's Administrator password as the password to enable
the VPN connection. This VPN connection is always possible even when no users exist on
the Virtual HUB. Virtual HUB Administrators can therefore make a VPN connection to the
Virtual HUB for which they are responsible at any time (cascade connections from the
VPN Server / VPN Bridge are possible in addition to connection from the VPN Client).

The Administrator user is special and this user name cannot be manually added to a
Virtual HUB.

The following security policies are applied to VPN connection to a Virtual HUB by the
Administrator.

- [No Limit on Number of broadcasts] is enabled

- [Allow Monitoring Mode] is enabled

All other security policies therein are regarded as default security policies (please see
「3.5.9 Security Policies」 ).

Accordingly, Administrators can always make a VPN connection to the Virtual HUB with
the minimum amount of limitations. VPN connections are also possible with [Monitoring
Mode] enabled.

3.4.15 Obtaining Information on the Virtual HUBs

Virtual HUB Administrators can acquire the latest information on the Virtual HUBs by
accessing [View status] in the Virtual HUB administration window. Clicking on the
[Refresh] button provides an understanding of the Virtual HUB's status as it changes in
real time.

In the vpncmd utility, Virtual HUB information can be obtained using the [StatusGet]
command.

Fig. 3-4-15 Virtual HUB information display window

3.5 Virtual HUB Security

This section explains the Virtual HUB security functions, methods for their setting and
important points to be aware of.

3.5.1 Delegating Virtual HUB Administration Authority

Entire VPN Server Administrators & Virtual HUB Administrators

Administrators of the entire PacketiX VPN can set passwords for Virtual HUBs and
delegate the authority for their individual administration to Virtual HUB Administrators.

The Virtual HUB Administrators are then required to use the Virtual HUB name and
password they have been assigned to connect to the VPN. The areas they can administer
are limited to the settings of their own Virtual HUB; they cannot obtain information on
other Virtual HUBs.

While individual Virtual HUB Administrators may view the settings of the entire VPN
Server, they are not able to change them. Furthermore, no access whatsoever is
possible to data containing confidential items such as the VPN Server's Configuration file
and SSL Certificate private key file.

Virtual HUB Administrator Authority

Administrators to whom the administration of a Virtual HUB has been delegated can
change their own administration password at any time. They can also change the Virtual
HUB's online / offline status at any time. In addition, it is also possible to change various
settings relating to the Virtual HUB, create cascade connections and define user and
group objects. However, these settings changes may become subject to limitations
imposed by the entire VPN Server Administrator. Please refer to 「3.5.12 Virtual HUB
Administration Options」 for details on how the VPN Server Administrator can restrict
the contents of tasks which can be performed by the Virtual HUB Administrators.

Note that the Virtual HUB Administrator cannot alter that Virtual HUB's type (Static/
Dynamic) in a clustering environment, and this setting can only be changed by the entire
VPN Server Administrator.

3.5.2 Virtual HUB Anonymous Enumeration Settings

Entering the host name and port number of the destination VPN Server in the Windows
version PacketiX VPN Client Manager or VPN Server Manager automatically acquires a
list of the Virtual HUBs registered on that VPN Server and displays them in a drop-down
list box. This is known as "Virtual HUB anonymous enumeration", which indicates that it
is possible to enumerate a list of Virtual HUBs registered on an anonymously-designated
VPN Server even if the user is not actually logged onto the VPN Server.

Fig. 3-5-1 Virtual HUB anonymous enumeration

However, some Virtual HUB Administrators may not wish for the name of the Virtual
HUB which they administer to be able to be seen by anonymous users. In this case,
opening the [Security settings] box in the [Virtual HUB properties] with the VPN Server
Manager and enabling the [Don't Enumerate This HUB for Anonymous Users] checkbox
prevents the Virtual HUB name from being displayed on the VPN Server Virtual HUB list
enumerated by anonymous users.

The same task can be performed in the vpncmd utility using the command
[SetEnumDeny].

Fig. 3-5-2 Settings window for Virtual HUB administration password

Once this setting is made, a Virtual HUB for which the [Do not enumerate this Virtual
HUB to anonymous users] checkbox is enabled is also no longer displayed to other Virtual
HUB Administrators who are neither entire VPN Server Administrators nor the
Administrators of that Virtual HUB when they acquire the list of Virtual HUBs registered
on the VPN Server, whether with the initial Virtual HUB list window in the VPN Server
Manager or with the [HubList] command in the vpncmd utility. In other words, users who
are not aware of the existence of that Virtual HUB cannot even see the hub's name. This
is effective when the name of the Virtual HUB itself has a meaning which the
Administrator does not wish to disclose.

3.5.3 External Authentication Server Settings

Virtual HUB Administrators wishing to authenticate users with RADIUS authentication
need to set the RADIUS server to be used in advance and this can be done by clicking
the [Authentication server settings] button. In the vpncmd utility, this setting can be
made using [RADIUSServerSet] command.

Please refer to 「2.2.3 RADIUS Authentication」 for details on the items which need to
be set. There is no need to perform domain controller settings when using NT domain or
Active Directory authentication. For details, please refer to 「2.2.4 NT Domain and
Active Directory Authentication」 .

Fig. 3-5-3 RADIUS server settings window

3.5.4 Users and Groups

Users and Groups

Multiple users and groups can be registered on a Virtual HUB. A user may belong to no
group or to exactly one group; a single user cannot belong to two or more groups at the
same time.

Groups administer a collection of multiple users and are useful when wishing to apply
the same security policies to all users registered in that group. Please refer to 「3.5.9
Security Policies」 for details on security policies.

Deleting a group causes all users participating in that group to cease to belong to any
group.

To display a list of users with the VPN Server Manager, click on the [Manage Users]
button. To display a list of groups, click on the [Manage Groups] button. Administration
of users and groups is carried out on the windows displayed by clicking these buttons. A
list of registered users and groups can be obtained using the vpncmd utility with the
[UserList] and [GroupList] commands respectively.

User List

Opening the [Manage Users] window with the VPN Server Manager or calling up the
[UserList] command with the vpncmd utility displays a list of users registered on the
Virtual HUB. In addition to the user's name, their actual name, group to which they are
attached, description, selected user authentication method, number of logins to date and
most recent login time & date are also displayed.

Fig. 3-5-4 Manage Users window

Creating Users

Click on the [Create] button in the VPN Server Manager to create a new user. In the
vpncmd utility, use the [UserCreate] command.

When creating a new user, it is necessary to decide on a user name. Alphanumeric
characters and some symbols can be used for user names but special names used
internally by the VPN Server cannot be designated (designating these names causes an
incorrect parameter error). Arbitrary characters can be designated for the [Real name]
and [Description] entry columns because they are not related to operation of the VPN
Server. The items set when creating a new user can be changed at a later date.

An [Expiration date] can also be set for user objects. Users on whom an expiration date
has been set are no longer able to connect to the VPN Server after said date.

Fig. 3-5-5 User create & edit window

Authenticating Users

User authentication methods have to be selected. Please refer to 「2.2 User
Authentication」 for details on each method. At the same time, parameters
corresponding to the authentication method must also be designated. These parameters
can be set simply with the GUI in the VPN Server Manager, while the same tasks can be
carried out in the vpncmd utility using the [UserAnonymousSet],
[UserPasswordSet], [UserCertSet], [UserSignedSet], [UserRADIUSSet] and
[UserNTLMSet] commands.

Certificate Create Tool

The window in the VPN Server Manager tool for creating new users and editing user
information contains a [Create Certificate] button. This tool enables the simple
generation of an X.509 Certificate and private key pair.

Displaying User Information

Statistical information on each user can be obtained. Select the user with the VPN Server
Manager and click on the [View user Info] button. In the vpncmd utility, use the
[UserGet] command.

The user information includes the time & date on which the user object was created,
time of last update and number of logins as well as statistical information on network
communication.

Fig. 3-5-6 User information window

Group List

Opening the [Manage Groups] window with the VPN Server Manager or executing the
[GroupList] command with the vpncmd utility displays a list of groups registered on the
Virtual HUB. In addition to each group's name, their actual name, description and
number of participating users are also displayed.

Fig. 3-5-7 Manage Groups window

Creating and Editing Groups


To create a new group, click on the [Create new] button in the [Manage Groups] window
of the VPN Server Manager. To edit the information of an existing group, click the [Edit]
button. In the vpncmd utility, the [GroupCreate] and [GroupSet] commands can be
used.


Fig. 3-5-8 Manage Groups window

Adding Users to a Group


To add a user to a group using the VPN Server Manager, enter the name of the group to
which the user is to be attached in the [Group name] box of the user information edit
window or select from the list in [Browse Groups]. When deleting a user from a group,
leave the [Group name] box blank. In the vpncmd utility, the [GroupJoin] and
[GroupUnjoin] commands can be used.

Displaying Group Information

When there are users participating in a group, the VPN Server also records statistical
information on the communication volume for that group when communication occurs in
a VPN session connected by its users. To view this information, open the desired group's
edit window in the VPN Server Manager and select [Statistical information of this group].
In the vpncmd utility, use the [GroupGet] command.

3.5.5 Trusted Certification Authority Certificates

A list of the trusted certification authority certificates can be administered on the Virtual
HUB. This certificate list can be used for the functions in 「3.4.12 Server Authentication
in Cascade Connections」 , in addition to its use for checking whether the certificate
submitted by a user is trusted in signed certificate authentication (see 「2.2.6 Signed
Certificate Authentication」 ).

To register or delete a CA certificate trusted by a Virtual HUB, click on the [Trusted CA
Certificate] button in the VPN Server Manager and select [Add] or [Delete] or click the
[View Certificate] button. In the vpncmd utility, use the [CAList], [CAAdd],
[CADelete] and [CAGet] commands.

Fig. 3-5-9 Manage Trusted CA certificate window

3.5.6 Certificates Revocation List

Role of the Certificates Revocation List

A list of disabled certificates can be administered on the Virtual HUB. An invalid
certificate definition has priority over a trusted CA certificate definition. When one of
several certificates issued by a root certification authority is compromised or the user of
that certificate resigns from the company and so on, this function can be used to forcibly
disable the certificate on the server side by registering its serial number and other
details.

When a user submits a certificate which matches the conditions registered on the
Certificates Revocation List, user authentication is denied even if that certificate was
signed by a certificate registered in the trusted CA certificates list.

Adding to, Deleting & Editing the Certificates Revocation List

To add a new definition to a Virtual HUB's disabled certificates list, or to edit or delete an
existing definition, click on the [Invalid Certificate] button in the VPN Server Manager
and click either the [Add], [Delete] or [Edit] button. In the vpncmd utility, use the
[CrlList], [CrlAdd], [CrlDel] and [CrlGet] commands.


Fig. 3-5-11 Certificates Revocation List window

Registering Certificates Revocation Data

In order to define a new disabled certificate, it is necessary to designate that certificate's
subject field values, its serial number and MD5 or SHA-1 digest values. In addition,
when the certificate to be disabled is available as an X.509 file, it is also possible to
disable the certificate by having the file read in by the VPN Server Manager.

For data registered as a disabled certificate, certificates matching all of the contents of
the defined items are disabled. If the serial number and digest values of the certificate
to be disabled are already known, it is possible to disable only that certificate with a high
degree of certainty by inserting this information. For all other cases, designating the
CN / O / OU / C / ST / L subject field values and performing filtering then disabling those
certificates caught by the filter is an effective measure.

When the connection from a VPN Client using the certificate to be disabled has been
successful to date, the subject fields, serial number and digest values of the certificate
submitted by the user when successfully authenticated are recorded in the Virtual HUB
security log and the VPN Server's server log, so carrying out the disable settings based
on this information is an assured method.
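The matching rule described above (every item defined in an entry must match, undefined items are ignored, and a revocation entry outranks a trusted CA entry) as an added Python example. It is not PacketiX code: the certificate record, the sample subjects, serial numbers and DER bytes are constructed stand-ins for a parsed X.509 certificate, and the function and field names are this example's own.

```python
# Added example (not PacketiX code): matching a submitted certificate against
# Certificates Revocation List entries as section 3.5.6 describes. Every item an
# entry defines must match, undefined items are ignored, and a revoked match
# overrides the trust placed in the issuing CA. Certificate parsing is replaced
# by a constructed record of the fields the list can refer to.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 certificate."""
    subject: Dict[str, str]   # CN / O / OU / C / ST / L values
    serial: str               # serial number as hex
    der: bytes                # DER encoding the digests are computed over
    issuer_cn: str            # CN of the signing CA

    def md5(self) -> str:
        return hashlib.md5(self.der).hexdigest()

    def sha1(self) -> str:
        return hashlib.sha1(self.der).hexdigest()


@dataclass
class CrlEntry:
    """One revocation definition; None / empty means 'not a condition'."""
    subject: Dict[str, str] = field(default_factory=dict)
    serial: Optional[str] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None


def crl_entry_matches(entry: CrlEntry, cert: Certificate) -> bool:
    """True only when every item defined in the entry matches the certificate."""
    for name, value in entry.subject.items():
        if cert.subject.get(name) != value:
            return False
    if entry.serial is not None and entry.serial.lower() != cert.serial.lower():
        return False
    if entry.md5 is not None and entry.md5.lower() != cert.md5():
        return False
    if entry.sha1 is not None and entry.sha1.lower() != cert.sha1():
        return False
    return True


def is_revoked(crl: List[CrlEntry], cert: Certificate) -> bool:
    return any(crl_entry_matches(e, cert) for e in crl)


def signed_cert_auth(cert: Certificate, trusted_ca_cns: Set[str],
                     crl: List[CrlEntry]) -> str:
    """Revocation is checked first: it has priority over a trusted CA definition."""
    if is_revoked(crl, cert):
        return "denied: certificate revoked"
    if cert.issuer_cn not in trusted_ca_cns:
        return "denied: issuer not in trusted CA list"
    return "accepted"


# Constructed sample data (not real certificates).
TRUSTED_CAS = {"Example Root CA"}
ALICE = Certificate({"CN": "alice", "O": "Example Corp", "OU": "Staff"},
                    "0a", b"constructed-der-alice", "Example Root CA")
BOB = Certificate({"CN": "bob", "O": "Example Corp", "OU": "Contractors"},
                  "0b", b"constructed-der-bob", "Example Root CA")
CAROL = Certificate({"CN": "carol", "O": "Example Corp", "OU": "Staff"},
                    "0c", b"constructed-der-carol", "Example Root CA")
DAVE = Certificate({"CN": "dave", "O": "Example Corp", "OU": "Staff"},
                   "0d", b"constructed-der-dave", "Unknown CA")

CRL = [
    # Precise revocation of one certificate: serial plus SHA-1 digest, the values
    # an administrator would copy from the security log of an earlier login.
    CrlEntry(serial="0A", sha1=hashlib.sha1(b"constructed-der-alice").hexdigest()),
    # Filter-style revocation: every contractor certificate of this organization.
    CrlEntry(subject={"O": "Example Corp", "OU": "Contractors"}),
]

if __name__ == "__main__":
    for cert in (ALICE, BOB, CAROL, DAVE):
        print(cert.subject["CN"], "->", signed_cert_auth(cert, TRUSTED_CAS, CRL))
```

The first entry shows the "serial number plus digest" form the manual recommends when the values are known; the second shows the subject-field filter form, which catches every certificate that matches the given CN / O / OU / C / ST / L values and so should be defined with care.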

3.5.7 Setting CN & Serial Number on Signed Certificate Authentication

When the authentication type of a user registered on the Virtual HUB is signed certificate
authorization, it is possible to allow connection only when the CN (Common Name) and
serial number of the X.509 certificate submitted by the user are examined and found to
match completely the predefined user object setting values. Please refer to section
「2.2.6 Signed Certificate Authentication」 entitled [Limit of connectable certificate by
Common Name or serial number].

3.5.8 Setting an Alias in RADIUS Authentication or NT Domain & Active Directory Authentication

It is possible to designate an alias for the user name registered as the Virtual HUB user
object during RADIUS authentication or NT Domain & Active Directory authentication,
and carry out user authentication using this alias by requesting authentication from the
RADIUS authentication server and domain controller. For details, please refer to 「2.2.3
RADIUS Authentication」 and 「2.2.4 NT Domain and Active Directory Authentication」 .

3.5.9 Security Policies

Definition of Security Policy

The security policy function is one of the PacketiX VPN Server Virtual HUB's more
sophisticated functions: it allows only those packets which pass content inspection
against the configured policies. In applying a security policy, the Virtual HUB interprets
the header information of all virtual Ethernet frames flowing over it up to the higher
layers (automatically recognizing ARP / IP / TCP / UDP / ICMP / DHCP etc.) and
determines from that interpretation whether the communication content conforms to the
security policy. As a result, any virtual Ethernet frames which breach the security
policies set for a user by the Virtual HUB Administrator are discarded. In addition, these
security policy violations are, depending on their contents, recorded in the Virtual HUB's
security log, where they can later be inspected by the Virtual HUB Administrator.

Utilizing security policies also enables detailed VPN communication control such as
bandwidth control.

Sequence for Applying Security Policies

Security policies can be set for the users defined on the Virtual HUB. Where several
users are grouped together, security policies can also be applied to the group. Which
security policies are applied to a session when a VPN connection is made to a Virtual
HUB is decided automatically by the VPN Server. The order of priority in determining
this is as follows.

1. When security policies are set for a user attempting to connect to the VPN, those
settings are adopted.
2. When security policies are not set for a user attempting to connect to the VPN and
that user belongs to a group, the security policies set for that group are applied to
the user.
3. Where the user is the Administrator in 「3.4.13 Local Bridge」 , special
Administrator security policies are set.
4. For all other scenarios, the default security policies (see next section) are applied.

Default Security Policies

The default security policy values are as follows.

- [Allow access] is enabled
- [Maximum Number of TCP connections] is 32
- [Time-out Period] is 20 seconds

Setting Security Policies for Users & Groups

To apply security policy settings to user objects or group objects using the VPN Server
Manager, enable [Set Security Policy] checkboxes in the user or group edit window, then
click the [Security Policy] button and edit as desired.

Fig. 3-5-12 User & group security policy edit window

List of Security Policy Items

The PacketiX VPN Server's security policy settings have the following 20 policy items
which can be modified.

Allow Access policy
Description: Users for whom this policy is set are allowed to make a VPN connection to the VPN Server.
Settable Values: [Enabled] and [Disabled]
Default Values: [Enabled]
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection.

Filter DHCP Packets policy
Description: Filters all DHCP packets in sessions for which this policy is set.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Deny DHCP Server Operation policy
Description: Forbids the computer connected to sessions for which this policy is set from acting as a DHCP Server and distributing IP addresses to DHCP clients.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Enforce DHCP Allocated IP address policy
Description: Prevents computers within sessions for which this policy is set from using any IP addresses other than those assigned by the DHCP Server on the virtual network.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Deny Bridge Operation policy
Description: Denies bridge connections in user sessions for which this policy is set. Communication is not possible even if an Ethernet bridge is set up on the user's client side.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection. Note that sessions connected by users on whom both the deny bridge and deny router operation policies are [Enabled] cannot connect to the virtual hub as a [Router/ Bridge Mode] session. Conversely, when either one or both of the deny bridge and deny router operation policies are [Disabled], the user is able to connect to the virtual hub as a [Router/ Bridge Mode] session.

Deny Routing Operation policy
Description: Denies IP routing in sessions for which this policy is set. Communication is not possible even if an IP router is operating on the user's client side.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection. Note that sessions connected by users on whom both the deny bridge and deny router operation policies are [Enabled] cannot connect to the virtual hub as a [Router/ Bridge Mode] session. Conversely, when either one or both of the deny bridge and deny router operation policies are [Disabled], the user is able to connect to the virtual hub as a [Router/ Bridge Mode] session.

Deny MAC Addresses Duplication policy
Description: Prevents the use, in sessions for which this policy is set, of MAC addresses currently in use by a computer in a separate session.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Deny IP addresses Duplication policy
Description: Prevents the use, in sessions for which this policy is set, of IP addresses currently in use by a computer in a separate session.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Deny Non-ARP/ DHCP broadcasts policy
Description: Denies the transmission and receipt of all broadcast packets on the virtual network other than ARP protocol and DHCP protocol broadcast packets in sessions for which this policy is set.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Privacy Filter Mode policy
Description: Filters all direct intersession communication in sessions for which the Privacy Filter Mode policy is set.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection.

Deny Operation as TCP/IP server policy
Description: Denies computers in sessions for which this policy is set from operating as servers in the TCP/IP protocol. In other words, that session is unable to respond to a TCP SYN packet from a separate session.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

No limit on Number of Broadcasts policy
Description: Does not automatically limit the number of broadcast packets sent to the virtual network from computers for which this policy is set, even if said number differs greatly from one which would be considered normal.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: None

Allow Monitoring Mode policy
Description: Allows users for whom this policy is set to connect to a virtual hub in Monitoring Mode. Monitoring Mode sessions can monitor (intercept) all packets flowing within the virtual hub.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection.

Maximum Number of TCP Connections policy
Description: Sets the maximum number of TCP connections which can be assigned for each session in sessions for which this policy is set.
Settable Values: 1 - 32 (connections)
Default Values: 32 connections
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection.

Time-out Period policy
Description: Sets the timeout time in seconds until a session disconnects when a failure occurs in communication between the VPN Client and the VPN Server in sessions for which this policy is set.
Settable Values: 5 - 60 (seconds)
Default Values: 20 seconds
Remarks: This security policy cannot be designated together with the connection settings of a cascade connection.

Maximum Number of MAC Addresses policy
Description: Sets the number of MAC addresses which can be registered per session in sessions for which this policy is set.
Settable Values: [No setting] or 1 - 65,535 (addresses)
Default Values: [No setting]
Remarks: None

Maximum Number of IP Addresses policy
Description: Sets the number of IP addresses which can be registered per session in sessions for which this policy is set.
Settable Values: [No setting] or 1 - 65,535 (addresses)
Default Values: [No setting]
Remarks: None

Upload Bandwidth policy
Description: Limits the bandwidth of external traffic entering the virtual hub in sessions for which this policy is set.
Settable Values: [No setting] or 1 - 4,294,967,295 bps (about 4 Gbps)
Default Values: [No setting]
Remarks: None

Download bandwidth policy
Description: Limits the bandwidth of internal traffic leaving the virtual hub in sessions for which this policy is set.
Settable Values: [No setting] or 1 - 4,294,967,295 bps (about 4 Gbps)
Default Values: [No setting]
Remarks: None

Deny Changing Password policy
Description: Denies users for whom this policy is set from changing their own password using the VPN Client Manager and so on in user password authentication.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: There is no point in applying this policy to a group. In addition, this security policy cannot be designated together with the connection settings of a cascade connection.

Maximum Number of Multiple Logins policy
Description: Denies users for whom this policy is set from performing more than a set number of simultaneous logins. This security policy can only be enabled in the VPN Server 2.0 which features the multiple login limit function.
Settable Values: [No setting] or 1 - 65,535 (logins)
Default Values: [No setting]
Remarks: This security policy value is only valid for VPN Servers with a registered PacketiX VPN 2.0 Option Pack license.

Deny VoIP / QoS Function policy
Description: Denies use of the VoIP / QoS support function in user VPN connection sessions for which this policy is set. This security policy can only be enabled in the VPN Server 2.0 which features the VoIP / QoS support function.
Settable Values: [Enabled] and [Disabled]
Default Values: [Disabled]
Remarks: This security policy value is only valid for VPN Servers with a registered PacketiX VPN 2.0 Option Pack license.
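The policy selection order of "Sequence for Applying Security Policies" and the settable ranges of the policy table above, as one added Python example. It is not PacketiX code: the policy item names, the users, groups and sample values are this example's own constructions, a policy "set" on a user or group is assumed to be stored as the items that were edited (with the Virtual HUB defaults filling the rest), and the special Administrator policies of rule 3 are not modelled.

```python
# Added example (not PacketiX code): which security policy a session receives
# (user policy, else the policy of the user's group, else the Virtual HUB
# defaults) and a check of policy values against the settable ranges in the
# policy table. Item names are this example's own; 0 stands for [No setting].
from typing import Dict, List, Optional, Tuple

DEFAULT_POLICY: Dict[str, object] = {
    "allow_access": True,          # [Allow access] enabled
    "max_tcp_connections": 32,     # [Maximum Number of TCP connections]
    "timeout_seconds": 20,         # [Time-out Period]
    "max_mac_addresses": 0,
    "max_ip_addresses": 0,
    "upload_bps": 0,
    "download_bps": 0,
    "max_multilogins": 0,
    "deny_bridge": False,
    "deny_routing": False,
    "deny_change_password": False,
    "deny_voip_qos": False,
}

# (minimum, maximum, whether 0 = [No setting] is also accepted)
RANGES: Dict[str, Tuple[int, int, bool]] = {
    "max_tcp_connections": (1, 32, False),
    "timeout_seconds": (5, 60, False),
    "max_mac_addresses": (1, 65535, True),
    "max_ip_addresses": (1, 65535, True),
    "upload_bps": (1, 4294967295, True),
    "download_bps": (1, 4294967295, True),
    "max_multilogins": (1, 65535, True),
}


def validate_policy(policy: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means every value is settable."""
    problems = []
    for key, value in policy.items():
        if key not in DEFAULT_POLICY:
            problems.append(f"unknown policy item {key!r}")
        elif key in RANGES:
            low, high, no_setting_ok = RANGES[key]
            if isinstance(value, bool) or not isinstance(value, int):
                problems.append(f"{key}: expected an integer")
            elif value == 0 and no_setting_ok:
                continue
            elif not low <= value <= high:
                problems.append(f"{key}={value} is outside {low}-{high}")
        elif not isinstance(value, bool):
            problems.append(f"{key}: expected [Enabled] or [Disabled]")
    return problems


def effective_policy(user_name: str, users: Dict[str, dict],
                     groups: Dict[str, Optional[dict]]) -> Tuple[Dict[str, object], str]:
    """Resolve the policy for a new session and report where it came from.

    Assumption of this example: a policy set on a user or group holds the items
    that were edited; items it does not mention fall back to the defaults.
    The special Administrator policies (rule 3 in the manual) are not modelled.
    """
    user = users[user_name]
    if user.get("policy") is not None:
        return {**DEFAULT_POLICY, **user["policy"]}, "user"
    group = user.get("group")
    if group is not None and groups.get(group) is not None:
        return {**DEFAULT_POLICY, **groups[group]}, "group"
    return dict(DEFAULT_POLICY), "default"


# Constructed sample objects.
USERS = {
    "alice": {"group": "sales", "policy": {"timeout_seconds": 30, "deny_bridge": True}},
    "bob": {"group": "sales", "policy": None},
    "carol": {"group": None, "policy": None},
}
GROUPS = {"sales": {"max_tcp_connections": 8, "download_bps": 2000000}}

if __name__ == "__main__":
    for name in USERS:
        policy, source = effective_policy(name, USERS, GROUPS)
        print(name, source, validate_policy(policy) or "ok")
```

alice has her own policy, so the sales group policy is ignored for her; bob inherits the group policy; carol falls through to the defaults. validate_policy is the check an administrator's own tooling would run before calling the vpncmd policy commands, since the table's ranges (1 - 32 TCP connections, 5 - 60 seconds, and so on) are the only accepted values.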

Confirming Contents of Applied Security Policies

Users are able to confirm the values of security policy settings applied to the current
session when a VPN Client is connected to a VPN Server Virtual HUB. For details, please
refer to 「4.5.2 Checking the Connection Status」 .


3.5.10 Packet Filtering with the Access List

Role of the Access List

Up to 4,096 access list entries can be defined in a Virtual HUB. An access list is a
function which either passes or discards IP packets passing through network devices
according to designated rules commonly referred to as packet filtering rules.

Fig. 3-5-13 Access list administration window

Data which can be Defined by Access List Entries

The following data can be defined by the access list registered in the Virtual HUB.

- Access List Memo
Enter a description of the access list entry. This entry enables the setting of an
arbitrary character string to clarify the entry for the Virtual HUB Administrator, and its
contents have no effect on packet filtering operation.

- Action
Designates how an IP packet should be treated when a matching entry definition is
found in the access list. Set to [Pass] or [Discard].

- Priority
Designates the priority of an entry within the access list as an integer. The lower the
integer, the higher the priority. If there are access list entries with the same priority,
it is undefined as to which is applied first.

- Source IP address
Designates the sending IP address as the packet's matching criteria. It is also
possible to designate a subnet range including multiple IP addresses by designating
the network address and subnet mask. All sending IP addresses match when no
range is designated.

- Destination IP address
Designates the destination IP address as the packet's matching criteria. It is also
possible to designate a subnet range including multiple IP addresses by designating
the network address and subnet mask. All destination IP addresses match when no
range is designated.

- Protocol Type
Designates the protocol number of that IP packet as the packet's matching criteria. It
is also possible to match all IP protocols. The protocol number can be entered as an
integer; 6 (TCP/IP), 17 (UDP/IP) and 1 (ICMP) are already defined.

- Source / destination port number range
Minimum and maximum source port and destination port numbers can be designated
as the packet's matching criteria when TCP/IP or UDP/IP is selected as the protocol
type. All port numbers are regarded as matching when no values are designated.

- Source user name
A user name can be designated as the packet's matching criteria when wishing to
match only those packets sent by a specific user (strictly speaking, it is the packet
sent by the VPN session of a specific user name). Sending user names are not
checked when no name is designated.

- Destination user name
A user name can be designated as the packet's matching criteria when wishing to
match only those packets to be received by a specific user (strictly speaking, it is the
packet intended to be received by the VPN session of a specific user name).
Destination user names are not checked when no name is designated.

When none of the Access List Entries Match

When multiple access lists are registered on a Virtual HUB and the IP packet does not
match any of the entries contained therein, a [Pass] action is decided by default.
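The access list evaluation described above (entry fields, priority order, enable/disable, and the default [Pass] when nothing matches) as an added Python example. It is not PacketiX code: the packet record is a constructed summary of the fields an entry can match rather than a parsed Ethernet frame, the entries and addresses are constructed samples, and the names are this example's own.

```python
# Added example (not PacketiX code): a priority-ordered access list evaluated
# against IP packets the way section 3.5.10 describes. Entries are tried from
# the lowest priority integer upwards, the first matching enabled entry's action
# is applied, and a packet that matches no entry is passed. Packet fields come
# from a constructed summary record rather than a real parsed frame.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1   # protocol numbers the manual lists as predefined
MAX_ENTRIES = 4096          # per Virtual HUB


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    src_user: str = ""   # user name of the sending VPN session
    dst_user: str = ""   # user name of the receiving VPN session


@dataclass
class AccessEntry:
    memo: str
    action: str            # "Pass" or "Discard"
    priority: int          # lower integer = higher priority
    src_net: Optional[str] = None                 # "addr/mask"; None = any
    dst_net: Optional[str] = None
    protocol: Optional[int] = None                # None = all IP protocols
    src_ports: Optional[Tuple[int, int]] = None   # (min, max), TCP/UDP only
    dst_ports: Optional[Tuple[int, int]] = None
    src_user: Optional[str] = None
    dst_user: Optional[str] = None
    enabled: bool = True   # mirrors AccessEnable / AccessDisable


def _in_net(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def entry_matches(e: AccessEntry, p: Packet) -> bool:
    if not (_in_net(p.src_ip, e.src_net) and _in_net(p.dst_ip, e.dst_net)):
        return False
    if e.protocol is not None and e.protocol != p.protocol:
        return False
    if p.protocol in (TCP, UDP):   # port ranges only apply to TCP/UDP
        if not (_in_range(p.src_port, e.src_ports) and _in_range(p.dst_port, e.dst_ports)):
            return False
    if e.src_user is not None and e.src_user != p.src_user:
        return False
    if e.dst_user is not None and e.dst_user != p.dst_user:
        return False
    return True


def filter_packet(access_list: List[AccessEntry], packet: Packet) -> Tuple[str, str]:
    """Return (action, memo of the deciding entry)."""
    if len(access_list) > MAX_ENTRIES:
        raise ValueError("a Virtual HUB holds at most 4,096 access list entries")
    # Equal priorities are unordered in the manual; sorted() keeps input order for ties.
    for e in sorted(access_list, key=lambda e: e.priority):
        if e.enabled and entry_matches(e, packet):
            return e.action, e.memo
    return "Pass", "no entry matched (default action)"


# Constructed sample list: block telnet everywhere, let guests reach one web
# server, and keep guests off the rest of the 10.0.1.0/24 LAN.
ACCESS_LIST = [
    AccessEntry("block telnet into the 10/8 network", "Discard", 100,
                dst_net="10.0.0.0/255.0.0.0", protocol=TCP, dst_ports=(23, 23)),
    AccessEntry("guests may reach the web server", "Pass", 200,
                dst_net="10.0.1.5/255.255.255.255", protocol=TCP,
                dst_ports=(443, 443), src_user="guest"),
    AccessEntry("guests reach nothing else on the LAN", "Discard", 300,
                dst_net="10.0.1.0/255.255.255.0", src_user="guest"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.2.9", "10.0.1.7", TCP, 50000, 23, "staff"),
                Packet("10.0.2.9", "10.0.1.5", TCP, 50001, 443, "guest"),
                Packet("10.0.2.9", "10.0.1.9", TCP, 50002, 80, "guest"),
                Packet("10.0.2.9", "10.0.1.9", ICMP, src_user="staff")):
        print(pkt, "->", filter_packet(ACCESS_LIST, pkt))
```

The guest HTTPS packet shows why priority matters: entries 200 and 300 both match it, and the lower integer wins. A discard entry with a priority number above a broad pass entry never takes effect, which is the usual mistake when an access list is edited in place.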

Adding, Deleting & Editing Access List Entries


To add, delete or edit entries in the access list, click on the [Manage Access lists] button
in the VPN Server Manager. Next click on the [Add], [Delete] or [Edit] buttons. Be sure
to click the [Save] button after completing any changes to the access list, as changes
are not applied to the Virtual HUB unless saved. Furthermore, the access list is enabled
from the instant it is set (also applies to VPN sessions which are already connected).

To modify the access list with the vpncmd utility, use the [AccessAdd], [AccessList],
[AccessDelete], [AccessEnable] and [AccessDisable] commands.


Fig. 3-5-14 Access list entry edit window

3.5.11 Limiting Connections with the IP Access Control List

IP Access Control List

Using the IP access control list makes it possible to allow or deny a VPN source computer
attempting to make a VPN connection to a Virtual HUB depending on the computer's
physical IP network address.

The IP access control list is similar to the access list in terms of its name and settings
but the two differ completely by nature. While the access list controls IP packets flowing
in a Virtual HUB using their IP addresses, protocol port numbers and so on, the IP access
control list is used to refine the physical IP addresses of connection sources which can
make a VPN connection to the Virtual HUB.

This may involve, for instance, setting up a permanent cascade connection to the VPN
server from the VPN Bridge of a separate hub when connecting company sites to the
VPN. However, where security concerns exist, it is possible to set the IP access control
list of the Virtual HUB receiving the VPN Server cascade connection to refuse any VPN
connections to the Virtual HUB other than from the physical IP address of the site in
which the VPN Bridge is set up. Put simply, it is possible to perform authentication based
on the connection source's IP address. This significantly enhances security because it
prevents connection source VPN client computers which are denied based on their source
IP address from proceeding even to the user authentication phase.

IP Access Control List Rules

Multiple rules can be added to the IP access control list, and the values which can be
defined in these rules are as follows.

- Source IP address (single or subnet)
- Action (Permit connection / Deny Connection)
- Priority (designated with an integer; as is the case for access list entries, the lower
the integer, the higher the priority)

Designating a source IP address of 0.0.0.0 / 0.0.0.0 enables the creation of rule entries
to apply to all IP addresses.

Examples of IP Access Control List Settings

Create the following two entries when wishing to allow connections from the IP address
130.158.6.51, for instance, but deny all other IP addresses.

- Entry with priority of 10: allows connections from IP address 130.158.6.51 (single host)
- Entry with priority of 20: denies connections from IP address 0.0.0.0 subnet mask 0.0.0.0

Making this setting allows VPN connection requests with the source IP address
130.158.6.51 and lets them proceed to the user authentication phase. Connection
requests from all other source IP addresses are denied before the user authentication
phase, so using the IP access control list can enhance security, particularly when using
Virtual HUBs in a site-to-site VPN where the source IP addresses and their ranges are
known to a certain extent.
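The two-entry example above, as an added Python example of how the IP access control list acts as a gate in front of user authentication. It is not PacketiX code: the rule record, the authentication stub and the function names are this example's own, and because the page does not say what happens when no rule matches, the example assumes permit and relies on the catch-all deny entry the page recommends.

```python
# Added example (not PacketiX code): the IP access control list of section
# 3.5.11 as a connection gate that runs before user authentication, loaded
# with the two entries from the manual's example. Rules are tried from the
# lowest priority integer upwards and the first matching rule decides.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class IpAcRule:
    priority: int
    action: str     # "Permit" or "Deny"
    source: str     # "address/mask"; 0.0.0.0/0.0.0.0 matches every address


def ip_ac_decision(rules: List[IpAcRule], source_ip: str) -> str:
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.source, strict=False):
            return rule.action
    # Assumption of this example: the manual does not state the outcome when no
    # rule matches, so a catch-all entry like the one in RULES should always exist.
    return "Permit"


def accept_connection(rules: List[IpAcRule], source_ip: str,
                      authenticate: Callable[[], bool]) -> str:
    """Return the stage at which the connection was decided. A source denied by
    the IP access control list never reaches the user authentication step."""
    if ip_ac_decision(rules, source_ip) == "Deny":
        return "denied by IP access control list"
    return "authenticated" if authenticate() else "denied by user authentication"


# The manual's example: permit one site, deny everything else.
RULES = [
    IpAcRule(10, "Permit", "130.158.6.51/255.255.255.255"),
    IpAcRule(20, "Deny", "0.0.0.0/0.0.0.0"),
]


class AuthCounter:
    """Constructed stub standing in for user authentication; counts attempts."""

    def __init__(self, result: bool):
        self.result, self.calls = result, 0

    def __call__(self) -> bool:
        self.calls += 1
        return self.result


if __name__ == "__main__":
    for ip in ("130.158.6.51", "198.51.100.7"):
        print(ip, "->", accept_connection(RULES, ip, AuthCounter(True)))
```

The AuthCounter shows the property the manual emphasises: for a source address the list denies, the authentication callable is never invoked, so password guessing or certificate probing from such addresses cannot even start.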

Adding, Deleting & Editing IP Access Control List Entries

To add, delete or edit entries in the IP Access Control List, first open [Virtual HUB
properties] in the VPN Server Manager and click on the [IP Access Control List] button.
Next click on the [Add Rule], [Edit Rule] or [Delete Rule] buttons. Be sure to click the
[Save] button after completing any changes to the IP access control list, as changes are
not applied to the Virtual HUB unless saved. The IP access control list takes effect from
the instant it is set, but this does not mean that sessions which are already connected
and do not match the new rules are immediately disconnected.

The IP access control list can be operated in the vpncmd utility using the [AcList],
[AcAdd] and [AcDel] commands.


Fig. 3-5-15 IP access control list window

3.5.12 Virtual HUB Administration Options

Virtual HUB Administration Options


As explained in 「3.5.1 Delegating Virtual HUB Administration Authority」 , Virtual HUB
Administrators possess the authority to perform most settings on their own hub at their
own discretion. However, there may be situations where some functions need to be
disabled and made unavailable to the Virtual HUB Administrators such as disabling the
cascading function from one Virtual HUB to another or disabling the SecureNAT function.

In these situations, using the Virtual HUB Administration Options enables the VPN Server
Administrator to designate and control the details of the Virtual HUB Administrator's
authority.


Fig. 3-5-16 Virtual HUB Administration Option window

Virtual HUB Administration Option Values


The Virtual HUB Administration Options entry list is composed of alphabetic characters
(keywords) and their corresponding values. The initial value of a created hub is set at 0
for all entries. By setting this value as 1 or designating an arbitrary integer it is possible
to restrict the authority that a Virtual HUB Administrator can exercise.

The names of the Virtual HUB administration options entries follow naming conventions.

Designate a value of 0 or 1 for entry names beginning with "allow_", "deny_" and
"no_". Designating 0 disables the restriction placed by that Virtual HUB administration
options entry, whereas designating 1 enables it.

Designate a value of 0 or an arbitrary integer of 1 or more for entries beginning with
"max_". A value of 0 means no limitations, whereas a value of 1 or more restricts the
maximum to that value.

The following Virtual HUB administration options are available on the PacketiX VPN
Server versions at the time of writing.

z allow_hub_admin_change_option
This entry is special in that a value of 1 (Enabled) allows not only the entire VPN
Server Administrator but also the Virtual HUB Administrators to alter their own Virtual
HUB administration options.

z max_users
Designating a value of 1 or more for this entry restricts the maximum number of
users which can be registered on the Virtual HUB, and no user objects beyond this

file://C:¥html¥all.htm 2007/11/20
PacketiX VPN 2.0 Online Manual 219/685 ページ

value can be registered.

z max_groups
Designating a value of 1 or more for this entry restricts the maximum number of
groups which can be registered on the Virtual HUB, and no group objects beyond this
value can be registered.

z max_accesslists
Designating a value of 1 or more for this entry restricts the maximum number of
access lists which can be registered on the Virtual HUB, and no access lists entries
beyond this value can be registered.

z max_sessions
Designating a value of 1 or more for this entry restricts the maximum number of VPN
sessions which can be registered on the Virtual HUB, and any VPN connections
beyond this value are unable to be simultaneously processed.

z max_sessions_client
When the max_sessions_client_bridge_apply entry is 1 (Enabled), the number of
client connection sessions which can be simultaneously connected to this Virtual HUB
is not able to exceed the value set for max_sessions_client. The max_sessions_client
entry value is ignored when the max_sessions_client_bridge_apply entry is set at 0.

z max_sessions_bridge
When the max_sessions_client_bridge_apply entry is 1 (Enabled), the number of
bridge connection sessions which can be simultaneously connected to this Virtual HUB
is not able to exceed the value set for max_sessions_bridge. The
max_sessions_bridge entry value is ignored when the
max_sessions_client_bridge_apply entry is set at 0.

z max_sessions_client_bridge_apply
Only when this entry is 1 (Enabled) are the max_sessions_client and
max_sessions_bridge entries meaningful. The max_sessions_client_bridge_apply
entry is regarded as being permanently set as 1 when using the PacketiX VPN Server
2.0 Carrier Edition.

z max_bitrates_download
When this entry is set at 1 or more, the value of the [Download bandwidth] security
policy is forcibly changed to this entry value and download speed is restricted for all
VPN sessions connected to the Virtual HUB. For instance, setting this value at
1000000 means that all VPN connection sessions on this Virtual HUB are not able to
exceed the download speed of 1Mbps.

z max_bitrates_upload
When this entry is set at 1 or more, the value of the [Upload bandwidth] security
policy is forcibly changed to this entry value and upload speed is restricted for all VPN
sessions connected to the Virtual HUB. For instance, setting this value at 1000000
means that all VPN connection sessions on this Virtual HUB are not able to exceed the
upload speed of 1Mbps.

- max_multilogins_per_user
When this entry is set at 1 or more, the multiple login limit security policy for all
users connected to the Virtual HUB is permanently overwritten with this value
(although when a user's own multiple login limit is set and is smaller than the value
designated here, that smaller limit is used).

- deny_empty_password
When this entry is 1 (Enabled), users registered on the Virtual HUB are unable to set
empty passwords. If there are users who have set empty passwords, they are unable
to connect to the VPN (except connections from localhost, which remain possible).

- deny_bridge
When this entry is 1 (Enabled), bridging is permanently denied for sessions connected
to the Virtual HUB regardless of the contents of the user's security policies when
connected. It is therefore not possible to connect to the Virtual HUB with the aim of
bridging.

- deny_qos
When this entry is 1 (Enabled), the VoIP / QoS support function is permanently
disabled for sessions connected to the Virtual HUB regardless of the contents of the
user's security policies when connected.

- deny_routing
When this entry is 1 (Enabled), routing is permanently denied for sessions connected
to the Virtual HUB regardless of the contents of the user's security policies when
connected. It is therefore not possible to connect to the Virtual HUB with the aim of
routing.

- deny_change_user_password
When this entry is 1 (Enabled), Virtual HUB users are unable to change their own
passwords in the password authentication mode.

- no_change_users
When this entry is 1 (Enabled), Virtual HUB Administrators are unable to add new
users or delete or edit existing users on the Virtual HUB.

- no_change_groups
When this entry is 1 (Enabled), Virtual HUB Administrators are unable to add new
groups or delete or edit existing groups on the Virtual HUB.

- no_SecureNAT
When this entry is 1 (Enabled), Virtual HUB Administrators cannot enable or disable
the SecureNAT function.

- no_SecureNAT_enabledhcp
When this entry is 1 (Enabled), Virtual HUB Administrators cannot enable the Virtual
DHCP Server in the SecureNAT function.

- no_SecureNAT_enablenat
When this entry is 1 (Enabled), Virtual HUB Administrators cannot enable the virtual
NAT function in the SecureNAT function.

- no_cascade
When this entry is 1 (Enabled), Virtual HUB Administrators cannot create, delete or
edit cascade connections or put them online / take them offline.

- no_online
When this entry is 1 (Enabled), Virtual HUB Administrators cannot put an offline
Virtual HUB online.

- no_offline
When this entry is 1 (Enabled), Virtual HUB Administrators cannot take an online
Virtual HUB offline.

- no_change_log_config
When this entry is 1 (Enabled), Virtual HUB Administrators cannot modify the save
settings of the Virtual HUB log files.

- no_disconnect_session
When this entry is 1 (Enabled), Virtual HUB Administrators cannot forcefully
disconnect designated VPN sessions connected to the Virtual HUB.

- no_delete_iptable
When this entry is 1 (Enabled), Virtual HUB Administrators cannot delete designated
IP address entries from the Virtual HUB's IP Address Table database.

- no_delete_mactable
When this entry is 1 (Enabled), Virtual HUB Administrators cannot delete designated
MAC address entries from the Virtual HUB's MAC Address Table database.

- no_enum_session
When this entry is 1 (Enabled), Virtual HUB Administrators cannot enumerate the list of
VPN sessions currently connected to the Virtual HUB.

- no_query_session
When this entry is 1 (Enabled), Virtual HUB Administrators cannot obtain detailed
information on a designated VPN session currently connected to the Virtual HUB.

- no_change_admin_password
When this entry is 1 (Enabled), Virtual HUB Administrators cannot change the Virtual
HUB administration password.

- no_change_log_switch_type
When this entry is 1 (Enabled), Virtual HUB Administrators cannot modify the settings
of the [Log file switch cycle] in the Virtual HUB log file save settings.

- no_change_access_list
When this entry is 1 (Enabled), Virtual HUB Administrators cannot operate the Virtual
HUB's access list.

- no_change_access_control_list
When this entry is 1 (Enabled), Virtual HUB Administrators cannot operate the Virtual
HUB's IP access control list.

- no_change_cert_list
When this entry is 1 (Enabled), Virtual HUB Administrators cannot operate the trusted
CA certificates list.

- no_change_crl_list
When this entry is 1 (Enabled), Virtual HUB Administrators cannot operate the
Certificate Revocation List.

- no_read_log_file
When this entry is 1 (Enabled), Virtual HUB Administrators are unable to enumerate
the Virtual HUB's log files or to remotely read them using an administration connection.


3.6 Local Bridges

The local bridge is a function often used by the PacketiX VPN to make VPN connections.
Local bridging is used to connect a virtual network and a physical network on the
Ethernet level. This section will explain local bridge concepts, methods for setting them
and precautions.

3.6.1 What is a Local Bridge?

The local bridge connection function (herein referred to as local bridge) can connect a
Virtual HUB operating on the VPN Server or VPN Bridge and the physical network
adapter connected to that server computer on a layer 2 connection, thereby joining two
segments which originally operated as separate Ethernet segments into one.

Local bridging enables a computer connected to a Virtual HUB and a computer connected
to a physical LAN to communicate freely at the Ethernet level, as if they were connected
to the same Ethernet segment, regardless of whether each of them is physically linked to a
separate network.

Using a local bridge makes it possible to easily construct a remote-access VPN and
site-to-site VPN. For details, please refer to 「10.4 Setting Up a Generic Remote Access
VPN」, 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 and 「10.6
Setting Up a LAN-to-LAN VPN (Using IP Routing)」.


Fig. 3-6-1 Local bridge function

3.6.2 Local Bridge Settings & Operation

Authority Required to Create a Local Bridge


A local bridge is defined by designating a combination of a network adapter (Ethernet
adapter) physically connected to a VPN Server or VPN Bridge and a Virtual HUB. The
creation of a new local bridge or the removal of an existing local bridge can only be
carried out by the entire VPN Server Administrator. A Virtual HUB Administrator cannot
arbitrarily create a local bridge even if it is for their Virtual HUB.

Local Bridge Operations

Once a local bridge is defined, it is possible to send and receive Ethernet packets
between the designated Virtual HUB and physical network adapter. The local bridge
function automatically terminates when the designated Virtual HUB name does not exist
or when the physical network adapter does not exist or has been disabled by the
operating system. However, it restarts automatically once the cause of the termination is
eliminated.

Creating a New Local Bridge

To define a new local bridge, click the [Local Bridge Settings] button in the VPN Server
Manager. This displays the [Local Bridge Settings] dialog box, so select the Virtual HUB
to be locally bridged from the [Virtual HUB] dropdown box and the name of the network
adapter to bridge to said hub from the [network adapter] box, then click the [Add Local
Bridge] button.

The same task can be carried out using the vpncmd utility's [BridgeDeviceList] and
[BridgeCreate] commands.

The Virtual HUB name should be designated when creating a new local bridge, but even
if a non-existent Virtual HUB name or an offline Virtual HUB is designated, the local
bridge is correctly registered without an error occurring. However, the local bridge will
remain in [Offline] status until the Virtual HUB with that name starts running.

Multiple local bridges can be created, although it is not possible to register the same
Virtual HUB/ physical network adapter combination more than once.


Fig. 3-6-2 Local bridge settings window

Local Bridge Status

There are three types of local bridge status as follows.

- Operating
The local bridge is functioning normally and Ethernet frames are being exchanged
between the Virtual HUB and the physical network adapter.

- Error
An error occurred as a result of the request to the operating system to access the
physical network adapter, such as a "device does not exist" error.

- Offline
The Virtual HUB designated in the local bridge does not exist or is offline.

Local Bridging with a Virtual Network Adapter

When a VPN Client is installed on the computer on which the VPN Server or VPN Bridge
is installed and a Virtual Network Adapter is registered on the system, this Virtual
Network Adapter should appear in the physical network adapter list. In this case it is
technically possible to configure a local bridge between the Virtual HUB and the Virtual
Network Adapter, although there are almost no benefits to such a configuration from a
practical perspective.


3.6.3 Preparing the Local Bridge network adapter

Adding a New Physical Network Adapter for use in a Local Bridge

Establishing a local bridge connection between a Virtual HUB and a physical network
adapter enables the Virtual HUB, as well as VPN Clients and other Virtual HUBs which are
remotely connected to that hub, to communicate directly with the locally bridged
physical network as the same segment.

In this case, the physical LAN to be designated as the local bridging destination is often
the same one used for regular communication by that VPN Server or VPN Bridge (i.e. for
VPN communication with other VPN software). For example, when wishing to set up a
VPN Bridge internally such as on an in-house LAN, and perform site-to-site connection
via the Internet with a LAN in a separate location, the LAN used by that VPN Bridge to
access the Internet and the LAN subject to the bridge connection would be one and the
same.

While it is possible to designate the network adapter that the VPN Server or VPN Bridge
uses for its own VPN communication as the physical network adapter to locally bridge to
the physical LAN, the following problems may arise.

- The VPN Server or VPN Bridge has to separate the frames used for its own VPN
communication, such as a cascade connection with another VPN Server, from the
frames subject to local bridging, thereby consuming CPU time and slowing
communication speed.

- The Ethernet frames arriving at the physical network adapter have to be copied both
into the frame buffer of the OS's TCP/IP protocol stack and into the frame buffer
required for local bridging, thereby placing a burden on CPU time and
memory and slowing communication speed.

Accordingly, when local bridging with a physical LAN, a new physical network adapter
should be installed on the computer running the VPN Server or VPN Bridge and used
exclusively for local bridging if possible. This does not apply when there are no available
PCI slots on the computer or the physical installation of an Ethernet port is not possible
because of embedded hardware.

Fig. 3-6-3 Preparing the local bridge network adapter

No Protocol Stack is Used for the Local Bridge Network Adapter

Where there is a network adapter prepared on the computer for use exclusively in local
bridging, it is recommended that the TCP/IP protocol and other protocol stacks be
disabled on that network adapter to enhance performance. The role of the local bridge
network adapter is to relay Ethernet frames between the Virtual HUB and the physical
LAN, entirely without the need for intervention from the protocol stack of the OS running
the Virtual HUB.

In the case of Windows, it is possible to remove all protocols and services from the local
bridge network adapter including the TCP/IP protocol and other network protocols, and
the Microsoft Network Client file sharing service. To perform this setting, open the
network adapter property in the [Network connections] property and deselect all of the
protocol and service checkboxes.

Fig. 3-6-4 Removing protocol stacks from local bridge network adapter

Even when it is not possible to disable protocol stacks on the local bridge network
adapter for technical reasons, the TCP/IP protocol settings can be changed so that the
network adapter does not obtain an IP address from the DHCP Server. If this setting is
not carried out, the local bridge network adapter automatically receives an IP address
from the DHCP Server and, as a result, problems arise such as VPN communication
becoming unstable due to corruption of the routing table.


Fig. 3-6-5 Setting a fixed IP address for the Local bridge network adapter

For Linux and Solaris, it is possible to use the [ifconfig] command to obtain a result
equivalent to assigning an IP address of 0.0.0.0 to the local bridge network adapter.

3.6.4 Local Bridge Sessions

When a local bridge is associated with the Virtual HUB, displaying a list of that Virtual
HUB's sessions indicates the presence of the local bridge sessions (sessions with the
user name "Local Bridge"). Local bridge sessions are virtual sessions created
automatically for the Virtual HUB by the VPN Server in order to connect the Virtual HUB
and physical network adapter.


Fig. 3-6-6 Local bridge session status window

3.6.5 Supported Network Adapter Types

Requirements of Local Bridge Network Adapters

The local bridge function is compatible with network adapters satisfying the following
criteria.

- Network adapter with a device driver recognizable by the operating system as an
Ethernet (IEEE802.3) device.

- Able to send and receive frames with an MTU (excluding Ethernet header) of up to
1500 bytes without incident.

- Able to operate in promiscuous mode.

- Has sufficient hardware and device driver performance and FIFO buffer capacity, and
able to withstand heavy loads without operating instability due to software or
hardware crashes or overheating.

Recommended Network Adapters

In-house testing carried out at SoftEther Corporation has shown the following network
adapters to possess very high performance worthy of recommendation. Please note,
however, that other network adapters generally pose no problems for use with a local
bridge. We recommend considering a change to one of the following network adapters if
the network adapter you are currently using lacks sufficient performance and is unable
to function as required during local bridging.

Manufacturer  Product Series             Communication Standard
Intel         Intel PRO series           100Base-TX, 1000Base-T, 1000Base-SX,
                                         1000Base-LX, 10GBase-SR, 10GBase-LR
Broadcom      Broadcom NetXtreme series  100Base-TX, 1000Base-T
3Com          3Com series                100Base-TX, 1000Base-T

3.6.6 Use of Network Adapters not Supporting Promiscuous Mode

Network Adapters not Supporting Promiscuous Mode

Some network adapters and network adapter drivers may not support promiscuous
mode. Network adapters which do not support promiscuous mode cannot, in principle, be
used for local bridging with the VPN Server / VPN Bridge.

Most network adapters, however, do support promiscuous mode and can be used
without any problems.

Below are some typical examples of network adapters which do not support promiscuous
mode.

- Wireless LAN (IEEE802.11) network adapters.

- All other network adapters with device drivers incapable of switching to promiscuous
mode.

Forced Use of Network Adapters not Supporting Promiscuous Mode

It is possible to forcibly use network adapters which do not support promiscuous
mode, although this method is not recommended as it gives rise to numerous
limitations. This method should only be used when compelled to use a network adapter
which does not support promiscuous mode for local bridging.

In order to perform this setting, it is necessary to open the [LocalBridgeList] node in
the VPN Server Configuration file after defining the local bridge, then open the local
bridge definition entry designating the intended network adapter (defined by a name
such as [LocalBridge0]) and overwrite [NoPromiscuousMode] to true. The specific
setting is described below.

declare LocalBridgeList
{
    declare LocalBridge0
    {
        string DeviceName Intel(R)$20PRO/1000$20MT
        bool FullBroadcastMode false
        string HubName SoftEther$20Network
        bool MonitorMode false
        bool NoPromiscuousMode true
    }
}


3.6.7 Tagged VLAN Frames

PacketiX VPN supports the use of tagged VLAN frames. However, this support is
dependent upon the type of network adapter and the features of the device driver used
for the local bridge. In addition, SoftEther Corporation does not guarantee the correct
handling of the VLAN frames. Bridging a network handling tagged VLAN frames to a
Virtual HUB involves the following.

When the Local Bridge Network Adapter Supports Tagged VLAN Frames

Perform the network adapter's device driver settings followed by the relevant tagged
VLAN settings. Please refer to your network adapter hardware manual for settings
methods.

When the Local Bridge Network Adapter does not Support Tagged VLAN Frames

When the network adapter hardware does not support tagged VLAN frames, the tag is
passed to software as part of a normal Ethernet frame when a tagged VLAN frame
arrives from the network adapter. In this case, the PacketiX VPN encapsulates the
Ethernet frame exactly as it physically flows, tag included, and sends it over the VPN.
However, no frame, including a tagged VLAN frame, can exceed 1514 bytes including
the MAC header.
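The consequence of that 1514-byte limit is easy to miss: a frame carrying a full 1500-byte payload fits exactly when untagged (14 + 1500 bytes), but the 4-byte 802.1Q tag pushes the same payload to 1518 bytes. The following Python is an added illustration, not code from the manual; it parses the MAC header of a constructed Ethernet frame, recognises an 802.1Q tag (EtherType 0x8100), and reports whether the whole frame stays within the limit. The MAC addresses, VLAN ID and payloads are constructed sample values.

```python
"""Check whether an Ethernet frame fits the 1514-byte local bridge limit.

Constructed example, not code from the PacketiX VPN manual. It parses the
MAC header of an Ethernet frame, recognises an IEEE 802.1Q tag (EtherType
0x8100) and reports whether the whole frame, tag included, stays within the
1514-byte limit (14-byte MAC header + 1500-byte payload) that the manual
gives for frames carried over a local bridge.
"""
import struct

MAX_FRAME_LEN = 1514          # 14-byte MAC header + 1500-byte payload
ETHERTYPE_VLAN = 0x8100       # IEEE 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse the MAC header, including an optional 802.1Q tag.

    Returns src/dst MAC, VLAN ID (None when untagged), the inner EtherType,
    the payload length and whether the frame fits a 1514-byte bridge frame.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a MAC header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan_id = None
    header_len = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF     # lower 12 bits of the TCI carry the VLAN ID
        header_len = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "payload_len": len(frame) - header_len,
        "total_len": len(frame),
        "fits_bridge": len(frame) <= MAX_FRAME_LEN,
    }


def build_frame(dst, src, payload, vlan_id=None, ethertype=ETHERTYPE_IPV4):
    """Build a (possibly tagged) Ethernet frame from constructed inputs."""
    hdr = dst + src
    if vlan_id is not None:
        # TPID 0x8100 followed by the TCI (PCP/DEI zero, VLAN ID in low 12 bits)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def max_payload_for(vlan_tagged: bool) -> int:
    """Largest payload that keeps a frame within MAX_FRAME_LEN."""
    return MAX_FRAME_LEN - (18 if vlan_tagged else 14)


# Constructed sample MACs and payloads (not taken from the manual).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
FULL_PAYLOAD = b"\x00" * 1500   # a payload that fills the 1500-byte MTU

# Untagged frame with a full 1500-byte payload: exactly 1514 bytes, fits.
UNTAGGED = build_frame(DST, SRC, FULL_PAYLOAD)
# Tagged frame with the same payload: 1518 bytes, exceeds the limit.
TAGGED_FULL = build_frame(DST, SRC, FULL_PAYLOAD, vlan_id=100)
# Tagged frame whose payload was reduced by 4 bytes: 1514 bytes, fits again.
TAGGED_FIT = build_frame(DST, SRC, FULL_PAYLOAD[:-4], vlan_id=100)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED),
                        ("tagged, full MTU", TAGGED_FULL),
                        ("tagged, MTU-4", TAGGED_FIT)):
        info = parse_frame(frame)
        print(f"{name:18s} vlan={info['vlan_id']} len={info['total_len']} "
              f"fits={info['fits_bridge']}")
```

Running the script prints one line per sample frame; the practical reading is that hosts on a VLAN-tagged segment bridged this way must keep their IP MTU at 1496 or below so that tagged frames still fit.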

3.6.8 Outputting all Communication Data in the Virtual HUB to the Network Adapter

Setting the Local Bridge to Monitor Mode

Using a function like the one described in 「3.4.10 Communicating in Monitoring Mode
Session」 enables users making a VPN connection to a Virtual HUB to receive (intercept)
all virtual Ethernet frames flowing within that Virtual HUB. A similar operation can be
performed for locally bridged network adapters.

Enabling monitor mode with a local bridging definition results in all Ethernet frames
flowing within that Virtual HUB being output from the locally bridged network adapter.
Setting up local bridging in monitor mode is not a normal task and may be hazardous
from a security perspective and as such, it is not able to be performed from the VPN
Server Manager or vpncmd utility as a precaution. To set up local bridging in monitor
mode, open the [LocalBridgeList] node in the VPN Server Configuration file after
defining the local bridge, then open the local bridge definition entry designating the
intended network adapter defined by the name [LocalBridge0] or so on, and overwrite
[MonitorMode] to true. The specific setting is described below.

declare LocalBridgeList
{
    declare LocalBridge0
    {
        string DeviceName Intel(R)$20PRO/1000$20MT
        bool FullBroadcastMode false
        string HubName SoftEther$20Network
        bool MonitorMode true
        bool NoPromiscuousMode false
    }
}

Connecting a separate device to the LAN port of a network adapter set up in monitor
mode enables that device to intercept all packets flowing over the Virtual HUB. As is
the case in monitoring mode (see 「3.4.10 Communicating in Monitoring Mode
Session」), packets cannot be transmitted into the virtual LAN from that adapter.
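Both [NoPromiscuousMode] (3.6.6) and [MonitorMode] (this section) are set by hand in the configuration file and are invisible in the VPN Server Manager and vpncmd, so an administrator reviewing a server may want to audit the file for them. The following Python parser is an added example and is not part of PacketiX VPN: it reads text in the `declare NAME { type key value }` form shown in the two samples above and lists bridge entries with either flag set. It assumes that the `$20` sequences in the samples are escaped spaces (decoded here as `$` followed by two hex digits, an inference from the samples rather than a documented rule), and the configuration text embedded in it is constructed for the example, modelled on the manual's samples.

```python
"""Audit local bridge definitions in a PacketiX VPN Server configuration.

Added example, not the product's own tooling. It parses the text form of the
[LocalBridgeList] node shown in the manual (`declare NAME { ... }` blocks
containing `type key value` lines) and reports bridges whose MonitorMode or
NoPromiscuousMode flag is true: neither can be set from VPN Server Manager or
vpncmd, and a monitor-mode bridge copies every frame in the Virtual HUB to a
physical port. Assumption: `$XX` in string values is a hex-escaped byte
(the manual's samples use `$20` where a space is expected).
"""
import re

# Constructed configuration text modelled on the manual's samples.
SAMPLE_CONFIG = """
declare LocalBridgeList
{
    declare LocalBridge0
    {
        string DeviceName Intel(R)$20PRO/1000$20MT
        bool FullBroadcastMode false
        string HubName SoftEther$20Network
        bool MonitorMode false
        bool NoPromiscuousMode true
    }
    declare LocalBridge1
    {
        string DeviceName eth1
        bool FullBroadcastMode false
        string HubName DEFAULT
        bool MonitorMode true
        bool NoPromiscuousMode false
    }
}
"""

_ESCAPE = re.compile(r"\$([0-9A-Fa-f]{2})")


def decode_value(kind: str, raw: str):
    """Convert a config value to a Python value; strings carry $XX escapes."""
    if kind == "bool":
        return raw.lower() == "true"
    if kind in ("uint", "uint64"):
        return int(raw)
    if kind == "string":
        return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return raw


def parse_config(text: str) -> dict:
    """Parse nested `declare` blocks into a dict of dicts."""
    root = {}
    stack = [root]
    pending = None  # name of a declared block whose '{' has not been seen yet
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "{":
            if pending is None:
                raise ValueError("'{' without a preceding declare")
            block = {}
            stack[-1][pending] = block
            stack.append(block)
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.startswith("declare "):
            pending = line.split(None, 1)[1]
        else:
            kind, key, raw = (line.split(None, 2) + ["", ""])[:3]
            stack[-1][key] = decode_value(kind, raw)
    if len(stack) != 1 or pending is not None:
        raise ValueError("unterminated block")
    return root


def risky_bridges(config: dict) -> list:
    """Return (bridge name, device, hub, reason) for each flagged entry."""
    findings = []
    for name, entry in config.get("LocalBridgeList", {}).items():
        if not isinstance(entry, dict):
            continue
        reasons = []
        if entry.get("MonitorMode"):
            reasons.append("MonitorMode: all HUB frames copied to this adapter")
        if entry.get("NoPromiscuousMode"):
            reasons.append("NoPromiscuousMode: forced use of a non-promiscuous adapter")
        for reason in reasons:
            findings.append((name, entry.get("DeviceName"), entry.get("HubName"), reason))
    return findings


if __name__ == "__main__":
    for finding in risky_bridges(parse_config(SAMPLE_CONFIG)):
        print(" / ".join(str(part) for part in finding))
```

To run it against a real server, read the configuration file into `parse_config` instead of `SAMPLE_CONFIG`; the parser keeps only the node structure it needs, so unrelated nodes in the file are parsed but ignored by `risky_bridges`.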

Using a Network Adapter in Monitor Mode

By connecting external hardware to capture and log all Ethernet frames flowing over the
network and a security device such as IDS or IDP to the network adapter locally bridged
to the Virtual HUB in monitor mode, it is possible to monitor the contents of all
communication flowing within a Virtual HUB.

Fig. 3-6-7 This figure shows a normal VPN session in monitor mode, but network
adapters in this mode are able to physically receive all Ethernet frames within the
Virtual HUB in the same way as this System Administrator.

When the number of virtual Ethernet frames flowing through the Virtual HUB, or the
frame buffer capacity they require, exceeds the processing capacity of the computer or
of neighbouring devices, the PacketiX VPN software may discard frames in order to keep
the whole system stable. Depending on the situation, therefore, the monitoring device
may not receive every frame.

3.6.9 Using Tap Devices

Rather than designating an existing physical network adapter as the local bridge
destination network device, the Linux version VPN Server / VPN Bridge allow the creation
of a new tap device and bridging to that device. In this case the Universal TUN/TAP
device needs to be embedded in the kernel and accessible as a /dev/net/tun file.

The tap device generated by this function acts as a Virtual Network Adapter directly
connected to the Virtual HUB. The tap device should only be used by those with
sufficiently advanced knowledge of the virtual network.

Use the [ifconfig] command to display a registered tap device and perform its IP address
and other settings. The tap device is recognized as a network interface in the
Linux kernel with a name starting with "tap_".

# ifconfig
tap_test Link encap:Ethernet HWaddr 00:AC:11:9F:E2:8F
inet6 addr: fe80::2ac:11ff:fe9f:e28f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:308 (308.0 b)

3.6.10 Points to Note when Local Bridging in Windows

The following precautions should be noted when using the local bridge function on a
Windows operating system.

- To use the local bridge function it is necessary to launch the VPN Server / VPN Bridge
in service mode (Administrators authority is required when launching in user mode).

- The local bridge function is disabled when the VPN Server / VPN Bridge is launched
with general user authority.

- For users of old Windows versions (Windows 98 / Windows 98 Second Edition /
Windows Millennium Edition / Windows NT 4.0 Workstation / Windows NT 4.0 Server /
Windows NT 4.0 Server, Enterprise Edition), WinPcap software must be installed when
making a local bridge connection. Using the VPN Server Manager automatically
launches the WinPcap installer and performs the installation.

- WinPcap installation is not required for Windows 2000 and later versions. Instead,
the PacketiX VPN performs the necessary local bridge processing by running a local
bridge program inside the kernel.

- It is recommended that the computer be rebooted after configuring the local bridge
connection when using a network adapter which supports hardware offloading to
make the local bridge connection. Although the local bridge operates even without
rebooting, communication may become unstable, in which case the computer should
be rebooted. A setting to disable hardware offloading is applied upon rebooting, after
which operation becomes stable.

- The device name which can be designated in the local bridge destination network
adapter list is displayed as the name reported by that device's hardware device
driver. When two or more devices of the same type are connected, the second and
subsequent device names are distinguished by attaching (2), (3) and so on to the end
of their name. While it is generally not defined which network adapter name
corresponds to which physical network adapter, once the settings have been correctly
performed, the order of the devices is typically not altered even after re-launching.

3.6.11 Points to Note when Local Bridging in Linux

The following precautions should be noted when using the local bridge function on a
Linux operating system.


- To use the local bridge function it is necessary to launch the VPN Server / VPN Bridge
in Service Mode (root authority is required when launching in User Mode).

- The local bridge function is disabled when the VPN Server / VPN Bridge is launched
with general user authority.

- It is necessary to embed a socket interface for low-level access to the network
adapter (also referred to as a packet socket) in the Linux kernel if one is not already
present. This is not a problem for most recent Linux kernels.

- When communication instability occurs as a result of using a network adapter which
supports hardware offloading to make the local bridge connection, disable said hardware
offloading. Please refer to your hardware manual for details.

- Limitations within the Linux operating system prevent communication from the VPN
side (Virtual HUB side) with IP addresses assigned to the locally bridged network
adapter. The cause of this restriction lies with Linux's internal configuration rather
than with the PacketiX VPN. When wishing to communicate in any form with a Linux
computer used for local bridging from the VPN side (Virtual HUB side) (for instance,
when running both the VPN Server / VPN Bridge service and the HTTP Server service
and wishing to grant access to the server service from the VPN side as well), prepare
a separate local bridge network adapter and physically connect both it and the
existing network adapter to the same segment (as explained in 「3.6.3 Preparing the
Local Bridge network adapter」, it is recommended to prepare a network adapter for
exclusive use in local bridging for this and other situations).

- While Windows enables device names to be designated for all network adapter
names, in Linux, network device names such as eth0, eth1 and so on are designated.
These device names can be obtained using the [ifconfig -a] command.

3.6.12 Points to Note when Local Bridging in Solaris

The following precautions should be noted when using the local bridge function on a
Solaris operating system.

- The VPN Server / VPN Bridge must be operated with root authority to use the local
bridge function.

- The local bridge function is disabled when the VPN Server / VPN Bridge is launched
with general user authority.

- When communication instability occurs as a result of using a network adapter which
supports hardware offloading to make the local bridge connection, disable said hardware
offloading. Please refer to your hardware manual for details.

- Limitations within the Solaris operating system prevent communication from the VPN
side (Virtual HUB side) with IP addresses assigned to the locally bridged network
adapter. The cause of this restriction lies with Solaris's internal configuration rather
than with the PacketiX VPN. When wishing to communicate in any form with a Solaris
computer used for local bridging from the VPN side (Virtual HUB side) (for instance,
when running both the VPN Server / VPN Bridge service and the HTTP Server service
and wishing to grant access to the server service from the VPN side as well), prepare
a separate local bridge network adapter and physically connect both it and the
existing network adapter to the same segment (as explained in 「3.6.3 Preparing the
Local Bridge network adapter」, it is recommended to prepare a network adapter for
exclusive use in local bridging for this and other situations).

- While Windows enables device names to be designated for all network adapter
names, in Solaris, network device names such as e1000 and so on are designated.
These device names can be obtained using the [ifconfig -a] command.


3.7 Virtual NAT & Virtual DHCP Servers

The PacketiX VPN Server and PacketiX VPN Bridge Virtual HUBs feature SecureNAT
functionality. This section will explain SecureNAT concepts, methods for setting them
and precautions.

3.7.1 What is SecureNAT?

SecureNAT Overview

The SecureNAT function is a hitherto unknown innovative proprietary technology
developed for the PacketiX VPN, the use of which enables the creation of a more secure
network.

The SecureNAT function is broadly divided into two parts: the virtual NAT function and
the virtual DHCP server function. The Virtual HUB Administrator can enable either or
both the virtual NAT and virtual DHCP server when SecureNAT is enabled.

Please refer to 「10.11 Using SecureNAT to Set Up a Remote Access VPN With No
Administrator Rights」 for details on how to set up the SecureNAT function.

The SecureNAT function is oriented towards System Administrators and those
with a detailed knowledge of networks. Proper use of the SecureNAT function
enables the realization of safe remote access via the VPN. However, its erroneous use
may place the entire network at risk. Please do not enable the SecureNAT function
without such a knowledge of networks and the permission of the Network
Administrator.

Virtualizing the Broadband Router Function

Many general broadband routers developed and commercialized for business and
consumer applications integrate the NAT function and the DHCP server function, and
connecting a computer internally to a broadband router enables access via NAT to global
IP networks (such as the Internet) in addition to the automatic assignment of a private
IP address to that computer.

The PacketiX VPN SecureNAT function virtualizes the NAT and DHCP server functions
equipped in typical broadband routers and, by carrying out all processing just in user
mode, enables the use of functions equivalent to a broadband router between a virtual
and a physical LAN.

Fig. 3-7-1 SecureNAT function

SecureNAT Virtual Interface

The SecureNAT function can be set and enabled/ disabled for each Virtual HUB. Unlike
the local bridge function, all settings of the SecureNAT function can be set by the Virtual
HUB Administrators. Enabling the SecureNAT function creates a virtual VPN session
called a SecureNAT session within the Virtual HUB and creates a virtual network
interface (VNI) as if there were a single network adapter within that VPN session. This is
called a virtual host network interface.

A virtual host network interface is directly connected to the Virtual HUB at layer 2. As
such, from the perspective of other VPN client computers connected to the Virtual HUB,
and from the perspective of cascaded or bridging destination computers when the Virtual
HUB is cascaded or locally bridged to other Virtual HUBs or physical LANs, the SecureNAT
function's virtual host network interface is recognized as being equivalent to a single
computer. The virtual host network interface can also be assigned an IP address.

Using SecureNAT with General User Authority

The SecureNAT function and virtual NAT / virtual DHCP server all run as user mode
programs. In order to realize a complicated mechanism such as the one present in the
virtual NAT in particular, it is usually necessary to use the kernel module within the
operating system.

In order to realize the virtual NAT, the PacketiX VPN requires absolutely no special
processing in the operating system's kernel mode nor the use of the kernel mode's NAT
function. Accordingly, all SecureNAT functions including the virtual NAT function can be
freely executed with general user authority.

This feature means that no System Administrator authority is required to use the
SecureNAT function. Please refer to 「3.2.2 User Mode」 for details on how to launch
the VPN Server / VPN Bridge as a general user.
When general users with permission from the Network Administrator or System
Administrator but without a System Administrator account use the SecureNAT
function, it becomes possible to realize VPN communication typically not within general
user authority. Please refer to 「10.11 Using SecureNAT to Set Up a Remote Access
VPN With No Administrator Rights」 for specific methods of use.

In addition, System Administrators can use SecureNAT as safe NAT software. Typical
NAT programs run as kernel modules. If there is vulnerability such as a buffer overrun
in part of the NAT program, it may lead to system invasion and kernel authority theft
by a black hat or an entire system crash due to a bug. In contrast, the PacketiX VPN
SecureNAT program can be run completely in user space without the need for special
system authority. Even if a failure occurs in the SecureNAT program, the effect is
limited to the user space which launched the VPN Server / VPN Bridge, thus
eliminating the risk of effects to other users and the system overall.

Aims of SecureNAT Use

The SecureNAT function can be used for the following objectives.

- Use as a Simple Network Gateway
Simply setting up the VPN Server and a Virtual HUB and remotely connecting to that hub
only results in closed communication within the Virtual HUB; on its own this does not
provide communication with the physical network connected to the computer running the
VPN Server. Using local bridging in this case commonly involves a layer 2 connection
between the Virtual HUB and the physical network, but using the SecureNAT function
enables communication with the network connected to the computer operating the
VPN Server via the Virtual HUB's virtual host network interface. Therefore, it is
possible to make use of SecureNAT's virtual NAT function when preferring not to use
the local bridging function, or when unable to use it due to not possessing the computer's
System Administrator authority or due to use of a UNIX OS version of the VPN Server
or VPN Bridge other than Windows, Linux or Solaris.

- As a DHCP Server

Of the SecureNAT functions, it is possible to enable only the DHCP server, in other words to use only the DHCP server function operating within the Virtual HUB's Ethernet segment. This allows VPN Clients remotely accessing the Virtual HUB, and client computers on the local bridge destination, to receive IP addresses assigned by the virtual DHCP server.

Normally, automatic IP address assignment by DHCP requires either locally bridging the Virtual HUB to a separate network containing the DHCP server, or connecting the DHCP server to the Virtual HUB with the VPN Client using the Virtual Network Adapter; the SecureNAT function's virtual DHCP server eliminates this need.

- As a Simple Gateway for Remote Access to Remote Sites

Remote access VPN to a remote site (for instance, a site on which equipment maintenance is to be carried out via the network) using PacketiX VPN typically involves installing the VPN Server or VPN Bridge on a computer at that remote site and either connecting to it with a VPN Client or setting up a continuous cascade connection from that site to a VPN Server located elsewhere, thus enabling communication with computer nodes on that remote site. However, the SecureNAT function can be used as an alternative when a local bridge cannot be set up on the remote site's computer for security or cost reasons, or when the OS does not support the PacketiX VPN local bridging function. Please refer to 「10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights」 for details on these methods of use.

Enabling the SecureNAT Function

This function is disabled by default. To enable the SecureNAT function, click the [Virtual NAT & Virtual DHCP Server (SecureNAT)] button in the VPN Server Manager to display the [Virtual NAT and Virtual DHCP Server function (SecureNAT) Setting] window (all subsequent explanations relating to SecureNAT assume that this window is open). Next click [Enable SecureNAT].

In the vpncmd utility, SecureNAT commands all begin with "SecureNAT", "Nat" or "Dhcp". To enable the SecureNAT function, for example, use the [SecureNATEnable] command.

Fig. 3-7-2 Virtual NAT and Virtual DHCP Server function (SecureNAT) Setting window

Neither the virtual NAT function nor the virtual DHCP server function operates while the SecureNAT function of which they are a part is disabled. Therefore, ensure that the SecureNAT function is enabled before using either of these functions.

3.7.2 Setting the Virtual Host Network Interface

The SecureNAT function enables setting of information relating to the VNI (virtual network interface) of the virtual node (virtual host) created inside the Virtual HUB.

Click [SecureNAT Configuration] in the VPN Server Manager and enter the relevant details in the [Virtual Host Network Interface Setting] entry. The entries which can be set, and their default values, are as follows.

Entry       | Description | Default value
------------|-------------|--------------
MAC Address | The virtual host network interface is a Virtual Network Adapter which supports Ethernet standards like a typical computer network adapter or Virtual Network Adapter, so it uses one MAC address. Designate the MAC address to be used. | 6 bytes of random data starting with "00:AC"
IP Address  | Designate the IP address of the virtual host network interface. | 192.168.30.1
Subnet Mask | Designate the subnet mask of the IP network to which the designated IP address belongs. | 255.255.255.0

Fig. 3-7-3 Virtual host administration window

3.7.3 Virtual NAT

Virtual NAT Function Settings

Set the [Use Virtual NAT Function] checkbox to enabled status in the VPN Server Manager to use SecureNAT's virtual NAT function. Conversely, set it to disabled status when not using the function. When SecureNAT is started, the virtual NAT function is enabled by default.

A list of the entries and default values which can be set is as follows.

To set each option, use the VPN Server Manager to make the relevant entries in the
[Virtual NAT Setting] box inside [SecureNAT Setting]. In the vpncmd utility, use the
[NatSet] command.

Entry               | Description | Default value
--------------------|-------------|--------------
MTU                 | Designates the MTU value used by the virtual NAT function on the VNI side, i.e. the maximum length of the Ethernet frame payload (length excluding the MAC header). | 1500 bytes
TCP Session Timeout | Number of seconds without any communication after which a TCP/IP session in the NAT session table established via the virtual NAT function is regarded as timed out. | 7,200 seconds
UDP Session Timeout | Number of seconds without any communication after which a UDP/IP session in the NAT session table established via the virtual NAT function is regarded as timed out. | 600 seconds

Fig. 3-7-4 Virtual NAT function administration window

Using the Virtual NAT Function

TCP/IP and UDP/IP communication through the virtual NAT function proceeds as follows.

1. Make the appropriate settings and enable the SecureNAT and the virtual NAT
function in the Virtual HUB. In particular, match the virtual host's IP address &
subnet mask with the IP network address and subnet mask used in that Virtual
HUB.
2. In the TCP/IP settings on a separate client computer on the Virtual HUB side (it
does not matter whether this is connected by a physical local bridge and cascade
connection or via the VPN Client), set the IP address of the SecureNAT virtual host
running on the Virtual HUB as the default gateway (combining with the virtual
DHCP server function described below also enables automatic settings).
3. When the client computer attempts to perform TCP/IP or UDP/IP communication,
the virtual NAT operates entirely as a single router with NAT functionality enabling
access to a physical network's host via the computer running the Virtual HUB using
that computer's existing network interface. A new session is registered on the
virtual NAT function's NAT session table at that time. To display the NAT session
table, click on the [Virtual NAT Router Status] button in the VPN Server Manager.
In the vpncmd utility, use the [NatTable] command.

Operating Principles of the Virtual NAT Function

The virtual NAT function realizes IP routing and NAT (IP masquerade) processing,
typically carried out in kernel mode, in user mode.

The hierarchical relationship of the network protocol stack on a system with NAT functionality in kernel mode is shown in the figure below.

Fig. 3-7-5 Stack diagram of network modules in combined normal kernel mode NAT & PacketiX VPN NAT

The areas in red in the diagram above denote those operating in kernel mode. Achieving functions equivalent to these areas has typically required kernel mode programming. However, because a vulnerability in a program executing in kernel mode is likely to be far more serious from a security standpoint, and because a bug in such a program can destabilize the entire system, all processing should be carried out in user mode wherever possible.

To enable these processes in user mode, SoftEther Corporation developed a proprietary TCP/IP stack for exclusive use by the SecureNAT function and succeeded in implementing it in user mode. SecureNAT's virtual NAT function receives TCP/IP and UDP/IP packets from the virtual network as a router, assigns those packets to sessions, and interprets them properly in the layers up to the transport layer. For TCP/IP, the TCP stream is reconstructed from the sequence numbers within that connection. The reconstructed payload data is stored in an internal FIFO buffer and forwarded to the target host as fast as possible using the socket API of the operating system running the VPN Server / VPN Bridge. Data received from the destination host travels the same route in the opposite direction, returning to the Virtual HUB's virtual network; the user mode TCP/IP stack is used here as well, and the data is automatically put into datagram form by recovery and flow control algorithms conforming to the TCP/IP protocol standards. SecureNAT's virtual NAT function is realized by way of this extremely complicated processing, although general users do not have to be aware of these operating principles.

Fig. 3-7-6 Stack diagram of network modules in SecureNAT's virtual NAT function

3.7.4 Points to Note when using Virtual NAT Function

While virtual NAT is a very convenient function, the following precautions should be taken when using it.

- Using Virtual NAT

The use of virtual NAT is recommended for environments where the VPN Server / VPN Bridge runs without System Administrator authority or without OS support for local bridging, i.e. when a computer in the Virtual HUB's layer 2 segment cannot use the local bridge function and needs to access a physical network host via the physical network interface of the computer actually running the Virtual HUB (particularly where the uses given in 「10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights」 apply).

Where local bridging can be used to connect a Virtual HUB and a physical network, and there are no security issues, there is no need to connect the virtual network to the physical network using the virtual NAT function.

- Preventing Connections that Cause Infinite Looping of Packets

Consider a computer that connects to a virtual NAT-enabled Virtual HUB running on that same computer, either from the Virtual Network Adapter of its own VPN Client or by locally bridging a physical network adapter to that hub, and whose network adapter's default gateway is set to the IP address of the Virtual HUB's SecureNAT virtual host network interface. Communication from that computer to an arbitrary IP address then tries to go through the Virtual HUB's virtual NAT, which in turn tries to reach the destination IP address by calling the operating system's network communication API, so the packet re-enters the Virtual HUB and falls into an infinite loop. The virtual NAT function is not normally used at the same time as a local bridge or a VPN connection to localhost from the VPN Client; if such connections are being made, the network design is likely incorrect.

- Precautions relating to Performance

Because SecureNAT has its own internal virtual TCP/IP stack, it performs the highly involved process of reassembling the TCP/IP stream that the client's TCP/IP stack has already packetized, and then packetizing it again through the operating system's TCP/IP stack. The overhead of these processes is large, so throughput via the virtual NAT is considerably lower than the physical maximum throughput even on a sufficiently fast computer. Virtual NAT should therefore not be used for performance-centric applications. As previously stated, virtual NAT is an alternative for cases where the local bridge function cannot be used for security or technical reasons. Where high-speed methods such as local bridging are available, those methods should be used.

- Handling ICMP Packets

When virtual NAT is enabled and a client sends ICMP packets to another host via the IP address of the virtual host network interface acting as its router, the virtual NAT returns dummy ICMP echo reply packets for all ICMP echo request packets. This is a specification of PacketiX VPN and is unavoidable, because most operating systems do not allow arbitrary ICMP packets to be transmitted through network APIs that can be called with user authority. When using virtual NAT it is therefore impossible to confirm the existence of a host on the other side of the virtual NAT router using ICMP packets.

- DNS Redirect

When virtual NAT is enabled, packets destined for UDP port 53 (DNS packets) at the IP address of the virtual host network interface are automatically forwarded to the DNS server used by the computer running the Virtual HUB. This is the same behaviour as that of typical broadband routers.

- Unsupported Functions

The user mode TCP/IP stack used internally by virtual NAT does not implement some advanced TCP/IP features such as the Window Scale option, Selective ACKs and the Nagle algorithm. In addition, by its nature virtual NAT does not support IP routing or NAT between virtual networks. The virtual layer 3 switch function should be used for IP routing between virtual networks.
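The following Python model, added here as an illustration and not taken from the PacketiX VPN source, shows how a user-mode virtual NAT keeps the session table described in 3.7.3 and behaves as the notes above describe: TCP and UDP sessions keyed by their 5-tuple, the 7,200 and 600 second idle timeouts, the DNS redirect of UDP/53 aimed at the virtual host, and the dummy ICMP echo reply. The virtual host IP is the product default; the host's resolver address and the packets fed in are assumed/constructed values, and the log wording mirrors the security log sample in 3.7.8.

```python
import time
from dataclasses import dataclass

# Defaults taken from the manual's [NatSet] table. The NAT model itself is a
# constructed illustration, not the SecureNAT source code.
TCP_SESSION_TIMEOUT = 7200   # seconds
UDP_SESSION_TIMEOUT = 600    # seconds
VIRTUAL_HOST_IP = "192.168.30.1"


@dataclass
class NatSession:
    session_id: int
    proto: str          # "tcp" or "udp"
    src: tuple          # (ip, port) of the client on the Virtual HUB side
    dst: tuple          # (ip, port) the client addressed
    forward_to: tuple   # (ip, port) actually opened through the OS socket API
    last_seen: float
    timeout: int


class VirtualNatModel:
    """User-mode NAT session table in the style of SecureNAT's [NatTable]."""

    def __init__(self, virtual_host_ip=VIRTUAL_HOST_IP, host_dns="10.0.0.53"):
        self.virtual_host_ip = virtual_host_ip
        self.host_dns = host_dns   # resolver of the computer running the Virtual HUB (assumed)
        self.sessions = {}         # (proto, src_ip, src_port, dst_ip, dst_port) -> NatSession
        self._next_id = 1
        self.log = []              # security-log style lines, wording as in section 3.7.8

    def _open(self, proto, src, dst, forward_to, now):
        timeout = TCP_SESSION_TIMEOUT if proto == "tcp" else UDP_SESSION_TIMEOUT
        sess = NatSession(self._next_id, proto, src, dst, forward_to, now, timeout)
        self._next_id += 1
        self.sessions[(proto,) + src + dst] = sess
        self.log.append(
            "SecureNAT: The %s session %d was created. Connection source %s:%d, "
            "Connection destination %s:%d"
            % (proto.upper(), sess.session_id, src[0], src[1], dst[0], dst[1]))
        return sess

    def handle(self, pkt, now):
        """Classify one packet arriving from the Virtual HUB and return the NAT action."""
        proto = pkt["proto"]
        if proto == "icmp":
            # No unprivileged API can send arbitrary ICMP, so every echo request is
            # answered locally with a dummy reply: reachability cannot be probed.
            if pkt.get("type") == "echo-request":
                return {"action": "dummy-echo-reply", "to": pkt["src_ip"]}
            return {"action": "drop"}
        if proto not in ("tcp", "udp"):
            return {"action": "drop"}   # only TCP/IP and UDP/IP are translated
        src = (pkt["src_ip"], pkt["src_port"])
        dst = (pkt["dst_ip"], pkt["dst_port"])
        sess = self.sessions.get((proto,) + src + dst)
        if sess is None:
            forward_to = dst
            # DNS redirect: UDP/53 aimed at the virtual host goes to the host's resolver.
            if proto == "udp" and dst == (self.virtual_host_ip, 53):
                forward_to = (self.host_dns, 53)
            sess = self._open(proto, src, dst, forward_to, now)
        sess.last_seen = now   # any traffic on the 5-tuple keeps the session alive
        return {"action": "forward", "session": sess.session_id, "to": sess.forward_to}

    def expire(self, now):
        """Delete sessions idle longer than their timeout; returns the deleted ids."""
        deleted = []
        for key, sess in list(self.sessions.items()):
            if now - sess.last_seen > sess.timeout:
                del self.sessions[key]
                deleted.append(sess.session_id)
                self.log.append("SecureNAT: The %s session %d was deleted."
                                % (sess.proto.upper(), sess.session_id))
        return deleted


if __name__ == "__main__":
    nat = VirtualNatModel()
    t0 = time.time()
    # Constructed packets mirroring the manual's log sample in section 3.7.8.
    print(nat.handle({"proto": "tcp", "src_ip": "192.168.30.10", "src_port": 1079,
                      "dst_ip": "207.46.0.166", "dst_port": 1863}, t0))
    print(nat.handle({"proto": "udp", "src_ip": "192.168.30.10", "src_port": 1048,
                      "dst_ip": "192.168.30.1", "dst_port": 53}, t0))
    print(nat.handle({"proto": "icmp", "type": "echo-request",
                      "src_ip": "192.168.30.10", "dst_ip": "203.0.113.7"}, t0))
    print(nat.expire(t0 + 601), nat.log)
```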

3.7.5 Virtual DHCP Server

The Virtual DHCP Server Function

The Virtual DHCP Server function can be used as part of SecureNAT. Depending on the method of use, it can also be used on its own without the virtual NAT function. The DHCP Server enables a computer connected to the Virtual HUB's layer 2 segment to receive an IP address distributed by the DHCP Server and use that IP address temporarily.

The Virtual DHCP Server allocates IP addresses in much the same way as a DHCP server program on a physical computer. However, it does not offer detailed functions for setting numerous options like those included in Windows Server versions.

The Virtual DHCP Server provides simple DHCP address allocation rather than being a fully fledged DHCP server. The function is most suitable when setting up a Virtual HUB and seeking to automate IP address assignment to that Virtual HUB's computers using the DHCP protocol, where running DHCP server software on the same segment as the Virtual HUB would otherwise require too much effort.

While the DHCP Server function is simple, it can set IP address expiration times, administer lease tables and allocate several essential options without problems.

Fig. 3-7-7 Virtual DHCP Server function

Virtual DHCP Server Function Settings


Set the [Use Virtual DHCP Server Functions] checkbox to enabled status in the VPN Server Manager to use SecureNAT's Virtual DHCP Server function. Conversely, set it to disabled status when not using the function. When SecureNAT is started, the Virtual DHCP Server function is enabled by default.

A list of the entries and default values which can be set is as follows.

To set each option, use the VPN Server Manager to make the relevant entries in the
[Virtual DHCP Server Setting] box inside [SecureNAT Setting]. In the vpncmd utility, use
the [DhcpSet] command.

Entry | Description | Default value
------|-------------|--------------
Distribution IP Address Range | Designates the range of IP addresses allocated by the Virtual DHCP Server to clients. | From 192.168.30.10 to 192.168.30.200
Subnet Mask | Designates the subnet mask value assigned to the client together with the IP address. | 255.255.255.0
Lease Limit | Designates the expiration time of the leased IP address. | 7,200 seconds
Default Gateway Address Assigned to Client | Designates the default gateway address sent to the client. Concurrent use with the Virtual NAT function is assumed by default, but a different value can be set, or no value at all. | 192.168.30.1
DNS Server Address Assigned to Client | Designates the DNS server address sent to the client. Concurrent use with the Virtual NAT function is assumed by default, but a different value can be set, or no value at all. | 192.168.30.1
Domain Name Assigned to Client | Designates the DNS domain suffix sent to the client. It is also possible to designate no value. | Domain name attached to the computer running the Virtual HUB

Fig. 3-7-8 Virtual DHCP Server function administration window

Obtaining IP Address Lease Table


A list of the IP addresses assigned by the Virtual DHCP Server (IP Address Lease Table)
can be displayed at any time. To display the IP Address Lease Table, click on the [Virtual
DHCP Server Status] button in the VPN Server Manager. In the vpncmd utility, use the
[DhcpTable] command.


Fig. 3-7-9 Virtual DHCP Server IP Address Lease Table display window

3.7.6 Points to Note when using the Virtual DHCP Server

While the Virtual DHCP Server is a convenient function, the following precautions should be taken when using it.

- Using the Virtual DHCP Server

The Virtual DHCP Server provides simple DHCP server functions and does not require System Administrator authority to operate. Where the Virtual DHCP Server's functions are insufficient, the use of full-featured UNIX or Windows DHCP server software is recommended.

- Effective Range of the DHCP Scope

The scope (range) within which IP addresses allocated by the Virtual DHCP Server can be received is limited to the layer 2 segment of the Virtual HUB on which SecureNAT is operating. Accordingly, in particular where there is no connection to a physical LAN by local bridging, the range affected by that DHCP server is confined to the Virtual HUB, and only computers VPN-connected to the Virtual HUB receive IP addresses from the Virtual DHCP Server. The LAN connected to the computer actually running the Virtual HUB is not affected (this does not hold when local bridging is used). Needless to say, the entire layer 2 segment is subject to IP address assignment from the DHCP server when Virtual HUBs are cascaded or bridged to a separate site.

- Note on Initial Settings

The Virtual DHCP Server function's default settings assign addresses from the 192.168.30.0/24 address space to client computers, and set the default gateway and DNS server address on the assumption that the Virtual NAT function is used concurrently. If the Virtual NAT function is not used, the default gateway and DNS server address defaults are meaningless, so be sure to modify them.

- Allocating IP Addresses only, without Allocating Default Gateway & DNS Server Addresses

To use the Virtual DHCP Server simply to allocate an IP address to the client computer without assigning default gateway and DNS server settings, leave the [Default gateway address] and [DNS server address] boxes in the client-assigned options blank. In this case, the client computer to which the IP address is assigned does not modify the router or DNS server it uses.

Please note that there have been reports of a problem with client computers running Windows, whereby the default gateway and DNS server options received on the previous assignment from a DHCP server are cached and applied again when these values are left blank on the subsequent connection. While this appears to be a Windows OS specification, we recommend trying to connect to a separate DHCP server once in an attempt to overcome it.
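As an added example (not SoftEther's code), the Python model below allocates leases from the default 192.168.30.10 to 192.168.30.200 range described in 3.7.5, expires them after the 7,200 second lease limit, omits the gateway and DNS options when those boxes are left blank as in the note above, and flags the default gateway/DNS settings when the Virtual NAT function is not in use. The domain name and the client MAC addresses are assumed/constructed values; the log wording follows the security log sample in 3.7.8.

```python
import ipaddress
from dataclasses import dataclass

# Defaults from the manual's [DhcpSet] table. The domain name is an assumed value
# (the real default is the domain of the computer running the Virtual HUB).
# The allocator itself is a constructed model, not the SoftEther implementation.
DEFAULTS = {
    "range_start": "192.168.30.10",
    "range_end": "192.168.30.200",
    "subnet_mask": "255.255.255.0",
    "lease_limit": 7200,                # seconds
    "default_gateway": "192.168.30.1",  # blank string = do not hand out this option
    "dns_server": "192.168.30.1",       # blank string = do not hand out this option
    "domain_name": "example.internal",  # assumed
}


@dataclass
class Lease:
    entry_id: int
    mac: str
    ip: str
    host_name: str
    expires_at: float


class VirtualDhcpModel:
    """Lease table and client options in the style of the Virtual DHCP Server."""

    def __init__(self, **overrides):
        self.cfg = {**DEFAULTS, **overrides}
        self.first = ipaddress.IPv4Address(self.cfg["range_start"])
        self.last = ipaddress.IPv4Address(self.cfg["range_end"])
        if self.last < self.first:
            raise ValueError("distribution range end precedes its start")
        self.leases = {}        # MAC address -> Lease (the [DhcpTable] view)
        self._next_id = 1
        self.log = []           # security-log style lines

    def client_options(self):
        """Options sent with the address; blank gateway/DNS/domain are simply omitted."""
        opts = {"subnet_mask": self.cfg["subnet_mask"],
                "lease_time": self.cfg["lease_limit"]}
        for key in ("default_gateway", "dns_server", "domain_name"):
            if self.cfg[key]:
                opts[key] = self.cfg[key]
        return opts

    def request(self, mac, host_name, now):
        """Offer (or renew) an address for `mac`; returns None when the scope is exhausted."""
        # Expired leases are dropped first so their addresses can be reused.
        self.leases = {m: ls for m, ls in self.leases.items() if ls.expires_at > now}
        lease = self.leases.get(mac)
        if lease is None:
            in_use = {ls.ip for ls in self.leases.values()}
            ip = self.first
            while ip <= self.last and str(ip) in in_use:
                ip += 1
            if ip > self.last:
                return None
            lease = Lease(self._next_id, mac, str(ip), host_name, 0.0)
            self._next_id += 1
            self.leases[mac] = lease
            self.log.append(
                "SecureNAT: The DHCP entry %d was created. MAC address: %s, "
                "IP address: %s, host name: %s, expiration date: %d seconds"
                % (lease.entry_id, mac, lease.ip, host_name, self.cfg["lease_limit"]))
        lease.expires_at = now + self.cfg["lease_limit"]   # renewal refreshes the lease
        return {"ip": lease.ip, **self.client_options()}

    def check_against_virtual_nat(self, virtual_nat_enabled, virtual_host_ip="192.168.30.1"):
        """The 'Note on Initial Settings' check: gateway/DNS pointing at the virtual
        host are meaningless unless the Virtual NAT function is enabled as well."""
        warnings = []
        if not virtual_nat_enabled:
            for key in ("default_gateway", "dns_server"):
                if self.cfg[key] == virtual_host_ip:
                    warnings.append("%s still points at the SecureNAT virtual host %s "
                                    "but Virtual NAT is disabled" % (key, virtual_host_ip))
        return warnings


if __name__ == "__main__":
    dhcp = VirtualDhcpModel()
    # Constructed client request mirroring the manual's log sample.
    print(dhcp.request("00-AC-85-40-B5-50", "NT4", now=0.0))
    print(dhcp.log[-1])
    print(dhcp.check_against_virtual_nat(virtual_nat_enabled=False))
```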

3.7.7 SecureNAT Sessions

When the SecureNAT function is operating on the Virtual HUB, a special virtual session
called a SecureNAT session is registered on the Virtual HUB session list. The SecureNAT-
operated virtual host VNI is virtually (software-wise) internally connected to this session.

The Virtual HUB Administrator can obtain information on this session in the same way as
a normal session.

3.7.8 Logging SecureNAT Status

The complete status of SecureNAT's Virtual NAT and Virtual DHCP Server functions is saved in the Virtual HUB's security log. Below is an example of a saved log.

2005-12-06 15:44:52.557 SecureNAT: The DHCP entry 1 was created. MAC address: 00-AC-85-40-B5-50, IP address: 192.168.30.10, host name: NT4, expiration date: 7200 seconds
2005-12-06 15:45:08.104 SecureNAT: The TCP session 1 was created. Connection source 192.168.30.10:1079, Connection destination 207.46.0.166:1863
2005-12-06 15:45:08.401 SecureNAT: The connection to TCP session 1: Host "baym-sb26.msgr.hotmail.com (207.46.0.166)", Port 1863 was successful.
2005-12-06 15:45:08.666 SecureNAT: The TCP session 1 was deleted.
2005-12-06 15:45:14.604 SecureNAT: The UDP session 2 was created. Connection source 192.168.30.10:1048, Connection destination 192.168.30.1:53
2005-12-06 15:45:14.760 SecureNAT: The TCP session 3 was created. Connection source 192.168.30.10:1080, Connection destination 65.54.239.140:1863
2005-12-06 15:45:15.479 SecureNAT: The TCP session 4 was created. Connection source 192.168.30.10:1081, Connection destination 61.197.235.212:143
2005-12-06 15:45:15.494 SecureNAT: The connection to TCP session 4: Host "us.softether.co.jp (61.197.235.212)", Port 143 was successful.


3.8 Virtual Layer 3 Switches


The virtual layer 3 switch function adds a virtual router which can perform IP routing
between multiple Virtual HUBs on the VPN Server, and enables the realization of a layer
3 connection between Virtual HUB segments by carrying out IP routing in accordance
with routing rules defined by the Administrator.

3.8.1 What is a Virtual Layer 3 Switch?

Virtual Layer 3 Switch Overview


As described in 「3.4 Virtual HUB Functions」, the Virtual HUB is an object which virtually realizes a physical layer 2 switch (switching hub) in software, and multiple Virtual HUBs can be created in the VPN Server. The Virtual HUB only supports the exchange of Ethernet frames on layer 2, and does not support layer 3 routing.

The virtual layer 3 switch was developed and implemented in response to requests to
carry out IP routing between layer 2 segments in multiple Virtual HUBs. The virtual layer
3 switch implements as software the functions of communication devices commonly
found in the office such as routers and layer 3 switches. The exchange of IP packets
between each network is supported by creating multiple Virtual HUBs, separating the
layer 2 segments and IP routing between those layer 2 segments.

Fig. 3-8-1 IP Routing between IP Networks with Virtual Layer 3 Switching

The virtual layer 3 switch is a function intended for Network Administrators and others with a detailed knowledge of networks and IP routing. Virtual layer 3 switching is not required when using the normal VPN functions. When using the virtual layer 3 switch, sufficient consideration should be given to the impact upon the network, based upon a sound knowledge of IP routing. The explanations contained within this manual assume that the reader possesses such knowledge.

Virtual Layer 3 Switch Authority

Just as only Administrators of the entire VPN Server can create Virtual HUBs, the authority to create, delete and configure virtual layer 3 switches lies solely with those Administrators. Although Virtual HUB Administrators can see how their own Virtual HUB is connected to a virtual layer 3 switch, they cannot operate or edit the connection of an existing layer 3 switch, nor manipulate its routing table. VPN Server Administrators are therefore required to perform the settings when using the virtual layer 3 switch function.

3.8.2 Difference between Bridging & IP Routing

Layer 2 bridges connecting networks and cascade connections between Virtual HUBs are mechanisms which join two separate network segments into a single network segment. When using the TCP/IP protocol within such a segment, the computers within that segment must, in principle, belong to the same IP network (while it is possible to multiplex several IP networks on the same segment and have them communicate, computers connected to that segment can only communicate directly with those belonging to the same IP network).

In comparison, IP routing is a mechanism which exchanges packets at the IP layer between two separate network segments. Please refer to documents on router operation and IP routing for details.

A physical router or layer 3 switch has one IP address for each network segment subject to routing, and forwards IP packets that arrive addressed via that IP address to the appropriate other interface using the routing table it holds internally.

The virtual layer 3 switch definable on the VPN Server operates by the same mechanism. Placing the virtual layer 3 switch between Virtual HUBs on the VPN Server enables IP routing between the Virtual HUBs to which it is connected. In this case, the virtual layer 3 switch has one interface for each segment. For example, if two IP networks 192.168.1.0/24 and 192.168.2.0/24 exist and routing is carried out between them using the virtual layer 3 switch, then an interface is connected to each network and two IP addresses, 192.168.1.254 and 192.168.2.254 for instance, are assigned. When a computer belonging to 192.168.1.0/24 wants to transmit an IP packet to network 192.168.2.0/24, it can send that packet using 192.168.1.254 as its gateway. The router with the two interfaces 192.168.1.254 and 192.168.2.254 then sends the packet on to network 192.168.2.0/24. IP routing works by such a mechanism.

The conceptual interface on the VPN Server by which the virtual layer 3 switch connects to a Virtual HUB is called a "virtual interface". The connection between the virtual layer 3 switch and the Virtual HUB is actually made in the software's internal memory and is not visible to users. However, a special virtual session known as a virtual layer 3 session is registered on each Virtual HUB to which one of the virtual layer 3 switch's virtual interfaces is connected.

3.8.3 Defining Virtual Layer 3 Switches

The VPN Server has no virtual layer 3 switches by default. Virtual layer 3 switches can be created by the VPN Server Administrator at any time they are required, and in any number.

Every virtual layer 3 switch has a name by which it is identified. Alphanumeric characters and some symbols can be used in the name. To define a new virtual layer 3 switch, first choose a name. Note that once a virtual layer 3 switch is created, its name cannot be changed.

To carry out settings relating to the virtual layer 3 switch, click the [Layer 3 Switch Setting] button in the VPN Server Manager to display the [Virtual Layer 3 Switch Setting] dialog box. When a virtual layer 3 switch is already registered here, double-clicking on it opens its settings window (all explanations on how to use the virtual layer 3 switch contained herein start from this window). In the vpncmd utility, use the commands whose names start with "Router".

Fig. 3-8-2 Virtual layer 3 switch setting window

To create a new virtual layer 3 switch, click the [Create] button and designate its name.
A virtual interface must also be defined and the [Start] button clicked before the newly-
created virtual layer 3 switch begins running.

Fig. 3-8-3 Create virtual layer 3 switch window

3.8.4 Adding Virtual Interfaces to connect to Virtual HUBs


Simply creating a virtual layer 3 switch serves no purpose, and is comparable to buying
a physical router and layer 3 switch and simply leaving them on the shelf. In the same
manner as physically connecting a router to the networks of each connection destination
with a network cable, it is necessary to register virtual interfaces on the virtual layer 3
switch for the Virtual HUBs of destinations to be connected.

To register a new virtual interface, click the [Add Virtual Interface] button. Once the
[Add Virtual Interface] dialog box appears, select the destination Virtual HUB. Also
designate the subnet space belonging to the IP address held by that interface within the
Virtual HUB.

Fig. 3-8-4 Add virtual interface window

Multiple virtual interfaces can be created on a virtual layer 3 switch. Normally two or
more virtual interfaces are added (only one serves almost no purpose). Register all of
the Virtual HUBs to be subject to routing by the virtual layer 3 switch.

The only Virtual HUBs which can be directly connected to the virtual layer 3 switch are those running on the same VPN Server. To use layer 3 switching to route IP packets to a VPN Server on a separate computer or to a Virtual HUB running on a VPN Bridge, first create a suitably named Virtual HUB on the local side and connect it to the virtual layer 3 switch, then cascade that Virtual HUB to the VPN Server on the separate computer or to the Virtual HUB running on the VPN Bridge.

This method enables remote-site Virtual HUBs or physical LANs to be connected by virtual layer 3 switching, as well as the creation of site-to-site VPNs that skilfully incorporate an IP routing mechanism.

Previously, performing a similar connection required not only a VPN but also involved
the purchase of hardware for IP routing. The PacketiX VPN facilitates simple
implementation even for networks of sophisticated design by bringing together as
software the functions required to connect remote locations to the VPN with IP routing.

3.8.5 Editing the Routing Table

The virtual layer 3 switch has a routing table similar to that of common physical routers
and layer 3 switches. Even without designating anything, if a virtual layer 3 switch has a
virtual interface connected to a Virtual HUB, then it has the route information to the IP
network determined by the IP address and subnet mask set for that virtual interface.
Accordingly, it is not necessary to define a routing table for the layer 2 segment directly
connected to the virtual layer 3 switch.

When it is necessary to carry out IP routing via the directly-connected layer 2 segment
to an IP network in a segment further ahead, then it is necessary to edit the values of
the virtual layer 3 switch's routing table and add suitable routing entries.

The current routing table can be displayed using the [Edit Virtual Layer 3 Switch] dialog box. This table is empty immediately after a new virtual layer 3 switch is created. To make new entries in the routing table, click the [Routing Table Entry] button.

Fig. 3-8-5 Add routing table entry window

The [Add Routing Table Entry] window has boxes to enter the details of new routing
table entries for registration. The information which needs to be registered here is
similar to that designated when adding an entry to the static routing table of a typical
router or layer 3 switch. Specific examples of entries are shown below.

- Network Address
Designates the network address containing the destination IP addresses subject to
routing by this routing table entry.

- Subnet Mask
Designates the network mask which, together with the network address, defines the
destination network.

- Gateway Address
Designates the IP address of the IP packet forwarding destination (i.e. the IP address
of the next router). The IP address designated here must lie within one of the IP
networks defined by the IP address and subnet mask of a virtual interface of this
virtual layer 3 switch (note that an address outside these networks is still registered
without any error or notification appearing). If another virtual layer 3 switch is
connected to an adjacent Virtual HUB, then it may also be the IP address of that
virtual layer 3 switch's virtual network interface.

- Metric Value
Designates the metric value of the routing table entry.

When designating the default route, set the network address as 0.0.0.0 and the
subnet mask as 0.0.0.0.
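The following added example (not code from PacketiX VPN; class and function names are assumptions) models the routing table described above: directly connected segments need no entry, the default route is 0.0.0.0 with mask 0.0.0.0, and a gateway outside every virtual interface's network is registered without error, so the example reports that case instead of staying silent. The lookup order, longest prefix and then lowest metric, is assumed conventional router behaviour.

```python
"""Static routing table of a virtual layer 3 switch, modelled on section 3.8.5.
Added illustration, not code from the PacketiX VPN Server; class and function names
are assumptions. Lookup order (directly connected segment, then longest prefix, then
lowest metric) is the conventional router behaviour the manual compares the switch to."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VirtualInterface:
    hub: str        # Virtual HUB the virtual interface is connected to
    address: str    # IP address set for the interface, e.g. "192.168.10.1"
    mask: str       # subnet mask set for the interface, e.g. "255.255.255.0"

    @property
    def network(self) -> ipaddress.IPv4Network:
        # the directly connected IP network; it needs no routing table entry
        return ipaddress.ip_interface(f"{self.address}/{self.mask}").network


@dataclass(frozen=True)
class RouteEntry:
    network_address: str   # [Network Address]; 0.0.0.0 with mask 0.0.0.0 is the default route
    subnet_mask: str       # [Subnet Mask]
    gateway: str           # [Gateway Address], the next router
    metric: int = 1        # [Metric Value]

    @property
    def prefix(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.network_address}/{self.subnet_mask}", strict=False)


class VirtualLayer3Switch:
    def __init__(self, interfaces: List[VirtualInterface]):
        self.interfaces = list(interfaces)
        self.routes: List[RouteEntry] = []   # empty immediately after creation

    def hub_for(self, address: str) -> Optional[str]:
        """Virtual HUB whose directly connected segment contains address, if any."""
        ip = ipaddress.ip_address(address)
        for itf in self.interfaces:
            if ip in itf.network:
                return itf.hub
        return None

    def add_route(self, entry: RouteEntry) -> bool:
        """Registers the entry unconditionally, as the product does, and returns whether
        the gateway lies in a network defined by one of the virtual interfaces. The
        manual notes the product itself raises no error for an unreachable gateway."""
        self.routes.append(entry)
        return self.hub_for(entry.gateway) is not None

    def lookup(self, destination: str) -> Optional[Tuple[str, str]]:
        """(next hop, Virtual HUB) for destination, or None when it cannot be forwarded.
        For a directly connected segment the next hop is the destination itself."""
        hub = self.hub_for(destination)
        if hub is not None:
            return (destination, hub)
        dst = ipaddress.ip_address(destination)
        best: Optional[RouteEntry] = None
        for route in self.routes:
            if dst not in route.prefix:
                continue
            # longest prefix first, then lowest metric
            if best is None or ((route.prefix.prefixlen, -route.metric)
                                > (best.prefix.prefixlen, -best.metric)):
                best = route
        if best is None:
            return None
        gw_hub = self.hub_for(best.gateway)
        if gw_hub is None:
            return None      # entry was accepted, but its gateway is on no virtual interface
        return (best.gateway, gw_hub)


def build_sample_switch() -> VirtualLayer3Switch:
    """Constructed sample (not from the manual): two Virtual HUBs, a default route,
    two routes to 10.0.0.0/8 with different metrics and one unreachable gateway."""
    sw = VirtualLayer3Switch([
        VirtualInterface("HUB_A", "192.168.10.1", "255.255.255.0"),
        VirtualInterface("HUB_B", "192.168.20.1", "255.255.255.0"),
    ])
    sw.add_route(RouteEntry("10.0.0.0", "255.0.0.0", "192.168.20.254", metric=1))
    sw.add_route(RouteEntry("10.0.0.0", "255.0.0.0", "192.168.10.254", metric=5))
    sw.add_route(RouteEntry("0.0.0.0", "0.0.0.0", "192.168.10.254"))        # default route
    sw.add_route(RouteEntry("172.16.0.0", "255.255.0.0", "192.168.99.1"))   # silently accepted
    return sw
```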

3.8.6 Starting and Stopping Virtual Layer 3 Switches

Start and Stop

Operation can be started for virtual layer 3 switches with one or more registered virtual
network interfaces by clicking on the [Start] button. It is also possible to terminate a
virtual layer 3 switch during operation at any time by clicking on the [Stop] button.

Note that it is not possible to edit the virtual layer 3 switch's virtual interface list or
Routing Table in any mode other than [Terminated]. Therefore, terminate the virtual
layer 3 switch to edit these parameters.

Virtual Layer 3 Switch Status


The virtual layer 3 switch has the following three modes and each is displayed in real
time in the [Virtual Layer 3 Switch Setting] window.

Stop
    The virtual layer 3 switch is stopped. This is the only state in which the virtual
    layer 3 switch's parameters can be set.

Started (operating)
    The virtual layer 3 switch is running and functioning, because all Virtual HUBs
    connected to all defined virtual interfaces exist on the VPN Server and are online.
    This is the only state in which the virtual layer 3 switch can perform IP routing.
    If even one of the Virtual HUBs connected to the defined virtual interfaces is
    deleted from the VPN Server or goes [Offline] while in this mode, a transition to
    [Started (error)] mode occurs automatically.

Started (error)
    Although the virtual layer 3 switch is set to Started status, one or more of the
    Virtual HUBs connected to the defined virtual interfaces does not exist on the VPN
    Server or is offline, so the virtual layer 3 switch cannot perform IP routing. If all
    of the Virtual HUBs connected to the defined virtual interfaces exist on the VPN
    Server and come online while in this mode, a transition to [Started (operating)]
    mode occurs automatically.

3.8.7 Limitations

The virtual layer 3 switch function has the following limitations.

- It does not support dynamic routing protocols.

- It does not support IGMP.

- Sending an ICMP Echo request exceeding 1,472 bytes to the virtual layer 3 switch's
virtual interface returns a 1,472 byte ICMP Echo response.


3.9 Clustering

PacketiX VPN Server 2.0 Enterprise Edition & PacketiX VPN Server 2.0 Carrier Edition
both support the clustering function. This section explains the clustering function.

3.9.1 What is Clustering?

Clustering Necessity

In general terms, clustering is a processing method which distributes a large processing
load that would be difficult for a single computer to handle among multiple computers,
while appearing to the user as a single system, so that there is no need to be aware that
the processing is performed in a coordinated manner by multiple computers in the
background.

PacketiX VPN Server 2.0 Enterprise Edition & Carrier Edition feature the clustering
function, which gathers the VPN Server computers into one cluster to enable the
handling of a large amount of processing as a whole where a single computer would
normally not be capable.


Aims of the PacketiX VPN Server Clustering Function

The PacketiX VPN Server clustering function is designed and implemented to create the
following two types of networks or a single network combining both. It is not designed or
implemented for any other purposes (for example, for separating a cluster node to a
remote location and running said mode autonomously etc.).

- Creating a large-scale remote access VPN service where it would be difficult for a
single VPN Server to process all simultaneous connections (please refer to 「10.8
Setting Up a Large Scale Remote Access VPN Service」 for details).

- Creating a large-scale Virtual HUB hosting service where it would be difficult for a
single VPN Server to process all Virtual HUBs and simultaneous connections (please
refer to 「10.9 Setting Up a Large Scale Virtual HUB Hosting Service」 for details).

Clustering Function Overview

When configuring a cluster with multiple VPN Server computers, one of the computers is
run in cluster controller mode, while the other computers are cluster connected to the
cluster controller and operated as cluster member servers. The VPN Server operates in
stand alone mode by default after installation and no clusters are configured.

Clustering enables the following.

- In environments where a large number of VPN connections need to be processed,
clustering distributes them across multiple VPN Servers through load sharing, where a
single computer attempting the same task would be incapable or would suffer a serious
impact on performance.

- Where a cluster member server running within the cluster stops temporarily due to a
hardware problem or software update, the processing to be carried out by that server
is automatically taken over by another cluster member server. Therefore, while long-term
operation of individual servers may result in a malfunction, the servers as a whole can
continue to run almost without disruption.

- When operating a Virtual HUB within the cluster, it is possible to select either a static
Virtual HUB or a dynamic Virtual HUB as the operating mode depending on the
objective.

- The entire VPN Server Administrator and the Virtual HUB Administrators need only
connect to the cluster controller to administer the cluster member servers, without
having to be aware of their individual existence.

Prerequisites

A VPN Server Enterprise Edition License or Carrier Edition License is required for each
VPN Server when creating a cluster between multiple VPN Servers.

It is also recommended to connect the VPN Servers to a network with minimal delays
and high throughput. Typically when joining a cluster, each server is set up in the same
location. In this case, it is probably most desirable for all cluster member servers to be
directly connected to the cluster controller on the same segment without traveling via a
router. Although performance declines, it is technically possible to set up the cluster
controller and cluster member servers in separate locations via a router. In either case,
the cluster controller must be set up in a location which allows TCP/IP protocol
communication from all other cluster member servers.

Fig. 3-9-1 Connecting the cluster controller & cluster member servers

3.9.2 Cluster Controllers

What is a Cluster Controller?

The cluster controller is the computer forming the core of the entire cluster. The
computer representing the cluster when it is created is known as the cluster controller,
and a VPN Client or VPN Server / VPN Bridge attempting to connect to the cluster
designates the cluster controller's IP address or host name as the destination IP address
or host name.

Overview of Cluster Controller Load Sharing

When the cluster controller receives a VPN connection from a VPN source computer it
performs user authentication in the same manner as a regular VPN connection. After
successful user authentication, the cluster controller decides automatically which cluster
member server is to perform the processing and realizes load sharing by redirecting the
connection to that cluster member server. The VPN Server which is the cluster controller
is itself also a load sharing destination. The load sharing algorithm compares the load of
each VPN Server and automatically determines the assignment destination of a newly-
connected VPN session. For this it uses integers referred to as points in the cluster
member list. By presetting the [Function Standard Ratio in Cluster] settings entry for the
cluster controller and cluster member servers, it is also possible to manually adjust the
parameters for load sharing.

The load sharing discussed here is an overview, and more detailed control is performed
depending on the type of Virtual HUB to which the actual VPN connection is made. For
details, please refer to 「3.9.7 Static Virtual HUBs」 and 「3.9.8 Dynamic Virtual
HUBs」 .


Setting a VPN Server as a Cluster Controller

The VPN Server operates as a stand alone server in the default operating mode.
Changing this operating mode to a cluster controller allows the VPN Server to run in
cluster controller mode. This and all other settings related to clustering can only be
performed by the entire VPN Server Administrator.

To set the VPN Server to cluster controller mode, click on the [Clustering Configuration]
button in the VPN Server Manager. Next select [Cluster controller] in the dialog box
which appears and click [OK]. In the vpncmd utility, use the
[ClusterSettingController] command.

Fig. 3-9-2 Configure Clustering settings window

Using the PacketiX VPN Server in cluster mode makes some functions unavailable. Note
that the configuration data for the stand alone server mode functions described in
「3.9.12 Functions not Available Simultaneously with Clustering」 is deleted when the
server operating mode is changed to cluster controller mode or cluster member server
mode. It is therefore recommended to make a backup before changing the server's
operating mode.

Creating & Administering Virtual HUBs

Virtual HUBs are created for the cluster controller in the VPN Server clustering
environment. Where necessary, the cluster member servers create temporary Virtual
HUB instances upon instructions from the cluster controller, but it is not necessary to
directly create Virtual HUBs for the cluster member servers. As explained in 「3.9.10
Collectively Administering the Entire Cluster」 , Virtual HUB creation and the setting &
administration of all Virtual HUBs can only be carried out for the cluster controller in a
clustering environment.

3.9.3 Cluster Member Servers

What is a Cluster Member Server?

The term "cluster member server" refers to any computer which forms a part of the
cluster configuration other than the cluster controller. By cluster connecting to the
cluster controller, the cluster member server is placed under the control of the said
cluster controller and shares the processing within the cluster.

When adding a cluster member server to an existing cluster, the cluster controller's host
name or IP address, port number (one of the listener ports made available by the cluster
controller) and administration password are required.

Setting a VPN Server as a Cluster Member Server


The VPN Server operates as a stand alone server in the default operating mode.
Changing this operating mode to a cluster member server allows the VPN Server to run
in cluster member server mode.

To set the VPN Server to cluster member server mode, click on the [Clustering
Configuration] button in the VPN Server Manager. Next select [Cluster Member Server]
in the dialog box which appears and click [OK]. In the vpncmd utility, use the
[ClusterSettingMember] command.

The entries required at this time are as follows.

Controller Host Name or IP Address
    Designates the host name or IP address of the cluster controller computer
    representing the cluster. The VPN Server on the host designated here must be
    operating in cluster controller mode.

Port Number of Controller
    Designates the TCP/IP port of the destination cluster controller.

Administration Password
    Designates the administration password of the destination cluster controller.
    Participation as a member in the cluster is allowed or denied depending on whether
    the hash value of the entered administration password is matched by
    challenge-response authentication. When the cluster controller's administration
    password is changed, the administration password in the cluster connection settings
    of the cluster member servers must also be changed. This password is not associated
    with the VPN Server administration password of the cluster member server itself.

Public IP Address
    The public IP address of this cluster member, reported to the cluster controller.
    The IP address designated here is used as the redirect address when the cluster
    controller selects this cluster member server as the load sharing destination for a
    new VPN connection session from a VPN source. When no address is entered, the IP
    address of the network interface used for the cluster connection to the cluster
    controller is used automatically. Designate an address here only when a public IP
    address different from that of the network interface used for the cluster
    connection is to be used.

Public Port List
    The public port numbers of this cluster member, reported to the cluster controller.
    Typically, the list of listener ports made public by the cluster member server is
    designated. At least one public port number must be designated; multiple port
    numbers can be designated by separating them with commas.

Cluster Connecting to a Cluster Controller with a Cluster Member Mode VPN Server

VPN Servers running in cluster member mode are constantly connected to the cluster
controller by a special control TCP/IP connection known as a "cluster connection". The
cluster member server attempts to maintain the control cluster connection with the
designated cluster controller as far as possible. If the cluster connection is disconnected
or fails to connect, repeated attempts are made at an interval of a few seconds until the
connection is successful.

When seeking to confirm whether the cluster member server is properly connected to
the cluster controller, connect to the cluster member server with the VPN Server
Manager and click [Clustering Status] to display the following information. In the
vpncmd utility, use the [ClusterConnectionStatusGet] command.

Connection Status
    Displays [Online] when the cluster connection is in normal status. If the cluster
    connection is not properly connected, the cause of the error is displayed.

Connection Start Time
    The time and date at which the cluster connection commenced.

Time of First Successful Connection
    The time and date of the first successful connection to the cluster controller.

Time of Current Successful Connection
    The time and date of the currently-connected cluster connection.

Connection Attempts
    Displays the number of attempts to connect to the cluster controller to date.

Successful Connections
    Displays the number of connection attempts to date which were successful.

Failed Connections
    Displays the number of connection attempts to date which failed.

Fig. 3-9-3 Cluster controller connection status display window

Obtaining List of VPN Servers connected to Cluster Controller & Displaying Details

Connect to the cluster controller with the VPN Server Manager and click the [Clustering
Status] button to display a list of all cluster controllers and cluster member servers
connected to that cluster controller. In the vpncmd utility, use the
[ClusterMemberList] command.


Fig. 3-9-4 Intra-cluster VPN Server list administration window

The entries listed here are as follows.

Type
    Either [Controller] or [Member].

Connection Time
    The time and date at which the member started operating as a member of the cluster
    after its cluster connection to the cluster controller.

Host
    Host name of the cluster controller or cluster member server.

Points
    Value indicating the load status of the cluster member server. The higher this
    value, the lower the load and the higher the likelihood that the member will be
    designated as the load sharing destination for a new VPN session.

Sessions
    Displays the number of VPN sessions being processed by the VPN Server.

TCP Connections
    Displays the number of TCP/IP connections being processed by the VPN Server.

Dynamic Virtual HUBs
    Displays the number of Virtual HUB instances operating on the VPN Server.

Consumed Client Connection Licenses
    Displays the number of client connection licenses for the cluster consumed by the
    VPN Server.

Consumed Bridge Connection Licenses
    Displays the number of bridge connection licenses for the cluster consumed by the
    VPN Server.

Note that the information for the cluster controller and each of the cluster member
servers displayed in the table of the [Cluster Member List] dialog box is not the latest
information, but is instead a few seconds old because it is the result of a query made by
the cluster controller to each member server every few seconds.

Also, selecting the desired cluster member server shown in the VPN Server Manager and
clicking on [Cluster Member Server Information] enables detailed information on that
cluster member server to be viewed. In the vpncmd utility, use the
[ClusterMemberInfoGet] command.

Fig. 3-9-5 Intra-cluster member server status display window

While cluster connection communication between a cluster controller and cluster
member servers is TCP/IP protocol-based, it differs from the PacketiX VPN protocol in
that it is implemented by a proprietary dedicated synchronous and asynchronous RPC
(remote procedure call). The System Administrator does not require an in-depth
knowledge of this protocol. SSL encryption is used on the protocol contents and a
hashed password is used for authentication. However, it does not feature functions
such as the sophisticated server certificate authentication of the PacketiX VPN
protocol. It is therefore recommended to make the cluster connection between the
cluster controller and cluster members within a physically secure network such as the
same LAN. In most cases there is no problem because all computers used in the cluster
are set up in the same room, but caution is required where the computers have to be
geographically separated.

3.9.4 Load Balancing

When making a normal VPN connection from the VPN Client and a cascade connection
from the VPN Client / VPN Bridge to a cluster, designate the cluster controller's IP
address and port number and the name of the destination Virtual HUB.

The cluster controller VPN Server receiving the connection from the VPN source carries
out authentication of that connection then selects the cluster member to which to assign
that VPN session. The following algorithms are used in this case.

When the Virtual HUB Designated as the VPN Destination is Static:

The cluster controller redirects the connection to the VPN Server with the highest point
value among all of those currently available.


Please refer to 「3.9.7 Static Virtual HUBs」 for details on static Virtual HUBs.

When the Virtual HUB Designated as the VPN Destination is Dynamic:

The redirect VPN Server is selected according to the following procedure.

1. When the VPN session connected to that Virtual HUB does not yet exist on one of
the VPN Servers in the cluster, the connection is redirected to the VPN Server with
the highest point value.
2. When the VPN session connected to that Virtual HUB already exists on one of the
VPN Servers in the cluster, the connection is redirected to that VPN Server.

Please refer to 「3.9.8 Dynamic Virtual HUBs」 for details on dynamic Virtual HUBs.

3.9.5 Load Balancing using Performance Standard Ratio

Weighting by Performance Standard Ratio

As previously mentioned, when the cluster controller selects the server with the lowest
load from among the VPN Servers in the cluster, it selects the VPN Server with the
highest point value.

The points used here are approximately determined by the following formula.

Points = (4096 − (No. of sessions processed by VPN Server × 100 ÷ weight)) × 100000 ÷ 4096

* PacketiX VPN Server 2.0 Carrier Edition substitutes 4096 with 100000.

The above formula enables a definition of the performance standard ratio of each VPN
Server by setting "weighting" parameters for each server. By setting the values of the
[Function Standard Ratio in Cluster] settings entry in the VPN Server's [Configure
Clustering], it is possible to change the weight parameter freely. The default setting of
the weight parameter is 100.

The [Function Standard Ratio in Cluster] value sets how the subject VPN Server
performs against a value of 100 for a normally performing VPN Server. For example,
where two servers have respective [Function Standard Ratio in Cluster] values of 100
and 200, this means that the latter server is capable of processing twice the amount of
VPN sessions as the former server. The VPN cluster controller determines how many VPN
sessions the entire VPN Server should be able to process based largely on the value set
here and distributes load accordingly.

Settings to Prevent the Cluster Controller Itself from Processing VPN Communication

The cluster controller may select itself as the VPN Server to process a VPN connection
from a VPN source. When the cluster controller decides the VPN Server to which to
allocate a new VPN session, the decision is based on the cluster's VPN Server point
values determined by the algorithms described in 「3.9.4 Load Balancing」 , so both the
cluster controller and the cluster members are judged according to an equal standard.

However, when a large volume of VPN connection sessions representing a significantly
large load for the entire server have to be processed, it is possible to reduce the load on
the cluster controller itself by having it assume only the role of redirecting VPN sessions
to each of the cluster members. To enable this setting, open the [Configure Clustering]
settings entry and enable the [Controller functions only (It does not process VPN
communication itself)] checkbox. This prevents the cluster controller from selecting itself
when deciding which VPN Server to assign a new VPN session to.
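The following added example (not code from PacketiX VPN; the data structures, function names and the sample cluster are assumptions) works the point formula of 3.9.5 and the redirect rules of 3.9.4 through for an Enterprise Edition cluster, including the [Controller functions only] setting and the exclusion of a member whose cluster connection has been lost (3.9.6).

```python
"""Cluster controller redirect selection, modelled on sections 3.9.4 to 3.9.6.
Added illustration, not code from the PacketiX VPN Server. The points formula and
the static/dynamic Virtual HUB rules are those stated in the manual; data structures,
function names and the constructed sample cluster are assumptions of this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ENTERPRISE_MAX = 4096     # constant in the points formula for Enterprise Edition
CARRIER_MAX = 100000      # Carrier Edition substitutes 100000 for 4096


@dataclass
class ClusterServer:
    host: str
    sessions: int = 0             # VPN sessions this server is currently processing
    weight: int = 100             # [Function Standard Ratio in Cluster], default 100
    is_controller: bool = False
    online: bool = True           # False once its cluster connection is lost (3.9.6)
    # dynamic Virtual HUBs whose instance is currently running on this server (3.9.8)
    dynamic_hubs: Set[str] = field(default_factory=set)


def points(server: ClusterServer, max_value: int = ENTERPRISE_MAX) -> int:
    """Points = (MAX - sessions x 100 / weight) x 100000 / MAX (section 3.9.5).
    A higher value means a lower load and a higher chance of being selected."""
    if server.weight <= 0:
        raise ValueError("weight must be positive")
    load = server.sessions * 100 // server.weight
    return (max_value - load) * 100000 // max_value


def select_server(cluster: List[ClusterServer], hub: str, static_hub: bool,
                  controller_only: bool = False,
                  max_value: int = ENTERPRISE_MAX) -> Optional[ClusterServer]:
    """Chooses the server to which a new session for `hub` is redirected.
    Servers whose cluster connection is down are excluded (fault tolerance);
    with [Controller functions only] the controller never selects itself."""
    candidates = [s for s in cluster
                  if s.online and not (controller_only and s.is_controller)]
    if not candidates:
        return None
    if not static_hub:
        # dynamic Virtual HUB: an existing instance pins every session to that server
        for s in candidates:
            if hub in s.dynamic_hubs:
                return s
    # static Virtual HUB, or first session of a dynamic one: highest point value wins
    return max(candidates, key=lambda s: points(s, max_value))


def assign_session(cluster: List[ClusterServer], hub: str, static_hub: bool,
                   controller_only: bool = False,
                   max_value: int = ENTERPRISE_MAX) -> Optional[str]:
    """Redirects a new session: counts it on the chosen server and, for a dynamic
    Virtual HUB, launches the HUB instance there. Returns the chosen host."""
    target = select_server(cluster, hub, static_hub, controller_only, max_value)
    if target is None:
        return None
    target.sessions += 1
    if not static_hub:
        target.dynamic_hubs.add(hub)
    return target.host


def build_sample_cluster() -> List[ClusterServer]:
    """Constructed sample (not from the manual): a controller and two members,
    the second member rated at twice the standard performance."""
    return [
        ClusterServer("ctrl", sessions=256, is_controller=True),
        ClusterServer("member1", sessions=1024, weight=100),
        ClusterServer("member2", sessions=1024, weight=200, dynamic_hubs={"DEPT_A"}),
    ]
```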

3.9.6 Fault Tolerance

The PacketiX VPN Server cluster system not only offers load balancing but also realizes
fault tolerance at the same time.

When a cluster member server within the cluster terminates suddenly due to hardware
trouble or a software / device driver malfunction, or when a situation arises whereby it
has to temporarily terminate its VPN Server process in order to update its VPN Server
software program and OS, that cluster member server loses connection with the cluster
controller, such that the cluster controller automatically deems it as having disengaged
from the cluster and excludes it from the load balancing.

In addition, all VPN sessions which were connected to the cluster member server which
has ceased to function are automatically taken over by other cluster member servers.
This processing is carried out automatically without the need for any special handling by
the VPN client computer of the VPN source. Therefore, even when some of the multiple
VPN Server computers used by an ISP or a large company terminate due to a
malfunction or have to shut down for maintenance, this mechanism enables the entire
network to continue operating without stopping as long as other computers remain in
the cluster.

Fig. 3-9-6 Realizing fault tolerance with the PacketiX VPN Cluster

3.9.7 Static Virtual HUBs

Virtual HUBs not using clustering are not particularly classified, but in a clustering
environment they are classified into two types: static Virtual HUBs and dynamic Virtual
HUBs. While the Virtual HUB's type has to be designated upon creation, it is also possible
to change the type at a later date.

First is an explanation of static hubs.

A static Virtual HUB is used to conveniently create a Virtual HUB for remote access VPN.
Creating a static Virtual HUB within a cluster generates that hub's instance (entity) in all
VPN Servers within the cluster, which continues to run on all VPN Servers as long as the
cluster is operating.

When connection source VPN software (usually an end user VPN Client) wishing to make
a remote access connection is connected to the cluster controller, the cluster controller
uses the aforementioned algorithms to select one of the VPN Servers and redirects the
connection to the static Virtual HUB instance within that VPN Server.

By configuring a local bridge connection between the physical Network Adapters
connected to each of the VPN Servers for each static Virtual HUB instance created in
each VPN Server in the cluster, and by connecting all of the local bridging destination
physical LANs to the in-house LAN destination to which the remote access is desired
(either a direct layer 2 connection or a layer 3 connection using a router and NAT is
acceptable), the VPN Client user can remotely access this in-house LAN regardless of
which VPN Server the connection is assigned to.

This mechanism enables the creation of a large-scale remote access VPN service
required to process a large volume of simultaneous connections. Please refer to 「10.8
Setting Up a Large Scale Remote Access VPN Service」 for specific configurations.

3.9.8 Dynamic Virtual HUBs

The dynamic Virtual HUB is a type of Virtual HUB convenient for providing VPN Server
services such as creating a large number of Virtual HUBs within a cluster and enabling
users connected to the same Virtual HUB to communicate freely. Dynamic Virtual HUBs
are suitable, for instance, as a way for systems divisions of large companies to make
Virtual HUBs for each department, or for ISPs creating Virtual HUBs as a service to their
customers, wherein those departments and customers have the administration authority
for that Virtual HUB and are free to operate it as they please. Such uses only require the
entire VPN Server Administrator to take note of whether the VPN cluster is running
properly, and all of the responsibility for setting and administering each Virtual HUB can
be delegated to the Virtual HUB Administrators.

When a dynamic Virtual HUB has been created within a cluster but does not have any
one connected to it, that Virtual HUB's instance (entity) does not exist on any of the VPN
Servers in the cluster. When the first session designating that Virtual HUB makes a VPN
connection, the controller selects the VPN Server which should launch that Virtual HUB's
instance for the first time, then creates the Virtual HUB instance on that VPN Server and
redirects the VPN session to that server. The second and subsequent sessions to that
Virtual HUB are automatically redirected to the VPN Server running that Virtual HUB
instance, such that regardless of how many VPN Servers there are, VPN sessions
connected to the same Virtual HUB are always connected to the same VPN Server. When
no one is connected to a dynamic Virtual HUB, its instance automatically stops running
and releases the CPU and memory reserved for it.

This system makes it possible to create a large-scale Virtual HUB hosting service capable
of hosting a large number of Virtual HUBs. Please refer to 「10.9 Setting Up a Large
Scale Virtual HUB Hosting Service」 for specific configurations.

3.9.9 Connecting to Arbitrary Servers in Static Virtual HUBs

As mentioned above, a VPN connection to a static mode Virtual HUB is automatically
load shared, so it is not possible to know which VPN Server the connection will be made
to until it has been established.

Virtual HUB Administrators may, however, need to connect to the static Virtual HUB
instance of an arbitrary VPN Server in a cluster for administration purposes. In this
event, when creating the connection settings in the VPN Client or the like, designate the
address of the VPN Server and the name of the Virtual HUB to which direct connection is
sought instead of designating the cluster controller as the connection destination VPN
Server. In addition, designate the password required to connect as an Administrator user
(see 「3.4.14 Administrator Connection」 for details). This exception makes it possible
for a VPN connection to be made directly to the desired VPN Server's static Virtual HUB
without being redirected by the cluster controller.

3.9.10 Collectively Administering the Entire Cluster

Collectively Administering the Entire Cluster

Once the cluster is created, the entire VPN Server Administrator and Virtual HUB
Administrators need only make an administration connection to the controller to be able
to collectively administer the status and VPN sessions of all of the Virtual HUBs operating
in the cluster. The administration of the VPN Server and Virtual HUBs is carried out using
the VPN Server Manager or vpncmd utility in the same manner as when not using the
clustering function.

Simply by connecting to the cluster controller, VPN Server Administrators can administer
all of the Virtual HUBs in the cluster. Each Virtual HUB Administrator can administer the
Virtual HUB for which they have authority.

The only situations in which it is necessary for VPN Server Administrators to make a
direct administration connection to cluster member servers other than the cluster
controller are the following.

- When disengaging a cluster member server from a cluster and returning its operating
mode to a stand alone server.

- When adding or deleting a cluster member server license.

- When confirming which Virtual HUB instances (entities) are actually operating within
the cluster member servers.

- When editing the cluster member server's [Encryption and Communication Setting]
entries, obtaining the contents of the Configuration file or acquiring the server's
status.

Virtual HUB Administrators can only perform administration connections to the cluster
controller, and not to the cluster member servers.

Local Bridge & Virtual Layer 3 Switch Settings

Local bridge and virtual layer 3 switch settings are carried out for each VPN Server.
However, entire VPN Server Administrator authority is required for these settings. Please
refer to 「3.9.12 Functions not Available Simultaneously with Clustering」 for further
details.

Changing Virtual HUB Types

After creating the Virtual HUB, the type (dynamic Virtual HUB or static Virtual HUB)
cannot be changed. As such, be sure to select a suitable type when creating the Virtual
HUB.

3.9.11 Cluster Configuration Licenses

Clustering Product Licenses

When using the clustering function, either the VPN Server 2.0 Enterprise Edition License
or the VPN Server 2.0 Carrier Edition License is required for each PacketiX VPN computer
to be run as a cluster controller or cluster member server. Without these product
licenses the clustering function cannot be enabled.

Inserting a single license key into multiple cluster controllers or cluster member servers
causes a licensing error to occur while using clustering, so be careful not to inadvertently
enter the same license key into more than one cluster controller or cluster member
server.

Administering Clustering Connection Licenses

When using the clustering function, a connection license only needs to be registered for
the cluster controller. Connection licenses do not have to be registered for each cluster
member server (doing so is meaningless).

Therefore, when purchasing VPN Server 2.0 Enterprise Edition Licenses with the intention
of using the clustering function, more than one such license must be purchased. One of
them is designated as the Server ID, and client connection licenses and bridge
connection licenses are then purchased in the number required for this Server ID. That
Server ID's product license key and its connection license keys are registered on the
VPN Server that is to become the cluster controller.

The number of client connection licenses required is the total number of client
connection sessions capable of connecting to the entire cluster simultaneously. Similarly,
the number of bridge connection licenses required is the total number of bridge
connection sessions capable of connecting to the entire cluster simultaneously.

PacketiX VPN Server 2.0's internal SecureNAT sessions, local bridge sessions, cascade
sessions and administration sessions connected from the VPN Server Manager and
vpncmd utility to administer PacketiX VPN Server 2.0 are not subject to the above-
mentioned number of client connections or bridge connections and do not consume a
connection license.

Please refer to 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for
details on product licenses and connection licenses.

3.9.12 Functions not Available Simultaneously with Clustering

When the clustering function is enabled, the following functions cannot be used at the
same time.

- Cascade Connections
(it is possible to receive a cascade connection from a separate computer)

- SecureNAT
(although PacketiX VPN Server 2.0 Carrier Edition does allow the use of SecureNAT's
Virtual DHCP Server function)

The local bridging and virtual layer 3 switch functions can be used normally. However,
the local bridge definitions and virtual layer 3 switch virtual interface definitions that
designate a Virtual HUB instance (entity) can only operate on the VPN Server on which
that instance actually exists. In the case of static mode Virtual HUBs, an instance of a
defined static Virtual HUB normally exists, in principle, on all VPN Servers. However, in
the case of dynamic hubs, at any one time there is only one VPN Server in the cluster on
which an instance can exist, so the local bridging and virtual layer 3 switching functions
are typically not available for dynamic Virtual HUBs.


3.10 Logging Service

PacketiX VPN Server 2.0 automatically writes its operational status and the packets
flowing over Virtual HUBs to log files. This provides a simple and reliable way to confirm
proper operation, trace problems and discover unauthorized access and policy breaches
at a later date. This section explains the logging service integrated into PacketiX VPN
Server 2.0.


3.10.1 Log Save Format & Save Cycle

Types of Logs Saved

The VPN Server automatically writes the Server Log as the log for the entire VPN Server.

Also, in addition to each of the Virtual HUBs writing a security log recording important
operating conditions relating to the hub's administration and VPN connection records,
they also write packet logs for the packet types pre-designated by the Virtual HUB
Administrator.

Every log file is a text file with one entry per line. When multibyte characters such as
hiragana or Chinese characters appear in a log file, the encoding is always UTF-8.

Log File Save Location & Format

The VPN Server creates three subdirectories, server_log, security_log and packet_log,
in the directory containing the vpnserver process (or vpnbridge process in the case of
the VPN Bridge) executable files, and writes the server log, security log and packet
log there respectively. For the security log and packet log, a further subdirectory named
after each Virtual HUB is created, and that Virtual HUB's logs are written to it.

Log File Switch Cycle

Virtual HUB Administrators can set the log file switch cycle of security logs and packet
logs. New file names are then generated based on this log file switch cycle. The log file
names created when the settable switch cycle and its rules are applied are as follows.
Note that the entire VPN Server log is always switched and saved on a daily cycle.

Switch Cycle     Naming convention for file name date portion
                 (example: 1:45:10 (pm), 7 December 2005)
No Switching     None (perpetually add records to the same file)
Every second     20051207_014510
Every minute     20051207_0145
Every hour       20051207_01
Every day        20051207
Every month      200512

Changing the Virtual HUB Log File Settings

The Virtual HUB Administrator can set the switch cycles of the Virtual HUB's security log
and packet log by clicking on [Log save settings] in the VPN Server Manager. When not
wishing to save a log file, deselecting the relevant checkbox prevents any log file from
being saved for that type of log. It is also possible to select in detail which types of
packet logs should be saved.

All Virtual HUB logs are set to a one-day switch cycle by default.

In the vpncmd utility, use the [LogEnable], [LogDisable], [LogSwitchSet] and
[LogPacketSaveType] commands.

Fig. 3-10-1 Log save settings window

Measures for Log Files Exceeding 2 Gbytes

While each log file grows in response to the log contents and volume, when it exceeds
2 Gbytes (or 2,147,483,648 bytes to be precise), that log file is automatically divided
and saved approximately every 2 Gbytes. The first file keeps the original file name while
the second and subsequent files are sequentially named "~01", "~02" and so on.
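As an added example (not code from the PacketiX manual or product), the following Python helper models the directory layout, the switch-cycle naming rules and the "~01" split suffix described above, parses such names back, and uses the result to pick files older than a retention period (the log backup advice of 3.11.3 and 3.11.6). The "vpn_" prefix, ".log" extension and "vpn_all.log" name for a never-switched log are assumptions, since the page specifies only the date portion.

```python
"""Log file path helper modelled on the PacketiX VPN 2.0 naming rules.

Added example, not code from the PacketiX manual or product. It covers:
  * per-type subdirectories: server_log, security_log/<hub>, packet_log/<hub>
  * the date portion chosen by the switch cycle (table above)
  * the "~01", "~02", ... suffixes given to files past the 2 GB split
ASSUMPTIONS (not stated on the page): files are named "vpn_<date>.log",
and a never-switched log is called "vpn_all.log".
"""
import re
from datetime import datetime, timedelta

# Switch cycle -> strftime pattern for the file name date portion.
CYCLE_FORMATS = {
    "second": "%Y%m%d_%H%M%S",  # 20051207_014510
    "minute": "%Y%m%d_%H%M",    # 20051207_0145
    "hour":   "%Y%m%d_%H",      # 20051207_01
    "day":    "%Y%m%d",         # 20051207
    "month":  "%Y%m",           # 200512
}
# The length of the date portion identifies the cycle uniquely, so
# parse_log_name() can pick the strptime format without guessing.
CYCLE_BY_LENGTH = {len(datetime(2005, 12, 7).strftime(f)): c
                   for c, f in CYCLE_FORMATS.items()}
SPLIT_BYTES = 2_147_483_648                        # 2 GB split threshold
PREFIX, SUFFIX, NO_SWITCH = "vpn_", ".log", "all"  # assumed naming


def _as_datetime(when):
    """Accept either a datetime or an ISO 8601 string."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def date_part(cycle, when):
    """Date portion of the file name for a switch cycle ("none" -> empty)."""
    if cycle == "none":
        return ""
    return _as_datetime(when).strftime(CYCLE_FORMATS[cycle])


def log_dir(log_type, hub=None):
    """Subdirectory for a log type; Virtual HUB logs get a per-hub directory."""
    if log_type == "server":
        return "server_log"
    if log_type in ("security", "packet"):
        if not hub:
            raise ValueError("Virtual HUB name required for security/packet logs")
        return f"{log_type}_log/{hub}"
    raise ValueError(f"unknown log type {log_type!r}")


def log_path(log_type, cycle, when, hub=None, bytes_written=0):
    """Path of the file an entry written at `when` lands in.

    The server log is always switched daily whatever `cycle` says; every
    full 2 GB already written pushes the entry into the next "~NN" file.
    """
    if log_type == "server":
        cycle = "day"
    name = PREFIX + (date_part(cycle, when) or NO_SWITCH)
    part = bytes_written // SPLIT_BYTES        # 0 -> original file name
    if part:
        name += f"~{part:02d}"
    return f"{log_dir(log_type, hub)}/{name}{SUFFIX}"


_NAME_RE = re.compile(r"^vpn_(\d{6}|\d{8}(?:_\d{2,6})?)(?:~(\d{2}))?\.log$")


def parse_log_name(name):
    """Inverse of log_path: (timestamp ISO string, cycle, part) or None."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    date, part = m.group(1), int(m.group(2) or 0)
    cycle = CYCLE_BY_LENGTH.get(len(date))
    if cycle is None:
        return None
    try:
        when = datetime.strptime(date, CYCLE_FORMATS[cycle])
    except ValueError:            # e.g. vpn_20051399.log is not a date
        return None
    return when.isoformat(sep=" "), cycle, part


def files_to_archive(names, now, keep_days):
    """Log names older than keep_days: back these up before the VPN Server
    deletes old logs on its own when disk space runs low (3.11.3, 3.11.6)."""
    cutoff = _as_datetime(now) - timedelta(days=keep_days)
    old = []
    for n in names:
        parsed = parse_log_name(n)
        if parsed and datetime.fromisoformat(parsed[0]) < cutoff:
            old.append(n)
    return old
```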

3.10.2 Server Log

The server log is saved under the [server_log] directory. The entire VPN Server
operating log is saved in the server log, which saves detailed operating records including
event records upon the launch & termination of the VPN Server and when & what type of
connections were received. Therefore, subsequent analysis of this log enables the tracing
of unauthorized access and the cause of problems.

In addition, copies of each of the Virtual HUBs' security logs are saved together in the
server log so that even if a Virtual HUB Administrator sets the security log not to be
saved, it is always saved automatically in the server log. Accordingly, even when the
Virtual HUB Administrator does not save the Virtual HUB logs or deletes them, their
contents can still be accessed from the VPN Server's server log.

3.10.3 Virtual HUB Security Log

The Virtual HUB security log is saved under the [security_log/Virtual HUB name]
directory. The security log records information on sessions which connected to the
Virtual HUB, records within the Virtual HUB (address table and database updates etc.)
and records relating to Virtual HUB administration (user creation etc.).

3.10.4 Virtual HUB Packet Log

The Virtual HUB packet log is saved under the [packet_log/Virtual HUB name]
directory. The packet log can save all of the headers of packets flowing within the Virtual
HUB or their entire payloads.

However, saving all types of packet logs generates a massive amount of log file data.
That is why the Virtual HUB Administrator is able to select which types of packets to
register in the packet log. The types of packets which can be selected in the [Log save
settings] window and their contents are as follows.

Packet Type           Packets saved when this type is selected
TCP Connection Log    Those TCP/IP protocol packets in which a TCP/IP connection
                      between a client and user is established or disconnected.
TCP Packet Log        All TCP/IP protocol packets.
DHCP Packet Log       Those UDP/IP protocol packets which are control data for the
                      DHCP protocol.
UDP Packet Log        All UDP/IP protocol packets.
ICMP Packet Log       All ICMP protocol packets.
IP Packet Log         All IP protocol packets.
ARP Packet Log        All ARP protocol packets.
Ethernet Packet Log   All packets.

When set to save packet logs, the Virtual HUB saves the packet log types pre-designated
by the Virtual HUB Administrator from among all virtual Ethernet frames flowing within
the Virtual HUB. Each Ethernet frame is analyzed with the highest possible layer from
layer 2 up to layer 7 using the VPN Server's internal high-level packet analysis engine
and important header information is saved as a packet log.

In addition, the Virtual HUB Administrator can write not only the header information but
also the entire contents of the packet (bit sequence) to the packet log in hexadecimal
format. In this case, note that it is necessary to have a high-capacity disk in proportion
to the total size of the packets actually transmitted.

By default, only the packet header information of two packet types, namely the TCP
connection log and DHCP packet log, is saved. While this setting is sufficient for
many environments, change the settings as required to save more detailed packet
information. Please note that saving all packet logs is not practical in view of today's
high-bandwidth communication lines.

3.10.6 Obtaining Log Files on a Remote Administration Terminal

The log files written by the VPN Server and Virtual HUBs are saved on the physical disk
of the computer on which the VPN Server is running. However, reading and downloading
files written to the physical disk is typically limited to that computer's Administrators
and users capable of logging in locally.

Because the VPN Server and Virtual HUB Administrators may not be the System
Administrators of the computer running the VPN Server, PacketiX VPN Server employs a
mechanism which allows log files to be read remotely without having to log in locally.
This is known as the remote log read function.

The remote log read function is very easy to use. Clicking on the [Log File List] button
when using the VPN Server Manager displays a list of the log files which can be read with
current authority along with their file size and time of last update. Log files can be
selected arbitrarily from this list and downloaded to an administration terminal. Data is
automatically SSL encrypted to ensure safety when transferring a log file because the
administration connection's TCP/IP connection is used.

The [LogGet] command can be used in the vpncmd utility.

The VPN Server Administrator can remotely obtain the VPN Server's server log, and the
security logs and server logs of all Virtual HUBs. Virtual HUB Administrators can only
remotely obtain the security log and server log of the Virtual HUB for which they have
authority, and cannot remotely acquire any other log files.

When connected to a cluster controller in a clustering environment, it is possible to
collectively enumerate and designate the log files of all cluster member servers including
the cluster controller, and download these files.

Fig. 3-10-2 Log file list display window

3.10.17 Syslog Transmission Function

As explained in 「3.3.17 Syslog Transmission Function」 , enabling the Syslog
Transmission function prevents log data sent by the syslog protocol from being saved to
the local hard disk.

3.11 Day-to-Day Management

Once PacketiX VPN Server 2.0 is fully installed and set up, it basically operates
continuously without the need for administrative handling such as frequent
administration and status checks. However, in order to continue to provide improved
service to VPN users, performing the following day-to-day management may prove
beneficial. The following is an explanation of daily management methods and knowledge
in the form of tips from an Administrator's perspective.

3.11.1 Auditing the Server Log

By checking the server log written by the VPN Server on a daily basis, the VPN Server
Administrator can audit the server's operational status. The server log is not in an
obscure data format like that typically written by a computer, but is instead in an
easy-to-read Japanese format and is therefore not too difficult to look over each day.

Moreover, it may be better to examine not only the VPN Server log but also the log of
the OS running the VPN Server as well as the logs of all network devices connected to the
computer (routers etc.) on a regular basis.

Frequent checking of these logs allows for the early detection of the following types of
problems.

- When user authentication failures, which do not usually occur often, are happening
frequently, this may indicate the presence of a party attempting to gain unauthorized
access to the VPN Server. In this case, it is possible to adjust the settings so as to
deny VPN connection to the IP address of the suspected hacker using the IP Access
Control List function.

- When VPN connections are being made from unknown VPN clients, this may reveal that a
user's password has been cracked and unauthorized access to the VPN Server has been
gained.

- When communication events are occurring repeatedly in the Virtual HUB's security
log, it is possible that some kind of anomaly has occurred within the VPN network.

- By mechanically processing the log file (for instance, extracting the necessary lines
using a tool such as [grep] and parsing them with a tool such as [Perl]), it is possible
to compile a database of the time and frequency of each user's connections.

- The contents of packet logs can be processed mechanically. Storing packet logs in a
database and indexing their headers facilitates rapid packet log searches when
tracing is required at a subsequent date.

- Consider using the Syslog Transmission function explained in 「3.3.17 Syslog
Transmission Function」 if necessary. Note, however, that when using the Syslog
Transmission function, the contents of logs may be lost if packet loss occurs when
attempting to send a large log volume.
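As an added example (not the manual's or the product's code), the following Python script performs the first, second and fourth checks above over constructed sample lines: it counts logins per user, counts authentication failures per source address, flags addresses whose failures reach a threshold as candidates for the IP Access Control List, and lists logins from addresses absent from a known-client list. The line format is an assumption, since the page does not reproduce the server log wording; adapt LINE_RE to the actual log before use.

```python
"""Daily server log audit helper for the checks listed in 3.11.1.

Added example, not code from the PacketiX manual or product. The VPN
Server writes one UTF-8 text entry per line, but this page does not show
the wording of those entries, so the SAMPLE_LOG and LINE_RE below use a
CONSTRUCTED format that must be adapted to the real log.
"""
import re
from collections import Counter

# Constructed sample lines (not real PacketiX output); one entry per line.
SAMPLE_LOG = """\
2005-12-07 08:01:12 Connection from 198.51.100.7: user "alice" authentication failed
2005-12-07 08:01:15 Connection from 198.51.100.7: user "alice" authentication failed
2005-12-07 08:01:19 Connection from 198.51.100.7: user "admin" authentication failed
2005-12-07 08:01:22 Connection from 198.51.100.7: user "root" authentication failed
2005-12-07 08:02:03 Connection from 198.51.100.7: user "bob" authentication failed
2005-12-07 09:15:40 Connection from 203.0.113.20: user "alice" logged in to Virtual HUB "DEFAULT"
2005-12-07 13:45:10 Connection from 203.0.113.20: user "alice" logged in to Virtual HUB "DEFAULT"
2005-12-07 14:02:55 Connection from 192.0.2.9: user "bob" logged in to Virtual HUB "DEFAULT"
2005-12-07 14:03:00 Connection from 198.51.100.7: user "bob" authentication failed
"""

# Assumed entry layout: timestamp, source address, user name, outcome.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Connection from (?P<ip>[0-9.]+): '
    r'user "(?P<user>[^"]+)" (?P<event>authentication failed|logged in)'
)


def parse_lines(text):
    """Yield one dict per line that matches LINE_RE; other lines are skipped,
    the same way a grep/Perl pipeline would ignore unrelated entries."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def audit(text, known_ips=frozenset(), fail_threshold=3):
    """Summarise one day of server log.

    Returns:
      logins_per_user          -- the "time and frequency of each user's
                                  connections" database, reduced to counts
      failures_per_ip          -- authentication failures by source address
      users_tried_per_ip       -- distinct user names attempted per address
                                  (several names from one address suggests
                                  guessing rather than a forgotten password)
      suspect_ips              -- addresses at or above fail_threshold, i.e.
                                  candidates for an IP Access Control List deny
      logins_from_unknown_ips  -- (user, ip) logins not in known_ips, the
                                  "unknown VPN client" case
    """
    logins = Counter()
    failures = Counter()
    users_tried = {}
    unknown = []
    for e in parse_lines(text):
        if e["event"] == "logged in":
            logins[e["user"]] += 1
            if e["ip"] not in known_ips:
                unknown.append((e["user"], e["ip"]))
        else:
            failures[e["ip"]] += 1
            users_tried.setdefault(e["ip"], set()).add(e["user"])
    return {
        "logins_per_user": dict(logins),
        "failures_per_ip": dict(failures),
        "users_tried_per_ip": {ip: sorted(u) for ip, u in users_tried.items()},
        "suspect_ips": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
        "logins_from_unknown_ips": unknown,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, known_ips={"203.0.113.20"}).items():
        print(f"{key}: {value}")
```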

3.11.2 Checking Usage Status

The VPN Server and Virtual HUBs automatically record and administer statistical
information relating to various objects (see 「3.3.10 Administration of Statistical
Information」 for details). By checking this statistical information, the VPN Server &
Virtual HUB Administrators can obtain information relating to the VPN service's usage
status, such as which users and Virtual HUBs have a large communication volume.

3.11.3 Backing Up Configuration Information

It is recommended that the VPN Server Administrator make regular backups of the
[vpn_server.config] file, as this file contains all of the information required to operate
the VPN Server. Automatically backing up the vpn_server.config file to a separate
computer is also prudent in preparing for a potential hardware malfunction on the
computer operating the VPN Server.

It is also recommended to back up all log files (server log, security log and packet log)
onto a secure device such as external media wherever possible. When disk capacity
appears likely to be insufficient, please note that old log files are automatically deleted
by the VPN Server to give priority to writing new ones (refer to 「3.3.11 Automatic
Adjustment when Disk Space is Insufficient」 for details).

3.11.4 Recovering from Failure

When a failure such as a physical malfunction occurs on the computer operating the VPN
Server, it is possible to continue operation using the configuration information prior to
the failure by immediately preparing a separate computer with the VPN Server installed
and having it read the latest vpn_server.config backup file.

3.11.5 Rolling Back the Configuration

Even when Administrators do not explicitly perform backups, the Configuration file
history is saved once every hour whenever the file's contents have been changed (please
refer to 「3.3.9 Configuration History」 for details). If the Configuration file is
inadvertently corrupted or deleted due to a disk malfunction or power outage, or when
important settings are erroneously deleted and would be difficult to set again, it is
possible to roll back to the contents of a previous Configuration file at an arbitrary
point using this automatic backup system.

Please refer to the section in 「3.3.7 Configuration File」 entitled "Replacing the
Configuration File" for details on how to restore the Configuration file.

3.11.6 Confirming Hard Disk Availability

Please pay heed to the computer's available hard disk capacity, not only for the VPN
Server but when operating any server services. In particular, on the VPN Server which
saves many log files, log files are automatically deleted in sequence starting with the
oldest when hard disk space becomes low. In order to prevent this from happening,
make regular backups of old log files before deleting them.

If a server other than the VPN Server is operating on the same computer, please note
that the VPN Server can also be affected by the disk space consumed by logs and other
data files written by that other software.

3.11.7 Network Administration Support Tools

In some cases, the simple administration of the computer running the VPN Server can
be facilitated by the use of either commercial or free network administration support
software.

For example, a utility which supports SNMP (Simple Network Management Protocol) can
display a simple graph of the CPU usage and network traffic of the VPN Server computer.

In addition, integrated management software can manage the server computers running
the VPN Server and other services together, enabling regular backups, server rebooting
and the application of system patches.

3.11.8 Checking Sufficiency of Required Resources

The operating performance of the VPN Server depends upon the server computer's CPU
speed, memory speed & availability, remaining hard disk capacity & fragmentation ratio
and network bandwidth.

- It is recommended that the CPU of the VPN Server computer be as fast as budget and
usability constraints allow. CPU speed has a significant impact upon the speed of VPN
communication encryption & decryption, RSA operations, encapsulation and
decapsulation. Select a CPU with a large cache size which offers Hyper-Threading &
multi-core technology and is adept at parallel processing.

- While the VPN Server instantly processes large volumes of data, much of that data is
stored temporarily in memory. That is why the VPN Server's performance is affected
considerably by the memory speed. Moreover, depending on the OS, swapping occurs
when available physical memory becomes scarce; code that accesses the swapped-out
memory is stopped during swap processing, which can have a large damaging effect on
the operation of the VPN Server. As such, it is recommended that sufficient memory be
installed on the server computer in advance, especially when simultaneously processing
a large volume of connections or writing packet logs for many types of packets on the
VPN Server.

- The VPN Server writes many logs to the hard disk. If the available hard disk space
becomes deficient or fragmentation becomes severe, writing these logs also becomes
time-consuming, which is undesirable.

- PacketiX VPN is communication software, so it is recommended that the VPN Server be
connected to a broadband, low-latency network.

When simultaneously processing a large volume of connections, it may not be possible
for a single VPN Server computer to provide satisfactory hardware resources. The VPN
Server's clustering function should be considered in such situations.

3.11.9 Measuring Effective Throughput

When administering the VPN Server, it is recommended that a VPN connection be made
from the perspective of the user on a regular basis in order to measure the effective
throughput. The easiest way to measure effective throughput is to prepare two client
computers and connect to the same segment via the line normally used by the users,
then measure the communication throughput using a communication throughput
measuring tool. For details, please refer to 「4.8 Measuring Effective Throughput」 .

If the result is considerably lower than expected, the cause is likely with the network or
the hardware resources of the server computer so these areas should be scrutinized.


Chapter 4 PacketiX VPN Client 2.0 Manual

PacketiX VPN Client is VPN client software with a Virtual Network Adapter function that
enables connection to a Virtual HUB on a PacketiX VPN Server operated at a remote
location. With a few simple settings, a user of a computer with PacketiX VPN Client
installed can connect to a Virtual HUB on PacketiX VPN Server and communicate flexibly
via the Virtual Network Adapter.

This chapter describes the functions of PacketiX VPN Client 2.0 and how to use the
functions.

PacketiX VPN Client is provided as a free software product. To use all of the functions at
no cost, you must agree to the end-user license agreement.

4.1 Operating Environment
4.1.1 Windows Support
4.1.2 Linux Support
4.1.3 Support for Other Systems
4.1.4 Limitations
4.2 Operating the VPN Client
4.2.1 VPN Client Manager
4.2.2 Command Line Management Utility (vpncmd)
4.2.3 Task Tray Icon
4.3 Virtual Network Adapter
4.3.1 Support for Multiple Virtual Network Adapters
4.3.2 Virtual Network Adapter Creation and Setup
4.3.3 Managing the Version of the Virtual Network Adapter Device Driver
4.3.4 Bridge Connection Between a Virtual Network Adapter and Physical Network Adapter
4.4 VPN Server Connection Method
4.4.1 Selecting the Proper Connection Method
4.4.2 Direct TCP/IP Connection
4.4.3 Connection Via HTTP Proxy Server
4.4.4 Connection Via SOCKS Proxy Server
4.4.5 Server-Certificate Verification
4.4.6 Selecting a Virtual Network Adapter
4.4.7 User Authentication Setting
4.4.8 Use of the Smart Card Authentication
4.4.9 Automatic Reconnection Function
4.4.10 Connection Status and Error Message Displays
4.4.11 Advanced Communication Settings
4.4.12 Number of TCP/IP Connections for VPN Session Communications
4.4.13 Interval Between TCP Connections and Length of TCP Connection
4.4.14 Half-Duplex Mode Option
4.4.15 SSL Encryption Option
4.4.16 Data Compression Option
4.4.17 Selecting the Connection Mode
4.4.18 Routing Table Rewrite Process
4.4.19 Startup Connection
4.4.20 Exporting and Importing Connection Settings
4.4.21 Creating a Shortcut for a Connection Setting
4.4.22 VPN Server and VPN Bridge Cascade Connection Setting
4.5 Connecting to VPN Server
4.5.1 Starting a VPN Connection
4.5.2 Checking the Connection Status
4.5.3 Terminating a VPN Connection
4.5.4 Operations When an Error Occurs
4.6 Using and Managing Smart Cards
4.6.1 Smart Card Device Driver
4.6.1 Selecting a Smart Card
4.6.3 Listing and Obtaining Smart Card Objects
4.6.4 Deleting Smart Card Objects
4.6.5 Changing a PIN Code
4.6.6 Using Smart Card Authentication to Connect to VPN Server
4.6.8 Limitations
4.7 Management in a Large-Scale Environment
4.7.1 Remote Management of VPN Client
4.7.2 Distributing Configuration Files
4.7.3 Distributing a Connection Setting File to Users
4.8 Measuring Effective Throughput
4.8.1 Using the Communication Throughput Measurement Tool
4.8.2 Configuring the Communication Throughput Measurement Tool
4.8.3 Communication Throughput Measurement Precautions
4.9 Other Functions
4.9.1 Changing the User Password Registered to VPN Server
4.9.2 Internet Connection Maintenance Function
4.9.3 Voice Guide Function
4.9.4 Translucent Window Function
4.9.5 Setting Lock Function
4.9.6 Simple Mode and Normal Mode

4.1 Operating Environment

PacketiX VPN Client 2.0 supports Windows and Linux operating systems. For the
specifications related to the supported operating systems, please refer to 「12.2
PacketiX VPN Client 2.0 Specs」 .

4.1.1 Windows Support

PacketiX VPN Client 2.0 supports the Microsoft Windows platform. This software product
formally supports operating systems with an NT-type kernel in Windows 2000 or later,
and it can also be used with VPN Client installed in Windows 98 Second Edition (SE) and
Windows Millennium Edition (ME).

For PacketiX VPN software, it is assumed you are using Windows for the client system to
directly and remotely access the VPN. This is because the main purpose of installing VPN
Client is to remotely access VPN Server over the Internet and because most corporate
and personal desktop computers and laptop computers operate Windows.

The system architecture supported by the Windows version of PacketiX VPN Client is
shown below. Please note that the supported architecture is likely to change to higher
specifications in the future.

- x86

- x64 (AMD64 / EM64T)

PacketiX VPN Client 2.0 can operate on either a 32-bit or 64-bit (x64) version of
Windows. For details on the support of a 64-bit environment, please refer to 「Chapter
12 PacketiX VPN Software Specification」 .

SoftEther Corporation provides formal support for VPN Client only for Windows
2000/XP/Server 2003. This manual describes how to use VPN Client on these operating
systems.

4.1.2 Linux Support

PacketiX VPN Client 2.0 also operates on platforms with Linux kernel 2.4 or later.
However, the Linux version of VPN Client has numerous limitations, and currently it
cannot be operated using a GUI. Therefore, the Linux version of VPN Client is
recommended for use only by users with a very strong understanding of the Linux
operating system and networks.

When using a Linux server to configure a connection between bases or a remote access
VPN, normally this can be achieved using the local bridge functions of the Linux version
of VPN Server, and the Linux version of VPN Client does not need to be used.

4.1.3 Support for Other Systems

Currently, PacketiX VPN Client is only provided for Windows and Linux operating
systems. PacketiX VPN users have not expressed much demand for support of VPN
Client on other operating systems. In addition, most non-Windows operating systems
provide poor support of networking functions for client computing when compared with
Windows, and using VPN Client on such a system may not provide completely
satisfactory results.

SoftEther Corporation has a policy of porting VPN Client to next-generation operating
systems, including the latest version of Windows, as demand arises.

4.1.4 Limitations

The following limitations apply when using VPN Client.

- Limited support is provided for Windows 98 SE and Windows ME, with several
limitations. For example, only one Virtual Network Adapter can be added to these
operating systems. In addition, you are normally required to restart Windows after
adding a Virtual Network Adapter, enabling or disabling it, or changing its IP address
setting. Furthermore, Windows 98 SE and Windows ME are operating systems based on
the old Windows kernel, which means such a system can be unstable and, over time, can
become more prone to crashes and malfunctions. SoftEther Corporation does not
recommend the use of VPN Client on Windows 98 SE or Windows ME.

- VPN Client cannot be used on earlier versions of Windows (Windows 98 or earlier).

- The Windows version of VPN Client operates by installing the device driver for a
Virtual Network Adapter, which the system recognizes as a single network adapter. There
are several existing network-related problems in Windows, and these problems also
affect the Virtual Network Adapter of VPN Client.

- SoftEther Corporation provides a Linux version of VPN Client, but it does not provide
support for the proper operation of this version of the software product.

- To operate the Linux version of VPN Client, the Universal TUN/TAP device driver
module must be built into the kernel. For details, please refer to
http://vtun.sourceforge.net/tun/ .

- The Linux version of VPN Client does not have a function for automatically rewriting
the routing table. To set the tap device connected to the VPN as the default gateway,
you may need to manually add a static route to the VPN Server.

- To use the tap device created with the Linux version of VPN Client as a DHCP client
device, you must properly configure the DHCP client daemon.

4.2 Operating the VPN Client

Installing PacketiX VPN Client 2.0 installs PacketiX VPN Client Service, which always runs
in the background, and two utilities that allow the user to operate VPN Client. General
users do not need to pay attention to the service running in the background. The user
can perform all VPN Client operations using VPN Client Manager and other user
interfaces. This section describes the two types of tools used to operate VPN Client.

4.2.1 VPN Client Manager

PacketiX VPN Client Manager is a utility with a Windows-supported graphical user
interface (GUI) that allows the user to operate PacketiX VPN Client. Normally, the end
user uses VPN Client Manager to operate VPN Client.

VPN Client Manager allows the user to easily operate nearly all VPN Client operations by
selecting menu items and entering required information in the GUI windows in the same
manner as a conventional Windows application. Therefore, even users without much
knowledge of VPN technologies can quickly operate VPN Client.

VPN Client Manager also enables control of VPN Client services from local computers as
well as from remote computers. In this case, you must configure the destination VPN
Client setting to allow for a remote connection. In this way, the administrator can
remotely control the VPN Client service installed in a computer at a remote location. You
can also operate the Linux version of VPN Client using VPN Client Manager. This manual
does not describe in detail the operating procedure for operating VPN Client Manager
while connected to a remote computer, but you can use the method for operating VPN
Client Manager while connected to a local computer in almost the same way.

VPN Client Manager is installed at the same time as the Windows version of VPN Client.


Figure 4-2-1 VPN Client Manager

4.2.2 Command Line Management Utility (vpncmd)

PacketiX VPN Client Manager is a GUI application, but you can use vpncmd as a utility
that performs the same operations from the command line. For more information about
vpncmd, please refer to 「2.6 VPN Command Line Management Utility (vpncmd)」 and
「Chapter 6 Command Line Management Utility Manual」.

You can easily automate management by operating and controlling VPN Client using
vpncmd. For example, it is possible to automatically connect to a specified VPN server at
a specified time. With vpncmd, normally all operations that can be performed with VPN
Client Manager can be performed using the command line.

In this chapter, it is assumed that VPN Client Manager is used to operate VPN Client. For
more information about operating VPN Client using vpncmd, please refer to 「Chapter 6
Command Line Management Utility Manual」.

Figure 4-2-2 Controlling VPN Client Using the Command Line Management Utility (vpncmd)

4.2.3 Task Tray Icon

When PacketiX VPN Client is installed, the PacketiX VPN Client icon is placed on the
Windows task tray in the taskbar. The user can use this icon to quickly operate VPN
Client Manager without having to open the window.

Figure 4-2-3 PacketiX VPN Client Task Tray Icon

In addition, the display of the task tray icon indicates the current VPN connection status.
If the icon is grayed out, this indicates that currently there is no VPN communication. If
the icon is highlighted and is rotating quickly, this indicates that the software is
connecting to VPN Server. If the icon is rotating slowly, this indicates that a VPN session
has been established.


To hide the task tray icon, delete the PacketiX VPN Client taskbar item from [Startup] in
Windows.

The task tray icon is registered to the taskbar when VPN Client Manager is started for
the first time after VPN Client is installed.

4.3 Virtual Network Adapter

PacketiX VPN Client communicates over a VPN by creating a Virtual Network Adapter on
the system. The Virtual Network Adapter is recognized by the Windows operating system
and applications running on Windows as a network device in the same way as a physical
network adapter. This enables the user to use the Virtual Network Adapter with TCP/IP
protocols and other network protocols (such as NetBEUI).

4.3.1 Support for Multiple Virtual Network Adapters

The earlier version of SoftEther 1.0 only allowed the user to create one Virtual Network
Adapter on the system. In PacketiX VPN Client 2.0, however, multiple Virtual Network
Adapters can be created on the system, unique TCP/IP protocol settings can be
configured for each Virtual Network Adapter, and these Virtual Network Adapters can
then connect to the VPN simultaneously as individual network devices.

Figure 4-3-1 Support for Multiple Virtual Network Adapters

4.3.2 Virtual Network Adapter Creation and Setup

Creating a Virtual Network Adapter

When the VPN client is first installed, there will be no Virtual Network Adapters
registered. The user can freely create as many Virtual Network Adapters as needed.

Each new Virtual Network Adapter must be given a name. A name consists of up to 31
alphanumeric characters. However, names are limited to four characters under Windows
98 Second Edition and Windows Millennium Edition. When multiple Virtual Network
Adapters are created, the Virtual Network Adapter names must all be different.

Only users with administrator privileges on the computer can change Virtual Network
Adapter settings. Only users who can connect to and control the VPN client service on
the computer can create or delete Virtual Network Adapters.

To create a new Virtual Network Adapter, click [Create Virtual Network Adapter] under
[Virtual Adapter] menu in the VPN Client Manager.

Figure 4-3-2 New Virtual Network Adapter Creation Dialog

Normal Virtual Network Adapter Settings

A newly created Virtual Network Adapter will be recognized as a Windows device. It will
be displayed as a [new network connection] icon in [Network Connections] in the
Windows Control Panel.

If, for example, the name of the newly created Virtual Network Adapter was "ABC", that
Virtual Network Adapter device name will be registered and displayed as "VPN Client
Adapter - ABC" in the Device Manager. Also, the name of the icon registered in the
Control Panel's [Network Connection] window will be "ABC - VPN client". The user can
change this name at any time.

Figure 4-3-3 Virtual Network Adapter Display in Network Connections

The TCP/IP protocol and other settings for the Virtual Network Adapter can be set in the
same way as for a normal network adapter, by right-clicking the VPN client Virtual
Network Adapter's icon in the Control Panel's [Network Connections] folder and selecting
[Properties]. When a new Virtual Network Adapter is created, the user can set the
protocol and clear any unneeded service bindings in the same manner as the user would
for a physical network adapter. For details on the settings, please ask the administrator
of the VPN server you want to connect to.

Figure 4-3-4 Virtual Network Adapter Network Properties

Changing Advanced Settings

The following Virtual Network Adapter settings can be changed in the properties for a
VPN client Virtual Network Adapter registered in the Windows Device Manager. Note that
the VPN connection will be temporarily closed if these settings are changed while the
Virtual Network Adapter is being used for VPN communication.

Item: Indicate Speed (Mbps)
Description: Specifies the datalink speed in Mbps that the Virtual Network Adapter reports
to the operating system. Windows recognizes that the maximum communication rate
supported by the Virtual Network Adapter is the value set here. The actual communication
rate is not influenced by the value set here. Although normally no problems will occur if
this setting is left at 100 Mbps, if the physical connection used for VPN communication
has a maximum rate of only 10 Mbps, this value may be set to 10 Mbps.
Default: 100 (Mbps)

Item: MAC Address
Description: Specifies the value of the MAC address held by the Virtual Network Adapter.
This item can be set to any value that can be used as a MAC address. When specifying a
MAC address, specify a consecutive sequence of hexadecimal digits. (No hyphens or colons
are required.)
Default: A 4-byte value that consists of "00:AC" (fixed) followed by a random number is
used as the initial MAC address.

Figure 4-3-5 Virtual Network Adapter Device Driver Setting Window

Removing a Virtual Network Adapter

Once a Virtual Network Adapter has been added by the user, it remains in the system
until the user removes it manually. There are two ways to remove a Virtual Network
Adapter as shown below. These methods for removing a Virtual Network Adapter are
equivalent.

• Removal using the Windows Device Manager

• Removal using the VPN Client Manager

Enabling and Disabling a Virtual Network Adapter


A Virtual Network Adapter registered in the system can be enabled or disabled at any
time. When a new Virtual Network Adapter is created, it will be in the enabled state.
When a Virtual Network Adapter is disabled, Windows handles it as though it has been
disconnected from the system.

The Virtual Network Adapter enable/disable operations are performed from either the
VPN Client Manager or the Windows Device Manager or [Network Connections] window.

Figure 4-3-6 Disabling a Virtual Network Adapter

Messages Indicating that a Network Cable is Unplugged

Under Windows 2000 and later, when a new Virtual Network Adapter is created, an icon
is displayed in the task tray at the lower right of the task bar and the message "A
network cable is unplugged." is displayed. This is normal operation.

When a VPN client uses a Virtual Network Adapter which is not connected to a VPN, the
adapter operates in exactly the same state as when the network cable between a
physical network adapter and the switching hub is disconnected. Therefore, when a
Virtual Network Adapter is used and a VPN is not connected, Windows handles that
Virtual Network Adapter as a network adapter to which no network cable is attached.
When a VPN connection is established using the Virtual Network Adapter, operation
starts in the same fashion as when a network adapter is connected to a switching hub
by a network cable.

Figure 4-3-7 The "A network cable is unplugged" Message

Figure 4-3-8 Virtual Network Adapter's "Connection Established" Message

4.3.3 Managing the Version of the Virtual Network Adapter Device Driver

The version of the device driver of the Virtual Network Adapter created by the user is
displayed in VPN Client Manager. This is the version of the device driver program file at
the time the user registered the Virtual Network Adapter to Windows.

The version of the device driver of the Virtual Network Adapter is the same as the
version of the VPN Client software used to create the Virtual Network Adapter. Even if a
later version of the VPN Client software is installed thereafter, the version of the device
driver of the previously created Virtual Network Adapter is not updated. To update the
version of the device driver of the Virtual Network Adapter to the same version of the
VPN Client software, use VPN Client Manager to select the Virtual Network Adapter to be
updated and click [Reinstall Driver] on the [Virtual Adapter] menu.

4.3.4 Bridge Connection Between a Virtual Network Adapter and Physical Network Adapter

In SoftEther 1.0, it was possible to connect a virtual network to a physical network using
the Windows function to create a bridge connection between the Virtual Network Adapter
and physical network adapter.

In PacketiX VPN 2.0, the user can create a local bridge connection between a Virtual
HUB and an existing physical LAN with the functions provided in VPN Server and VPN
Bridge. (For details, please refer to 「3.6 Local Bridges」.) Because the performance of
the local bridge connection function of VPN Server / VPN Bridge is the same as or better
than that when using VPN Client together with the bridge connection function of
Windows XP/Server 2003/Vista, normally, there is no need to use the bridge connection
function on the client side.

Under special circumstances or when the user wants to create a bridge connection
between the Virtual Network Adapter and physical network adapter on the VPN Client
side, a bridge connection can be created in the same way as the Virtual Network Adapter
of SoftEther 1.0. In these cases, connect the Virtual Network Adapter and the physical
network adapter using the same method for creating a bridge connection between two
network adapters using the functions of Windows XP/Server 2003/Vista.

Figure 4-3-9 Using the Windows Function to Create a Bridge Connection Between a Virtual
Network Adapter and Physical Network Adapter

4.4 VPN Server Connection Method

After installing PacketiX VPN Client and creating a Virtual Network Adapter, configure a
connection setting to connect to the Virtual HUB of the desired PacketiX VPN Server. This
section describes the information that must be entered when creating a connection
setting.

The settings described here are, for the most part, the same as the settings used to
configure a cascade connection to VPN Server or VPN Bridge on a separate computer
using the Virtual HUB of VPN Server or VPN Bridge described in 「3.4.11 Cascade
Connection Functions」. The windows for editing the connection setting of the cascade
connection and VPN Client are nearly the same, and the resulting operations when the
connection settings are edited are also the same. Refer to the information described
here when configuring a cascade connection.

4.4.1 Selecting the Proper Connection Method

Creating a Connection Setting

At the time PacketiX VPN Client is installed, no connection settings exist. To establish a
VPN connection to PacketiX VPN Server, you must create a connection setting. To create
a connection setting, select [New Connection Setting] on the [Connect] menu of VPN
Client Manager. Hereafter, explanations on creating a connection setting and editing the
settings assume this window is open.


Figure 4-4-1 Window for Creating and Editing a Connection Setting

To connect the computer with PacketiX VPN Client installed to the Virtual HUB of the
desired PacketiX VPN Server, first you must select the proper connection method
according to the network environment of the client and server computers. Select the
connection method in the [Proxy Server for Relaying] field. When using a proxy server,
click [Proxy Server Connection Setting] and enter the required parameters.

Choose from the following three connection methods.

• Direct TCP/IP Connection

• Connection Via HTTP Proxy Server

• Connection Via SOCKS Proxy Server

Specifying the Destination VPN Server

Regardless of the connection method, you must correctly enter the host name, port
number, and Virtual HUB name of the destination VPN Server. The default port number
is 8888, but you can specify any TCP/IP port waiting for incoming connections as the
listener port on the destination VPN Server. When connecting via an HTTP proxy server
or when using high firewall settings, consider using 443 (port for HTTPS access). For
more information about setting the port number, please contact the VPN Server
administrator.

4.4.2 Direct TCP/IP Connection

Use a direct TCP/IP connection in an environment where only direct IP routing can be
used to establish an IP connection between the VPN client computer and VPN server
computer. Select this setting when, for example, the VPN client computer and VPN
server computer are both directly connected to a global IP address usable on the
Internet or when a normal NAT or transparent firewall exists between the two
computers.

Figure 4-4-2 Direct TCP/IP Connection

4.4.3 Connection Via HTTP Proxy Server

When a direct TCP/IP connection cannot be used, you can connect to VPN Server via an
HTTP proxy server.

Figure 4-4-3 Connection Via HTTP Proxy Server

To connect to VPN Server via an HTTP proxy server, select [Connect Via HTTP Proxy
Server], and then click [Proxy Server Connection Setting] and enter the required
information. For more information about the settings on the [Proxy Server Connection
Setting] window, please contact the administrator of the HTTP server.

Figure 4-4-4 Proxy Server Connection Setting Window

You can connect through a standard proxy server that supports the CONNECT method.


Depending on the proxy server, the connection via the CONNECT method may only be
allowed through port 443. In this case, set port 443 of the destination PacketiX VPN
Server as the listener port in advance, and then try connecting to that port. By
default, port 443 is enabled on VPN Server, but separate software products may also
use the same port, so caution must be exercised. For details, please contact the
administrator of the destination VPN Server.

4.4.4 Connection Via SOCKS Proxy Server

When a direct TCP/IP connection cannot be used, you can connect to VPN Server via a
SOCKS proxy server if available.

Figure 4-4-5 Connection Via SOCKS Proxy Server

To connect to VPN Server via a SOCKS proxy server, select [Connect Via SOCKS Proxy
Server], and then click [Proxy Server Connection Setting] and enter the required
information. For more information about the settings on the [Proxy Server Connection
Setting] window, please contact the administrator of the SOCKS server.

At the time of writing this manual, PacketiX VPN Client supports SOCKS protocol
version 4, but does not support version 5.

4.4.5 Server-Certificate Verification

Enabling Server-Certificate Verification

As described in 「2.3 Server Authentication」, verifying that the server certificate of the
destination VPN Server is valid on the VPN client computer guarantees through
mathematical calculations that the destination VPN Server is the correct computer and
that there is no "man-in-the-middle attacker". For high security applications requiring
verification of the server certificate, use the server-certificate verification option.

Checking the box next to [Always Verify Server Certificate] performs verification of the
server SSL certificate when establishing a VPN connection using that connection setting.
By default, this box is not checked, so check it if necessary.

Clicking [Manage Trusted CA Certificate List] opens a window with a list of certificates
from trusted certification authorities managed by VPN Client (or the Virtual HUB in a
cascade connection). You can use this window to add, delete, or confirm trusted
certificates. When [Always Verify Server Certificate] is enabled and the user attempts to
connect to the VPN, VPN Client (or the Virtual HUB) checks whether the certificate
presented by the destination VPN Server is signed, according to the list of trusted
certificates, and connects only to the VPN Server with a signed certificate.

Figure 4-4-6 Server-Certificate Verification Options Window

Clicking [Specify Individual Cert] associates, in advance, the unique server certificate of
the VPN Server to which VPN Client is connecting with that connection setting. If the
destination VPN Server already has a server certificate, you can use this function to
register that certificate, thereby authenticating the server. This is an easy way to
authenticate a small-scale destination VPN server.

Window Displayed When Certificate Verification is Enabled and the Destination VPN
Server Presents an Untrusted Server Certificate When Connecting (Only for VPN Client)

The [Security warning] window is displayed if it is determined that the certificate
presented by the destination VPN Server cannot be trusted when connecting to VPN
Server with the [Always Verify Server Certificate] option enabled. This window displays
detailed information of the certificate presented by VPN Server. You can review the
displayed information to determine whether to trust the destination VPN Server. For
example, you can ensure the security of the destination VPN Server by checking the
validity of the digest value displayed to the VPN Server administrator over the telephone
or by using another relatively safe method. Clicking [Cancel Connection] cancels the
connection attempt to VPN Server.

Figure 4-4-7 Security Warning Window Displayed for an Untrusted Server Certificate

Clicking [Proceed with Connection] displays a dialog box asking the user whether to trust
the certificate. Clicking [Yes] registers this certificate as an [individual certificate] for the
connection setting, and the security alert is not displayed again as long as there are no
changes to the certificate presented by VPN Server. Clicking [No] does not register the
certificate.

Figure 4-4-8 Dialog Box Asking Whether to Trust the Server Certificate

If the certificate presented by VPN Server differs from the individual certificate
registered to the connection setting, the dialog box below is displayed. In this case, we
recommend that you immediately terminate the connection.

Figure 4-4-9 Security Warning Window Displayed When Server Certificates Do Not Match

The security warning windows described here are only displayed on PacketiX VPN
Client. When using a cascade connection on PacketiX VPN Server or PacketiX VPN
Bridge, a connection error is automatically generated and these windows are not
displayed, so caution must be exercised.
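The decision that section 4.4.5 describes at connect time, written out as an added example in Python (this is not VPN Client's own code): verification is skipped when [Always Verify Server Certificate] is off; a certificate accepted by the trusted CA list or matching the registered individual certificate connects silently; an unknown certificate raises the security warning, where the user's [Proceed] and [Yes] answer registers it as the individual certificate; and a certificate that differs from the registered one is a mismatch. Certificates are stood in for by constructed byte strings, `fingerprint()` produces the digest a user would read to the VPN Server administrator over the telephone, the outcome of the X.509 chain check against the trusted CA list is passed in as a boolean rather than re-implemented, and the order "pinned certificate first, then CA list" is an assumption. Unlike the dialog in Figure 4-4-9, the example treats a mismatch as a hard stop, which is the outcome the manual recommends.

```python
# Connect-time server certificate decision as described in section 4.4.5: skipped,
# trusted CA list, pinned individual certificate, untrusted (user prompt) or mismatch.
# Added example, not VPN Client's code; certificates are constructed byte strings.
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded server certificates (not real certificates).
CERT_SERVER_A = b"constructed-certificate-of-vpn-server-A"
CERT_SERVER_B = b"constructed-certificate-of-some-other-server"


def fingerprint(cert_der: bytes) -> str:
    """Digest of the certificate, formatted for reading to the administrator out of band."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class ConnectionSetting:
    check_server_cert: bool = False  # [Always Verify Server Certificate]
    individual_cert: Optional[bytes] = None  # [Specify Individual Cert], or accepted via [Yes]


def verify_server(setting: ConnectionSetting, presented: bytes,
                  ca_list_accepts: bool = False) -> str:
    """Classify the presented certificate. ca_list_accepts is the result of the X.509
    chain check against the trusted CA list, which this example does not re-implement.
    Assumption: a registered individual certificate is compared before the CA list."""
    if not setting.check_server_cert:
        return "skipped"
    if setting.individual_cert is not None:
        return "pinned" if setting.individual_cert == presented else "mismatch"
    return "trusted" if ca_list_accepts else "untrusted"


def connect(setting: ConnectionSetting, presented: bytes, ca_list_accepts: bool = False,
            user_trusts: bool = False) -> Tuple[bool, str]:
    """Return (connection proceeds, verdict). user_trusts is the user's answer to the
    security warning for an untrusted certificate; a mismatch is a hard stop here."""
    verdict = verify_server(setting, presented, ca_list_accepts)
    if verdict in ("skipped", "trusted", "pinned"):
        return True, verdict
    if verdict == "untrusted" and user_trusts:
        setting.individual_cert = presented  # remembered: no warning next time for this cert
        return True, verdict
    return False, verdict
```

The point of keeping the accepted certificate in the connection setting is what turns the first warning into a detection on every later connection: once the individual certificate is registered, any change in what the server presents, whether from a re-issued certificate or from an interposed host, is reported as a mismatch rather than as a fresh trust prompt.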

4.4.6 Selecting a Virtual Network Adapter

The VPN Client user must select the Virtual Network Adapter for the connection setting.
As described in 「4.3 Virtual Network Adapter」, a Virtual Network Adapter must be
registered to Windows in advance. When creating a connection setting, select the Virtual
Network Adapter you want to use to connect to VPN Server with the connection setting,
from the [Virtual Network Adapter to Use] list.

4.4.7 User Authentication Setting

Selecting the Type of User Authentication

You must enter the settings related to user authentication on the connection setting.
Select one of the following user authentication methods for [Auth Type].

• Anonymous Authentication

• Standard Password Authentication

• RADIUS or NT Domain Authentication

• Client Certificate Authentication

• Smart Card Authentication (Only for VPN Client. Cannot be used in a cascade
connection.)

You must enter a user name in [User Name] regardless of the selected user
authentication type. The other required information varies depending on the selected
authentication type.

Information Required for Anonymous Authentication

Other than the user name, no information is required to use anonymous authentication.
For more information about anonymous authentication, please refer to 「2.2.1
Anonymous Authentication」.

Information Required for Standard Password Authentication and RADIUS or NT Domain
Authentication

Enter the password for user authentication when using standard password authentication
or RADIUS or NT domain authentication.

The password entered here is saved and written to the disk drive as connection
information of VPN Client. If this operation is not desirable for security reasons, you
can leave the password field blank. This prevents the password from being saved as
part of the connection setting and displays the password entry window each time you
connect to VPN Server.

For more information about password authentication, please refer to 「2.2.2 Password
Authentication」, 「2.2.3 RADIUS Authentication」, and 「2.2.4 NT Domain and Active
Directory Authentication」.

Information Required for Client Certificate Authentication

When using client certificate authentication, you must specify the certificate to be
presented to VPN Server as the client certificate. To specify a certificate, click [Specify
Client Certificate].

For more information about certificate authentication, please refer to 「2.2.5 Individual
Certificate Authentication」 and 「2.2.6 Signed Certificate Authentication」.

The client certificate and private key specified here are written to the disk drive as
setting information of VPN Client. Normally, only users with administrative rights can
read files with VPN Client setting information, and therefore, it is safe. However, if, for
example, a notebook computer with VPN Client installed is stolen, the contents of the
hard disk can be analyzed and the private key data can be stolen. To eliminate this risk,
we recommend using smart card authentication.

Information Required for Smart Card Authentication

When using smart card authentication, you must specify the smart card with the
certificate to be presented to VPN Server as the client certificate and the smart card
object name. First, click [Select Smart Card] and select the smart card you want to use.
Then click [Specify Cert and Private Key] and select the certificate object and private key
object for authentication. For more information about smart cards, please refer to 「4.6
Using and Managing Smart Cards」.

4.4.8 Use of Smart Card Authentication

VPN Client supports user authentication with a smart card. Smart card authentication is a
safer authentication method than normal certificate authentication. When VPN Client
connects to VPN Server using smart card authentication, from the VPN Server's point of
view the VPN Client appears to be connecting with normal certificate authentication.
However, VPN Client reads the certificate from the smart card instead of from the hard
disk, and the PKI authentication with the private key is performed by the RSA operation
chip inside the smart card, without the private key ever being taken out of the card.

For more information about smart cards (IC cards), please refer to 「4.6 Using and
Managing Smart Cards」.

4.4.9 Automatic Reconnection Function


You can configure the setting for automatic reconnection, as described in "Reconnection
Setting When the VPN Connection Fails or is Dropped" in 「2.1.3 Communication
Efficiency and Stability」. To use the automatic reconnection function, check the box
next to [Reconnect When Lost Connection to VPN Server] and specify [Reconnection
Count] and [Reconnection Interval]. Checking the box next to [Reconnection Endless
(Keep VPN Session Always)] allows VPN Client to continually attempt to reconnect to
VPN Server if the connection is dropped.

The automatic reconnection function cannot be used when using smart card
authentication because the user would constantly be asked to enter the PIN code for
user authentication in order to reconnect.

4.4.10 Connection Status and Error Message Displays

Checking the box next to [Don't display connection status and error window when
connecting to VPN Server] prevents the display of dialog boxes with error messages and
the connection status to VPN Server. When this is enabled, the following dialog box, for
example, is not displayed and the connection process runs in the background.

Figure 4-4-10 Dialog Box Displaying the Connection Status of VPN Client

4.4.11 Advanced Communication Settings

To make changes to the advanced communication setting options, as described in 「2.1
VPN Communications Protocol」, click [Advanced Settings]. These settings are for the
system administrator and users with a strong understanding of network communication
protocols and network security. General end users should only change settings specified
by the VPN Server administrator or network administrator.


Figure 4-4-11 [Advanced Settings] Window

4.4.12 Number of TCP/IP Connections for VPN Session Communications

You can adjust the [Number of TCP Connections] setting on the [Advanced Settings]
window. This setting is described in "Number of TCP/IP Connections for VPN
Communications" in 「2.1.3 Communication Efficiency and Stability」.

4.4.13 Interval Between TCP Connections and Length of TCP Connection

You can adjust the [Establishing TCP Connection Interval] and [Keep Alive] settings on
the [Advanced Settings] window. These settings are described in "Interval Between
TCP/IP Connections and Length of TCP/IP Connection" in 「2.1.3 Communication
Efficiency and Stability」.

4.4.14 Half-Duplex Mode Option

You can enable or disable the [Use Half-Duplex Mode] option on the [Advanced Settings]
window. This function is described in "Using Half-Duplex Mode" in 「2.1.3
Communication Efficiency and Stability」.

4.4.15 SSL Encryption Option

You can disable the [Encrypt VPN Session by SSL] option on the [Advanced Settings]
window. This function is described in "Disabling the Encryption Option" in 「2.1.3
Communication Efficiency and Stability」. When VPN Client is connected to VPN Server
running on a local host (same host as the client), SSL encryption is not required, so this
option is automatically disabled.


4.4.16 Data Compression Option

You can enable or disable the [Use Data Compression] option on the [Advanced
Settings] window. This function is described in "Using Data Compression" in 「2.1.3
Communication Efficiency and Stability」.

4.4.17 Selecting the Connection Mode

You can enable either of the following two connection modes in the [Connection Mode
Settings] field of the [Advanced Settings] window.

„ Bridge / Router Mode

„ Monitoring Mode

Checking the box next to either of these connection modes enables that connection
mode for the connection session with VPN Server. For information about these special
connection modes, please refer to 「1.6.8 Client Mode Session」, 「1.6.9 Bridge/Router
Mode Session」, and 「1.6.10 Monitoring Mode Session」.

4.4.18 Routing Table Rewrite Process

By default, the [Don't Modify Routing Table] option in the [Advanced Communication
Settings] window is disabled.

Windows automatically rewrites the routing table to ensure proper VPN communication
even when the Virtual Network Adapter side of VPN Client is set as the default gateway
after connecting to VPN Server.

If, for a special reason, you do not want to rewrite the routing table, add a check to the
box next to this option.

4.4.19 Startup Connection

You can set a connection setting for startup connection by using VPN Client Manager to
select a connection setting and then clicking [Set as Startup Connection] on the
[Connect] menu. When a connection setting is set for startup connection, a connection
to VPN Server is automatically started using that connection setting when Windows is
started.

If, for example, you want to maintain a constant connection to a specific Virtual HUB
when the computer is running, set that connection setting to startup connection and
enable the [Reconnection Endless (Keep VPN Session Always)] option. In this way, VPN
Client automatically attempts to connect to VPN Server using the specified connection
setting when Windows is started, even if a user is not logged on to Windows.

The icon of the connection setting registered as the startup connection changes as
follows in VPN Client Manager.


Figure 4-4-12 Icon of the connection setting When Set to Startup Connection

4.4.20 Exporting and Importing Connection Settings

Exporting and Importing

You can export a connection setting registered to VPN Client and save it as a file. An
exported connection setting can also be copied by importing it to VPN Client running on
the same or a separate computer.

To export a connection setting, select the connection setting and click [Export VPN
Connection Setting] on the [Connect] menu. Next, specify the file name of the
connection setting you want to save.

You can easily import an exported connection setting simply by double-clicking the
connection setting file in Explorer or on the folder window. To import a connection
setting using VPN Client Manager, click [Import VPN Connection Setting] on the
[Connect] menu and specify the file name of the exported connection setting file.

Using the Export and Import Functions

The VPN Server or Virtual HUB administrator can use these functions to distribute a
connection setting to users. The user can then double-click the connection setting file to
easily add the connection setting data to VPN Client running on the user's computer. The
imported connection setting can also be edited by the user.

Content of the Exported Connection Setting File

The connection setting is exported as a special text file with the extension .vpn. The
content of the connection setting file is as follows.

# VPN Client connection setting file
#
# This file is exported using the VPN Client Connection Manager.
# The contents of this file can be edited using a text editor.
#
# When this file is imported to the Client Connection Manager
# it can be used immediately.

declare root
{
    bool CheckServerCert false
    bool StartupAccount false
    declare ClientAuth
    {
        uint AuthType 1
        byte HashedPassword 5TOruB30QtETypSka+r+fAQjwz4=
        string Username test
    }
    declare ClientOption
    {
        string AccountName New$20connection
        uint AdditionalConnectionInterval 1
        uint ConnectionDisconnectSpan 0
        string DeviceName vpn
        bool DisableQoS false
        bool HalfConnection false
        bool HideStatusWindow false
        string Hostname localhost
        string HubName VPN
        uint MaxConnection 1
        bool NoRoutingTracking false
        uint NumRetry 4294967295
        uint Port 8888
        uint PortUDP 0
        string ProxyName $
        byte ProxyPassword $
        uint ProxyPort 0
        uint ProxyType 0
        string ProxyUsername $
        bool RequireBridgeRoutingMode false
        bool RequireMonitorMode false
        uint RetryInterval 15
        bool UseCompress false
        bool UseEncrypt false
    }
}

As shown in the example above, all content of the connection setting file is written in
text. Any hiragana, kanji, or other multibyte characters are UTF-8 encoded. Normally,
this text file does not need to be edited, but you can manually edit this file or write a
program to automatically create a connection setting file, as shown above.

4.4.21 Creating a Shortcut for a Connection Setting

You can create a shortcut file for a connection setting registered to VPN Client. This
shortcut file is the same type of shortcut file that can be created for files or folders in
Windows.

To create a shortcut file for a connection setting, select a connection setting, click
[Create VPN Connection Shortcut] on the [Connect] menu, and then specify the name of
the shortcut file to be created. Once a shortcut file is created, it can be placed anywhere
on the computer where a normal file can be set in Windows. For example, you can place
the shortcut file on the desktop or add it to the Quick Launch bar.

Figure 4-4-13 Connection Setting Shortcut File

When the shortcut file for a connection setting is double-clicked while that connection
setting is offline, the VPN connection for that connection setting is automatically started.
When the shortcut file for a connection setting is double-clicked while VPN Client is
connecting or is connected to the VPN, a dialog box is displayed asking whether to
terminate the connection for that connection setting. Clicking [Yes] terminates the
connection.


Figure 4-4-14 Dialog Box Displayed When Starting a Shortcut for a Connection Setting
That is Already Connected

4.4.22 VPN Server and VPN Bridge Cascade Connection Setting

You can use the same user interface as that used to create and edit a connection setting
with VPN Client Manager to edit the settings to cascade-connect a Virtual HUB of VPN
Server or VPN Bridge to a separate Virtual HUB with VPN Server Manager, as described
in 「3.4.11 Cascade Connection Functions」 .

You do not have to enter the following items when configuring the cascade connection
settings.

- Virtual network adapter to use
- Interval between attempts to reconnect and reconnect retries
  (Attempt to reconnect an infinite number of times at 10-second intervals)
- Connection mode setting
  (Always connect with bridge/router mode)
- Rewrite routing table settings
  (Do not rewrite routing table in a cascade connection)


4.5 Connecting to VPN Server

After defining the required settings of a connection setting in PacketiX VPN Client, you
can start the connection to VPN Server by connecting with that connection setting.

4.5.1 Starting a VPN Connection

Starting a VPN Connection

To start the VPN connection of a registered connection setting, double-click the
connection setting or click [Connect] on the [Connect] menu. When VPN Client is
connecting to VPN Server, the following dialog box displays the connection status in
real-time. (The connection status dialog box is not displayed when the [Don't display
connection status and error window when connecting to VPN Server] option for the
connection setting is enabled.)

Figure 4-5-1 Dialog Box Displaying the VPN Connection Status

Establishing a VPN Connection

When a VPN connection is established, the connection status changes to Connected
(Established). Depending on the Windows setting, when the status of the Virtual
Network Adapter changes from the network cable being unplugged to the VPN client
being online, the notification [Connected] is displayed in the notification area of the
taskbar.

Figure 4-5-2 Status of the Virtual Network Adapter Changes When a VPN
Connection is Established

VPN Communication after Establishing a VPN Connection

When a VPN connection is established, VPN Client establishes VPN communication with
the Virtual HUB on the destination VPN Server.

Once VPN communication is established, the operation of the Virtual Network Adapter is
the same as the operation of a physical network adapter connected to Windows. To
determine the IP address assigned to the Virtual Network Adapter, double-click the
connection icon of the Virtual Network Adapter on the taskbar or use the ipconfig /all
command.

4.5.2 Checking the Connection Status

Using VPN Client Manager to Check the Status in the Connection Setting
List

A list of connection settings registered to VPN Client is displayed in the VPN Client
Manager window.


Figure 4-5-3 List of VPN Client Connection Settings and Their Status

This list displays the current status of each connection setting in the [Status] column.
The three connection statuses displayed here are as follows.

Status                   Description
Offline                  Indicates that the connection to VPN Server for that
                         connection setting is offline.
Connecting               Indicates that the connection setting is connecting to VPN
                         Server or that an error occurred and VPN Client is waiting to
                         reconnect.
Connected (Established)  Indicates that a connection to VPN Server is established and
                         a VPN session is established and communicating with VPN
                         Server.

Obtaining Detailed Information on a Connecting or Connected Connection Setting

To obtain the latest information in real-time on a connection setting connecting or
connected to VPN Server, double-click the connection setting or click [View Status] on
the [Connect] menu.

Figure 4-5-4 Window Displaying Detailed Information of a Connection Setting

The following are the main items displayed here.

Setting                              Description
VPN Connection Setting Name          Displays the name of the connection setting.
Session Status                       Displays the connection status of the connection
                                     setting. One of the following connection statuses
                                     is displayed.
                                     - Starting Connection to VPN Server
                                     - Negotiating
                                     - Authenticating User
                                     - Connection Established
                                     - Retrying
                                     - Idling
                                     - Connecting
                                     - Connection Established (Session Established)
Server Name                          Displays the host name or IP address of the
                                     destination VPN Server. The IP address of the VPN
                                     Server computer to which VPN Client is actually
                                     connected is displayed even when connected to a
                                     cluster, thereby letting you know to which VPN
                                     Server of the cluster the client is connected.
Port Number                          Displays the destination TCP/IP port number.
Server Product Name                  Displays the product name and edition name of the
                                     destination VPN Server.
Server Version                       Displays the version number of the destination VPN
                                     Server.
Server Build                         Displays the build number of the destination VPN
                                     Server.
Connection Start Time                Displays the time when the VPN connection process
                                     started using the connection setting. For example,
                                     this indicates the time when the user
                                     double-clicked the connection setting.
Time that first session was          Displays the time when the initial VPN session was
established                          established and VPN communication started.
Number of Established Sessions       Displays the time when the current VPN session was
                                     established and VPN communication started.
Number of Sessions Established       Displays the number of times that a VPN session has
                                     been successfully established. This number
                                     increases each time a VPN connection is
                                     established, the connection is terminated, and a
                                     VPN connection is established again.
Half-Duplex TCP Connection Mode      Displays whether the PacketiX VPN protocol
                                     communication mode for the VPN session is the
                                     half-duplex connection mode.
VoIP / QoS Support Function          Displays whether the VoIP / QoS support function
                                     (for details, see 「1.9 VoIP / QoS Support
                                     Function」 ) is enabled for this session.
Number of TCP Connections            Displays the number of current TCP/IP connections
                                     in the VPN session.
Maximum Number of TCP Connections    Displays the maximum number of TCP/IP connections
                                     that can be used in the VPN session.
Encryption                           Displays whether the VPN session is protected using
                                     encryption or a digital signature.
Use of Compression                   Displays whether the VPN session is using
                                     compressed data communication via a data
                                     compression algorithm.
Session Name                         Displays the ID identifying the session.
Session Key (160-bit)                Displays the internal management ID uniquely
                                     identifying the session created by VPN Server.
Bridge/Router Mode                   Displays whether the session type is the
                                     bridge/router mode.
Monitoring Mode                      Displays whether the session type is the monitoring
                                     mode.
Outgoing Data Size                   Displays the number of data bytes sent from the VPN
                                     client to VPN Server using the PacketiX VPN
                                     protocol (approximate number of packets actually
                                     flowing through the physical IP network).
Receive Data Size                    Displays the number of data bytes sent from VPN
                                     Server to the VPN client using the PacketiX VPN
                                     protocol (approximate number of packets actually
                                     flowing through the physical IP network).
Incoming Data Size                   Displays the number of virtual Ethernet frame
                                     packets sent and received and the total data size
                                     (updated in real-time).

Displaying the VPN Session Security Policies

When a VPN session is established, the [Security policy] button on the [Connection
status] window is enabled. Clicking this button displays a list of security policy values
associated with the VPN session in which the VPN client is currently connected to VPN
Server.


Figure 4-5-5 Window Displaying the Security Policies of the VPN Session

Displaying the Server and Client Certificates

Once a VPN session is established, you can display the X.509 certificate presented by the
destination VPN Server by clicking [Server Certificate] on the [Connection status]
window.

If client certificate authentication or smart card authentication is used to authenticate
the user when connecting to the current VPN, clicking [Client Certificate] displays the
X.509 certificate presented by VPN Client to VPN Server at the time of authentication.


Figure 4-5-6 Window Displaying the Server and Client Certificates

4.5.3 Terminating a VPN Connection

The VPN Client user can terminate a connected session at any time. When a connected
VPN session is terminated, the connection setting returns to the offline status.

To terminate a VPN connection by specifying a connection setting, select the connection
setting and click [Disconnect] on the [Connect] menu. Depending on the network status,
it can take anywhere from several milliseconds to several seconds to send the message
to terminate the connection to VPN Server.

4.5.4 Operations When an Error Occurs

When an Error Occurs

When a communication error, such as a communication timeout when connecting or
connected to VPN Server, occurs, an error message is displayed, as shown below. The
error message displays the error code and error description. For information about the
error codes, please refer to 「12.5 Error Codes」 .

Figure 4-5-7 Window Displayed When a Communication Error Occurs

If no action is taken when an error message is displayed and the automatic reconnection
function is set for the connection setting, after the interval between attempts to
reconnect, the error message automatically disappears and the VPN client automatically
starts an attempt to reconnect to the desired VPN Server.

Please note that error messages are not displayed when the [Don't display connection
status and error window when connecting to VPN Server] option for the connection
setting is enabled or when the checkbox next to [Hide this Window when Connecting
Next Time] is checked.

When Password Authentication Fails

When the connection setting is set to [Standard password authentication] or [RADIUS or
NT domain authentication] and access to the Virtual HUB is denied because the user
name or password does not match, the following window for re-entering the password is
displayed.


Figure 4-5-8 Window Displayed When Password Authentication Fails

When the box next to [Don't Save Password] is checked on the above window, the
entered password is not saved, so you must enter the password again the next time you
connect to VPN Server.

If you do not want the password saved to VPN Client, enable the [Don't Save Password]
option. (Checking this box also enables this option the next time you connect.)


4.6 Using and Managing Smart Cards

PacketiX VPN Client supports Public Key Infrastructure (PKI) using smart cards. This
section describes how to use PacketiX VPN Client together with smart cards. For an
overview of smart card authentication, please refer to 「1.5.4 Use with Smart Cards」
and #1.5.5#.

4.6.1 Smart Card Device Driver

Required Device Driver

To use the PKI function along with a smart card or hardware security token compatible
with a smart card (hereafter collectively referred to as "smart card"), the following two
device drivers must be installed on the client computer.

- Device driver of the smart card reader or other hardware device
- Device driver with PKCS#11 interface that supports the smart card in use

In addition, after installing VPN Client and then installing the smart card reader and
smart card device driver, you must restart the VPN Client service or the computer.

Furthermore, if any settings need to be made in order to use the smart card with the
smart card reader or smart card device driver, you must make these settings in
advance. For information about the settings for using a smart card reader or smart card,
please refer to the hardware manual for that device.

Supported Smart Card Types

Some PKCS#11-supported smart cards can be used with PacketiX VPN Client 2.0. For
information about the types of smart cards supported by SoftEther Corporation, please
refer to 「12.2.6 List of Supported Smart Cards and Hardware Security Devices」 .
SoftEther Corporation does not guarantee that VPN Client can be used with all types of
smart cards.

4.6.2 Selecting a Smart Card

To select the type of smart card to use, click [Select Which Smart Card to Use] on the
[Smart Card] menu of VPN Client Manager. The [Select Which Smart Card to Use]
window is displayed.

Select the desired type of the smart card listed here and click [OK] to enable the use of
that smart card. Please note that the smart cards listed here may not necessarily work
with PacketiX VPN Client 2.0. For information about the types of smart cards supported
by SoftEther Corporation, please refer to 「12.2.6 List of Supported Smart Cards and
Hardware Security Devices」 .

Figure 4-6-1 Select Smart Card Window

4.6.3 Listing and Obtaining Smart Card Objects


Smart Card Manager

PacketiX VPN Client has a smart card manager function that allows you to list and obtain
objects on supported smart cards and write objects to a smart card. To start Smart Card
Manager, click [Smart Card Manager] on the [Smart Card] menu.

When Smart Card Manager is started, a window for entering the PIN code to access the
smart card is displayed. When the PIN code is correctly entered, a list of the objects on
the smart card is created.

Figure 4-6-2 Smart Card Access Window

You can use Smart Card Manager to list, obtain, and write the following types of data on
the smart card.

- X.509 type certificate object
- RSA-type private key object
- Arbitrary type data (binary data)

Figure 4-6-3 Smart Card Manager Window


Writing Objects to a Smart Card

To write a new object to a smart card that supports object writing, click [Import to
Card]. The [Select Object Type] window is displayed. Select [Certificate], [Private Key],
or [Data], click [OK], and then specify the file you want to write.

Figure 4-6-4 Window for Importing an Object to a Smart Card

You must specify the name of the object you want to create on the smart card. You can
specify any alphanumeric characters for the object name, but some characters may be
restricted depending on the smart card.

Figure 4-6-5 Window for Entering the Name of the Object to be Imported

Reading an Object from a Smart Card

You can read a certificate object or binary data in an arbitrary format from a smart card.
You cannot read a private key object. To read an object, select the object, click [Export
from Card], name the file, and then save it.

Creating a Certificate and RSA Private Key and Writing them to a Smart
Card

You can create a certificate and RSA private key and immediately write them to a smart
card. Start by clicking [Write New Certificate and Private Key to Card]. Select a root
certificate or a certificate signed using another certificate for the type of certificate to be
created. In addition, specify the subject names of the certificate.


Figure 4-6-6 Window for Creating a Certificate and Private Key

Starting Smart Card Manager on VPN Server Manager

A smart card manager similar to that of VPN Client Manager is provided in VPN Server
Manager, which is a VPN Server management tool. To manage smart cards with VPN Server
Manager, click [Smart Card Manager] on the startup window.

4.6.4 Deleting Smart Card Objects

If a smart card allows for objects to be deleted, you can delete objects on that smart
card. Select the object you want to delete and click [Delete from Card]. Please note that
once an object is deleted, it cannot be restored.

4.6.5 Changing a PIN Code

Smart cards are protected by PIN codes. To change the PIN code of a smart card, click
[Change PIN Code] and then enter the current and new PIN codes. Please note that
some smart cards may not allow the PIN code to be changed. In this case, you can
change the PIN code by using the utility provided with that smart card.


Figure 4-6-7 Window for Changing a Smart Card PIN Code

4.6.6 Using Smart Card Authentication to Connect to VPN Server

To connect to VPN Server with [Smart card authentication] selected as the type of user
authentication in the connection setting, insert the smart card and then enter the PIN
code on the displayed PIN code entry window.

Figure 4-6-8 Window for Entering the Smart Card PIN Code

4.6.8 Limitations

The following are some limitations and precautions when using the PacketiX VPN smart
card function.

- Not all PKCS#11 smart cards are supported. For a list of supported smart cards,
  please refer to 「12.2.6 List of Supported Smart Cards and Hardware Security
  Devices」 .
- When PacketiX VPN calls the PKCS#11 driver or another external program, the user
  must use that external program in accordance with the licensing agreement set forth
  by the provider of that program.
- You can use the smart card manager function of PacketiX VPN to write a certificate
  or private key to a smart card, but we recommend using the utility provided with the
  smart card or commercially available PKI software.


4.7 Management in a Large-Scale Environment

To construct a VPN server in an enterprise with a large number of users, the
administrator may be required to implement measures to simplify VPN Client user
operations and provide remote management of VPN Client on client computers. This
section describes how to properly manage a large number of VPN Client users in a
large-scale environment.

4.7.1 Remote Management of VPN Client

VPN Client Manager is normally used to connect to and control the VPN Client service
running on the local computer, but by properly configuring the settings, you can also use
VPN Client Manager to remotely operate VPN Client services running on remote computers.

Setting VPN Client to Allow Remote Management

To enable the remote operation of the VPN Client service running on a remote computer,
[Allow Remote Management of VPN Client Service] must be enabled on the setting of the
VPN Client service at the remote destination. The user can enable this option by clicking
[Options] on the [Tool] menu of VPN Client Manager.

A password must also be set for VPN Client with enabled remote management. The user
can set the password by clicking [Set Password] on the [Tool] menu.

By checking the boxes next to [Set password] and [Only Request Password For Remote
Operation] on the [Password Setting] window, you can set the local computer to not
request a password when starting VPN Client Manager and only request a password
when connecting for remote operation.


Figure 4-7-1 Remote Management Setup Window

Remotely Connecting to VPN Client on a Separate Computer

You can remotely connect to and manage PacketiX VPN Client running on a separate
computer by clicking [Start] > [PacketiX VPN Client Manager] > [Manage PacketiX VPN
Client on a Separate Computer]. Specify the name of the destination PacketiX VPN Client
computer in [Computer name] and click [OK].

Figure 4-7-2 Window for Remotely Connecting to VPN Client on a Separate Computer

By remotely operating PacketiX VPN Client on a separate computer, the administrator
can, for example, configure the proper connection settings for a user that does not
understand the connection method without the administrator having to go to that user's
computer.

The following operations cannot be performed with VPN Client Manager when connected
to a remote VPN Client.

- Adding a Virtual Network Adapter or reinstalling a device driver
- Configuring smart card settings
- Displaying network devices on a remotely connected VPN Client
- Using a TCP Optimization Utility

4.7.2 Distributing Configuration Files


The configuration data of VPN Client is automatically saved to vpn_client.config in the
directory where PacketiX VPN Client is installed. Each time VPN Client is started, this file
is read and the configuration data is managed and maintained. By replacing the
vpn_client.config file, you can back up or roll back the operations or configuration data
of VPN Client at any time, and the file can also be copied to other computers.

The administrator can configure the default settings of VPN Client and then distribute the
vpn_client.config file to client computers, thereby providing the default settings across
the VPN in advance.

The contents of the vpn_client.config file cannot be directly replaced while the VPN Client
service is running. First stop the VPN Client service, and then change the
vpn_client.config file and restart the VPN Client service.

To stop the VPN Client service running on a VPN client computer, execute the net stop
vpnclient command. To start the VPN Client service, execute the net start vpnclient
command.

4.7.3 Distributing a Connection Setting File to Users

You can export the connection setting data of VPN Client, as described in 「4.4.20
Exporting and Importing Connection Settings」 . The exported file can be sent by e-mail
to VPN Client users who can then simply double-click the received connection setting file
to register that connection setting to VPN Client on the user's computer.

Because the connection setting file is plain text, the system administrator can
automatically create this file for each user. In this way, connection setting files with the
necessary settings can be created and distributed to a large number of VPN Client users
to ensure that even users with little knowledge of VPN connection settings can easily
connect to the VPN.
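The connection setting file format shown in 「4.4.20 Exporting and Importing Connection Settings」 and the per-user generation described here, as an added Python example (not the manual's or SoftEther's own code). It assumes the value escaping inferred from the export ("$20" for a space, a lone "$" for an empty value); the sample file, its HashedPassword placeholder and the lint checks on CheckServerCert and UseEncrypt are constructed for the example.

```python
"""Parse, check and generate PacketiX VPN Client connection setting (.vpn) files.
Added example, not SoftEther's code. Grammar read off the 4.4.20 export; the value
escaping ('$20' = space, lone '$' = empty value) is an assumption inferred from it."""
import base64
import re

# Constructed sample trimmed from the 4.4.20 export; HashedPassword is a placeholder.
SAMPLE_VPN = """\
declare root
{
    bool CheckServerCert false
    declare ClientAuth
    {
        byte HashedPassword UExBQ0VIT0xERVI=
        string Username test
    }
    declare ClientOption
    {
        string AccountName New$20connection
        uint Port 8888
        string ProxyName $
        byte ProxyPassword $
        bool UseEncrypt false
    }
}
"""
_ESCAPE_RE = re.compile(r"\$([0-9A-Fa-f]{2})")
_ITEM_RE = re.compile(r"^(bool|uint|string|byte)\s+(\S+)\s+(\S+)$")


def decode_value(raw):  # '$' alone is the empty value, '$XX' the character 0xXX
    return "" if raw == "$" else _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)


def encode_value(text):  # inverse of decode_value: escape '$', space and controls
    return "$" if text == "" else "".join(
        "$%02X" % ord(c) if c == "$" or ord(c) <= 0x20 else c for c in text)


# Item type -> Python value. 'byte' items are base64 in the export, '$' when empty.
_PARSERS = {"bool": lambda r: r == "true", "uint": int, "string": decode_value,
            "byte": lambda r: b"" if r == "$" else base64.b64decode(r)}


def parse_vpn(text):
    """Return {'root': {...}}: sub-blocks as nested dicts, items as typed values."""
    top, stack, pending = {}, [], None  # stack: open block dicts; pending: declared name
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]
        elif line == "{" and pending is not None:
            block = {}
            (stack[-1] if stack else top)[pending] = block
            stack.append(block)
            pending = None
        elif line == "}" and stack:
            stack.pop()
        elif (m := _ITEM_RE.match(line)) and stack:
            typ, key, val = m.groups()
            stack[-1][key] = _PARSERS[typ](val)
        else:
            raise ValueError(f"line {lineno}: unexpected {raw!r}")
    if stack or pending is not None:
        raise ValueError("unterminated block")
    return top


def _lines(doc, indent):
    pad = "\t" * indent
    for key, val in doc.items():
        if isinstance(val, dict):
            yield f"{pad}declare {key}"
            yield f"{pad}{{"
            yield from _lines(val, indent + 1)
            yield f"{pad}}}"
        elif isinstance(val, (bool, int)):  # bool is an int subclass; str(True).lower() == 'true'
            yield f"{pad}{'bool' if isinstance(val, bool) else 'uint'} {key} {str(val).lower()}"
        elif isinstance(val, bytes):
            yield f"{pad}byte {key} {base64.b64encode(val).decode() if val else '$'}"
        else:
            yield f"{pad}string {key} {encode_value(val)}"


def write_vpn(doc):
    """Serialize a parse_vpn() dict back into importable .vpn text."""
    return "# VPN Client connection setting file\n" + "\n".join(_lines(doc, 0)) + "\n"


def lint_setting(doc):
    """Items an administrator should fix before distributing the file (4.7.3)."""
    root = doc.get("root", {})
    checks = [(root.get("CheckServerCert"), "CheckServerCert false: server certificate not verified"),
              (root.get("ClientOption", {}).get("UseEncrypt"), "UseEncrypt false: session not encrypted")]
    return [msg for ok, msg in checks if not ok]


def personalize(template_text, account_name, username, hashed_password):
    """Per-user copy of an administrator's export with the two hardening items forced.
    hashed_password: decoded bytes of a HashedPassword item copied from a VPN Client
    export (the manual does not document how it is derived, so it is not computed here)."""
    doc = parse_vpn(template_text)
    doc["root"]["CheckServerCert"] = True
    doc["root"]["ClientOption"].update(AccountName=account_name, UseEncrypt=True)
    doc["root"]["ClientAuth"].update(Username=username, HashedPassword=hashed_password)
    return write_vpn(doc)
```

Running lint_setting over every generated file before it is mailed out catches an export that was taken with server certificate verification or encryption switched off.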


4.8 Measuring Effective Throughput

With the use of the communication throughput measurement tool, the communication
speed between two computers can be accurately measured by actually transferring a
large volume of data between the computers. You can use this communication
throughput measurement tool to measure the communication speed over a physical
network or through a VPN. This section describes how to use the communication
throughput measurement tool.

4.8.1 Using the Communication Throughput Measurement Tool

There is a GUI version and a command line version of the communication throughput
measurement tool. The GUI version can only be used in Windows. The command line
version can be used in Windows, Linux, or other Unix operating systems. Because the
GUI and command line versions use a compatible protocol, a computer running either
version can connect to a computer running the other and the communication
throughput can be measured.

This subsection describes the GUI version of the communication throughput
measurement tool. For information regarding the command line version of the
communication throughput measurement tool, please refer to 「Chapter 6 Command
Line Management Utility Manual」 .

Starting the Communication Throughput Measurement Tool (GUI Version)

To start the GUI version of the communication throughput measurement tool, perform
either of the following operations.

- When PacketiX VPN Server is installed
  Click [Start] > [PacketiX VPN Server] > [Communication Throughput Measurement
  Tool].
- When PacketiX VPN Client is installed
  Click [Start] > [PacketiX VPN Client] > [Communication Throughput Measurement
  Tool]. Alternatively, click [Communication Throughput Measurement Tool] on the
  [Tool] menu of VPN Client Manager.

Starting the Communication Throughput Measurement Tool (Command Line Version)

To start the command line version of the communication throughput measurement tool,
start the PacketiX VPN Command Line Management Utility (vpncmd) and select [3. Use
VPN Tools Command (Create Certificate or Measure Communication Throughput)]. Next,
add and start the TrafficClient or TrafficServer command.

4.8.2 Configuring the Communication Throughput Measurement Tool

The communication throughput measurement tool can be operated either as the
measurement server or measurement client. To measure the communication throughput
between two computers, one computer must be the measurement server and the other
computer must be the measurement client.

Select either [Measuring Server] or [Measuring Client] on the [Communication
Throughput Measurement Tool] window, enter the required information specified below,
and then click [Start].


Figure 4-8-1 Communication Throughput Measurement Tool Window

Measurement Server Mode

When the communication throughput measurement tool is operated in measurement
server mode, the specified TCP/IP port on that computer is opened and the computer
waits for a connection from the measurement client. Once measurement server mode is
started, the operation continues until the user stops it. The only setting required in
measurement server mode is the port number to be used. (By default, this is set to port
9821.)

Measurement Client Mode

In measurement client mode, the computer connects to the measurement server, sends
and receives the maximum allowable number of communication packets, measures the
network throughput between the two computers, and then displays the results. The
following information must be entered in measurement client mode.

- Destination measurement server host name or IP address and TCP/IP port number
  Specify the host name or IP address and TCP/IP port of the destination computer
  running in measurement server mode.
- Direction of data communication
  Specify whether to download, upload, or perform both. Download and upload here
  refer to the direction of data flow as seen from the measurement client computer.
- Number of parallel TCP/IP connections
  To measure the communication throughput, specify the number of parallel TCP/IP
  connections. The maximum number is 32. If both directions are specified for the
  direction of data communication, the number of TCP/IP connections must be an even
  number.
- Data transfer time (measurement time)
  This is the time period that data is actually transferred and throughput is measured.
  Communication throughput is calculated by dividing the size of the transferred data
  by the data transfer time.
- Calculate throughput for Layer 2 as Ethernet
  When this setting is enabled, the media type of the network over which the
  measurement data is transferred is assumed to be a normal Ethernet, and the
  number of bytes of packets physically flowing over that Ethernet and the throughput
  are displayed.
- Relay device capacity measurement mode
  When this setting is enabled, the throughput in the measured results is doubled and
  then displayed. This option is used to measure the total throughput capacity handled
  by a network device located between the two computers.

Measurement Results Display

The measurement results obtained using the communication throughput measurement
tool are displayed in a window, as shown below.

Figure 4-8-2 Communication Throughput Measurement Tool Results Window

4.8.3 Communication Throughput Measurement Precautions

Please note the following precautions when using the communication throughput
measurement tool.

• The communication throughput measurement tool measures the maximum speed that
communication packets flow over a physical network or VPN that is actually
operating. Separate communications that occur over the network during
measurement can affect the measurement, and the displayed results of the
communication throughput measurement tool may be lower than the actual line
capacity.

• Before using the communication throughput measurement tool on a network in an
organization, such as a corporate network, obtain the permission of the network
administrator in advance. This tool can transfer a large volume of data, which can
affect normal network communication operations.

• If the throughput value displayed using this tool is lower than expected, increasing
the number of parallel TCP/IP connections can improve the throughput.

• When this tool measures the download throughput, it displays the amount of data the
client actually received from the server as the measurement result. When this tool
measures the upload throughput, it receives a report from the server of the amount
of data the server actually received from the client and displays the data size as the
measurement result. TCP/IP is used as the communication protocol for measurement
and control.

• The measurement results obtained using this tool may be lower, but usually not
higher, than the actual network capacity.


4.9 Other Functions

This section describes the other functions provided with PacketiX VPN Client.

4.9.1 Changing the User Password Registered to VPN Server

When standard password authentication is selected as the type of user authentication on
the VPN Client Manager window for editing the connection setting, as described in
「4.4.7 User Authentication Setting」 , the [Change Password] button is enabled. Click
this button to change the user password registered to VPN Server. To change the
password, correctly enter the user name, the current password, and the new password.
If the security policy of the user does not allow changes to the password, the password
cannot be changed.


Figure 4-9-1 Window for Changing the User Password Registered to VPN Server

4.9.2 Internet Connection Maintenance Function

PacketiX VPN Client has a function for maintaining an Internet connection similar to that
of PacketiX VPN Server (see 「3.3.13 Keep Alive Internet Connection Function」 ).

With the Internet connection maintenance function, TCP/IP or UDP/IP packets can be
sent to the port number of a specified host at regular time intervals. The data size of the
packets to be sent is very small, and the payload contents of the packets to be sent are
randomly generated.

By default, the Internet connection maintenance function is enabled, and the function
uses the following settings.

Setting                        Default setting
Host name                      keepalive.se2.softether.com
Port number                    80
Packet sending out interval    50 seconds
Protocol                       TCP/IP protocol

To change the setting of the Internet connection maintenance function, click [Options]
on the [Tool] menu of VPN Client Manager, and enter the setting in the [Keep Alive
Internet Connection Function] field.
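The default settings above mean that every computer running VPN Client with this function left at its defaults makes a small connection to keepalive.se2.softether.com port 80 about once every 50 seconds. On a monitored network that is a recognizable periodic pattern, useful for inventorying where the client is installed and for recognizing the traffic as benign keep-alive rather than beaconing. The following is an added example, not code from the manual or from SoftEther, that runs that detection over a constructed flow log. The log format (epoch seconds, source IP, destination host, destination port, protocol), the 10 second tolerance and the "two matching gaps" threshold are assumptions; the host, port and interval are the defaults from the table.

```shell
#!/bin/sh
# Added example (not part of the PacketiX manual): find hosts whose traffic shows the
# VPN Client's default Internet connection maintenance pattern, i.e. periodic
# connections to keepalive.se2.softether.com port 80 roughly every 50 seconds.

KEEPALIVE_HOST="keepalive.se2.softether.com"   # default host from the manual
KEEPALIVE_PORT=80                              # default port from the manual
KEEPALIVE_INTERVAL=50                          # default interval (seconds) from the manual
TOLERANCE=10                                   # assumption: accept 40..60 s gaps (NAT/scheduling jitter)
MIN_PERIODIC_GAPS=2                            # assumption: two consecutive matching gaps = periodic

# Constructed sample flow log (not real traffic), one record per line:
#   <epoch seconds> <source IP> <destination host> <destination port> <protocol>
# Records are deliberately out of time order; the detector sorts them per source.
SAMPLE_FLOWS='1195887600 10.0.0.5 keepalive.se2.softether.com 80 tcp
1195887605 10.0.0.9 www.example.com 443 tcp
1195887700 10.0.0.5 keepalive.se2.softether.com 80 tcp
1195887612 10.0.0.9 keepalive.se2.softether.com 80 tcp
1195887650 10.0.0.5 keepalive.se2.softether.com 80 tcp
1195887700 10.0.0.7 keepalive.se2.softether.com 80 tcp
1195887750 10.0.0.5 keepalive.se2.softether.com 80 tcp
1195887752 10.0.0.7 keepalive.se2.softether.com 80 tcp
1195887801 10.0.0.7 keepalive.se2.softether.com 80 tcp
1195887820 10.0.0.9 keepalive.se2.softether.com 443 tcp'

# find_keepalive_beacons: reads flow records on stdin and prints
#   <source IP> <hits to keep-alive host:port> <gaps within interval +/- tolerance>
# for every source with at least MIN_PERIODIC_GAPS such gaps, sorted by source.
find_keepalive_beacons() {
    awk -v host="$KEEPALIVE_HOST" -v port="$KEEPALIVE_PORT" \
        -v interval="$KEEPALIVE_INTERVAL" -v tol="$TOLERANCE" \
        -v min="$MIN_PERIODIC_GAPS" '
    # Collect timestamps of matching flows per source. The protocol column is
    # ignored because the client options allow switching the keep-alive to UDP.
    $3 == host && $4 == port { ts[$2] = ts[$2] " " $1 }
    END {
        for (src in ts) {
            n = split(ts[src], t, " ")
            # insertion sort so gaps are computed between consecutive hits
            for (i = 2; i <= n; i++) {
                v = t[i] + 0; j = i - 1
                while (j >= 1 && t[j] + 0 > v) { t[j + 1] = t[j]; j-- }
                t[j + 1] = v
            }
            periodic = 0
            for (i = 2; i <= n; i++) {
                gap = t[i] - t[i - 1]
                if (gap >= interval - tol && gap <= interval + tol) periodic++
            }
            if (periodic >= min) printf "%s %d %d\n", src, n, periodic
        }
    }' | sort
}

# Stand-alone demonstration on the constructed log.
printf '%s\n' "$SAMPLE_FLOWS" | find_keepalive_beacons
```

On the constructed log, 10.0.0.5 (four hits, three 50 second gaps) and 10.0.0.7 (three hits, gaps of 52 and 49 seconds) are reported; 10.0.0.9 is not, because its one connection to port 80 and one to port 443 never form a periodic series. Hosts found this way are candidates to check against the installed-software inventory, and the same pattern is what to expect to disappear if the function is disabled in the VPN Client options.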


Figure 4-9-2 VPN Client Options Window

4.9.3 Voice Guide Function

PacketiX VPN Client Manager has a voice guide function that explains operations by
voice and reads messages aloud. However, this voice guide function is not a substitute
for commercial screen-reader software for visually impaired users.

The voice guide function is disabled by default. To enable it, open [Voice] on VPN
Client Manager and select [Normal Voice Guide] or [Extension Voice Guide]. Parts of
the Extension Voice Guide may not operate accurately.

4.9.4 Translucent Window Function

You can use the translucent window function for the PacketiX VPN Client Manager window
on Windows 2000 / XP / Server 2003.

To use the function, open [Optional Settings] on the [Tools] menu of VPN Client Manager,
check [window transparency], and specify the transparency. The transparency cannot be
set lower than 20 percent.

Figure 4-9-3 Connection Setting Window When Setting Lock Function is Enabled

4.9.5 Setting Lock Function

When the setting lock function is enabled, the user can connect to VPN Server using a
connection setting registered in PacketiX VPN Client and terminate a connected VPN
session, but the user cannot change or delete an existing connection setting or create a
connection setting.

In addition, this function can be locked with a password, preventing the user from
unlocking it without the correct password.

For example, the system administrator can set up the connection setting for the
company VPN server on the computers of the end users and then enable the setting lock
function, preventing the end users from accidentally or intentionally connecting to a
different destination VPN server, and thereby reduce management costs and security
risk.

Even with the setting lock function enabled, changes can be made to user
authentication-related settings of an existing connection setting and settings for
connecting via a proxy server.

To enable the setting lock function, click [Change Operation Mode] on the [Tool] menu
of VPN Client Manager, check the box next to [Use Setting Lock Function], and click
[OK].


Figure 4-9-4 Connection Setting Window When Setting Lock Function is Enabled

4.9.6 Simple Mode and Normal Mode

By default, PacketiX VPN Client Manager operates in normal mode, but you can also
switch this to simple mode.

When the operation mode of PacketiX VPN Client Manager is set to simple mode, the
display of the PacketiX VPN Client Manager window is simplified.

This allows beginning users of VPN client software to easily connect to or disconnect
from the VPN simply by double-clicking the desired VPN server.


Figure 4-9-3 Operating VPN Client in Simple Mode


Chapter 5 PacketiX VPN Bridge 2.0 Manual

PacketiX VPN Bridge is software that allows you to cascade-connect to a Virtual HUB of
PacketiX VPN Server operating at a remote location and create a Layer-2 bridge
connection between that VPN connection and a physical network adapter on a computer
running PacketiX VPN Bridge. PacketiX VPN Bridge is the ideal software for a computer
connected to a remote base LAN when you want to connect the remote base LAN to a
VPN configured with PacketiX VPN Server (namely, a Virtual HUB on a PacketiX VPN
Server).

This chapter describes the functions of PacketiX VPN Bridge and how to use the
functions.

PacketiX VPN Bridge is provided as a free software product. To use all of its functions at
no cost, you must agree to the end-user license agreement.

5.1 Operating Environment
5.1.1 Support for Windows
5.1.2 Support for Linux
5.1.3 Support for FreeBSD
5.1.4 Support for Solaris
5.1.5 Support for Mac OS X
5.1.6 Support for Embedded Devices
5.1.7 Limitations
5.2 Operating Modes
5.2.1 Service Mode
5.2.2 User Mode
5.3 Differences between VPN Server and VPN Bridge
5.3.1 Features and Usage of VPN Bridge
5.3.2 Virtual HUB on VPN Bridge
5.3.3 Cascade Connection Function on VPN Bridge
5.3.4 Receiving a Connection on VPN Bridge
5.3.5 Local Bridge Function on VPN Bridge
5.3.6 SecureNAT Function on VPN Bridge
5.3.7 Virtual Layer 3 Switch Function on VPN Bridge
5.3.8 Coexistence of VPN Bridge and VPN Server


5.1 Operating Environment


The PacketiX VPN Bridge supports many platforms and operating systems. Please refer
to 「12.3 PacketiX VPN Bridge 2.0 Specs」 for specifications on compatible operating
systems.

5.1.1 Support for Windows

The PacketiX VPN Bridge supports the Microsoft Windows platform. Support is provided
for Windows NT 4.0 and the NT kernel-based platforms from Windows 2000 onwards, and
also for the legacy systems Windows 98 and Windows Millennium Edition, although the
PacketiX VPN Bridge may only be operable on these legacy systems in some cases.

When developing the PacketiX VPN Bridge, SoftEther Corporation develops the programs
and performs basic debugging and optimization on a Windows platform and then ports
the result to other operating systems. As a result, the performance of the Windows
version on the Windows kernel scheduler and network protocol stack is equivalent to or
slightly better than that of the Linux version, and matches or exceeds the performance
of the UNIX versions. Using the Windows version of the PacketiX VPN Bridge also allows
VPN Bridge operation with the fewest limitations.

In addition, while specific software may not work properly for Linux and other UNIX
operating systems depending on the kernel version and differences between the
distribution and various library systems, Windows operating systems guarantee a certain
degree of uniformity in terms of the operation of system APIs and user-mode libraries
such that the PacketiX VPN Bridge can operate safely on both old and new versions of
Windows.

Accordingly, SoftEther Corporation recommends using the PacketiX VPN Bridge on a
Windows platform where no other technical or cost issues are involved.

The Windows version PacketiX VPN Bridge is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

• x86

• x64 (AMD64 / EM64T)

PacketiX VPN Bridge 2.0 can be operated on either 32-bit or 64-bit (x64 version)
versions of Windows. For more information about support for 64-bit environments,
please refer to 「Chapter 12 PacketiX VPN Software Specification」 .

5.1.2 Support for Linux

The PacketiX VPN Bridge supports the Linux platform. It can be operated on Linux
kernel 2.4 or later.

The Linux platform is the next operating environment recommended by SoftEther
Corporation after Windows. The performance of the Linux kernel scheduler and
multithread library has improved considerably over past versions, and the network
protocol stack now rivals that of Windows in terms of reliability. Therefore, where
technical or policy issues make the use of Windows difficult, we recommend using the
PacketiX VPN Bridge on a Linux system. One particular advantage of a Linux system is
that the software license cost at installation is often lower than for Windows. The
Linux version of the PacketiX VPN Bridge also exhibits performance and functions
comparable with the Windows version.

Furthermore, the Linux operating system offers the benefit of supporting many types of
CPUs compared to the Windows OS. For this reason, the PacketiX VPN Bridge supports
many CPUs such as those listed below. Apart from common computers, Linux may also
be installed on embedded devices (NASs, routers, HDD recorders etc) whose hardware
adopts a CPU aimed at such devices other than the x86. The PacketiX VPN Bridge can
also operate on these types of hardware.

The Linux version PacketiX VPN Bridge is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

• x86

• x64 (AMD64 / EM64T)

• PowerPC (32-bit mode)

• SH4 (32-bit mode)

• MIPS (32-bit mode)

PacketiX VPN Bridge 2.0 can be operated on either 32-bit or 64-bit (x64 version)
versions of Linux. For more information about support for 64-bit environments, please
refer to 「Chapter 12 PacketiX VPN Software Specification」 .

5.1.3 Support for FreeBSD

The PacketiX VPN Bridge supports the FreeBSD platform. It is operable on FreeBSD 5.x
or later.

While the PacketiX VPN Bridge can perform sufficiently on the FreeBSD platform, there
is the disadvantage of not being able to use the local bridge connection function. On the
whole, using the PacketiX VPN Bridge on FreeBSD does not pose any problems when
the user does not intend to utilize the local bridge function.

The FreeBSD version PacketiX VPN Bridge is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

• x86

• x64 (AMD64 / EM64T)

PacketiX VPN Bridge 2.0 can be operated on either 32-bit or 64-bit (x64 version)
versions of FreeBSD. For more information about support for 64-bit environments,
please refer to 「Chapter 12 PacketiX VPN Software Specification」 .

5.1.4 Support for Solaris

The PacketiX VPN Bridge supports the Sun Microsystems Solaris platform. It can be
operated on Solaris 8 or later.

The PacketiX VPN Bridge can deliver sufficient performance on the Solaris platform.
Additionally, the local bridge connection function can be used on Build 5220 or later
of the Solaris version of PacketiX VPN Server 2.0 / VPN Bridge 2.0. This has enabled the
Solaris OS to realize VPN Server / VPN Bridge functionality comparable to that of the
Windows or Linux operating systems.

Also, because the Solaris OS operates on hardware using SPARC CPUs, companies
possessing this special hardware can effectively utilize their resources as VPN bridges
by running the PacketiX VPN Bridge on said hardware.

Due to a lack of test hardware, SoftEther Corporation has not carried out testing of the
PacketiX VPN Bridge for all CPU types and versions of the Solaris OS. We therefore
recommend using the latest possible version of the Solaris operating system to best
ensure operation.

The Solaris version PacketiX VPN Bridge is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

• x86

• x64 (AMD64 / EM64T)

• SPARC (32-bit mode)

• SPARC (64-bit mode)

PacketiX VPN Bridge 2.0 can be operated on either 32-bit or 64-bit (x64 or SPARCv9)
versions of Solaris. For more information about support for 64-bit environments, please
refer to 「Chapter 12 PacketiX VPN Software Specification」 .

5.1.5 Support for Mac OS X

The PacketiX VPN Bridge supports the Mac OS X platform. It can be operated on Darwin
7.9.0 or later.

While the PacketiX VPN Bridge can perform sufficiently on the Mac OS X platform, there
is the disadvantage of not being able to use the local bridge connection function. On the
whole, using the PacketiX VPN Bridge on Mac OS X does not pose any problems when
the user does not intend to utilize the local bridge function. Multithread library
performance on the Mac OS X may be inferior to that of other operating systems, so we
recommend using other OSs when the PacketiX VPN Bridge is to be used in a high load
environment.

The Mac OS X version PacketiX VPN Bridge is compatible with the following system
architectures. Note that there is a high likelihood that compliant architectures will
increase in the future.

• PowerPC (32-bit mode)

5.1.6 Support for Embedded Devices

The PacketiX VPN Bridge features highly portable, memory-saving software programming
code and can therefore be embedded in hardware devices such as hardware routers,
Layer 3 and Layer 2 switches, wireless LAN devices, digital consumer electronics and
miniature computers in automobiles and the like, provided that said hardware devices
satisfy the operational requirements. See 「1.3.8 64-bit version of PacketiX VPN Server
2.0」 for details.

Embedding the PacketiX VPN Bridge into various devices in the future would
theoretically ensure interconnectivity and communication between these devices via the
common PacketiX VPN protocol, thus enabling not only computer users but also
consumers in general to use the PacketiX VPN intuitively.

5.1.7 Limitations

A number of operating system limitations exist for the PacketiX VPN Bridge. While these
limitations may be described in other areas of this manual, it is also possible that other
technically difficult OS and hardware architecture-dependent issues may exist. Moreover,
SoftEther Corporation does not guarantee the operational stability of the PacketiX VPN
Bridge on all operating systems. Please refer to 「12.3 PacketiX VPN Bridge 2.0 Specs」
for details on our recommended operating systems and system configurations.


5.2 Operating Modes

The user can operate the PacketiX VPN Bridge in two modes: Service Mode and User
Mode. Below is an explanation of these two modes.

5.2.1 Service Mode

Service Mode is the normal operating mode. Installing and operating the PacketiX VPN
Bridge in Service Mode causes it to run in the background as a part of the OS, start when
the OS starts, before any user logs in, and wait as the VPN Bridge for VPN session
connections. In addition, the process shuts down automatically when the operating
system shuts down.

The word "service" here refers to a background system service in Windows and some
UNIX operating systems and is sometimes referred to as a daemon in other operating
systems.

When the VPN Bridge is operating in Service Mode, its operation does not depend on
which users are logged onto the operating system. That is why we recommend running
the VPN Bridge in Service Mode on most occasions.

When using the VPN Bridge in Service Mode, the VPN Bridge process (executable file
name vpnbridge) typically runs with system or root authority.

The executable file name for the 32-bit Windows version PacketiX VPN Bridge is
"vpnbridge.exe", while the file name for the 64-bit version is "vpnbridge_x64.exe".
The description in this manual assumes use of the 32-bit version, so please apply the
relevant changes in the case of the 64-bit version.

Installing the VPN Bridge in Service Mode

The method for installing the VPN Bridge in Service Mode on the Windows version
differs to that of other UNIX versions.

• Installing the Windows version PacketiX VPN Bridge from the installer results in the
installation of the Service Mode and automatic initiation of its operation as a
background service. For details, please refer to 「7.2 Installing to Windows and
Configuring the Default Settings」 .

• In order to install the PacketiX VPN Bridge in Service Mode on the Linux version or
other UNIX versions, it is necessary to register it on the system as a daemon process.
For details, please refer to 「7.3 Installing to Linux and Configuring the Default
Settings」 .

Service Mode cannot be used in the following situations, in which case the VPN Bridge
should be used in User Mode.

• When the user does not have System Administrator authority on the system on which
the PacketiX VPN Bridge is to operate.

• When the user wishes to install and use the PacketiX VPN Bridge temporarily rather
than continuously.

• When the user wishes to launch the PacketiX VPN Bridge with general user authority
for security reasons.

Service Mode for Windows Version PacketiX VPN Bridge

We recommend using the installer when installing the Windows version VPN Bridge in
Service Mode. This method automatically launches and runs the VPN Bridge as a service
without the need for any special operation by the user. Even if the system is rebooted,
the VPN Bridge automatically begins operating upon system start-up. Because the
VPN Bridge is launched as a background task, the computer on which it is installed can
be used for other tasks without the user having to be aware of the VPN Bridge's
presence.

In addition, the Windows version PacketiX VPN Bridge service can be started or
stopped by attaching the relevant command line argument to the executable file
name (vpnbridge.exe), or can be removed from or re-registered with the Windows
system via the Windows system service list.

The short service name of the PacketiX VPN Bridge service registered on the
Windows system is "vpnbridge" and the long service name is "PacketiX VPN Bridge".

In order to register vpnbridge.exe as a service when the PacketiX VPN Bridge service is
not currently installed on the Windows system, enter the following at the command
prompt to execute vpnbridge.exe (System Administrator authority is required).

> vpnbridge /install

To delete the PacketiX VPN Bridge service when it is already installed on the Windows
system, enter the following at the command prompt to execute vpnbridge.exe (System
Administrator authority is required).

> vpnbridge /uninstall

Furthermore, attaching the /start or /stop argument starts or stops the service. For
details on other arguments which can be designated in the vpnbridge program, please
refer to the message box which appears when directly executing vpnbridge.exe.

The service can also be started and stopped by accessing [Control Panel] >
[Administrative Tools] > [Services] (or [Control Panel] > [Services] in the case of
Windows NT 4.0). It is possible to change the service from [Automatic] to [Manual]
startup by selecting PacketiX VPN Bridge from the [Services] list, then opening
[Startup type]. Changing the startup type to [Manual] means that the service does not
launch automatically on startup, and does not operate until started by a user with
Administrator authority.

It is also possible to start and stop the PacketiX VPN Bridge service using the net
command. Enter net start vpnbridge to start the service, and net stop vpnbridge to
terminate the service.

PacketiX VPN Bridge emulates the service system of Windows NT or later when operating
on an older OS. There may be some limitations in this case, such as the process
terminating when the user logs off.

Fig. 5-2-1 PacketiX VPN Bridge registered as a service

Service Mode for UNIX Version PacketiX VPN Bridge


Please refer to 「7.3 Installing to Linux and Configuring the Default Settings」 for
details on installing and launching the Linux and other UNIX versions of the PacketiX
VPN Bridge in Service Mode.

5.2.2 User Mode

User Mode is a special type of operating mode. Operating the PacketiX VPN Bridge in
User Mode causes the PacketiX VPN Bridge to run in the background as a user process.
To operate the PacketiX VPN Bridge in User Mode, it is necessary to log onto the system
as a user and launch the vpnbridge executable file each time the server is launched.
Operations may differ depending on the operating system as described below.


• Launching the VPN Bridge in User Mode on the Windows OS results in the server
process running in the background only while the user is logged on, and the process
terminates at the same time that the user logs off.

• Launching the VPN Bridge in User Mode on a UNIX OS results in the VPN Bridge's
server process creating a child process at that time and running it in the background,
thereby separating the process from the user session. Consequently, the VPN Bridge
process remains operational on the OS even if the user logs off, and continues running
until the system is shut down or rebooted.

User Mode for Windows Version PacketiX VPN Bridge

To launch the Windows version VPN Bridge in User Mode, attach the [/usermode]
option to the vpnbridge.exe executable file and then launch it.

> vpnbridge /usermode

Once the launch is complete, an icon appears in the task tray and the VPN Bridge is
running in User Mode. In this mode, the VPN Bridge program operates as one that can be
executed with general user authority, similar to other application programs running in
user mode (such as Word, Calculator and so on). That is why no System Administrator
authority whatsoever is required to launch the VPN Bridge in User Mode. However, the
VPN Bridge process also terminates at the same time that the user logs off. We
recommend saving the command line with the /usermode option as a shortcut on the
desktop, or placing it in the [Startup] folder, to make frequent launching of the VPN
Bridge in User Mode easier.

Fig. 5-2-2 PacketiX VPN Bridge launched in User Mode

To terminate the User Mode once it has been launched, right click on the icon in the task
tray and select [Exit PacketiX VPN Bridge].

Furthermore, clicking [Hide task tray icon] hides the icon in the task tray display. This
function is useful when the VPN Bridge is regularly launched in User Mode and the icon
display becomes a hindrance. Note, however, that the VPN Bridge cannot be terminated
from the menu when the task tray icon is hidden. In this case, press the Ctrl + Alt + Del
keys to open the Task Manager and end the vpnbridge.exe process. When launching
vpnbridge.exe the next time in User Mode, the task tray icon can be restored by
attaching the /usermode_showtray option.

Fig. 5-2-3 Hide task tray icon menu


When using the PacketiX VPN Bridge, operating it in User Mode with general user
authority, rather than registering it as a system service running with System
Administrator authority, may enhance security. Launching the PacketiX VPN Bridge in
User Mode may, however, make the local bridge function unavailable.

User Mode for Unix Version PacketiX VPN Bridge

To launch the VPN Bridge in User Mode on UNIX systems including Linux, rather than
registering the vpnbridge executable file in the system as a daemon, attach the start
argument on the command line as shown below, as if launching a normal application
command (such as ls, cat, etc.), and launch vpnbridge.

$ ./vpnbridge start
PacketiX VPN Bridge Service Started.
$

If control returns to the shell after the message [PacketiX VPN Bridge Service Started.]
is output, this means that the VPN Bridge was properly launched in User Mode. To
terminate the VPN Bridge once it has been launched, attach the stop argument and
launch the vpnbridge as follows.

$ ./vpnbridge stop
PacketiX VPN Bridge Service Stopped.
$

When the VPN Bridge is launched on UNIX in User Mode, the process operates and
becomes a background process with that user's authority. Therefore, the vpnbridge
process continues to operate even if the user logs out or disconnects the SSH
connection. The process continues to operate until the system is rebooted or until the
process is forcibly terminated by root.

As described in 「7.3 Installing to Linux and Configuring the Default Settings」 ,
daemonizing and using the vpnbridge process in UNIX operating systems is simply a
matter of registering it so that the operating system's startup script calls
vpnbridge start. Even when running the VPN Bridge in Service Mode, something
equivalent to the procedure described here is automatically performed by the system with
root authority, so there is fundamentally no difference. Accordingly, the items described
below also apply generally to the daemonized VPN Bridge.

As shown below, the vpnbridge process is launched in two stages on the UNIX version
VPN Bridge. First, a process named execsvc is launched as a background process, after
which that process creates a child process using the fork() system call, and this
child process carries out the actual VPN processing. The parent process (process ID 1549
in the example below) constantly monitors the child process (process ID 1550 in the
example below) and, in the event that an abnormal error occurs, immediately terminates
the child and launches it again to attempt recovery (see 「3.3.12 Failure Recovery」
for details). The example below was actually run on a particular Linux system, so it may
not appear the same on different Linux or other operating systems. In addition, on
versions with old Linux kernels (i.e. versions without native thread support) multiple
threads are displayed as multiple processes, so the vpnbridge processes shown may be
more than those in the example below; this is a display issue and operation is in fact
normal.

$ ps auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
neko 1549 0.0 0.8 5188 560 ? S< Nov24 0:00 /tmp/vpnbridge execsvc
neko 1550 0.0 4.0 11888 2520 ? S< Nov24 0:08 \_ /tmp/vpnbridge execsvc

Although it only occurs rarely, in the event that the VPN Bridge process launched in
User Mode goes out of control for some reason such as a hardware malfunction or a
memory shortage and cannot be stopped by vpnbridge stop, first forcibly terminate the
parent vpnbridge process (process ID 1549 in the example above) by sending it a signal
with kill -KILL, then forcibly terminate the remaining process (process ID 1550 in the
example above) by sending it a signal with kill -KILL. Forcibly terminating the child
process first may cause the parent process to determine that the child process
terminated abnormally and launch it again. Depending on the system, killall -KILL
vpnbridge may enable the simultaneous termination of all vpnbridge processes.

Moreover, when vpnbridge receives the TERM signal (the normal termination request
signal), it performs termination processing properly.
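The order matters because the execsvc parent is a supervisor: kill the child first and the parent respawns it. The following is an added example, not code from the manual or from SoftEther, that scripts the escalation described above for a user-mode instance: try vpnbridge stop, then TERM (which vpnbridge handles cleanly), then KILL, always taking supervisors before children. It assumes that `ps -o pid,ppid,comm` reports the executable basename as `vpnbridge` (as on Linux) and that the user-mode instance belongs to the invoking user, which is why the process list is restricted to that user. The process table shown is constructed, not real output.

```shell
#!/bin/sh
# Added example (not part of the PacketiX manual): stop a user-mode vpnbridge on
# UNIX, escalating from "vpnbridge stop" to TERM and finally KILL, and always taking
# the supervising execsvc parent before its child so the parent cannot respawn it.

# Constructed sample in the shape of `ps -o pid,ppid,comm` (not real output):
# two independent vpnbridge instances, each a supervisor (parent 1) with one child.
SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
 1549     1 vpnbridge
 1550  1549 vpnbridge
 2203     1 bash
 3001     1 vpnbridge
 3002  3001 vpnbridge'

# order_vpnbridge_pids: reads "PID PPID COMMAND" lines on stdin and prints the PIDs
# of all vpnbridge processes, supervisors (parent is not a vpnbridge) first, then
# children (including threads that old kernels show as processes), each group in
# ascending PID order. This is the kill order the manual requires.
order_vpnbridge_pids() {
    awk '
    $3 == "vpnbridge" { pid[$1] = 1; ppid[$1] = $2 }
    END {
        for (p in pid) {
            rank = (ppid[p] in pid) ? 1 : 0   # 0 = supervisor, 1 = child
            printf "%d %d\n", rank, p
        }
    }' | sort -k1,1n -k2,2n | cut -d" " -f2
}

# list_own_processes: only the invoking user's processes, so a service-mode
# instance running as root on the same machine is never touched.
list_own_processes() {
    ps -u "$(id -un)" -o pid,ppid,comm
}

# stop_vpnbridge_usermode [path-to-vpnbridge] [grace-seconds]
# Returns 0 when no vpnbridge process of this user remains.
stop_vpnbridge_usermode() {
    bridge="${1:-./vpnbridge}"
    grace="${2:-5}"
    # 1. The normal stop from the manual.
    if "$bridge" stop >/dev/null 2>&1; then
        return 0
    fi
    pids=$(list_own_processes | order_vpnbridge_pids)
    [ -n "$pids" ] || return 0
    # 2. Polite termination, supervisor first so it does not restart the child.
    for p in $pids; do
        kill -TERM "$p" 2>/dev/null || true
    done
    sleep "$grace"
    # 3. Whatever survived gets KILL, again supervisor before child.
    for p in $(list_own_processes | order_vpnbridge_pids); do
        kill -KILL "$p" 2>/dev/null || true
    done
    [ -z "$(list_own_processes | order_vpnbridge_pids)" ]
}

# Stand-alone demonstration: the kill order for the constructed process table.
printf '%s\n' "$SAMPLE_PS" | order_vpnbridge_pids
```

For the constructed table the order is 1549, 3001, 1550, 3002: both supervisors go before either child. Running stop_vpnbridge_usermode as the user who launched the bridge is the script's intended use; it never needs root, which matches the point of User Mode.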

On UNIX operating systems, processes running with general user authority are not
permitted to listen on TCP/IP ports with a port number less than 1024. That is why
TCP/IP listener ports with a port number less than 1024 cannot be opened when
operating the PacketiX VPN Bridge in User Mode with general user authority rather than
registering it as a system service with System Administrator authority. Please note that
although the PacketiX VPN Bridge attempts to open the three ports 443, 992 and 8888
as listener ports by default, operating it in User Mode means that only port 8888 goes
into listen mode. Additionally, launching the PacketiX VPN Bridge in User Mode may
make the local bridge function unavailable.


5.3 Differences between VPN Server and VPN Bridge

PacketiX VPN Bridge is a software product for creating a connection (bridge) between a
Virtual HUB at a remote location and a physical network adapter, minus some of the
functions of PacketiX VPN Server. With the exception of the differences noted here, the
descriptions of PacketiX VPN Server in 「Chapter 3 PacketiX VPN Server 2.0 Manual」
can be used to understand the use, principles of operation, and management of PacketiX
VPN Bridge. For the detailed setup method of PacketiX VPN Bridge, refer to that chapter
while replacing all descriptions of VPN Server with VPN Bridge and vpnserver with
vpnbridge.

5.3.1 Features and Usage of VPN Bridge

VPN Server and VPN Bridge


PacketiX VPN Server, described in 「Chapter 3 PacketiX VPN Server 2.0 Manual」, is a
software product that provides VPN server functions to VPN client computers. It allows
several Virtual HUBs to be placed on a single VPN Server, so that VPN Client or VPN
Bridge can establish a VPN connection to a Virtual HUB over the network from a remote
location. It also connects a virtual network to a physical network through the local
bridge function (see 「3.6 Local Bridges」) and the SecureNAT function (see 「3.7
Virtual NAT & Virtual DHCP Servers」), which link a Virtual HUB on VPN Server to a
physical network adapter on the computer running VPN Server.

VPN Bridge lacks the following functions of VPN Server:

Function for receiving a VPN connection (as a VPN server) and associated functions

Function for creating several Virtual HUBs

Virtual Layer 3 switching function

Packet filtering function using the access list

Technical Positioning of VPN Bridge

Technically, PacketiX VPN Bridge is a program optimized for bridging a base (site)
LAN: it omits the VPN Server functions of accepting connections from PacketiX VPN
Client or from a PacketiX VPN Server on another computer and of creating multiple
Virtual HUBs. When PacketiX VPN Bridge is installed, a single Virtual HUB named
"BRIDGE" is created. The network administrator creates a local bridge between the base
LAN and this Virtual HUB and then connects it to the Virtual HUB on the destination
PacketiX VPN Server.

VPN Bridge Applications and Usage

VPN Bridge is optimized for use of the two functions for creating a cascade connection to
VPN Server and creating a bridge with a physical network using a local bridge
connection, and nearly all other extra functions have been eliminated.

You can make effective use of VPN Bridge, for example, by placing a Virtual HUB on an
existing VPN Server at the head office, installing VPN Bridge to the base LAN at each
branch to be connected to the Virtual HUB, and creating a VPN configured to remain
constantly connected to the head office network over the Internet.

Number of VPN Server and VPN Bridge Computers Generally Required


To create a VPN connecting multiple bases on a general scale, as described in 「10.5
Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 and 「10.6 Setting Up a
LAN-to-LAN VPN (Using IP Routing)」, install VPN Server at one base, install VPN Bridge
at the other bases, and create a cascade connection from the Virtual HUB of VPN Bridge
to the Virtual HUB of VPN Server, while at the same time creating a local bridge
connection between the Virtual HUB and physical network adapter at each base.

In this case, VPN Bridge must be installed on one fewer computer than the total number
of bases connected to VPN Server. In general, to establish a peer VPN between N bases,
run VPN Bridge on N-1 computers and connect them to one VPN Server computer.

Figure 5-3-1 Connecting VPN Server and VPN Bridge at Each Base

Configuration File Name


The configuration file name in VPN Server is vpn_server.config, but in VPN Bridge, the
name is vpn_bridge.config.

5.3.2 Virtual HUB on VPN Bridge

Only one Virtual HUB can exist in the program on VPN Bridge. The name of that Virtual
HUB is fixed to "BRIDGE".

Figure 5-3-2 Virtual HUB with the Name "BRIDGE"

VPN Bridge is managed with VPN Server Manager or the vpncmd utility in the same way as
VPN Server, except that only the "BRIDGE" Virtual HUB is available.

By connecting the "BRIDGE" Virtual HUB to a network adapter physically attached to the
computer with the local bridge function, you join the "BRIDGE" Virtual HUB and the
physical network into one segment. Then, by creating a cascade connection from the
"BRIDGE" Virtual HUB and configuring it to stay connected to the desired VPN Server, a
VPN connection between the bases can be created easily.

5.3.3 Cascade Connection Function on VPN Bridge

The Virtual HUB of VPN Bridge can be cascade-connected to a Virtual HUB operating on a
separate computer in the same way as a Virtual HUB of VPN Server. For more
information about cascade connections, please refer to 「3.4.11 Cascade Connection
Functions」 .

Because the Virtual HUB of VPN Bridge cannot receive a VPN connection, it is
meaningless if VPN Bridge does not cascade-connect to an external VPN Server. When
using VPN Bridge, be sure to use the cascade connection function.

Figure 5-3-3 Cascade Connection Function on VPN Bridge

5.3.4 Receiving a Connection on VPN Bridge

Unlike VPN Server, VPN Bridge does not have a function for receiving a VPN connection.
PacketiX VPN Server is the only product in the PacketiX VPN software series with a
function for receiving a VPN connection, namely a VPN server function.

However, VPN Bridge is similar to VPN Server in that it has a TCP/IP listener port. By
default, the three enabled TCP/IP listener ports are 443, 992, and 8888, the same as
those on VPN Server. These TCP/IP listener ports are required for management
connection from a local or remote client to VPN Bridge using VPN Server Manager or the
vpncmd utility.
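Two checks a practitioner would want around the listener ports, following from the privileged-port rule in 5.2 (only 8888 comes up in User Mode) and from the fact stated here that on VPN Bridge these ports carry nothing but management connections: which of the default listener ports the current user can actually open (and which are already taken by another service), and which of them are bound on all interfaces and therefore reachable as management endpoints from the network. This is an added example, not code from the manual or from the PacketiX VPN product. It assumes a Linux /proc/net/tcp socket table on a little-endian host, takes the table as a file path so a saved copy can be checked, and the function names and the sample table are the example's own.

```shell
#!/bin/sh
# Added example, not from the PacketiX manual or product: preflight and exposure
# checks for the vpnbridge listener ports (443, 992 and 8888 by default).
# Assumptions: a Linux /proc/net/tcp table on a little-endian host (x86/x86-64),
# passed in as a file path so that a saved copy of the table can be checked too.

# Print "ip port" for every IPv4 socket in LISTEN state (st == 0A) in table $1.
listening_sockets_from_proc() {
    tail -n +2 "$1" | while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue
        hexip="${laddr%%:*}"
        hexport="${laddr##*:}"
        # The kernel writes the address in host byte order, so on a
        # little-endian host the last hex pair is the first octet.
        o1=$(printf '%s' "$hexip" | cut -c7-8)
        o2=$(printf '%s' "$hexip" | cut -c5-6)
        o3=$(printf '%s' "$hexip" | cut -c3-4)
        o4=$(printf '%s' "$hexip" | cut -c1-2)
        printf '%d.%d.%d.%d %d\n' "0x$o1" "0x$o2" "0x$o3" "0x$o4" "0x$hexport"
    done
}

# For each port in $3.. print "<port> <status>", where status is "ok" or a
# comma-separated combination of:
#   privileged   - below 1024 while UID $1 is not root: in User Mode vpnbridge
#                  cannot put this port into listen mode (only 8888 comes up)
#   in-use:<ip>  - some socket already listens on the port at that address
vpnbridge_listener_preflight() {
    uid="$1"; table="$2"; shift 2
    listeners=$(listening_sockets_from_proc "$table")
    for port in "$@"; do
        status=""
        if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
            status="privileged"
        fi
        owner=$(printf '%s\n' "$listeners" | awk -v p="$port" '$2 == p { print $1; exit }')
        if [ -n "$owner" ]; then
            status="${status:+$status,}in-use:$owner"
        fi
        printf '%s %s\n' "$port" "${status:-ok}"
    done
}

# Print those of the ports $2.. that listen on all interfaces (0.0.0.0).  On a
# VPN Bridge these ports carry nothing but management connections, so every
# port listed here is a management endpoint reachable from the network.
exposed_management_listeners() {
    table="$1"; shift
    listening_sockets_from_proc "$table" | while read -r ip port; do
        if [ "$ip" = "0.0.0.0" ]; then
            for want in "$@"; do
                if [ "$port" -eq "$want" ]; then
                    printf '%s\n' "$port"
                fi
            done
        fi
    done
}

# Constructed sample table (not captured from a real host): 443 already held
# by another service on all interfaces, 992 listening on loopback only, and
# 8888 present only as an ESTABLISHED (st 01) connection.
write_sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:03E0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:22B8 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 20 4 30 10 -1
EOF
}

# Demo on the constructed table as a non-root user; on a real host run
#   vpnbridge_listener_preflight "$(id -u)" /proc/net/tcp 443 992 8888
#   exposed_management_listeners /proc/net/tcp 443 992 8888
sample=$(mktemp)
write_sample_table > "$sample"
vpnbridge_listener_preflight 1000 "$sample" 443 992 8888
echo "listening on all interfaces:"
exposed_management_listeners "$sample" 443 992 8888
rm -f "$sample"
```

On the sample table the preflight reports 443 and 992 as privileged and already in use and 8888 as ok, which is exactly the User Mode outcome the manual describes; the exposure check lists 443 because it is the only one of the three bound to 0.0.0.0. Remote management through these ports is a supported use, so the second check is a reporting aid for deciding which of them should stay reachable from the network rather than a verdict.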


Figure 5-3-4 Management Connection to VPN Bridge

5.3.5 Local Bridge Function on VPN Bridge

A local bridge connection can be configured between the "BRIDGE" Virtual HUB on VPN
Bridge and a physical network adapter on the computer running VPN Bridge. With this
function, the Virtual HUB of VPN Bridge is connected at Layer 2 to the existing network
at the base, so VPN Bridge acts as a bridge.

The method for setting up a local bridge is the same as that for VPN Server. For details,
please refer to 「3.6 Local Bridges」 .

Please note that the local bridge function is not available in VPN Bridge for operating
systems other than Windows, Linux, or Solaris. Therefore, VPN Bridge is not very useful
on operating systems other than Windows, Linux, or Solaris. However, the SecureNAT
function can be used.


Figure 5-3-5 Local Bridge Setup Window in VPN Bridge

5.3.6 SecureNAT Function on VPN Bridge

The "BRIDGE" Virtual HUB on VPN Bridge has a virtual NAT function using SecureNAT
and a virtual DHCP server function similar to those of VPN Server. You can enable these
functions when necessary. For information about using these functions, please refer to
「3.7 Virtual NAT & Virtual DHCP Servers」 .

For examples of how to use PacketiX VPN with the SecureNAT function of VPN Bridge,
please refer to 「10.11 Using SecureNAT to Set Up a Remote Access VPN With No
Administrator Rights」 .

5.3.7 Virtual Layer 3 Switch Function on VPN Bridge

Because VPN Bridge only has one Virtual HUB, a virtual Layer 3 switch is meaningless.
Therefore, the virtual Layer 3 switch function has been eliminated in VPN Bridge and
cannot be used.

5.3.8 Coexistence of VPN Bridge and VPN Server

Users new to PacketiX VPN often make the mistake of installing both VPN Server and VPN
Bridge on the same computer, which causes the two to conflict. Just as VPN Server and
VPN Bridge are described separately in this manual, there is no reason to install both
on the same computer.

Because VPN Server has a function for creating a local bridge between a Virtual HUB and
a physical network, the Virtual HUB of VPN Server can be connected to a physical
network adapter using Layer 2 on VPN Server alone. To make this type of connection,
you do not need to use VPN Bridge.

Do not install VPN Server and VPN Bridge on the same computer.


Chapter 6 Command Line Management Utility Manual

PacketiX VPN comes with a command line management utility called "vpncmd". With vpncmd
you can perform from the command line the same management operations that are
available in the Windows-based GUI software, such as PacketiX VPN Server Manager or
PacketiX VPN Client Manager. This chapter describes how to use vpncmd and serves as a
reference for all vpncmd commands.

6.1 Overview of vpncmd


6.1.1 vpncmd
6.1.2 vpncmd Management Mode
6.2 General Usage of vpncmd
6.2.1 Command Input Rules
6.2.2 Command Help Display
6.2.3 Command Line Parameters When Starting a vpncmd Command
6.2.4 Batch Processing Mode
6.2.5 Saving a Log
6.2.6 vpncmd Process Return Values
6.2.7 Character Encoding
6.2.8 Calling vpncmd in Windows
6.2.9 Stand-Alone Installation of vpncmd
6.3 VPN Server / VPN Bridge Management Command Reference (For
Entire Server)
6.3.1 About - Display the version information
6.3.2 ServerInfoGet - Get server information
6.3.3 ServerStatusGet - Get Current Server Status
6.3.4 ListenerCreate - Create New TCP Listener
6.3.5 ListenerDelete - Delete TCP Listener
6.3.6 ListenerList - Get List of TCP Listeners
6.3.7 ListenerEnable - Begin TCP Listener Operation
6.3.8 ListenerDisable - Stop TCP Listener Operation
6.3.9 ServerPasswordSet - Set VPN Server Administrator Password
6.3.10 ClusterSettingGet - Get Clustering Configuration of Current VPN Server
6.3.11 ClusterSettingStandalone - Set VPN Server Type as Standalone
6.3.12 ClusterSettingController - Set VPN Server Type as Cluster Controller
6.3.13 ClusterSettingMember - Set VPN Server Type as Cluster Member
6.3.14 ClusterMemberList - Get List of Cluster Members
6.3.15 ClusterMemberInfoGet - Get Cluster Member Information
6.3.16 ClusterMemberCertGet - Get Cluster Member Certificate
6.3.17 ClusterConnectionStatusGet - Get Connection Status to Cluster Controller
6.3.18 ServerCertGet - Get SSL Certificate of VPN Server
6.3.19 ServerKeyGet - Get SSL Certificate Private Key of VPN Server
6.3.20 ServerCertSet - Set SSL Certificate and Private Key of VPN Server
6.3.21 ServerCipherGet - Get the Encrypted Algorithm Used for VPN
Communication.
6.3.22 ServerCipherSet - Set the Encrypted Algorithm Used for VPN
Communication.
6.3.23 KeepEnable - Enable the Keep Alive Internet Connection Function
6.3.24 KeepDisable - Disable the Keep Alive Internet Connection Function
6.3.25 KeepSet - Set the Keep Alive Internet Connection Function
6.3.26 KeepGet - Get the Keep Alive Internet Connection Function
6.3.27 SyslogEnable - Set syslog Send Function
6.3.28 SyslogDisable - Disable syslog Send Function
6.3.29 SyslogGet - Get syslog Send Function
6.3.30 ConnectionList - Get List of TCP Connections Connecting to the VPN Server
6.3.31 ConnectionGet - Get Information of TCP Connections Connecting to the VPN
Server
6.3.32 ConnectionDisconnect - Disconnect TCP Connections Connecting to the VPN
Server
6.3.33 BridgeDeviceList - Get List of Network Adapters Usable as Local Bridge
6.3.34 BridgeList - Get List of Local Bridge Connection
6.3.35 BridgeCreate - Create Local Bridge Connection
6.3.36 BridgeDelete - Delete Local Bridge Connection
6.3.37 Caps - Get List of Server Functions/Capability
6.3.38 Reboot - Reboot VPN Server Service
6.3.39 ConfigGet - Get the current configuration of the VPN Server
6.3.40 ConfigSet - Write Configuration File to VPN Server
6.3.41 RouterList - Get List of Virtual Layer 3 Switches
6.3.42 RouterAdd - Define New Virtual Layer 3 Switch
6.3.43 RouterDelete - Delete Virtual Layer 3 Switch
6.3.44 RouterStart - Start Virtual Layer 3 Switch Operation
6.3.45 RouterStop - Stop Virtual Layer 3 Switch Operation
6.3.46 RouterIfList - Get List of Interfaces Registered on the Virtual Layer 3
Switch
6.3.47 RouterIfAdd - Add Virtual Interface to Virtual Layer 3 Switch
6.3.48 RouterIfDel - Delete Virtual Interface of Virtual Layer 3 Switch
6.3.49 RouterTableList - Get List of Routing Tables of Virtual Layer 3 Switch
6.3.50 RouterTableAdd - Add Routing Table Entry for Virtual Layer 3 Switch
6.3.51 RouterTableDel - Delete Routing Table Entry of Virtual Layer 3 Switch
6.3.52 LogFileList - Get List of Log Files
6.3.53 LogFileGet - Download Log file
6.3.54 HubCreate - Create New Virtual HUB
6.3.55 HubCreateDynamic - Create New Dynamic Virtual HUB (For Clustering)
6.3.56 HubCreateStatic - Create New Static Virtual HUB (For Clustering)
6.3.57 HubDelete - Delete Virtual HUB
6.3.58 HubSetStatic - Change Virtual HUB Type to Static Virtual HUB
6.3.59 HubSetDynamic - Change Virtual HUB Type to Dynamic Virtual HUB
6.3.60 HubList - Get List of Virtual HUBs
6.3.61 Hub - Select Virtual HUB to Manage
6.3.62 LicenseAdd - Add License Key Registration
6.3.63 LicenseDel - Delete Registered License
6.3.64 LicenseList - Get List of Registered Licenses
6.3.65 LicenseStatus - Get License Status of Current VPN Server
6.3.66 MakeCert - Create New X.509 Certificate and Private Key
6.3.67 TrafficClient - Execute Communication Throughput Measurement Tool
Client
6.3.68 TrafficServer - Execute Communication Throughput Measurement Tool
Server
6.3.69 Check - Check if PacketiX VPN Operation is Possible
6.4 VPN Server / VPN Bridge Management Command Reference (For
Virtual HUB)
6.4.1 Online - Switch Virtual HUB to Online
6.4.2 Offline - Switch Virtual HUB to Offline
6.4.3 SetMaxSession - Set the Max Number of Concurrently Connected Sessions
for Virtual HUB
6.4.4 SetHubPassword - Set Virtual HUB Administrator Password
6.4.5 SetEnumAllow - Allow Enumeration by Virtual HUB Anonymous Users
6.4.6 SetEnumDeny - Deny Enumeration by Virtual HUB Anonymous Users
6.4.7 OptionsGet - Get Options Setting of Virtual HUBs
6.4.8 RadiusServerSet - Set RADIUS Server to use for User Authentication
6.4.9 RadiusServerDelete - Delete Setting to Use RADIUS Server for User
Authentication
6.4.10 RadiusServerGet - Get Setting of RADIUS Server Used for User
Authentication
6.4.11 StatusGet - Get Current Status of Virtual HUB
6.4.12 LogGet - Get Log Save Setting of Virtual HUB
6.4.13 LogEnable - Enable Security Log or Packet Log
6.4.14 LogDisable - Disable Security Log or Packet Log
6.4.15 LogSwitchSet - Set Log File Switch Cycle
6.4.16 LogPacketSaveType - Set Save Contents and Type of Packet to Save to
Packet Log
6.4.17 CAList - Get List of Trusted CA Certificates
6.4.18 CAAdd - Add Trusted CA Certificate
6.4.19 CADelete - Delete Trusted CA Certificate
6.4.20 CAGet - Get Trusted CA Certificate
6.4.21 CascadeList - Get List of Cascade Connections
6.4.22 CascadeCreate - Create New Cascade Connection
6.4.23 CascadeSet - Set the Destination for Cascade Connection
6.4.24 CascadeGet - Get the Cascade Connection Setting
6.4.25 CascadeDelete - Delete Cascade Connection Setting
6.4.26 CascadeUsernameSet - Set User Name to Use Connection of Cascade
Connection
6.4.27 CascadeAnonymousSet - Set User Authentication Type of Cascade
Connection to Anonymous Authentication
6.4.28 CascadePasswordSet - Set User Authentication Type of Cascade Connection
to Password Authentication
6.4.29 CascadeCertSet - Set User Authentication Type of Cascade Connection to
Client Certificate Authentication
6.4.30 CascadeCertGet - Get Client Certificate to Use for Cascade Connection
6.4.31 CascadeEncryptEnable - Enable Encryption when Communicating by
Cascade Connection
6.4.32 CascadeEncryptDisable - Disable Encryption when Communicating by
Cascade Connection
6.4.33 CascadeCompressEnable - Enable Data Compression when Communicating
by Cascade Connection
6.4.34 CascadeCompressDisable - Disable Data Compression when Communicating by Cascade Connection
6.4.35 CascadeProxyNone - Specify Direct TCP/IP Connection as the Connection Method of Cascade Connection
6.4.36 CascadeProxyHttp - Set Connection Method of Cascade Connection to be via an HTTP Proxy Server
6.4.37 CascadeProxySocks - Set Connection Method of Cascade Connection to be
via an SOCKS Proxy Server
6.4.38 CascadeServerCertEnable - Enable Cascade Connection Server Certificate
Verification Option
6.4.39 CascadeServerCertDisable - Disable Cascade Connection Server Certificate
Verification Option
6.4.40 CascadeServerCertSet - Set the Server Individual Certificate for Cascade
Connection
6.4.41 CascadeServerCertDelete - Delete the Server Individual Certificate for
Cascade Connection
6.4.42 CascadeServerCertGet - Get the Server Individual Certificate for Cascade
Connection
6.4.43 CascadeDetailSet - Set Advanced Settings for Cascade Connection
6.4.44 CascadePolicySet - Set Cascade Connection Session Security Policy
6.4.45 PolicyList - Display List of Security Policy Types and Settable Values
6.4.46 CascadeStatusGet - Get Current Cascade Connection Status
6.4.47 CascadeRename - Change Name of Cascade Connection
6.4.48 CascadeOnline - Switch Cascade Connection to Online Status
6.4.49 CascadeOffline - Switch Cascade Connection to Offline Status
6.4.50 AccessAdd - Add Access List Rules
6.4.51 AccessList - Get Access List Rule List
6.4.52 AccessDelete - Delete Rule from Access List
6.4.53 AccessEnable - Enable Access List Rule
6.4.54 AccessDisable - Disable Access List Rule
6.4.55 UserList - Get List of Users
6.4.56 UserCreate - Create User
6.4.57 UserSet - Change User Information
6.4.58 UserDelete - Delete User
6.4.59 UserGet - Get User Information
6.4.60 UserAnonymousSet - Set Anonymous Authentication for User Auth Type
6.4.61 UserPasswordSet - Set Password Authentication for User Auth Type and Set
Password
6.4.62 UserCertSet - Set Individual Certificate Authentication for User Auth Type
and Set Certificate
6.4.63 UserCertGet - Get Certificate Registered for Individual Certificate Authentication User
6.4.64 UserSignedSet - Set Signed Certificate Authentication for User Auth Type
6.4.65 UserRadiusSet - Set RADIUS Authentication for User Auth Type
6.4.66 UserNTLMSet - Set NT Domain Authentication for User Auth Type
6.4.67 UserPolicyRemove - Delete User Security Policy
6.4.68 UserPolicySet - Set User Security Policy
6.4.69 UserExpiresSet - Set User's Expiration Date
6.4.70 GroupList - Get List of Groups
6.4.71 GroupCreate - Create Group
6.4.72 GroupSet - Set Group Information
6.4.73 GroupDelete - Delete Group
6.4.74 GroupGet - Get Group Information and List of Assigned Users
6.4.75 GroupJoin - Add User to Group
6.4.76 GroupUnjoin - Delete User from Group
6.4.77 GroupPolicyRemove - Delete Group Security Policy
6.4.78 GroupPolicySet - Set Group Security Policy
6.4.79 SessionList - Get List of Connected Sessions
6.4.80 SessionGet - Get Session Information
6.4.81 SessionDisconnect - Disconnect Session
6.4.82 MacTable - Get the MAC Address Table Database
6.4.83 MacDelete - Delete MAC Address Table Entry
6.4.84 IpTable - Get the IP Address Table Database
6.4.85 IpDelete - Delete IP Address Table Entry
6.4.86 SecureNatEnable - Enable the Virtual NAT and DHCP Server Function
(SecureNat Function)
6.4.87 SecureNatDisable - Disable the Virtual NAT and DHCP Server Function
(SecureNat Function)
6.4.88 SecureNatStatusGet - Get the Operating Status of the Virtual NAT and
DHCP Server Function (SecureNat Function)
6.4.89 SecureNatHostGet - Get Network Interface Setting of Virtual Host of
SecureNAT Function
6.4.90 SecureNatHostSet - Change Network Interface Setting of Virtual Host of
SecureNAT Function
6.4.91 NatGet - Get Virtual NAT Function Setting of SecureNAT Function
6.4.92 NatEnable - Enable Virtual NAT Function of SecureNAT Function
6.4.93 NatDisable - Disable Virtual NAT Function of SecureNAT Function
6.4.94 NatSet - Change Virtual NAT Function Setting of SecureNAT Function
6.4.95 NatTable - Get Virtual NAT Function Session Table of SecureNAT Function
6.4.96 DhcpGet - Get Virtual DHCP Server Function Setting of SecureNAT Function
6.4.97 DhcpEnable - Enable Virtual DHCP Server Function of SecureNAT Function
6.4.98 DhcpDisable - Disable Virtual DHCP Server Function of SecureNAT Function
6.4.99 DhcpSet - Change Virtual DHCP Server Function Setting of SecureNAT Function
6.4.100 DhcpTable - Get Virtual DHCP Server Function Lease Table of SecureNAT Function
6.4.101 AdminOptionList - Get List of Virtual HUB Administration Options
6.4.102 AdminOptionSet - Set Values of Virtual HUB Administration Options
6.4.103 CrlList - Get List of Certificates Revocation List
6.4.104 CrlAdd - Add a Revoked Certificate
6.4.105 CrlDel - Delete a Revoked Certificate
6.4.106 CrlGet - Get a Revoked Certificate
6.4.107 AcList - Get List of Rule Items of IP Access Control List
6.4.108 AcAdd - Add Rule to IP Access Control List
6.4.109 AcDel - Delete Rule from IP Access Control List
6.5 VPN Client Management Command Reference
6.5.1 About - Display the version information
6.5.2 VersionGet - Get Version Information of VPN Client Service
6.5.3 PasswordSet - Set the password to connect to the VPN Client service.
6.5.4 PasswordGet - Get Password Setting to Connect to VPN Client Service
6.5.5 CertList - Get List of Trusted CA Certificates
6.5.6 CertAdd - Add Trusted CA Certificate
6.5.7 CertDelete - Delete Trusted CA Certificate
6.5.8 CertGet - Get Trusted CA Certificate
6.5.9 SecureList - Get List of Usable Smart Card Types
6.5.10 SecureSelect - Select the Smart Card Type to Use
6.5.11 SecureGet - Get ID of Smart Card Type to Use
6.5.12 NicCreate - Create New Virtual Network Adapter
6.5.13 NicDelete - Delete Virtual Network Adapter
6.5.14 NicUpgrade - Upgrade Virtual Network Adapter Device Driver
6.5.15 NicGetSetting - Get Virtual Network Adapter Setting
6.5.16 NicSetSetting - Change Virtual Network Adapter Setting
6.5.17 NicEnable - Enable Virtual Network Adapter
6.5.18 NicDisable - Disable Virtual Network Adapter
6.5.19 NicList - Get List of Virtual Network Adapters
6.5.20 AccountList - Get List of VPN Connection Settings
6.5.21 AccountCreate - Create New VPN Connection Setting
6.5.22 AccountSet - Set the VPN Connection Setting Connection Destination
6.5.23 AccountGet - Get Setting of VPN Connection Setting
6.5.24 AccountDelete - Delete VPN Connection Setting
6.5.25 AccountUsernameSet - Set User Name of User to Use Connection of VPN Connection Setting
6.5.26 AccountAnonymousSet - Set User Authentication Type of VPN Connection Setting to Anonymous Authentication
6.5.27 AccountPasswordSet - Set User Authentication Type of VPN Connection
Setting to Password Authentication
6.5.28 AccountCertSet - Set User Authentication Type of VPN Connection Setting
to Client Certificate Authentication
6.5.29 AccountCertGet - Get Client Certificate to Use for Cascade Connection
6.5.30 AccountEncryptDisable - Disable Encryption when Communicating by VPN
Connection Setting
6.5.31 AccountEncryptEnable - Enable Encryption when Communicating by VPN
Connection Setting
6.5.32 AccountCompressEnable - Enable Data Compression when Communicating
by VPN Connection Setting
6.5.33 AccountCompressDisable - Disable Data Compression when Communicating
by VPN Connection Setting
6.5.34 AccountProxyNone - Specify Direct TCP/IP Connection as the Connection
Method of VPN Connection Setting
6.5.35 AccountProxyHttp - Set Connection Method of VPN Connection Setting to be
via an HTTP Proxy Server
6.5.36 AccountProxySocks - Set Connection Method of VPN Connection Setting to
be via an SOCKS Proxy Server
6.5.37 AccountServerCertEnable - Enable VPN Connection Setting Server
Certificate Verification Option
6.5.38 AccountServerCertDisable - Disable VPN Connection Setting Server
Certificate Verification Option
6.5.39 AccountServerCertSet - Set Server Individual Certificate for VPN
Connection Setting
6.5.40 AccountServerCertDelete - Delete Server Individual Certificate for VPN
Connection Setting
6.5.41 AccountServerCertGet - Get Server Individual Certificate for VPN
Connection Setting
6.5.42 AccountDetailSet - Set Advanced Settings for VPN Connection Setting
6.5.43 AccountRename - Change VPN Connection Setting Name
6.5.44 AccountConnect - Start Connection to VPN Server using VPN Connection
Setting
6.5.45 AccountDisconnect - Disconnect VPN Connection Setting During Connection
6.5.46 AccountStatusGet - Get Current VPN Connection Setting Status
6.5.47 AccountNicSet - Set Virtual Network Adapter for VPN Connection Setting to
Use
6.5.48 AccountStatusShow - Set Connection Status and Error Screen to Display when Connecting to VPN Server
6.5.49 AccountStatusHide - Set Connection Status and Error Screen to be Hidden when Connecting to VPN Server
6.5.50 AccountSecureCertSet - Set User Authentication Type of VPN Connection Setting to Smart Card Authentication
6.5.51 AccountRetrySet - Set Interval between Connection Retries for Connection
Failures or Disconnections of VPN Connection Setting
6.5.52 AccountStartupSet - Set VPN Connection Setting as Startup Connection
6.5.53 AccountStartupRemove - Remove Startup Connection of VPN Connection
Setting
6.5.54 AccountExport - Export VPN Connection Setting
6.5.55 AccountImport - Import VPN Connection Setting
6.5.56 RemoteEnable - Allow Remote Management of VPN Client Service
6.5.57 RemoteDisable - Deny Remote Management of VPN Client Service
6.5.58 KeepEnable - Enable the Keep Alive Internet Connection Function
6.5.59 KeepDisable - Disable the Keep Alive Internet Connection Function
6.5.60 KeepSet - Set the Keep Alive Internet Connection Function
6.5.61 KeepGet - Get the Keep Alive Internet Connection Function
6.5.62 MakeCert - Create New X.509 Certificate and Private Key
6.5.63 TrafficClient - Execute Communication Throughput Measurement Tool
Client
6.5.64 TrafficServer - Execute Communication Throughput Measurement Tool
Server
6.5.65 Check - Check if PacketiX VPN Operation is Possible
6.6 VPN Tools Command Reference
6.6.1 About - Display the version information
6.6.2 MakeCert - Create New X.509 Certificate and Private Key
6.6.3 TrafficClient - Execute Communication Throughput Measurement Tool Client
6.6.4 TrafficServer - Execute Communication Throughput Measurement Tool
Server
6.6.5 Check - Check if PacketiX VPN Operation is Possible


6.1 Overview of vpncmd


This section provides an overview of the vpncmd utility.

6.1.1 vpncmd

Overview of vpncmd

vpncmd is formally known as "PacketiX VPN Command Line Management Utility". This
software is operated exclusively from the command line and without the use of window-
based GUI processing, and it can be used on all operating systems that support PacketiX
VPN, including Windows, Linux, FreeBSD, Solaris, and Mac OS X.

vpncmd on Different Operating Systems

vpncmd is provided in each PacketiX VPN package file.

When the Windows version of VPN Server, VPN Client, or VPN Bridge is installed,
[PacketiX VPN Command Line Management Utility (vpncmd)] is registered to the Start
menu of Windows. Once vpncmd has been started in Windows, it can be started the next
time simply by entering [vpncmd] at the command prompt.

vpncmd is also provided in the Unix operating system versions of VPN Server, VPN
Client, and VPN Bridge. When these software products are installed, vpncmd is
automatically created and placed in the same directory as the vpnserver, vpnclient, or
vpnbridge executable file.

The vpncmd software provided with all operating system versions of PacketiX VPN is a
command line interface program that has the same functions and performs the same
operations. Therefore, you can use vpncmd to manage VPN Server, VPN Client, and VPN
Bridge from both Windows and non-Windows operating systems.

vpncmd Startup Environment


vpncmd output may run to many lines on the command line interface, so use a terminal
emulator or SSH client with a scroll-back function. Alternatively, a vpncmd option lets
you specify an output file name and write the output to a text file. For details, refer
to 「6.2.3 Command Line Parameters When Starting a vpncmd Command」 and 「6.2.5
Saving a Log」.

6.1.2 vpncmd Management Mode

You can operate vpncmd using any of the following three modes.

1. VPN Server / VPN Bridge Management Mode
This mode enables management by establishing a management connection to PacketiX
VPN Server or PacketiX VPN Bridge running on the same or a remote computer.
2. VPN Client Management Mode
This mode enables control by connecting to PacketiX VPN Client running on the same
or a remote computer.
3. Use VPN Tools Command (Create Certificate or Measure Communication Throughput) Mode
This mode enables the use of only the test command and the create certificate
command on the computer running vpncmd, without connecting to VPN Server, VPN
Client, or other services.

When vpncmd starts, it displays a prompt asking you to select one of these three
management modes. Enter 1, 2, or 3 to start vpncmd in that mode. You can also specify
the management mode as a command line argument when starting vpncmd.

vpncmd command - PacketiX VPN Command Line Management Utility
PacketiX VPN Command Line Management Utility (vpncmd command)
Version 2.20 Build 5317 Beta 1 (English)
Compiled Sun Jun 24 21:08:06 2007 by yagi at ILC308
Copyright (C) 2004-2007 SoftEther Corporation. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and communication speed measurement)

Select 1, 2 or 3:


6.2 General Usage of vpncmd

This section describes the general usage of the vpncmd commands and how to display
help for the command input rules.

6.2.1 Command Input Rules

Input Prompt

When vpncmd is ready to receive command input, the command prompt cursor (">") is
displayed, and you can use the keyboard to enter a new command.

There are four prompt statuses, and these can be used to determine in which mode
vpncmd is currently operating.

VPN Server Management Mode

This mode manages the entire VPN Server directly after establishing a management
connection to VPN Server. The prompt in this mode is as follows.

VPN Server>


In this mode, you can only call the commands for managing the entire destination VPN
Server, such as the ServerStatusGet and HubCreate commands. Approximately 60
commands are available in this mode.

By using the Hub command to select the Virtual HUB you want to manage in this mode,
you can switch to the Virtual HUB management mode.

VPN Server>Hub VPN
Hub command - Select Virtual HUB to Manage
The Virtual HUB "VPN" was selected.
The command terminated normally.

VPN Server/VPN>

Virtual HUB Management Mode

In Virtual HUB management mode, one Virtual HUB is selected: either the Virtual HUB
specified when the management connection to VPN Server was established, or the Virtual
HUB chosen with the Hub command. The prompt in this mode is as follows.

VPN Server/Virtual Hub Name>

In this mode, you can also call the commands for managing the Virtual HUB, such as the
Online and SetMaxSession commands. In addition, you can call the same commands
that are available in VPN Server management mode to manage the entire VPN Server.
Approximately 170 commands are available in this mode.

To return to the VPN Server management mode from the Virtual HUB management
mode, call the Hub command without adding an argument to the command line.

VPN Server/VPN>Hub
Hub command - Select Virtual HUB to Manage
The Virtual HUB selection was unselected.
The command terminated normally.

VPN Server>

You can use nearly the same operations as described above for managing VPN Server to
manage VPN Bridge. Because there is only one Virtual HUB on VPN Bridge, this Virtual
HUB is always managed.

VPN Client Management Mode


When a management connection to VPN Client is established, the following prompt is
displayed.

VPN Client>

You can use this mode to execute commands for controlling VPN Client. Approximately
65 commands are available in this mode.

VPN Tools Mode

By starting vpncmd in VPN Tools mode, you can start only the commands that can be
executed locally on the computer where vpncmd is executed, without connecting to VPN
Server or VPN Client. The following five commands are available in VPN Tools mode.

- About command
- MakeCert command
- TrafficClient command
- TrafficServer command
- Check command

These five commands can also be executed from other modes.

When operating vpncmd in VPN Tools mode, the following prompt is displayed.

VPN Tools>

Exiting vpncmd

To exit vpncmd, type [exit].

Obtaining a List of Available Commands

To obtain a list of commands available in the current mode, type [Help] or [?].

VPN Tools>?
You can use the following 5 commands:
About - Display the version information
Check - Check if PacketiX VPN Operation is Possible
MakeCert - Create New X.509 Certificate and Private Key
TrafficClient - Execute Communication Throughput Measurement Tool Client
TrafficServer - Execute Communication Throughput Measurement Tool Server

To reference the usage for each respective command, input "command name /?" to display help.
The command terminated normally.

Entering Commands
Enter commands at the vpncmd prompt as follows.

>command-name argument/parameter-name:argument/parameter-name:argument...

- Command Name
This is the name of the command you want to call. The command name is not case sensitive. If the command name is too long to type, you can enter part of the command and use the function described later to automatically complete the command name.

- Argument (Parameter)
You can specify an argument in some commands. There are two types of arguments: arguments without names and arguments with names.
To specify an argument without a name, write the argument content as a string after the command name.
To specify an argument with a name, use the format "/argument-name:", that is, the argument name and a colon (:) after the slash (/), followed by the argument content. You can substitute a hyphen (-) for the slash. If the argument name is too long to type, you can enter part of the argument name and use the function described later to automatically complete the argument name. The argument name is not case sensitive.
Depending on the command, you can specify several arguments. In this case, separate the arguments with spaces. To include a space in an argument, enclose the argument content in double quotation marks (" ").

For example, the following are the input rules for the BridgeCreate command.

BridgeCreate [hubname] [/DEVICE:device_name] [/TAP:yes|no]

The BridgeCreate command is called as follows when specifying [TEST] for the [hubname] argument without a name, [Intel(R) PRO/1000 MT Desktop Adapter] for the DEVICE argument, and [no] for the TAP argument.

>BridgeCreate TEST /DEVICE:"Intel(R) PRO/1000 MT Desktop Adapter" /TAP:no

The order of the arguments can be freely changed. For example, entering the arguments in the following order executes the same process.

>BridgeCreate /DEVICE:"Intel(R) PRO/1000 MT Desktop Adapter" /TAP:no TEST

If an Argument is Omitted

In vpncmd, nearly all arguments can be omitted. Even when a required argument is omitted, no error occurs. Instead, a prompt is displayed for entering the contents of the omitted parameter. For example, when starting the abovementioned BridgeCreate command without an argument, the following prompts are displayed, and the user must enter the required items at each prompt (the values typed by the user are shown after the prompts below).

VPN Server>BridgeCreate
BridgeCreate command - Create Local Bridge Connection
Virtual HUB Name to Create Bridge: TEST

Bridge Destination Device Name: Intel(R) PRO/1000 MT Desktop Adapter

In the above example, the /TAP argument is not specified and a prompt asking for the
contents of the /TAP argument is not displayed. Some arguments, such as this one,
normally do not need to be specified. In this case, when a command alone is executed
without adding an argument, the default values are used without asking for the contents
in the displayed prompt. This type of operation is described in the command help.

For strings, such as passwords, that should not be displayed on the window, the text
entered by the user is displayed on the prompt masked with asterisks (*).

Command Name Naming Convention


Over 200 commands can be used in vpncmd. Because it is difficult to remember all the
commands, the naming convention of the commands in vpncmd is easy to understand,
and you can display a list of commands for operating an object simply by specifying the
object of the operation you want to perform. This eliminates the need to spend time
learning the commands, as is the case for regular command line programs.

As a basic rule, the names of the commands in vpncmd follow the naming convention
"operation-object-name operation-name". (This does not include some commands.)

For example, the command for obtaining server information is ServerInfoGet. The commands in vpncmd follow a naming scheme in which the type or name of the object for operation is followed by a verb indicating the operation, as shown in UserCreate (the command for creating a user), UserGet (the command for obtaining information about an existing user), UserDelete (the command for deleting a user), and UserList (the command for displaying a list of users).

If, for example, you forgot the command for deleting a user and want to display a list of
commands for managing the users, you can enter the command shown below to display
a list of user management commands and simple descriptions of each command.

VPN Server>user?
"user": The command is ambiguous.
The specified command name matches the following multiple commands.
UserAnonymousSet - Set Anonymous Authentication for User Authentication Method
UserCertGet - Get Certificate Registered for Individual Certificate Authentication User
UserCertSet - Set Individual Certificate Authentication for User Authentication Method and Set Certificate
UserCreate - Create User
UserDelete - Delete User
UserExpiresSet - Set User's Expiration Date
UserGet - Get User Information
UserList - Get List of Users
UserNTLMSet - Set NT Domain Authentication for User Authentication Method
UserPasswordSet - Set Password Authentication for User Authentication Method and Set Password
UserPolicyRemove - Delete User Security Policy
UserPolicySet - Set User Security Policy
UserRadiusSet - Set RADIUS Authentication for User Authentication Method
UserSet - Change User Information
UserSignedSet - Set Signed Certificate Authentication for User Authentication Method
Please re-specify the command name with more precision.

Command Name Auto Complete Function (Specified with Prefix Search)

vpncmd has a large number of commands, and many of these commands have long
names that are troublesome to enter. In this case, you can use the auto complete
function to call a command by entering only part of the command name.

For example, if the command ServerPasswordSet is too long to type, you can type the
first part of the command, and then a prefix search is performed based on the typed
string. If the list of available commands is filtered to one command that can be called,
that command name is completed and the command is automatically executed. In the
case of ServerPasswordSet, typing the first six characters of the command,
[ServerP], eliminates all other commands. Therefore, this command can be executed
simply by typing [serverp].

VPN Server>serverp
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.

If the prefix search results in two or more commands matching the entered command
name and the specified command name cannot be filtered to one executable command,
the message [The command is ambiguous. The specified command name matches the
following multiple commands.] is displayed along with a list of commands matching the
entered string and simple descriptions of those commands.

VPN Server>server
"server": The command is ambiguous.
The specified command name matches the following multiple commands.
ServerCertGet - Get SSL Certificate of VPN Server
ServerCertSet - Set SSL Certificate and Private Key of VPN Server
ServerCipherGet - Get the Encrypted Algorithm Used for VPN Communication.
ServerCipherSet - Set the Encrypted Algorithm Used for VPN Communication.
ServerInfoGet - Get server information
ServerKeyGet - Get SSL Certificate Private Key of VPN Server
ServerPasswordSet - Set VPN Server Administrator Password
ServerStatusGet - Get Current Server Status
Please re-specify the command name more strictly.

In this case, re-type the command name adding additional characters to filter the
command name to a single executable command.

Command Name Auto Complete Function (Specified with Abbreviation)

The abovementioned auto complete function by prefix search can be helpful, but if there
are multiple commands with the same long prefix string, then you have to type more
characters, which can be inconvenient. By using the auto complete function with the
abbreviation specification method, you can reduce the number of characters typed for a
command name.

As an example of this method, consider the following three commands.

RouterIfList [name]

RouterIfAdd [name] [/HUB:hub] [/IP:ip/mask]

RouterIfDel [name] [/HUB:hub]

Because the above three commands all start with the string "RouterIf", you have to
specify the first eight characters, "routerif", when specifying the command name with
the prefix search method.

To specify the commands with the abbreviation method, you can use the following
abbreviations.

Command Name      Abbreviation Example
RouterIfList      RIL
RouterIfAdd       RIA
RouterIfDel       RID

As can be seen in the above examples, when a vpncmd command consists of both upper
and lowercase characters (as is the case for most of the commands), you can identify
the command to be executed simply by specifying in order the uppercase characters of
the command. (When typing the abbreviation, you can also use lowercase characters.)

Other long commands can also be abbreviated, as shown in the following examples.

Command Name            Abbreviation Example
LogPacketSaveType       lpst
RadiusServerSet         rss
SetMaxSession           sms
ClusterMemberInfoGet    cmig
ServerStatusGet         ssg

In addition, while using the abbreviation method to call a command by its uppercase characters, if a single command to be executed can also be filtered using the prefix search, the command can be recognized simply by entering the first few characters of the abbreviation. For example, to call the LogPacketSaveType command, shown above, you can type the abbreviation [lpst] or the first few characters, [lps] or [lp].

By using these two methods, you can greatly reduce the number of characters you have
to type to execute a command, and by learning the abbreviations of commands when
executing the same command several times, you can learn how to quickly enter
commands with few keystrokes.
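To make the two resolution rules above concrete, here is an added Python model (not part of the manual or of the vpncmd program itself) that applies the case-insensitive prefix search first and the uppercase-initials abbreviation second to a sample subset of command names taken from this chapter; the order in which the two rules are tried, and the way ties are reported, are assumptions about vpncmd's behaviour.

```python
"""Added example: a model of vpncmd command-name resolution.

Rule 1 (prefix search): the typed text is a case-insensitive prefix of the
full command name.  Rule 2 (abbreviation): the typed text is a prefix of the
command's uppercase initials, so "lpst", "lps" and "lp" all reach
LogPacketSaveType as long as no other command collides.
The ordering of the rules is an assumption, not documented vpncmd internals.
"""

# Constructed subset of vpncmd command names, all quoted in this chapter.
SAMPLE_COMMANDS = [
    "RouterIfList", "RouterIfAdd", "RouterIfDel",
    "LogPacketSaveType", "RadiusServerSet", "SetMaxSession",
    "ClusterMemberInfoGet", "ServerStatusGet", "ServerPasswordSet",
    "ServerCertGet", "ServerCertSet", "ServerInfoGet",
    "ListenerCreate", "ListenerList", "UserCreate", "UserDelete",
]


def abbreviation(command: str) -> str:
    """Uppercase characters of the command name, in order: RouterIfList -> RIL."""
    return "".join(ch for ch in command if ch.isupper())


def resolve_command(typed: str, commands=SAMPLE_COMMANDS) -> list:
    """Return the candidate command names for what the user typed.

    One element: the command was identified and would be executed.
    Zero elements: nothing matched.
    Several elements: the "The command is ambiguous" case; the caller should
    print the list with descriptions and ask for a more precise name.
    """
    text = typed.strip().lower()
    if not text:
        return []

    # Rule 1: prefix search on the full (case-insensitive) command name.
    by_prefix = [c for c in commands if c.lower().startswith(text)]
    if len(by_prefix) == 1:
        return by_prefix

    # Rule 2: abbreviation by uppercase initials, also prefix-matched so a
    # shorter string such as "lp" still works when it is unique.
    by_abbrev = [c for c in commands if abbreviation(c).lower().startswith(text)]
    if len(by_abbrev) == 1:
        return by_abbrev

    # Neither rule isolates one command: report every candidate from both.
    return sorted(set(by_prefix) | set(by_abbrev))


def ambiguity_message(typed: str, commands=SAMPLE_COMMANDS) -> str:
    """Reproduce the shape of vpncmd's ambiguity report for a typed string."""
    found = resolve_command(typed, commands)
    if len(found) == 1:
        return f"{found[0]} command"
    if not found:
        return f'"{typed}": No matching command.'
    return ('"{}": The command is ambiguous.\n'
            "The specified command name matches the following multiple commands.\n"
            "{}\nPlease re-specify the command name with more precision.").format(
                typed, "\n".join(found))


if __name__ == "__main__":
    for sample in ("serverp", "server", "RIL", "lp", "routerif", "sps"):
        print(f"{sample:10} -> {resolve_command(sample)}")
```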

Parameter Name Auto Complete Function

Similar to command names, parameter names (argument names) can also be specified
with an abbreviation when the prefix search is successful. For example, a parameter
specified with the SecureNATHostSet command is defined as follows.

NatSet [/MTU:mtu] [/TCPTIMEOUT:tcp_timeout] [/UDPTIMEOUT:udp_timeout] [/LOG:yes|no]

In this command, you can specify the four arguments /MTU, /TCPTIMEOUT, /UDPTIMEOUT, and /LOG, but you can call the command by typing only the first few characters of each argument name, as long as the prefix search identifies the argument uniquely. Therefore, the four parameters in the example above can be specified with the following abbreviations.

Argument Name    Abbreviation Example
/MTU             /M
/TCPTIMEOUT      /T
/UDPTIMEOUT      /U
/LOG             /L

Canceling the Displayed String Input Prompt or Password Entry Prompt

All parameters of a command can be specified as a list of arguments, but when a required argument is omitted, an entry prompt for that item is displayed on the window at that time.

To cancel entry on the prompt and execution of that command, press Ctrl + D.

VPN Server>sps
ServerPasswordSet command - Set VPN Server Administrator Password
Please enter the password. To cancel press the Ctrl+D key.

Password: ***
Confirm input:^D
VPN Server>

In the above example, pressing Ctrl + D cancels execution of the command and returns
to the command prompt.

6.2.2 Command Help Display

Command Help

vpncmd has a large number of commands, and this manual contains references for the commands. In addition, vpncmd provides an online help for all commands to provide an understanding of the details of the commands quickly, without having to refer to this manual, in case you should forget the command names, the list of arguments that must be specified for commands, or the command operations when using vpncmd.

Displaying the Online Help for a Specific Command

If you know the command name, you can display the online help for that command by using any of the following methods.

- command-name --help
- command-name -help
- command-name /help
- command-name -?
- command-name /?
- command-name?
- man command-name
- ?command-name

The displayed contents are the same for all of the above methods; therefore, you can
display the command help using familiar formats, such as [--help] or [/?].

The following is an example of help displayed for the BridgeCreate command.

VPN Server>BridgeCreate?
BridgeCreate command - Create Local Bridge Connection
Help for Command "BridgeCreate"

[Objective]
Create Local Bridge Connection

[Description]
Use this to create a new local bridge connection on the VPN Server.
By using a local bridge, you can configure a Layer 2 bridge connection between a Virtual HUB operating on this VPN server and a physical Ethernet Device (Network Adapter).
You can create a tap device (virtual network interface) on the system and connect a bridge between Virtual HUBs (the tap device is only supported by Linux versions).
It is possible to establish a bridge to an operating network adapter of your choice for the bridge destination Ethernet device (network adapter), but in high load environments, we recommend you prepare a network adapter dedicated to serve as a bridge.
To execute this command, you must have VPN Server administrator privileges.

[Usage]
BridgeCreate [hubname] [/DEVICE:device_name] [/TAP:yes|no]

[Parameter]
hubname - Specify the Virtual HUB to create bridge. To get a list of Virtual HUBs, you can use the HubList command. It is not essential that you specify a Virtual HUB that is currently operating. If you specify a Virtual HUB name that is not currently operating or that does not exist, the local bridge connection will become enabled when the actual operation of that Virtual HUB begins.
/DEVICE - Specify the bridge destination Ethernet device (network adapter) or tap device name. You can get the list of Ethernet device names by using the BridgeDeviceList command.
/TAP - Specify yes if you are using a tap device rather than a network adapter for the bridge destination (only supported for Linux versions). When this is omitted, it will be treated the same as when no is specified.
VPN Server>

Displaying a List of Available Command Names

If you are unsure of the names of available commands, you can display a list of the command names available in the current management mode by typing any of the following.

- man
- help
- ?

For example, the following displays the list of available command names in VPN Server
management mode.

VPN Server>help
You can use the following 178 commands:
About - Display the version information
AcAdd - Add Rule to IP Access Control List
AcDel - Delete Rule from IP Access Control List
AcList - Get List of Rule Items of IP Access Control List
AccessAdd - Add Access List Rules
AccessDelete - Delete Rule from Access List
... (omitted) ...
UserSet - Change User Information
UserSignedSet - Set Signed Certificate Authentication for User Authentication Method

To reference the usage for each respective command, input "command name /?" to display help.
VPN Server>

If you know the first few characters of a command name, or the type of the object for
operation, you can display a list of commands starting with that string by typing the
following.

- prefix-string --help
- prefix-string -help
- prefix-string /help
- prefix-string -?
- prefix-string /?
- prefix-string?
- man prefix-string
- ?prefix-string

For example, to display a list of commands for cascade connection-related operations, type [cascade?].


6.2.3 Command Line Parameters When Starting a vpncmd Command

You can also start a vpncmd command by adding any number of arguments. Normally,
when vpncmd is started, a prompt for entering the IP address of the destination server
or management mode is displayed, but by starting vpncmd with an added command line
argument, you can automatically connect to a specified VPN Server and even execute a
specified command and have the result written to a file.

6.2.4 Batch Processing Mode

Automation of Management and Necessity of Batch Processing

When a vpncmd command is started, normally a prompt for entering the command is
displayed, and by entering the command in the prompt, you can then operate the
destination VPN Server or VPN Bridge. In addition, VPN Client end users can start
vpncmd and enter commands to control VPN Client.

These functions can be automated depending on the PacketiX VPN operation method.
For example, with a large list of employee names in a CSV file, you can batch create an
account for each individual in the Virtual HUB. Normally, this type of repetitive task
using a GUI would take a significant amount of time, but by using the vpncmd batch
processing function, you can execute several pre-defined commands at once.

In addition, you can call vpncmd from a separate program and automatically manage
VPN Server. For example, you can call vpncmd to set the Virtual HUB of VPN Server
online at a specified time and periodically save and record a snapshot of the summary of
the session connected to the Virtual HUB to a text file.

Calling a Single Command Specified to vpncmd

To perform a simple operation in which vpncmd starts, establishes a management connection to the target service, calls a single command, and then terminates the connection, specify the /CMD argument when starting vpncmd.

When the /CMD argument is specified, vpncmd connects to VPN Server, VPN Client, or VPN Bridge, executes the command written after /CMD, and then exits immediately after that command is executed. For example, to connect to the "DEFAULT" Virtual HUB on VPN Server and create user "ABC", start vpncmd as follows.

vpncmd /server Server Name /password:password /adminhub:DEFAULT /cmd UserCreate ABC /GROUP:none /REALNAME:none /NOTE:none

When this is performed, the command specified with /CMD is automatically executed and
vpncmd is exited, as shown below.

C:\>vpncmd /server localhost /adminhub:VPN /cmd UserCreate ABC /GROUP:none /REALNAME:none /NOTE:none
vpncmd command - PacketiX VPN Command Line Management Utility
PacketiX VPN Command Line Management Utility (vpncmd command)
Version 2.20 Build 5302
Compiled Sat Mar 31 03:09:18 2007 by yagi at ILC308
Copyright (C) 2004-2006 SoftEther Corporation. All Rights Reserved.

Connection was established with VPN Server "localhost" (port 8888).

You have administrator privileges for the entire VPN Server.

The Virtual HUB "VPN" was selected.


VPN Server/VPN>UserCreate ABC /GROUP:none /REALNAME:none /NOTE:none
UserCreate command - Create User
The command terminated normally.

C:\>

Calling Multiple Commands Specified to vpncmd

To call one command, as described above, vpncmd must be started each time. Using
this method to execute 1,000 commands at the same time, for example, requires high
overhead processing in which the software has to start vpncmd 1,000 times,
automatically connect to the server to be managed, execute the commands, and then
terminate the connection and exit vpncmd, requiring a vast amount of time and making
ineffective use of CPU and network resources.

But by describing multiple commands to execute at the same time as a text file in
advance and specifying the file name of the text file as the /IN argument when starting
vpncmd, you can automatically execute all commands described in the text file. After all
commands are executed, vpncmd is exited.

For example, create the following file and save it with the file name [batch.txt]. When
including multibyte characters (hiragana, kanji, etc.) in the file, as shown in this
example, be sure to save the file in UTF-8 format.

Hub DEFAULT
UserCreate jiro /GROUP:none /REALNAME:"Tanaka" /NOTE:none
UserCreate yas /GROUP:none /REALNAME:"Shinjou" /NOTE:none
UserCreate idai /GROUP:none /REALNAME:"Kamishima" /NOTE:none
UserCreate yokote /GROUP:none /REALNAME:"Yokote" /NOTE:none
UserCreate ihihihi /GROUP:none /REALNAME:"Kinsei" /NOTE:none
UserCreate yuta /GROUP:none /REALNAME:"Yuta" /NOTE:none

Next, add a command line argument, as shown below, and start vpncmd.

vpncmd /server Server Name /in:batch.txt

vpncmd starts, the commands in all lines are automatically executed in order, and then
vpncmd is exited. After the commands in the above examples are executed, the users
are registered at the same time.


Figure 6-2-1 Users Registered After Executing the batch.txt File

6.2.5 Saving a Log

When a file name is specified in the /OUT parameter as a command line argument at
the time vpncmd is started, all output results displayed by vpncmd are saved to that file.
This enables you to write the results of commands executed on vpncmd to an external
file, and thereby record the vpncmd results and create an automated program for
processing based on those results.

6.2.6 vpncmd Process Return Values

The vpncmd process returns the error code of the last executed command to the parent process. If that command completed successfully, [0] is returned. For information about the error codes, please refer to "12.5 Error Codes".
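As an added example that is not part of the manual, the following Python script builds a UTF-8 batch file of UserCreate commands from a constructed employee CSV, runs vpncmd with the /IN and /OUT arguments described in 6.2.4 and 6.2.5, and hands back the process return value described in 6.2.6; it assumes a vpncmd executable on the PATH and the "/server host" command-line form shown above.

```python
"""Added example: batch user creation with vpncmd /IN, /OUT and the process
return value (sections 6.2.4 to 6.2.6).  Assumes vpncmd is on the PATH."""
import csv
import io
import subprocess

# Constructed sample input: one employee per row (not a real personnel list).
SAMPLE_CSV = (
    "username,realname,note\n"
    "jiro,Tanaka,none\n"
    "yas,Shinjou Yasushi,Sales\n"
)


def quote_arg(value: str) -> str:
    """Wrap a value in double quotes when it contains a space, as 6.2.1
    requires; an empty value becomes "none" so no interactive prompt opens."""
    value = value.strip()
    if not value:
        return "none"
    return f'"{value}"' if " " in value else value


def build_batch_lines(csv_text: str, hub: str) -> list:
    """Turn the CSV rows into the lines of the /IN batch file.

    The first line selects the Virtual HUB (Hub command); every later line is
    a fully specified UserCreate so that vpncmd never stops at an input prompt.
    """
    lines = [f"Hub {hub}"]
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get("username") or "").strip()
        if not user:
            continue  # a blank user name would make vpncmd prompt interactively
        lines.append(
            "UserCreate {} /GROUP:none /REALNAME:{} /NOTE:{}".format(
                user,
                quote_arg(row.get("realname") or ""),
                quote_arg(row.get("note") or ""),
            )
        )
    return lines


def vpncmd_argv(server: str, in_file: str, out_file: str, password: str = None) -> list:
    """Command line in the form shown in 6.2.4: vpncmd /server <host> /in:file /out:file.

    The password is only appended when given: as with the ServerPasswordSet
    parameter, a password on the command line is visible to anyone who can
    list processes, so leave it out where vpncmd's own prompt is acceptable.
    """
    argv = ["vpncmd", "/server", server, f"/in:{in_file}", f"/out:{out_file}"]
    if password is not None:
        argv.append(f"/password:{password}")
    return argv


def run_batch(csv_text: str, hub: str, server: str,
              in_file: str = "batch.txt", out_file: str = "batch.log") -> int:
    """Write the batch file in UTF-8 (required when names contain multibyte
    characters), run it, and return vpncmd's exit code: 0 means the last
    command succeeded, anything else is the error code of that command."""
    with open(in_file, "w", encoding="utf-8") as fh:
        fh.write("\n".join(build_batch_lines(csv_text, hub)) + "\n")
    return subprocess.call(vpncmd_argv(server, in_file, out_file))


if __name__ == "__main__":
    # Show the generated batch file without contacting any server.
    print("\n".join(build_batch_lines(SAMPLE_CSV, "DEFAULT")))
```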

6.2.7 Character Encoding

Character Encoding in Windows Version

The character encoding when the Windows version of the VPN program and other
PacketiX VPN programs display messages and operation results and receive input from
the user is automatically selected according to the operating system when a process is
started or the regional options selected by the user.

Character Encoding in Unix Version

The character encoding when the Linux and other Unix versions of the VPN program and
other PacketiX VPN programs display messages and operation results and receive input
from the user is determined by the value of the LANG environment variable when a
process is started. SoftEther Corporation guarantees operation only when the LANG
environment variable is set to the following values.

- ja_JP.eucJP
- ja_JP.shift_jis
- ja_JP.UTF-8

When the LANG environment variable is not set or is not correctly recognized even if set,
EUC-JP encoding is used. Before starting a process with PacketiX VPN software, check
that the LANG environment variable is correctly set.

6.2.8 Calling vpncmd in Windows

After PacketiX VPN software is installed in Windows, starting the vpncmd.exe program
installed in the installation directory (such as C:\Program Files\PacketiX VPN
Server) starts vpncmd.

When vpncmd is started once with administrative rights, vpncmd can be started the next
time by typing [vpncmd] in the command prompt or [Run...] dialog box.

In Unix operating systems, you can achieve the same effect by manually configuring the
PATH environment variable or by configuring vpncmd and hamcore.se2 in a program
folder, such as /usr/local/bin.

6.2.9 Stand-Alone Installation of vpncmd

Normally, vpncmd is automatically installed on the same computer on which VPN Server,
VPN Client, or VPN Bridge is installed. However, you can use vpncmd as a stand-alone
program on a separate computer by copying the files below to another computer.
SoftEther Corporation recommends that instead of manually copying these files, you
extract the exe-only version of VPN Bridge on Windows or the normal version of VPN
Bridge on Unix operating systems to the computer on which you want to use vpncmd.

- vpncmd.exe executable file (vpncmd file in Unix version)
- hamcore.se2 file


6.3 VPN Server / VPN Bridge Management Command Reference (For Entire Server)

This section describes the commands for configuring and managing the entire VPN Server from among the commands that can be called when using vpncmd in VPN Server or VPN Bridge management mode. For information about the commands for configuring and managing a Virtual HUB selected with the Hub command, please refer to "6.4 VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)".

6.3.1 About - Display the version information

Command Name: About
Outline of Command: Display the version information
Explanation: This displays the version information of this command line management utility. Included in the version information are the vpncmd version number, build number and build information.
Command-line format: About
List of parameter arguments that can be specified for this command:
There is no parameter argument that should be specified in this command.

6.3.2 ServerInfoGet - Get server information

Command Name: ServerInfoGet
Outline of Command: Get server information
Explanation: This allows you to obtain the server information of the currently connected VPN Server or VPN Bridge. Included in the server information are the version number, build number and build information. You can also obtain information on the current server operation mode and on the operating system that the server is running on.
Command-line format: ServerInfoGet
List of parameter arguments that can be specified for this command:
There is no parameter argument that should be specified in this command.

6.3.3 ServerStatusGet - Get Current Server Status

Command Name: ServerStatusGet
Outline of Command: Get Current Server Status
Explanation: This allows you to obtain in real-time the current status of the currently connected VPN Server or VPN Bridge. You can get statistical information on data communication and the number of different kinds of objects that exist on the server. You can also get information on how much memory is being used on the current computer by the OS.
Command-line format: ServerStatusGet
List of parameter arguments that can be specified for this command:
There is no parameter argument that should be specified in this command.

6.3.4 ListenerCreate - Create New TCP Listener

Command Name: ListenerCreate
Outline of Command: Create New TCP Listener
Explanation: This allows you to create a new TCP Listener on the server. By creating the TCP Listener, the server starts listening for connections from clients at the specified TCP/IP port number. A TCP Listener that has been created can be deleted by the ListenerDelete command. You can also get a list of TCP Listeners currently registered by using the ListenerList command. To execute this command, you must have VPN Server administrator privileges.
Command-line format: ListenerCreate [port]
List of parameter arguments that can be specified for this command:
port - Using an integer, specify the newly added TCP/IP listener port number. You can also use a port number that is already being used by a different program; however, the VPN Server will not be able to use it until that program ends its use of that port. Specify a port number that is within the range of 1 to 65535.

6.3.5 ListenerDelete - Delete TCP Listener

Command Name: ListenerDelete
Outline of Command: Delete TCP Listener
Explanation: This allows you to delete a TCP Listener that is registered on the server. When the TCP Listener is in a state of operation, the listener will automatically be deleted when its operation stops. You can also get a list of TCP Listeners currently registered by using the ListenerList command. To execute this command, you must have VPN Server administrator privileges.
Command-line format: ListenerDelete [port]
List of parameter arguments that can be specified for this command:
port - Using an integer, specify the TCP/IP listener port number you want to delete.

6.3.6 ListenerList - Get List of TCP Listeners

Command Name: ListenerList
Outline of Command: Get List of TCP Listeners
Explanation: This allows you to get a list of TCP listeners registered on the current server. You can obtain information on whether the various TCP listeners have a status of operating or error. To execute this command, you must have VPN Server administrator privileges.
Command-line format: ListenerList
List of parameter arguments that can be specified for this command:
There is no parameter argument that should be specified in this command.

6.3.7 ListenerEnable - Begin TCP Listener Operation

Command Name: ListenerEnable
Outline of Command: Begin TCP Listener Operation
Explanation: This starts the operation of stopped TCP Listeners registered on the current server.
You can also get a list of TCP Listeners currently registered by using the ListenerList command.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ListenerEnable [port]
List of parameter argument that can be specified by vpncmd command.

port: Using an integer, specify the port number of the TCP/IP listener you want to start.

6.3.8 ListenerDisable - Stop TCP Listener Operation

Command Name: ListenerDisable
Outline of Command: Stop TCP Listener Operation
Explanation: This stops the operation of operating TCP Listeners registered on the current server.
You can also get a list of TCP Listeners currently registered by using the ListenerList command.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ListenerDisable [port]
List of parameter argument that can be specified by vpncmd command.

port: Using an integer, specify the port number of the TCP/IP listener you want to stop.

6.3.9 ServerPasswordSet - Set VPN Server Administrator Password

Command Name: ServerPasswordSet
Outline of Command: Set VPN Server Administrator Password
Explanation: This sets the VPN Server administrator password. You can specify the password as a parameter. If the password is not specified, a prompt will be displayed to input the password and password confirmation. If you include the password as a parameter, this password will be displayed momentarily on the screen, which poses a risk. We recommend that, whenever possible, you avoid specifying this parameter and input the password using the password prompt.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ServerPasswordSet [password]
List of parameter argument that can be specified by vpncmd command.

password: Specify the new password to set.

6.3.10 ClusterSettingGet - Get Clustering Configuration of Current VPN Server

Command Name: ClusterSettingGet
Outline of Command: Get Clustering Configuration of Current VPN Server
Explanation: You can use this to acquire the clustering configuration of the current VPN Server.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ClusterSettingGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.11 ClusterSettingStandalone - Set VPN Server Type as Standalone

Command Name: ClusterSettingStandalone
Outline of Command: Set VPN Server Type as Standalone
Explanation: Use this to set the VPN Server type as [Standalone Server]. Standalone server means a VPN Server that does not belong to any cluster in its current state. When VPN Server is installed, by default it will be in standalone server mode. Unless you have particular plans to configure a cluster, we recommend the VPN Server be operated in standalone mode.
To execute this command, you must have VPN Server administrator privileges.
Also, when this command is executed, VPN Server will automatically restart.
This command cannot be run on VPN Bridge.
Commandline format: ClusterSettingStandalone
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.12 ClusterSettingController - Set VPN Server Type as Cluster Controller

Command Name: ClusterSettingController
Outline of Command: Set VPN Server Type as Cluster Controller
Explanation: Use this to set the VPN Server type as [Cluster Controller]. A cluster controller is the central computer of all member servers of a cluster in the case where a clustering environment is made up of multiple VPN Servers. A cluster requires one computer to serve this role. The other cluster member servers that are configured in the same cluster begin operation as a cluster member by connecting to the cluster controller.
To execute this command, you must have VPN Server administrator privileges.
Also, when this command is executed, VPN Server will automatically restart.
This command cannot be run on VPN Bridge.
Commandline format: ClusterSettingController [/WEIGHT:weight] [/ONLY:yes|no]
List of parameter argument that can be specified by vpncmd command.

/WEIGHT: This sets a value for the performance standard ratio of this VPN Server. This is the standard value for when load balancing is performed in the cluster. Normally it is 100. For example, setting only one machine to 200 while the other members remain at 100 will cause that machine to receive twice as many connections as the other members during load balancing. Specify 1 or higher for the value. If this parameter is left unspecified, 100 will be used.
/ONLY: By specifying "yes" here, the VPN Server will operate only as a controller on the cluster and will always distribute general VPN Client connections to members other than itself. This function is used in high-load environments. If this parameter is left unspecified, "no" will be used.

6.3.13 ClusterSettingMember - Set VPN Server Type as Cluster Member

Command Name: ClusterSettingMember
Outline of Command: Set VPN Server Type as Cluster Member
Explanation: Use this to set the VPN Server type as [Cluster Member Server]. A cluster member server is a member computer belonging to a clustering configuration made up of multiple VPN Servers with another existing cluster controller as the center. Multiple cluster members can be added to the cluster as required.
Before setting the VPN Server as a cluster member server, first ask the administrator of the cluster controller to be used for the controller's IP address and port number, the public IP address and public port number (when required) of this VPN Server, and the password.
To execute this command, you must have VPN Server administrator privileges.
Also, when this command is executed, VPN Server will automatically restart.
This command cannot be run on VPN Bridge.
Commandline format: ClusterSettingMember [server:port] [/IP:ip] [/PORTS:ports] [/PASSWORD:password] [/WEIGHT:weight]
List of parameter argument that can be specified by vpncmd command.

server:port: Specify the host name or IP address, and port number of the destination cluster controller using the parameter with the format [host name:port number].
/IP: Specify the public IP address of this server. If you wish to leave the public IP address unspecified, specify it like this: "/IP:none". When a public IP address is not specified, the IP address of the network interface used when connecting to the cluster controller will be used automatically.
/PORTS: Use this to specify the list of public port numbers on this server. The list must have at least one public port number set, and it is also possible to set multiple public port numbers. When specifying multiple port numbers, separate them using a comma, such as "/PORTS:443,992,8888".
/PASSWORD: Specify the password required to connect to the destination controller. It needs to be the same as an administrator password on the destination controller.
/WEIGHT: This sets a value for the performance standard ratio of this VPN Server. This is the standard value for when load balancing is performed in the cluster. For example, setting only one machine to 200 while the other members remain at 100 will cause that machine to receive twice as many connections as the other members. Specify 1 or higher for the value. If this parameter is left unspecified, 100 will be used.
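As an added illustration of the /WEIGHT and /ONLY parameters described under ClusterSettingController and ClusterSettingMember (this is not PacketiX code, and the controller's real distribution policy is not documented here), the following Python model hands each new client connection to the member with the lowest sessions-to-weight ratio; the member names, the 200/100 weights and this weighted least-connections rule are all constructed assumptions.

```python
"""Model of cluster load balancing driven by /WEIGHT and /ONLY (constructed example)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List


@dataclass
class Member:
    name: str
    weight: int = 100            # /WEIGHT: performance ratio, default 100
    is_controller: bool = False  # the one server set with ClusterSettingController
    sessions: int = 0            # connections assigned so far

    def __post_init__(self) -> None:
        # The manual requires /WEIGHT to be 1 or higher.
        if self.weight < 1:
            raise ValueError("/WEIGHT must be 1 or higher")


@dataclass
class Cluster:
    members: List[Member]
    controller_only: bool = False  # /ONLY:yes on the controller

    def candidates(self) -> List[Member]:
        # With /ONLY:yes the controller never takes general client connections itself.
        return [m for m in self.members if not (m.is_controller and self.controller_only)]

    def assign(self) -> Member:
        pool = self.candidates()
        if not pool:
            raise RuntimeError("no cluster member can accept connections")
        # Assumed rule: least loaded relative to weight. Exact rational arithmetic keeps
        # ties deterministic (min() returns the first of equal candidates).
        target = min(pool, key=lambda m: Fraction(m.sessions, m.weight))
        target.sessions += 1
        return target

    def simulate(self, n_connections: int) -> Dict[str, int]:
        for _ in range(n_connections):
            self.assign()
        return {m.name: m.sessions for m in self.members}


def distribution(weights: Dict[str, int], n_connections: int,
                 controller: str, controller_only: bool) -> Dict[str, int]:
    """Return how n_connections spread over members with the given /WEIGHT values."""
    members = [Member(name, w, is_controller=(name == controller)) for name, w in weights.items()]
    return Cluster(members, controller_only).simulate(n_connections)


if __name__ == "__main__":
    # Constructed cluster: controller at 100, one member at 200, one member at 100.
    weights = {"ctl": 100, "m1": 200, "m2": 100}
    print("/ONLY:no ", distribution(weights, 300, "ctl", False))  # m1 gets twice the share
    print("/ONLY:yes", distribution(weights, 300, "ctl", True))   # controller takes none
```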

6.3.14 ClusterMemberList - Get List of Cluster Members

Command Name: ClusterMemberList
Outline of Command: Get List of Cluster Members
Explanation: Use this command when the VPN Server is operating as a cluster controller to get a list of the cluster member servers on the same cluster, including the cluster controller itself.
For each member, the following information is also listed: [Type], [Connection Start], [Host Name], [Points], [Number of Sessions], [Number of TCP Connections], [Number of Operating Virtual HUBs], [Using Client Connection License], [Using Bridge Connection License].
This command cannot be run on VPN Bridge.
Commandline format: ClusterMemberList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.15 ClusterMemberInfoGet - Get Cluster Member Information

Command Name: ClusterMemberInfoGet
Outline of Command: Get Cluster Member Information
Explanation: When the VPN Server is operating as a cluster controller, you can get information on cluster member servers on that cluster by specifying the IDs of the member servers.
You can get the following information about the specified cluster member server: [Server Type], [Time Connection was Established], [IP Address], [Host Name], [Points], [Public Port List], [Number of Operating Virtual HUBs], [First Virtual HUB], [Number of Sessions], [Number of TCP Connections].
This command cannot be run on VPN Bridge.
Commandline format: ClusterMemberInfoGet [id]
List of parameter argument that can be specified by vpncmd command.

id: Specify the ID of the cluster member whose information you want to get. You can obtain the cluster member server ID by using the ClusterMemberList command.

6.3.16 ClusterMemberCertGet - Get Cluster Member Certificate

Command Name: ClusterMemberCertGet
Outline of Command: Get Cluster Member Certificate
Explanation: When the VPN Server is operating as a cluster controller, you can get the public X.509 certificate of cluster member servers on that cluster by specifying the IDs of those member servers. You can save the certificate as an X.509 format file.
This command cannot be run on VPN Bridge.
Commandline format: ClusterMemberCertGet [id] [/SAVECERT:cert]
List of parameter argument that can be specified by vpncmd command.

id: Specify the ID of the cluster member whose certificate you want to get. You can obtain the cluster member server ID by using the ClusterMemberList command.
/SAVECERT: Specify the file path name to save the certificate you obtained. You can save the certificate in X.509 format.

6.3.17 ClusterConnectionStatusGet - Get Connection Status to Cluster Controller

Command Name: ClusterConnectionStatusGet
Outline of Command: Get Connection Status to Cluster Controller
Explanation: Use this command when the VPN Server is operating as a cluster controller to get the status of connection to the cluster controller.
You can get the following information: [Controller IP Address], [Port Number], [Connection Status], [Connection Start Time], [First Connection Established Time], [Current Connection Established Time], [Number of Connection Attempts], [Number of Successful Connections], [Number of Failed Connections].
This command cannot be run on VPN Bridge.
Commandline format: ClusterConnectionStatusGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.18 ServerCertGet - Get SSL Certificate of VPN Server

Command Name: ServerCertGet
Outline of Command: Get SSL Certificate of VPN Server
Explanation: Use this to get the SSL certificate that the VPN Server provides to the connected client. You can save the certificate as an X.509 format file.
Commandline format: ServerCertGet [cert]
List of parameter argument that can be specified by vpncmd command.

cert: Specify the file path name to save the certificate you obtained. You can save the certificate in X.509 format.

6.3.19 ServerKeyGet - Get SSL Certificate Private Key of VPN Server

Command Name: ServerKeyGet
Outline of Command: Get SSL Certificate Private Key of VPN Server
Explanation: Use this to get the private key of the SSL certificate that the VPN Server provides to the connected client. You can save the private key as a Base 64 encoded file.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ServerKeyGet [key]
List of parameter argument that can be specified by vpncmd command.

key: Specify the file path name to save the private key you obtained. You can save the private key in a Base 64 encoded format.

6.3.20 ServerCertSet - Set SSL Certificate and Private Key of VPN Server

Command Name: ServerCertSet
Outline of Command: Set SSL Certificate and Private Key of VPN Server
Explanation: You can set the SSL certificate that the VPN Server provides to the connected client and the private key for that certificate. The certificate must be in X.509 format and the private key must be in Base 64 encoded format.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ServerCertSet [/LOADCERT:cert] [/LOADKEY:key]
List of parameter argument that can be specified by vpncmd command.

/LOADCERT: Specify the X.509 format certificate file to use.
/LOADKEY: Specify the Base 64 encoded private key file for the certificate to use.

6.3.21 ServerCipherGet - Get the Encryption Algorithm Used for VPN Communication

Command Name: ServerCipherGet
Outline of Command: Get the Encryption Algorithm Used for VPN Communication
Explanation: Use this to get the current setting of the algorithm used for the electronic signature and encryption of the SSL connections used for communication between the VPN Server and the connected client, and the list of algorithms that can be used on the VPN Server.
Commandline format: ServerCipherGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.22 ServerCipherSet - Set the Encryption Algorithm Used for VPN Communication

Command Name: ServerCipherSet
Outline of Command: Set the Encryption Algorithm Used for VPN Communication
Explanation: Use this to set the algorithm used for the electronic signature and encryption of the SSL connections used for communication between the VPN Server and the connected client.
By specifying the algorithm name, the specified algorithm will be used from then on between this server and the VPN Client and VPN Bridge connected to it, and the data will be encrypted with it.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ServerCipherSet [name]
List of parameter argument that can be specified by vpncmd command.

name: This specifies the encryption and electronic signature algorithm to set. You can obtain the list of usable algorithms by using the ServerCipherGet command.

6.3.23 KeepEnable - Enable the Keep Alive Internet Connection Function

Command Name: KeepEnable
Outline of Command: Enable the Keep Alive Internet Connection Function
Explanation: This allows you to enable the [Keep Alive Internet Connection Function]. In network connection environments where connections will automatically be disconnected when there are periods of no communication that are longer than a set period, the [Keep Alive Internet Connection Function] makes it possible to keep the Internet connection alive by sending packets to a nominated server on the Internet at set intervals.
You can set a destination host name etc. by using the KeepSet command.
To execute this command on a VPN Server or VPN Bridge, you must have administrator privileges.
Commandline format: KeepEnable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.24 KeepDisable - Disable the Keep Alive Internet Connection Function

Command Name: KeepDisable
Outline of Command: Disable the Keep Alive Internet Connection Function
Explanation: This allows you to disable the [Keep Alive Internet Connection Function].
To execute this command on a VPN Server or VPN Bridge, you must have administrator privileges.
Commandline format: KeepDisable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.25 KeepSet - Set the Keep Alive Internet Connection Function

Command Name: KeepSet
Outline of Command: Set the Keep Alive Internet Connection Function
Explanation: Use this to set the destination host name etc. of the [Keep Alive Internet Connection Function]. In network connection environments where connections will automatically be disconnected when there are periods of no communication that are longer than a set period, the [Keep Alive Internet Connection Function] makes it possible to keep the Internet connection alive by sending packets to a nominated server on the Internet at set intervals.
When using this command, you can specify the following: [Host Name], [Port Number], [Packet Send Interval], and [Protocol].
Packets sent to keep alive the Internet connection have random content; personal information that could identify a computer or user is not sent.
You can use the KeepEnable command or KeepDisable command to enable/disable the Keep Alive Internet Connection Function. KeepSet does not change the enabled/disabled status.
To execute this command on a VPN Server or VPN Bridge, you must have administrator privileges.
Commandline format: KeepSet [/HOST:host:port] [/PROTOCOL:tcp|udp] [/INTERVAL:interval]
List of parameter argument that can be specified by vpncmd command.

/HOST: Specify the host name or IP address, and port number of the destination using the format [host name:port number].
/PROTOCOL: Specify either tcp or udp.
/INTERVAL: Specify, in seconds, the interval between the sending of packets.

6.3.26 KeepGet - Get the Keep Alive Internet Connection Function

Command Name: KeepGet
Outline of Command: Get the Keep Alive Internet Connection Function
Explanation: Use this to get the current setting contents of the [Keep Alive Internet Connection Function]. In addition to the destination's [Host Name], [Port Number], [Packet Send Interval] and [Protocol], you can obtain the current enabled/disabled status of the [Keep Alive Internet Connection Function].
Commandline format: KeepGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.27 SyslogEnable - Set syslog Send Function

Command Name: SyslogEnable
Outline of Command: Set syslog Send Function
Explanation: Use this to set the usage of the syslog send function and which syslog server to use.
Commandline format: SyslogEnable [1|2|3] [/HOST:host:port]
List of parameter argument that can be specified by vpncmd command.

1|2|3: Specify, using an integer, 1, 2 or 3 for the setting to use the syslog send function. 1: Send server log by syslog. 2: Send server and Virtual HUB security logs by syslog. 3: Send server, Virtual HUB security, and packet logs by syslog.
/HOST: Specify the host name or IP address, and port number of the syslog server using the format [host name:port number]. If the port number is omitted, 514 will be used.

6.3.28 SyslogDisable - Disable syslog Send Function

Command Name: SyslogDisable
Outline of Command: Disable syslog Send Function
Explanation: Use this to disable the syslog send function.
Commandline format: SyslogDisable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.29 SyslogGet - Get syslog Send Function

Command Name: SyslogGet
Outline of Command: Get syslog Send Function
Explanation: This allows you to get the current setting contents of the syslog send function. You can get the usage setting of the syslog function and the host name and port number of the syslog server to use.
Commandline format: SyslogGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.30 ConnectionList - Get List of TCP Connections Connecting to the VPN Server

Command Name: ConnectionList
Outline of Command: Get List of TCP Connections Connecting to the VPN Server
Explanation: Use this to get a list of TCP/IP connections that are currently connecting to the VPN Server. It does not display the TCP connections that have been established as VPN sessions. To get the list of TCP/IP connections that have been established as VPN sessions, you can use the SessionList command.
You can get the following: [Connection Name], [Connection Source], [Connection Start] and [Type].
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ConnectionList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.31 ConnectionGet - Get Information of TCP Connections Connecting to the VPN Server

Command Name: ConnectionGet
Outline of Command: Get Information of TCP Connections Connecting to the VPN Server
Explanation: Use this to get detailed information of a specific TCP/IP connection that is connecting to the VPN Server.
You can get the following information: [Connection Name], [Connection Type], [Source Hostname], [Source IP Address], [Source Port Number (TCP)], [Connection Start], [Server Product Name], [Server Version], [Server Build Number], [Client Product Name], [Client Version], and [Client Build Number].
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ConnectionGet [name]
List of parameter argument that can be specified by vpncmd command.

name: This allows you to specify the name of the connection whose information you want to get. To get a list of connection names, you can use the ConnectionList command.

6.3.32 ConnectionDisconnect - Disconnect TCP Connections Connecting to the VPN Server

Command Name: ConnectionDisconnect
Outline of Command: Disconnect TCP Connections Connecting to the VPN Server
Explanation: Use this to forcefully disconnect specific TCP/IP connections that are connecting to the VPN Server.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ConnectionDisconnect [name]
List of parameter argument that can be specified by vpncmd command.

name: Specify the name of the connection to disconnect. To get a list of connection names, you can use the ConnectionList command.

6.3.33 BridgeDeviceList - Get List of Network Adapters Usable as Local Bridge

Command Name: BridgeDeviceList
Outline of Command: Get List of Network Adapters Usable as Local Bridge
Explanation: Use this to get a list of Ethernet devices (network adapters) that can be used as a bridge destination device as part of a Local Bridge connection.
You can use a device displayed here by using the BridgeCreate command.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: BridgeDeviceList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.34 BridgeList - Get List of Local Bridge Connection

Command Name: BridgeList
Outline of Command: Get List of Local Bridge Connection
Explanation: Use this to get a list of the currently defined Local Bridge connections.
You can get the Local Bridge connection's Virtual HUB name and the bridge destination Ethernet device (network adapter) name or tap device name, as well as the operating status.
Commandline format: BridgeList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.35 BridgeCreate - Create Local Bridge Connection

Command Name: BridgeCreate
Outline of Command: Create Local Bridge Connection
Explanation: Use this to create a new Local Bridge connection on the VPN Server.
By using a Local Bridge, you can configure a Layer 2 bridge connection between a Virtual HUB operating on this VPN Server and a physical Ethernet Device (Network Adapter).
You can also create a tap device (virtual network interface) on the system and connect a bridge between it and a Virtual HUB (the tap device is only supported by Linux versions).
It is possible to establish a bridge to an operating network adapter of your choice as the bridge destination Ethernet device (network adapter), but in high load environments, we recommend you prepare a network adapter dedicated to serving as a bridge.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: BridgeCreate [hubname] [/DEVICE:device_name] [/TAP:yes|no]
List of parameter argument that can be specified by vpncmd command.

hubname: Specify the Virtual HUB to create the bridge for. To get a list of Virtual HUBs, you can use the HubList command. It is not essential that you specify a Virtual HUB that is currently operating. If you specify a Virtual HUB name that is not currently operating or that does not exist, the Local Bridge connection will become enabled when the actual operation of that Virtual HUB begins.
/DEVICE: Specify the bridge destination Ethernet device (network adapter) or tap device name. You can get the list of Ethernet device names by using the BridgeDeviceList command.
/TAP: Specify yes if you are using a tap device rather than a network adapter for the bridge destination (only supported for Linux versions). When this is omitted, it will be treated the same as when no is specified.

6.3.36 BridgeDelete - Delete Local Bridge Connection

Command Name: BridgeDelete
Outline of Command: Delete Local Bridge Connection
Explanation: Use this to delete an existing Local Bridge connection. To get a list of current Local Bridge connections use the BridgeDeviceList command.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: BridgeDelete [hubname] [/DEVICE:device_name]
List of parameter argument that can be specified by vpncmd command.

hubname: Specify the Virtual HUB of the Local Bridge to delete.
/DEVICE: Specify the device name (network adapter or tap device name) of the Local Bridge to delete.

6.3.37 Caps - Get List of Server Functions/Capability

Command Name: Caps
Outline of Command: Get List of Server Functions/Capability
Explanation: Use this to get a list of the functions and capability of the VPN Server currently connected and being managed.
The functions and capability of VPN Servers differ depending on the operating VPN Server's edition and version. Sometimes commands may be included in the command line management utility that cannot operate because of the functions and capability of the destination VPN Server. Using this command, you can find out the capability of the target VPN Server and report it.
If the version of the VPN Server is newer than the command line management utility and there are functions that the command line management utility does not recognize, their content strings (variable names) are displayed as they are.
Commandline format: Caps
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.38 Reboot - Reboot VPN Server Service

Command Name: Reboot
Outline of Command: Reboot VPN Server Service
Explanation: Use this to restart the VPN Server service.
When you restart the VPN Server, all currently connected sessions and TCP connections will be disconnected and no new connections will be accepted until the restart process has completed.
By using this command, only the VPN Server service program will be restarted; the physical computer that VPN Server is operating on does not restart. This management session will also be disconnected, so you will need to reconnect to continue management.
Also, by specifying the /RESETCONFIG:yes parameter, the contents of the configuration file (.config) held by the current VPN Server will be initialized.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: Reboot [/RESETCONFIG:yes|no]
List of parameter argument that can be specified by vpncmd command.

/RESETCONFIG: By specifying yes, the contents of the configuration file (.config) held by the current VPN Server will be initialized. Please carefully consider the implications when setting this parameter.

6.3.39 ConfigGet - Get the current configuration of the VPN Server

Command Name: ConfigGet
Outline of Command: Get the current configuration of the VPN Server
Explanation: Use this to get a text file (.config file) that contains the current configuration contents of the VPN Server. You get the status of the VPN Server at the instant this command is executed.
When no parameter is specified, the contents of the configuration file will be displayed on screen as they are. By specifying a save destination file name as a parameter, the contents will be saved under that file name.
You can edit the configuration file by using a regular text editor. To write an edited configuration to the VPN Server, use the ConfigSet command.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ConfigGet [path]
List of parameter argument that can be specified by vpncmd command.

path: When you want to save the contents of the configuration file to a file, use this to specify the file name. If left unspecified, the configuration contents will be displayed on screen. If the configuration file contains multiple-byte characters, it must be saved with Unicode (UTF-8) encoding.

6.3.40 ConfigSet - Write Configuration File to VPN Server

Command Name: ConfigSet
Outline of Command: Write Configuration File to VPN Server
Explanation: Use this to write the configuration file to the VPN Server. By executing this command, the contents of the specified configuration file will be applied to the VPN Server, the VPN Server program will automatically restart and, upon restart, it will operate according to the new configuration contents.
Because it is difficult for an administrator to write all the contents of a configuration file, we recommend you use the ConfigGet command to get the current contents of the VPN Server configuration and save it to a file. You can then edit these contents in a regular text editor and then use the ConfigSet command to write the contents back to the VPN Server.
This command is for people with a detailed knowledge of the VPN Server: if an incorrectly configured configuration file is written to the VPN Server, it could not only cause errors but also result in the loss of the current setting data. Take special care when carrying out this action.
To execute this command, you must have VPN Server administrator privileges.
Commandline format: ConfigSet [path]
List of parameter argument that can be specified by vpncmd command.

path: Specify the file name of the configuration file to write. If the file to write contains multiple-byte characters, the encoding must be Unicode (UTF-8).

6.3.41 RouterList - Get List of Virtual Layer 3 Switches

Command Name RouterList
Outline of Command Get List of Virtual Layer 3 Switches
Explanation Use this to get the list of Virtual Layer 3 Switches defined on the
VPN Server. You can get the following information on the Virtual
Layer 3 Switches: [Switch Name], [Operating Status], [Number of
Interfaces], [Number of Routing Tables].
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
Commandline format RouterList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.42 RouterAdd - Define New Virtual Layer 3 Switch

Command Name RouterAdd
Outline of Command Define New Virtual Layer 3 Switch
Explanation Use this to define a new Virtual Layer 3 Switch on the VPN Server.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.

[Explanation on Virtual Layer 3 Switch Function]
You can define Virtual Layer 3 Switches between multiple Virtual
HUBs operating on this VPN Server and configure routing between
different IP networks.

[Caution About the Virtual Layer 3 Switch Function]
The Virtual Layer 3 Switch functions are provided for network
administrators and other people who have a thorough knowledge of
networks and IP routing. If you are using the regular VPN functions,
you do not need to use the Virtual Layer 3 Switch functions.
If the Virtual Layer 3 Switch functions are to be used, the person
who configures them must have sufficient knowledge of IP routing
and be able to configure them without adversely affecting the network.
Commandline format RouterAdd [name]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch to be
newly created. You cannot specify a name that is identical to that of an
existing Virtual Layer 3 Switch.

6.3.43 RouterDelete - Delete Virtual Layer 3 Switch

Command Name RouterDelete
Outline of Command Delete Virtual Layer 3 Switch
Explanation Use this to delete an existing Virtual Layer 3 Switch that is defined
on the VPN Server. When the specified Virtual Layer 3 Switch is
operating, it will be automatically deleted after operation stops.
To get a list of existing Virtual Layer 3 Switches, use the RouterList
command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
Commandline format RouterDelete [name]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch to be
deleted.

6.3.44 RouterStart - Start Virtual Layer 3 Switch Operation

Command Name RouterStart
Outline of Command Start Virtual Layer 3 Switch Operation
Explanation Use this to start the operation of an existing Virtual Layer 3 Switch
defined on the VPN Server whose operation is currently stopped.
To get a list of existing Virtual Layer 3 Switches, use the RouterList
command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.

[Explanation on Virtual Layer 3 Switch Function]
You can define Virtual Layer 3 Switches between multiple Virtual
HUBs operating on this VPN Server and configure routing between
different IP networks.

[Caution About the Virtual Layer 3 Switch Function]
The Virtual Layer 3 Switch functions are provided for network
administrators and other people who have a thorough knowledge of
networks and IP routing. If you are using the regular VPN functions,
you do not need to use the Virtual Layer 3 Switch functions.
If the Virtual Layer 3 Switch functions are to be used, the person
who configures them must have sufficient knowledge of IP routing
and be able to configure them without adversely affecting the network.
Commandline format RouterStart [name]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch to start.

6.3.45 RouterStop - Stop Virtual Layer 3 Switch Operation

Command Name RouterStop
Outline of Command Stop Virtual Layer 3 Switch Operation
Explanation Use this to stop the operation of an existing Virtual Layer 3 Switch
defined on the VPN Server that is currently operating.
To get a list of existing Virtual Layer 3 Switches, use the RouterList
command.
To execute this command, you must have VPN Server
administrator privileges.
Commandline format RouterStop [name]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch to stop.

6.3.46 RouterIfList - Get List of Interfaces Registered on the Virtual Layer 3 Switch

Command Name RouterIfList
Outline of Command Get List of Interfaces Registered on the Virtual Layer 3 Switch
Explanation Use this to get a list of virtual interfaces when virtual interfaces
have been defined on a specified Virtual Layer 3 Switch.
You can define multiple virtual interfaces and routing tables for a
single Virtual Layer 3 Switch.
A virtual interface is associated with a Virtual HUB and operates as a
single IP host on the Virtual HUB when that Virtual HUB is
operating. When multiple virtual interfaces, each belonging to a
different IP network of a different Virtual HUB, are defined, IP
routing will be automatically performed between these interfaces.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
Commandline format RouterIfList [name]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch.

6.3.47 RouterIfAdd - Add Virtual Interface to Virtual Layer 3 Switch

Command Name RouterIfAdd
Outline of Command Add Virtual Interface to Virtual Layer 3 Switch
Explanation Use this to add, to a specified Virtual Layer 3 Switch, a virtual
interface that connects to a Virtual HUB operating on the same
VPN Server.
You can define multiple virtual interfaces and routing tables for a
single Virtual Layer 3 Switch.
A virtual interface is associated with a Virtual HUB and operates as a
single IP host on the Virtual HUB when that Virtual HUB is
operating. When multiple virtual interfaces, each belonging to a
different IP network of a different Virtual HUB, are defined, IP
routing will be automatically performed between these interfaces.
You must define the IP network space that the virtual interface
belongs to and the IP address of the interface itself.
Also, you must specify the name of the Virtual HUB that the
interface will connect to.
You can specify a Virtual HUB that currently doesn't exist for the
Virtual HUB name.
The virtual interface must have one IP address in the Virtual HUB.
You also must specify the subnet mask of an IP network that the
IP address belongs to.
Routing between the IP address spaces of multiple Virtual HUBs via the
Virtual Layer 3 Switch is performed based on the IP address specified here.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
To execute this command, the target Virtual Layer 3 Switch must
be stopped. If it is not stopped, first use the RouterStop command
to stop it and then execute this command.
Commandline format RouterIfAdd [name] [/HUB:hub] [/IP:ip/mask]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch.
/HUB Use this to specify the name of the Virtual HUB to be the
connection destination of the virtual interface to be newly added.
To get a list of Virtual HUBs, you can use the HubList command. It
is not essential that you specify a Virtual HUB that is currently
operating. If you specify a Virtual HUB name that is not currently
operating or that does not exist, the Virtual Layer 3 Switch will
become enabled when the actual operation of that Virtual HUB
begins.
/IP Using the format [IP address/subnet mask], specify the IP
address and subnet mask held by the virtual interface to be newly
added. Specify the IP address by separating the decimal values
using dots, such as 192.168.0.1. For the subnet mask, either
specify decimal values separated by dots, such as 255.255.255.0,
or specify the bit length from the header using a decimal
value such as 24.

6.3.48 RouterIfDel - Delete Virtual Interface of Virtual Layer 3 Switch

Command Name RouterIfDel
Outline of Command Delete Virtual Interface of Virtual Layer 3 Switch
Explanation Use this to delete a virtual interface already defined in the
specified Virtual Layer 3 Switch.
You can get a list of the virtual interfaces currently defined, by
using the RouterIfList command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
To execute this command, the target Virtual Layer 3 Switch must
be stopped. If it is not stopped, first use the RouterStop command
to stop it and then execute this command.
Commandline format RouterIfDel [name] [/HUB:hub]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch.
/HUB Use this to specify the name of the Virtual HUB to be the
connection destination of the virtual interface to be deleted.

6.3.49 RouterTableList - Get List of Routing Tables of Virtual Layer 3 Switch

Command Name RouterTableList
Outline of Command Get List of Routing Tables of Virtual Layer 3 Switch
Explanation Use this to get a list of routing tables when routing tables have
been defined on a specified Virtual Layer 3 Switch.
If the destination IP address of the IP packet does not belong to
any IP network that belongs to a virtual interface, the IP routing
engine of the Virtual Layer 3 Switch will reference this routing
table and execute routing.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
Commandline format RouterTableList [name]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch.

6.3.50 RouterTableAdd - Add Routing Table Entry for Virtual Layer 3 Switch

Command Name RouterTableAdd
Outline of Command Add Routing Table Entry for Virtual Layer 3 Switch
Explanation Here you can add a new routing table entry to the routing table of
the specified Virtual Layer 3 Switch.
If the destination IP address of the IP packet does not belong to
any IP network that belongs to a virtual interface, the IP routing
engine of the Virtual Layer 3 Switch will reference the routing table
and execute routing.
You must specify the contents of the routing table entry to be
added to the Virtual Layer 3 Switch. As the gateway address, you must
specify an IP address that belongs to the same IP network as one of
the virtual interfaces of this Virtual Layer 3 Switch.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
To execute this command, the target Virtual Layer 3 Switch must
be stopped. If it is not stopped, first use the RouterStop command
to stop it and then execute this command.
Commandline format RouterTableAdd [name] [/NETWORK:ip/mask] [/GATEWAY:gwip]
[/METRIC:metric]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch.
/NETWORK Using the format [IP address/subnet mask], specify the network
address and subnet mask of the routing table entry to be newly
added. Specify the network address by separating the decimal
values using dots, such as "192.168.0.1". For the subnet mask,
either specify decimal values separated by dots, such as
255.255.255.0, or specify the bit length from the header
using a decimal value such as 24. If you specify 0.0.0.0/0.0.0.0,
the default route will be used.
/GATEWAY Specify the gateway IP address.
/METRIC Specify a metric value. Specify an integer (1 or higher).
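As an added example (not part of this manual and not vpnserver code), the following Python models the RouterIfAdd and RouterTableAdd rules above: it accepts both subnet-mask forms, rejects a gateway that is not on one of the switch's own interface networks, emits the vpncmd sequence with the switch stopped before interfaces and routes are added, and shows which Virtual HUB a packet would be forwarded to. The switch name L3SW1, the hub names SALES and DEV, the addresses, and the longest-prefix-then-lowest-metric selection rule are constructed assumptions.

```python
"""Constructed model of a PacketiX Virtual Layer 3 Switch configuration.

Validates /IP, /NETWORK, /GATEWAY and /METRIC as the manual describes
them, emits the vpncmd command sequence in an order that honours the
"switch must be stopped" rule, and shows which hub a packet goes to.
Route selection by longest prefix, then lowest metric, is an assumption;
the manual does not state the selection rule.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_ip_mask(spec: str) -> ipaddress.IPv4Interface:
    """Parse "ip/mask" where the mask is dotted (255.255.255.0) or a bit
    length (24); both forms are accepted for /IP and /NETWORK."""
    ip, sep, mask = spec.partition("/")
    if not sep or not mask:
        raise ValueError(f"expected ip/mask, got {spec!r}")
    return ipaddress.IPv4Interface(f"{ip}/{mask}")  # ipaddress takes both forms


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


@dataclass
class L3Switch:
    name: str
    # (Virtual HUB name, interface address): one IP host per Virtual HUB
    interfaces: List[Tuple[str, ipaddress.IPv4Interface]] = field(default_factory=list)
    routes: List[Route] = field(default_factory=list)

    def add_interface(self, hub: str, ip_mask: str) -> None:
        """RouterIfAdd: each interface sits on a different IP network of a different hub."""
        iface = parse_ip_mask(ip_mask)
        for other_hub, other in self.interfaces:
            if other_hub == hub:
                raise ValueError(f"hub {hub!r} already has a virtual interface")
            if other.network.overlaps(iface.network):
                raise ValueError("virtual interfaces must be on different IP networks")
        self.interfaces.append((hub, iface))

    def add_route(self, network: str, gateway: str, metric: int = 1) -> None:
        """RouterTableAdd: the gateway must lie on one of the switch's own
        interface networks, otherwise the routing engine cannot reach it."""
        net = parse_ip_mask(network).network  # 0.0.0.0/0.0.0.0 becomes the default route
        gw = ipaddress.IPv4Address(gateway)
        if metric < 1:
            raise ValueError("/METRIC must be an integer of 1 or higher")
        if not any(gw in iface.network for _, iface in self.interfaces):
            raise ValueError(f"gateway {gw} is not on any virtual interface network")
        self.routes.append(Route(net, gw, metric))

    def next_hop(self, dst: str) -> Optional[Tuple[str, str]]:
        """Return (hub, next-hop address) for a destination, or None if unroutable."""
        addr = ipaddress.IPv4Address(dst)
        # A destination on a directly attached network never consults the table.
        for hub, iface in self.interfaces:
            if addr in iface.network:
                return hub, str(addr)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        best = max(matches, key=lambda r: (r.network.prefixlen, -r.metric))
        for hub, iface in self.interfaces:
            if best.gateway in iface.network:
                return hub, str(best.gateway)
        return None

    def vpncmd_commands(self, create: bool = True) -> List[str]:
        """Ordered vpncmd lines: a new switch is added, an existing one is
        stopped first, because RouterIfAdd/RouterTableAdd need it stopped."""
        lines = [f"RouterAdd {self.name}" if create else f"RouterStop {self.name}"]
        for hub, iface in self.interfaces:
            lines.append(f"RouterIfAdd {self.name} /HUB:{hub} /IP:{iface.with_prefixlen}")
        for r in self.routes:
            lines.append(f"RouterTableAdd {self.name} /NETWORK:{r.network.with_prefixlen} "
                         f"/GATEWAY:{r.gateway} /METRIC:{r.metric}")
        lines.append(f"RouterStart {self.name}")
        return lines


def build_example() -> L3Switch:
    """Constructed two-hub example: SALES (192.168.10.0/24) and DEV
    (192.168.20.0/24), with a default route via a gateway on the DEV side."""
    sw = L3Switch("L3SW1")
    sw.add_interface("SALES", "192.168.10.1/255.255.255.0")  # dotted-mask form
    sw.add_interface("DEV", "192.168.20.1/24")                # bit-length form
    sw.add_route("0.0.0.0/0.0.0.0", "192.168.20.254", metric=1)
    return sw
```

Feeding the returned lines to vpncmd in that order keeps the switch stopped while its interfaces and routes are added, which is the precondition the manual states for RouterIfAdd and RouterTableAdd.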

6.3.51 RouterTableDel - Delete Routing Table Entry of Virtual Layer 3 Switch

Command Name RouterTableDel
Outline of Command Delete Routing Table Entry of Virtual Layer 3 Switch
Explanation Use this to delete a routing table entry that is defined in the
specified Virtual Layer 3 Switch.
You can get a list of the already defined routing table entries by
using the RouterTableList command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Bridge.
To execute this command, the target Virtual Layer 3 Switch must
be stopped. If it is not stopped, first use the RouterStop command
to stop it and then execute this command.
Commandline format RouterTableDel [name] [/NETWORK:ip/mask] [/GATEWAY:gwip]
[/METRIC:metric]
List of parameter argument that can be specified by vpncmd command.

name Use this to specify the name of the Virtual Layer 3 Switch.
/NETWORK Using the format: [IP address/subnet mask], specify the network
address of the routing table entry to be deleted.
/GATEWAY Specify the gateway IP address.
/METRIC Specify a metric value. Specify an integer (1 or higher).

6.3.52 LogFileList - Get List of Log Files

Command Name LogFileList
Outline of Command Get List of Log Files
Explanation Use this to display a list of log files output by the VPN Server
that have been saved on the VPN Server computer. By specifying a
log file name displayed here and calling it using the LogFileGet
command, you can download the contents of the log file.
If you are connected to the VPN Server in server admin mode, you
can display or download the packet logs and security logs of all
Virtual HUBs and the server log of the VPN Server.
When connected in Virtual HUB Admin Mode, you are able to view
or download only the packet log and security log of the Virtual HUB
that is the target of management.
Commandline format LogFileList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.53 LogFileGet - Download Log file

Command Name LogFileGet
Outline of Command Download Log file
Explanation Use this to download the log file that is saved on the VPN Server
computer. To download the log file first display the list of log files
using the LogFileList command and then download the log file
using the LogFileGet command. If you are connected to the VPN
Server in server admin mode, you can display or download the
packet logs and security logs of all Virtual HUBs and the server log
of the VPN Server. When connected in Virtual HUB Admin Mode,
you are able to view or download only the packet log and security
log of the Virtual HUB that is the target of management.
If you have specified the file name as a parameter, the
downloaded log file will be saved to the file of that file name. If the
destination file is not specified, the log file will be displayed
onscreen.
The size of the log file can get very big, so pay careful attention to
this issue.
Commandline format LogFileGet [name] [/SERVER:server] [/SAVEPATH:savepath]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the log file to be downloaded. To get a list of
downloadable log files, use the LogFileList command.
/SERVER Use this to specify the server name when making a download
request to a cluster controller. Specify the server that will be
displayed by the LogFileGet command.
/SAVEPATH Use this to specify the destination file name for when saving the
downloaded log file. When this is left unspecified, the file will be
displayed onscreen.

6.3.54 HubCreate - Create New Virtual HUB

Command Name HubCreate
Outline of Command Create New Virtual HUB
Explanation Use this to create a new Virtual HUB on the VPN Server.
The created Virtual HUB will begin operation immediately.
When the VPN Server is operating on a cluster, this command is
only valid for the cluster controller. Also, the new Virtual HUB will
operate as a dynamic Virtual HUB. You can change it to a static
Virtual HUB by using the HubSetStatic command. To get a list of
Virtual HUBs that are already on the VPN Server, use the HubList
command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Servers that are
operating as a VPN Bridge or cluster member.
When issuing the command to a cluster controller on a cluster to
create a Virtual HUB, use either the HubCreateStatic command or
the HubCreateDynamic command (issuing the HubCreate
command to a cluster controller has the same operational effect as
issuing the HubCreateDynamic command).
Commandline format HubCreate [name] [/PASSWORD:password]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual HUB to create.


/PASSWORD Specify an administrator password when the administrator
password is going to be set for the Virtual HUB to be created. If
this is not specified, a prompt will appear to input the password.

6.3.55 HubCreateDynamic - Create New Dynamic Virtual HUB (For Clustering)

Command Name HubCreateDynamic
Outline of Command Create New Dynamic Virtual HUB (For Clustering)
Explanation Use this to create a new dynamic Virtual HUB on the VPN Server.
The created Virtual HUB will begin operation immediately.
When the VPN Server is operating on a cluster, this command is
only valid for the cluster controller. Also, the new Virtual HUB will
operate as a dynamic Virtual HUB. You can change it to a static
Virtual HUB by using the HubSetStatic command. To get a list of
Virtual HUBs that are already on the VPN Server, use the HubList
command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Servers that are
operating as a VPN Bridge, cluster member or standalone server.
Commandline format HubCreateDynamic [name] [/PASSWORD:password]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual HUB to create.


/PASSWORD Specify an administrator password when the administrator
password is going to be set for the Virtual HUB to be created. If
this is not specified, a prompt will appear to input the password.

6.3.56 HubCreateStatic - Create New Static Virtual HUB (For Clustering)

Command Name HubCreateStatic
Outline of Command Create New Static Virtual HUB (For Clustering)
Explanation Use this to create a new static Virtual HUB on the VPN Server.
The created Virtual HUB will begin operation immediately.
When the VPN Server is operating on a cluster, this command is
only valid for the cluster controller. Also, the new Virtual HUB will
operate as a dynamic Virtual HUB. You can change it to a static
Virtual HUB by using the HubSetStatic command. To get a list of
Virtual HUBs that are already on the VPN Server, use the HubList
command.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Servers that are
operating as a VPN Bridge, cluster member or standalone server.
Commandline format HubCreateStatic [name] [/PASSWORD:password]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual HUB to create.


/PASSWORD Specify an administrator password when the administrator
password is going to be set for the Virtual HUB to be created. If
this is not specified, a prompt will appear to input the password.

6.3.57 HubDelete - Delete Virtual HUB

Command Name HubDelete
Outline of Command Delete Virtual HUB
Explanation Use this to delete an existing Virtual HUB on the VPN Server.
If you delete the Virtual HUB, all sessions that are currently
connected to the Virtual HUB will be disconnected and new
sessions will be unable to connect to the Virtual HUB.
This will also delete all the HUB settings, user objects, group
objects, certificates and Cascade Connections.
Once you delete the Virtual HUB, it cannot be recovered.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Servers that are
operating as a VPN Bridge or cluster member.
Commandline format HubDelete [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual HUB to delete.

6.3.58 HubSetStatic - Change Virtual HUB Type to Static Virtual HUB

Command Name HubSetStatic
Outline of Command Change Virtual HUB Type to Static Virtual HUB
Explanation Use this when a VPN Server is operating on a cluster and you want
to change the type of the Virtual HUB to a static Virtual HUB.
When the type of the Virtual HUB is changed, all sessions that are
currently connected to the Virtual HUB will be disconnected.
When a Virtual HUB is operating as a static Virtual HUB, a
Virtual HUB with that name will be created on all the cluster
member servers. A user who attempts to connect to this Virtual HUB
will be connected to one of the cluster members hosting this
Virtual HUB, as determined by an algorithm based on each server's
load status.
A static Virtual HUB, for example, could be used for a remote
access VPN that allows thousands or tens of thousands of users to
connect at the same time for the purpose of remotely accessing an
internal company LAN from the Internet for business.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Servers that are
operating as a VPN Bridge, cluster member or standalone server.
This command cannot be used for VPN Servers that are newer
than Build 5190.
Commandline format HubSetStatic [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual Hub to be set as the static Virtual
HUB.

6.3.59 HubSetDynamic - Change Virtual HUB Type to Dynamic Virtual HUB

Command Name HubSetDynamic
Outline of Command Change Virtual HUB Type to Dynamic Virtual HUB
Explanation Use this when a VPN Server is operating on a cluster and you want
to change the type of the Virtual HUB to a dynamic Virtual HUB.
When the type of the Virtual HUB is changed, all sessions that are
currently connected to the Virtual HUB will be disconnected.
When there is not even one client connected to a dynamic Virtual
HUB defined on the cluster, then that Virtual HUB does not exist
on any cluster member. When the first client to attempt to connect
to the dynamic Virtual HUB does so, the server with the lowest
load on the cluster starts hosting that Virtual HUB. When the
second and subsequent clients attempt to connect to the same
virtual HUB, they are automatically connected to the server
hosting the Virtual HUB. When all the clients are disconnected
from a particular dynamic Virtual HUB, the Virtual HUB will return
to the original state of not existing on any of the servers.
There is a broad range of applications for dynamic Virtual HUBs,
such as a Virtual HUB defined for each business section within a
company so that employees can connect to the Virtual HUB of their
own department to do their work in a centralized management
environment that is deployed on a single cluster.
To execute this command, you must have VPN Server
administrator privileges.
Also, this command does not operate on VPN Servers that are
operating as a VPN Bridge, cluster member or standalone server.
This command cannot be used for VPN Servers that are newer
than Build 5190.
Commandline format HubSetDynamic [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual HUB to be set as the dynamic
Virtual HUB.

6.3.60 HubList - Get List of Virtual HUBs

Command Name HubList
Outline of Command Get List of Virtual HUBs
Explanation Use this to get a list of existing Virtual HUBs on the VPN Server.
For each Virtual HUB, you can get the following information:
[Virtual HUB Name], [Status], [Type], [Number of Users],
[Number of Groups], [Number of Sessions], [Number of MAC
Tables], [Number of IP Tables], [Number of Logins], [Last Login],
and [Last Communication]
Note that when connecting in Virtual HUB Admin Mode, a Virtual HUB
for which you do not have administrator privileges will not be
enumerated if the option "Don't Enumerate this Virtual HUB for
Anonymous Users" is enabled in that Virtual HUB's options. If you are
connected in Server Admin Mode, the list of all Virtual HUBs will be
displayed.
When connecting to and managing a non-cluster-controller cluster
member of a clustering environment, only the Virtual HUB
currently being hosted by that VPN Server will be displayed. When
connecting to a cluster controller for administration purposes, all
the Virtual HUBs will be displayed.
Commandline format HubList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.61 Hub - Select Virtual HUB to Manage

Command Name Hub
Outline of Command Select Virtual HUB to Manage
Explanation Use this to select the Virtual HUB to be the target of
administration. While the administration utility is connected to a
VPN Server, before executing a command to set or manage a Virtual
HUB, you must use the Hub command to select the Virtual HUB to
manage.
When connected to a VPN Server in Virtual HUB Admin Mode, you can
select a single Virtual HUB to be the target of administration but
you cannot select other Virtual HUBs.
When connected to the VPN Server in Server Admin Mode, you can
make all Virtual HUBs the target of administration.
To get a list of Virtual HUBs that currently exist on the VPN Server,
use the HubList command.
For the VPN Bridge, you can only select the Virtual HUB that has
the name "BRIDGE".
Commandline format Hub [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Virtual HUB to manage. If this parameter
is left unspecified, the current selection of the Virtual HUB to
manage will be cancelled.

6.3.62 LicenseAdd - Add License Key Registration

Command Name LicenseAdd
Outline of Command Add License Key Registration
Explanation Use this to register a new license key on the PacketiX VPN Server.
To use PacketiX VPN Server you must acquire a valid license and
register the license key. The license keys are 36 alphanumeric
characters in length plus hyphens. They are key codes that certify
the ownership of a license.
When a license certificate is received together with this software,
the license key is printed on this license certificate. If the license
for this software was purchased online, the license key is provided
by email and on the website window at the time the license is
purchased. The license key may also be written down by some
other method. If you don't know where the license key is written
down, ask the vendor who sold you the license.

To get the list of currently registered licenses, use the LicenseList
command.
To display the license status of the current VPN Server, use the
LicenseStatus command.
To execute this command, you must have VPN Server
administrator privileges.
This command cannot be run on VPN Bridge.
Commandline format LicenseAdd [key]
List of parameter argument that can be specified by vpncmd command.

key Specify the license key to register. Specify 36 alphanumeric
characters, grouped in groups of 6 and separated by hyphens.

6.3.63 LicenseDel - Delete Registered License

Command Name LicenseDel
Outline of Command Delete Registered License
Explanation Use this to delete a specified license from the license list that is
currently registered on the PacketiX VPN Server.

To get the list of currently registered licenses, use the LicenseList
command.
To display the license status of the current VPN Server, use the
LicenseStatus command.
To execute this command, you must have VPN Server
administrator privileges.
This command cannot be run on VPN Bridge.
Commandline format LicenseDel [id]
List of parameter argument that can be specified by vpncmd command.

id Specify the license number to delete.

6.3.64 LicenseList - Get List of Registered Licenses

Command Name LicenseList
Outline of Command Get List of Registered Licenses
Explanation Use this to display a list of license information currently registered
on the PacketiX VPN Server including: license key, license type
name, status, expiration date, license ID, license type ID, server
ID and serial ID.

To display the license status of the current VPN Server, use the
LicenseStatus command.
To execute this command, you must have VPN Server
administrator privileges.
This command cannot be run on VPN Bridge.
Commandline format LicenseList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.65 LicenseStatus - Get License Status of Current VPN Server

Command Name LicenseStatus
Outline of Command Get License Status of Current VPN Server
Explanation Use this to get and display the license status of the current
PacketiX VPN Server.
The following current information on the PacketiX VPN Server will
be displayed: product edition, server ID, product license expiration
date, number of usable Client Connection Licenses and number of
Bridge Connection Licenses.

To execute this command, you must have VPN Server
administrator privileges.
This command cannot be run on VPN Bridge.
Commandline format LicenseStatus
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.3.66 MakeCert - Create New X.509 Certificate and Private Key

Command Name MakeCert
Outline of Command Create New X.509 Certificate and Private Key
Explanation Use this to create a new X.509 certificate and private key and save
it as a file.
The algorithm used to create the public key and private key of the
certificate is RSA 1024 bit.
You can choose to create a root certificate (self-signed certificate)
or a certificate signed by another certificate. To create a certificate
that is signed by another certificate, you require the signing
certificate (X.509 format file) and the private key file (Base 64
encoded) that matches that certificate.

When creating a certificate, you can specify the following: Name


(CN), Organization (O), Organization Unit (OU), Country (C), State
(ST), Locale (L), Serial Number, and Expiration Date.
The created certificate will be saved as an X.509 format file and
the private key file will be saved in a Base 64 encoded RSA 1024
bit format file.

file://C:¥html¥all.htm 2007/11/20
PacketiX VPN 2.0 Online Manual 402/685 ページ

The MakeCert command is a tool that provides the most


rudimentary function for creating certificates. If you want to create
a more substantial certificate, we recommend that you use either
free software such as OpenSSL, or commercial CA (certificate
authority) software.

Note: This command can be called from the PacketiX VPN


Command Line Management Utility. You can also execute this
command while connected to the current VPN Server or VPN Client
in Administration Mode but, what actually performs the RSA
computation, generates the certificate data and saves it to file is
the computer on which the command is running, and all this is
executed in a context that has absolutely no relationship to the
computer that is the destination of the Administration Mode
connection.
Commandline MakeCert [/CN:cn] [/O:o] [/OU:ou] [/C:c] [/ST:st] [/L:l]
format [/SERIAL:serial] [/EXPIRES:expires] [/SIGNCERT:signcert]
[/SIGNKEY:signkey] [/SAVECERT:savecert] [/SAVEKEY:savekey]
List of parameter argument that can be specified by vpncmd command.

/CN Specify the Name (CN) item of the certificate to create. You can
specify "none".
/O Specify the Organization (O) item of the certificate to create. You
can specify "none".
/OU Specify the Organization Unit (OU) item of the certificate to create.
You can specify "none".
/C Specify the Country (C) item of the certificate to create. You can
specify "none".
/ST Specify the State (ST) item of the certificate to create. You can
specify "none".
/L Specify the Locale (L) item of the certificate to create. You can
specify "none".
/SERIAL Specify the Serial Number item of the certificate to create. Specify
using hexadecimal values. You can specify "none".
/EXPIRES Specify the Expiration Date item of the certificate to create. If you
specify "none" or "0", 3650 days (approx. 10 years) will be used.
You can specify a maximum of 10950 days (about 30 years).
/SIGNCERT For cases when the certificate to be created is signed by an
existing certificate, specify the X.509 format certificate file name
to be used to sign the signature. When this parameter is omitted,
such signature signing is not performed and the new certificate is
created as a root certificate.
/SIGNKEY Specify a private key (RSA, base-64 encoded) that is compatible

file://C:¥html¥all.htm 2007/11/20
PacketiX VPN 2.0 Online Manual 403/685 ページ

with the certificate specified by /SIGNCERT.


/SAVECERT Specify the file name to save the certificate you created. The
certificate is saved as an X.509 file that includes a public key that
is RSA format 1024 bit.
/SAVEKEY Specify the file name to save private key that is compatible with
the certificate you created. The private key will be saved as an
RSA-format 1024-bit private key file.

6.3.67 TrafficClient - Execute Communication Throughput Measurement Tool Client

Command Name: TrafficClient
Outline of Command: Execute Communication Throughput Measurement Tool Client
Explanation: Use this to execute the communication throughput measurement
tool's client program.
Two commands, TrafficClient and TrafficServer, together form the
communication throughput measurement tool, which measures the
throughput that can be transferred between two computers connected
by an IP network. The TrafficServer command is run first on the other
computer, which puts the measurement tool's server into a listening
state. Then the TrafficClient command is used to connect to that
server by specifying its host name or IP address and port number,
which makes it possible to measure the communication speed.
The measurement is carried out by establishing multiple TCP
connections concurrently, transferring as much stream data as
possible on each connection for a specified time, and calculating the
average throughput (bps) from the number of bits that actually arrived
over all connections within that time.
A single TCP connection usually achieves less than the real
throughput of the path because of limitations of the TCP algorithm
(congestion control and window size), so we recommend establishing
multiple concurrent TCP connections when measuring. Because the
throughput is calculated from the bytes that arrive at the receiver as
a TCP stream, packets lost or corrupted in transit are not counted;
the result is therefore a genuine value close to the maximum usable
bandwidth of the network.
From the measured stream size transferred by TCP, the approximate
volume of data that actually passed through the network is estimated
and divided by time to obtain bits per second (bps). This estimate
assumes the physical network is Ethernet (IEEE 802.3) with a MAC frame
payload of 1,500 bytes (TCP MSS 1,460 bytes). With the /RAW option, no
correction is made for the TCP/IP header and MAC header volume.

Note: This command can be called from the PacketiX VPN
Command Line Management Utility. You can also execute this
command while connected to the current VPN Server or VPN Client
in Administration Mode, but the computer that actually conducts the
communication and measures the throughput is the one on which
vpncmd is running, in a context that has no relationship to the
computer that is the destination of the Administration Mode
connection.
Commandline format: TrafficClient [host:port] [/NUMTCP:numtcp]
[/TYPE:download|upload|full] [/SPAN:span] [/DOUBLE:yes|no]
[/RAW:yes|no]
List of parameter argument that can be specified by vpncmd command.

host:port Specify the host name or IP address and port number on which the
communication throughput measurement tool server (TrafficServer) is
listening. If the port number is omitted, 9821 will be used.
/NUMTCP Specify the number of TCP connections to be concurrently
established between the client and the server for data transfer. If
omitted, 32 will be used.
/TYPE Specify the direction of data flow for the throughput measurement.
Specify one of "download", "upload" or "full". With "download" the data
is transmitted from the server side to the client side. With "upload"
the data is transmitted from the client side to the server side. With
"full", data is transferred in both directions; in that case the NUMTCP
value must be an even number of two or more (half the connections are
used in the download direction and the other half in the upload
direction). If this parameter is omitted, "full" will be used.
/SPAN Specify, in seconds, the time span over which data is transferred for
the measurement. If this parameter is omitted, "15" will be used.
/DOUBLE When "yes" is specified, the measured throughput is doubled before
it is displayed. Use this when a network device is somewhere on the
data path and the total throughput that the device both receives and
transmits is what is being measured.
/RAW When "yes" is specified, no correction is made for the TCP/IP header
and MAC header volume.

6.3.68 TrafficServer - Execute Communication Throughput Measurement Tool Server

Command Name: TrafficServer
Outline of Command: Execute Communication Throughput Measurement Tool Server
Explanation: Use this to execute the communication throughput measurement
tool's server program.
Two commands, TrafficClient and TrafficServer, together form the
communication throughput measurement tool, which measures the
throughput that can be transferred between two computers connected
by an IP network.
To put a TCP port of this computer into the Listen state so that it
accepts the connection from TrafficClient on another computer,
specify the port number and start the server program with the
TrafficServer command. The server accepts data from any host that can
reach the port, so start it only for the duration of the measurement
and do not expose the port beyond the network you are measuring.
You can display more detailed information on the communication
throughput measurement tool by inputting "TrafficClient /?".

Note: This command can be called from the PacketiX VPN
Command Line Management Utility. You can also execute this
command while connected to the current VPN Server or VPN Client
in Administration Mode, but the computer that actually conducts the
communication and measures the throughput is the one on which
vpncmd is running, in a context that has no relationship to the
computer that is the destination of the Administration Mode
connection.
Commandline format: TrafficServer [port]
List of parameter argument that can be specified by vpncmd command.

port Specify, as an integer, the port number on which to listen for the
connection. If the specified port is already in use by another
program, or if the port cannot be opened, an error will occur.
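The measurement method described for TrafficClient and TrafficServer above, as an added example that is not part of the PacketiX manual or product: a minimal loopback implementation in Python. The server sinks whatever each TCP connection delivers and counts the bytes that actually arrived; the client opens several concurrent connections and streams on each for a fixed span; throughput_bps converts the received byte count into bits per second, applying the header correction the manual describes (14-byte Ethernet header, 1,500-byte payload, 1,460-byte MSS) and offering switches for the /RAW and /DOUBLE behaviours. Only the upload direction is implemented, the exact correction formula is an assumption consistent with the manual's constants, and measure() defaults to a free port, 4 connections and 0.5 s for a quick local run rather than the tool's own defaults of 9821, 32 and 15 s.

```python
"""Loopback throughput measurement in the style of TrafficServer/TrafficClient."""
import socket
import threading
import time

# Overhead constants from the manual's description: Ethernet (IEEE 802.3) with a
# 1,500-byte frame payload and a 1,460-byte TCP MSS. Assumption: FCS and
# preamble are not counted and IPv4/TCP headers carry no options.
MAC_HEADER = 14
IP_TCP_HEADERS = 40
MSS = 1460


def throughput_bps(stream_bytes, span_sec, raw=False, double=False):
    """Convert bytes that arrived as a TCP stream into bits per second.

    raw=False adds the TCP/IP and MAC header bytes of every segment (ceiling of
    stream_bytes / MSS segments); raw=True mirrors /RAW:yes. double=True mirrors
    /DOUBLE:yes (input plus output of a device on the path).
    """
    if span_sec <= 0:
        raise ValueError("span must be positive")
    if raw:
        wire_bytes = stream_bytes
    else:
        segments = -(-stream_bytes // MSS)  # ceiling division
        wire_bytes = stream_bytes + segments * (IP_TCP_HEADERS + MAC_HEADER)
    bps = wire_bytes * 8 / span_sec
    return bps * 2 if double else bps


def _sink(conn, counters):
    """Receive until the peer closes; record the byte count of this connection."""
    total = 0
    with conn:
        while True:
            chunk = conn.recv(1 << 16)
            if not chunk:
                break
            total += len(chunk)
    counters.append(total)


def traffic_server(port, bound, stop, counters):
    """Listen on 127.0.0.1:port (0 = any free port) and sink every connection.

    Only the 'upload' direction of /TYPE is implemented: the server counts
    what the client sends, so bytes lost in transit are never counted.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(64)
    srv.settimeout(0.2)  # wake periodically to notice the stop event
    bound["port"] = srv.getsockname()[1]
    bound["ready"].set()
    workers = []
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        t = threading.Thread(target=_sink, args=(conn, counters))
        t.start()
        workers.append(t)
    for t in workers:
        t.join()
    srv.close()


def traffic_client(host, port, numtcp, span):
    """Open numtcp connections and stream zeros on each until span seconds pass."""
    deadline = time.monotonic() + span
    payload = bytes(1 << 16)

    def pump():
        with socket.create_connection((host, port)) as s:
            while time.monotonic() < deadline:
                s.sendall(payload)

    threads = [threading.Thread(target=pump) for _ in range(numtcp)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def measure(numtcp=4, span=0.5, raw=False, double=False):
    """Run server and client on loopback; return (bytes_received, bps)."""
    stop, counters = threading.Event(), []
    bound = {"ready": threading.Event()}
    srv = threading.Thread(target=traffic_server, args=(0, bound, stop, counters))
    srv.start()
    if not bound["ready"].wait(2.0):
        raise RuntimeError("server did not start listening")
    traffic_client("127.0.0.1", bound["port"], numtcp, span)
    stop.set()
    srv.join()
    total = sum(counters)
    return total, throughput_bps(total, span, raw=raw, double=double)


if __name__ == "__main__":
    received, bps = measure(numtcp=4, span=1.0)
    print(f"{received} bytes in 1.0 s -> {bps / 1e6:.1f} Mbps (header-corrected)")
```

Running the module performs one loopback measurement; on a real network run traffic_server on one host and traffic_client on the other, exactly as the manual describes for the two vpncmd commands.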

6.3.69 Check - Check if PacketiX VPN Operation is Possible

Command Name: Check
Outline of Command: Check if PacketiX VPN Operation is Possible
Explanation: Use this to check whether the computer currently running vpncmd is
a suitable operating platform for PacketiX VPN Server / Bridge.
If this check passes on a system, it is highly likely that PacketiX
VPN software will operate correctly on that system.
If this check does not pass on a system, some type of trouble may
arise if PacketiX VPN software is used on that system.
Commandline format: Check
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4 VPN Server / VPN Bridge Management Command Reference (For Virtual HUB)

This section describes the commands for configuring and managing a Virtual HUB
selected with the Hub command from among the commands that can be called when
using vpncmd in VPN Server or VPN Bridge management mode. For information about
the commands for configuring and managing the entire VPN Server, please refer to
"6.3 VPN Server / VPN Bridge Management Command Reference (For Entire Server)".

6.4.1 Online - Switch Virtual HUB to Online

Command Name: Online
Outline of Command: Switch Virtual HUB to Online
Explanation: Use this when the Virtual HUB currently being managed is offline
to switch it to online. A Virtual HUB with an offline status cannot
receive VPN connections from clients. By switching the Virtual HUB
to online, that Virtual HUB becomes able to receive connections
from users and provide services.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: Online
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.2 Offline - Switch Virtual HUB to Offline

Command Name: Offline
Outline of Command: Switch Virtual HUB to Offline
Explanation: Use this when the Virtual HUB currently being managed is online
to switch it to offline. If there are sessions currently connected to
the Virtual HUB, all sessions will be disconnected. A Virtual HUB
with an offline status cannot receive VPN connections from clients.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: Offline
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.3 SetMaxSession - Set the Max Number of Concurrently Connected Sessions for Virtual HUB

Command Name: SetMaxSession
Outline of Command: Set the Max Number of Concurrently Connected Sessions for Virtual HUB
Explanation: Use this to set the maximum number of sessions that can be
concurrently connected to the Virtual HUB that is currently being
managed. Once the number of sessions connected from VPN Clients or
VPN Bridges reaches this maximum, further clients will no longer be
able to connect. The limit does not count sessions generated inside
the Virtual HUB by Local Bridges, Virtual NAT, and Cascade
Connections.
You can get the current setting for the max number of
concurrently connected sessions by using the OptionsGet
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: SetMaxSession [max_session]
List of parameter argument that can be specified by vpncmd command.

max_session Using an integer, specify the maximum number of concurrently
connected sessions to set. Specifying 0 results in a setting of
unlimited.

6.4.4 SetHubPassword - Set Virtual HUB Administrator Password

Command Name: SetHubPassword
Outline of Command: Set Virtual HUB Administrator Password
Explanation: Use this to set the Administrator Password for the Virtual HUB that
is currently being managed. When a Virtual HUB administrator
password has been set, you are able to connect to that Virtual HUB
from a VPN Server connection utility in Virtual HUB Admin Mode
by specifying the password. It is also possible to make a VPN
connection from a VPN Client or VPN Bridge by specifying
"Administrator" as the user name and the Virtual HUB administrator
password as the password. Because this single password therefore
grants both administrative control of the Virtual HUB and VPN access
through it, treat it as an administrator credential: make it long and
random and do not share it with ordinary users.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: SetHubPassword [password]
List of parameter argument that can be specified by vpncmd command.

password Specify the password you wish to set. If a password is not
specified as a parameter, a prompt will appear to input the
password. Prefer the prompt: a password given on the command line
can be read from the shell history and the process list.

6.4.5 SetEnumAllow - Allow Enumeration by Virtual HUB Anonymous Users

Command Name: SetEnumAllow
Outline of Command: Allow Enumeration by Virtual HUB Anonymous Users
Explanation: Use this to change the options setting of the Virtual HUB you are
currently managing to allow anonymous users to enumerate this
Virtual HUB. With this option set, VPN Client users can list this
Virtual HUB simply by entering the VPN Server's address, before any
authentication. By using the SetEnumDeny command you can deny
anonymous users the ability to enumerate. At the time a Virtual HUB is
created, enumeration is allowed; on a server reachable from untrusted
networks, consider denying it so that Virtual HUB names are not
disclosed to unauthenticated clients.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: SetEnumAllow
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.6 SetEnumDeny - Deny Enumeration by Virtual HUB Anonymous Users

Command Name: SetEnumDeny
Outline of Command: Deny Enumeration by Virtual HUB Anonymous Users
Explanation: Use this to change the options setting of the Virtual HUB you are
currently managing to prevent anonymous users from enumerating this
Virtual HUB. With this option set, a VPN Client user will be unable to
enumerate this Virtual HUB even if they send a Virtual HUB
enumeration request to the VPN Server. By using the SetEnumAllow
command you can allow anonymous users to enumerate again.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: SetEnumDeny
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.7 OptionsGet - Get Options Setting of Virtual HUBs

Command Name: OptionsGet
Outline of Command: Get Options Setting of Virtual HUBs
Explanation: Use this to get a list of the Options settings of the Virtual HUB
currently being managed. You can get the following: Allow/Deny
Virtual HUB Enumeration, Maximum Concurrent Connections,
Online/Offline Status, and Virtual HUB Type in Clustering
Environment.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: OptionsGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.8 RadiusServerSet - Set RADIUS Server to use for User Authentication

Command Name: RadiusServerSet
Outline of Command: Set RADIUS Server to use for User Authentication
Explanation: When users connect to the currently managed Virtual HUB in
RADIUS server authentication mode, you can specify an external
RADIUS server that verifies the user name and password.
The RADIUS server must be configured to accept requests from the IP
addresses of this VPN Server, and authentication by Password
Authentication Protocol (PAP) must be enabled on it. With PAP the
user's password is carried in the Access-Request hidden only by the
shared secret, so choose a long random secret and place the RADIUS
server on a network path the VPN Server can reach without crossing
untrusted segments.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: RadiusServerSet [server_name:port] [/SECRET:secret]
List of parameter argument that can be specified by vpncmd command.

server_name:port Using the format [host name:port number], specify the host name
or IP address, and the UDP port number of the RADIUS server
being used. If the port number is omitted, 1812 will be used.
/SECRET Specify the shared secret (password) used for communication with
the RADIUS Server.
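What the PAP requirement above means on the wire, as an added example that is not PacketiX code: a Python implementation of the RFC 2865 Access-Request that a NAS such as the VPN Server sends, including the User-Password hiding, and the check a RADIUS server performs on receipt. Every name here (the functions, the user alice, the NAS address 192.0.2.10, the secrets) is constructed for the example. The password is XORed with MD5(shared secret || Request Authenticator), so the only thing protecting it between VPN Server and RADIUS server is the shared secret: a packet capture plus the secret recovers it, as reveal_password shows.

```python
"""RADIUS Access-Request with a PAP User-Password (RFC 2865)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADIUS_PORT = 1812  # default used by RadiusServerSet when the port is omitted


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then
    XOR each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. This is obfuscation keyed only by the shared secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + bytes(-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the RADIUS server computes, and what
    anyone holding the shared secret and a capture can compute too.
    Trailing padding zeros are stripped (passwords ending in NUL are not supported)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ k for h, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attr(attr_type, value):
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret,
                         nas_ip="192.0.2.10", authenticator=None):
    """Build the UDP payload a NAS (here: the VPN Server) sends for PAP auth.
    nas_ip is a constructed documentation address. The authenticator must be
    fresh random bytes per request; pass one explicitly only for testing."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}) from a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


def server_check(packet, secret, user_db):
    """What the RADIUS server does with the request: recover the PAP password
    and compare it with the stored one. user_db maps username -> password.
    A wrong shared secret yields garbage and therefore a rejection."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    expected = user_db.get(attrs[ATTR_USER_NAME])
    if expected is None:
        return False
    return reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator) == expected


if __name__ == "__main__":
    pkt = build_access_request(1, b"alice", b"s3cret-pw", b"shared")
    print(len(pkt), "byte Access-Request;",
          "accepted" if server_check(pkt, b"shared", {b"alice": b"s3cret-pw"}) else "rejected")
```

The same packet sent to UDP port 1812 of a real RADIUS server would be answered with an Access-Accept or Access-Reject; that exchange, and the Message-Authenticator attribute modern servers expect, are outside this example.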

6.4.9 RadiusServerDelete - Delete Setting to Use RADIUS Server for User Authentication

Command Name: RadiusServerDelete
Outline of Command: Delete Setting to Use RADIUS Server for User Authentication
Explanation: Use this to delete the setting for using a RADIUS server when a
user connects to the currently managed Virtual HUB in RADIUS Server
Authentication Mode, which disables RADIUS authentication. To get
the current RADIUS server settings, use the RadiusServerGet command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: RadiusServerDelete
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.10 RadiusServerGet - Get Setting of RADIUS Server Used for User Authentication

Command Name: RadiusServerGet
Outline of Command: Get Setting of RADIUS Server Used for User Authentication
Explanation: Use this to get the current settings for the RADIUS server used
when a user connects to the currently managed Virtual HUB using
RADIUS Server Authentication Mode.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: RadiusServerGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.11 StatusGet - Get Current Status of Virtual HUB

Command Name: StatusGet
Outline of Command: Get Current Status of Virtual HUB
Explanation: Use this to get the current status of the Virtual HUB currently
being managed. You can get the following information: Virtual HUB
Type, Number of Sessions, Number of Each Type of Object,
Number of Logins, Last Login, Last Communication, and
Communication Statistical Data.
Commandline format: StatusGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.12 LogGet - Get Log Save Setting of Virtual HUB

Command Name: LogGet
Outline of Command: Get Log Save Setting of Virtual HUB
Explanation: Use this to get the log save setting for the Virtual HUB that is
currently being managed. You can get setting information such as
whether security logs and packet logs are saved and what they contain.
Commandline format: LogGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.13 LogEnable - Enable Security Log or Packet Log

Command Name: LogEnable
Outline of Command: Enable Security Log or Packet Log
Explanation: Use this to enable the security log or packet log of the Virtual HUB
currently being managed.
To get the current setting, you can use the LogGet command.
Commandline format: LogEnable [security|packet]
List of parameter argument that can be specified by vpncmd command.

security|packet Select the type of log to enable. Specify either "security" or
"packet".

6.4.14 LogDisable - Disable Security Log or Packet Log

Command Name: LogDisable
Outline of Command: Disable Security Log or Packet Log
Explanation: Use this to disable the security log or packet log of the Virtual HUB
currently being managed.
To get the current setting, you can use the LogGet command.
Commandline format: LogDisable [security|packet]
List of parameter argument that can be specified by vpncmd command.

security|packet Select the type of log to disable. Specify either "security" or
"packet".

6.4.15 LogSwitchSet - Set Log File Switch Cycle

Command Name: LogSwitchSet
Outline of Command: Set Log File Switch Cycle
Explanation: Use this to set the log file switch cycle for the security log or
packet log that the currently managed Virtual HUB saves. The log
file can be switched every second, every minute, every hour, every
day, every month, or never.
To get the current setting, you can use the LogGet command.
Commandline format: LogSwitchSet [security|packet]
[/SWITCH:sec|min|hour|day|month|none]
List of parameter argument that can be specified by vpncmd command.

security|packet Select the type of log whose setting to change. Specify either
"security" or "packet".
/SWITCH Select the switch cycle to set. Specify sec, min, hour, day, month
or none.

6.4.16 LogPacketSaveType - Set Save Contents and Type of Packet to Save to Packet Log

Command Name: LogPacketSaveType
Outline of Command: Set Save Contents and Type of Packet to Save to Packet Log
Explanation: Use this to set, for each type of packet, what the currently managed
Virtual HUB saves to the packet log. The packet types are: [TCP
Connection Log], [TCP Packet Log], [DHCP Packet Log], [UDP Packet
Log], [ICMP Packet Log], [IP Packet Log], [ARP Packet Log], and
[Ethernet Packet Log].
Note that "full" writes complete packet contents to disk, including
any cleartext credentials or data that users send through the VPN, and
grows quickly on a busy Virtual HUB; restrict access to the log
directory and enable it only for the packet types and the period you
need.
To get the current setting, you can use the LogGet command.
Commandline format: LogPacketSaveType
[/TYPE:tcpconn|tcpdata|dhcp|udp|icmp|ip|arp|ether]
[/SAVE:none|header|full]
List of parameter argument that can be specified by vpncmd command.

/TYPE Specify tcpconn, tcpdata, dhcp, udp, icmp, ip, arp, or ether to
select the type of packet whose save contents are to be changed.
/SAVE Specify the save contents of the packet log: none (save nothing),
header (header information only), or full (all packet contents).

6.4.17 CAList - Get List of Trusted CA Certificates

Command Name: CAList
Outline of Command: Get List of Trusted CA Certificates
Explanation: Here you can manage the certificate authority certificates that are
trusted by the currently managed Virtual HUB. The list of registered
certificate authority certificates is used to verify client
certificates when a VPN Client connects in signed certificate
authentication mode.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline format: CAList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.18 CAAdd - Add Trusted CA Certificate

Command Name: CAAdd
Outline of Command: Add Trusted CA Certificate
Explanation: Use this to add a new certificate to the list of CA certificates
trusted by the currently managed Virtual HUB. The list of registered
certificate authority certificates is used to verify client
certificates when a VPN Client connects in signed certificate
authentication mode.
To get a list of the current certificates you can use the CAList
command.
The certificate you add must be saved in the X.509 file format.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline format: CAAdd [path]
List of parameter argument that can be specified by vpncmd command.

path Specify the file name of the X.509 certificate to register.

6.4.19 CADelete - Delete Trusted CA Certificate

Command Name: CADelete
Outline of Command: Delete Trusted CA Certificate
Explanation: Use this to delete an existing certificate from the list of CA
certificates trusted by the currently managed Virtual HUB.
To get a list of the current certificates you can use the CAList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline format: CADelete [id]
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the certificate to delete.

6.4.20 CAGet - Get Trusted CA Certificate

Command Name: CAGet
Outline of Command: Get Trusted CA Certificate
Explanation: Use this to get an existing certificate from the list of CA certificates
trusted by the currently managed Virtual HUB and save it as a file
in X.509 format.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline format: CAGet [id] [/SAVECERT:path]
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the certificate to get.
/SAVECERT Specify the file name under which to save the obtained certificate.

6.4.21 CascadeList - Get List of Cascade Connections

Command Name: CascadeList
Outline of Command: Get List of Cascade Connections
Explanation: Use this to get a list of the Cascade Connections that are registered on
the currently managed Virtual HUB.
By using a Cascade Connection, you can connect this Virtual HUB
by a Layer 2 Cascade Connection to another Virtual HUB that is
operating on the same or a different computer.

[Warning About Cascade Connections]
By connecting with a Cascade Connection you can create a Layer
2 bridge between multiple Virtual HUBs, but if the connection is
incorrectly configured, a loopback Cascade Connection could
inadvertently be created. When using the Cascade Connection
function, please design the network topology with care.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: CascadeList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.22 CascadeCreate - Create New Cascade Connection

Command Name: CascadeCreate
Outline of Command: Create New Cascade Connection
Explanation: Use this to create a new Cascade Connection on the currently
managed Virtual HUB.
By using a Cascade Connection, you can connect this Virtual HUB
by Cascade Connection to another Virtual HUB that is operating on
the same or a different computer.
To create a Cascade Connection, you must specify the name of the
Cascade Connection, the destination server, the destination Virtual
HUB and the user name. When a new Cascade Connection is created,
the type of user authentication is initially set to [anonymous
authentication], and the proxy server setting and the server
certificate verification options are not set. Until server certificate
verification is enabled, the Cascade Connection will accept whatever
server answers at the destination address, so configure the
authentication type and the certificate verification with the other
commands that begin with the name "Cascade" before bringing the
connection online.

[Warning About Cascade Connections]
By connecting with a Cascade Connection you can create a Layer
2 bridge between multiple Virtual HUBs, but if the connection is
incorrectly configured, a loopback Cascade Connection could
inadvertently be created. When using the Cascade Connection
function, please design the network topology with care.

You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: CascadeCreate [name] [/SERVER:hostname:port]
[/HUB:hubname] [/USERNAME:username]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection to create.
/SERVER Specify the host name and port number of the destination VPN
Server using the format [host name:port number]. You can also
specify an IP address.
/HUB Specify the Virtual HUB on the destination VPN Server.
/USERNAME Specify the user name to use for user authentication when
connecting to the destination VPN Server.

6.4.23 CascadeSet - Set the Destination for Cascade Connection

Command Name: CascadeSet
Outline of Command: Set the Destination for Cascade Connection
Explanation: Use this to set the destination VPN Server host name and port
number and the Virtual HUB name for a Cascade Connection registered
on the currently managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: CascadeSet [name] [/SERVER:hostname:port] [/HUB:hubname]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you
want to change.
/SERVER Specify the host name and port number of the destination VPN
Server using the format [host name:port number]. You can also
specify an IP address.
/HUB Specify the Virtual HUB on the destination VPN Server.


6.4.24 CascadeGet - Get the Cascade Connection Setting

Command Name: CascadeGet
Outline of Command: Get the Cascade Connection Setting
Explanation: Use this to get the Connection Setting of a Cascade Connection
that is registered on the currently managed Virtual HUB.
To change the Connection Setting of the Cascade Connection after
it has been created, use the other commands that begin with the
name "Cascade".
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format: CascadeGet [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you
want to get.

6.4.25 CascadeDelete - Delete Cascade Connection Setting

Command Name CascadeDelete
Outline of Command Delete Cascade Connection Setting
Explanation Use this to delete a Cascade Connection that is registered on the currently managed Virtual HUB. If the specified Cascade Connection has a status of online, its connections will be automatically disconnected and then the Cascade Connection will be deleted.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeDelete [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection to delete.

6.4.26 CascadeUsernameSet - Set User Name to Use Connection of Cascade Connection

Command Name CascadeUsernameSet
Outline of Command Set User Name to Use Connection of Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to the VPN Server, use this to specify the user name required for user authentication.
In some cases it is also necessary to specify the type of user authentication and its required parameters. To change this information, use commands such as CascadeAnonymousSet, CascadePasswordSet and CascadeCertSet.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeUsernameSet [name] [/USERNAME:username]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/USERNAME Specify the user name required for user authentication when the Cascade Connection connects to the VPN Server.

6.4.27 CascadeAnonymousSet - Set User Authentication Type of Cascade Connection to Anonymous Authentication

Command Name CascadeAnonymousSet
Outline of Command Set User Authentication Type of Cascade Connection to Anonymous Authentication
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to the VPN Server, use this to set the user authentication type to [anonymous authentication]. No credentials are presented to the destination VPN Server, so the destination Virtual HUB must permit anonymous users for the connection to succeed.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeAnonymousSet [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.28 CascadePasswordSet - Set User Authentication Type of Cascade Connection to Password Authentication

Command Name CascadePasswordSet
Outline of Command Set User Authentication Type of Cascade Connection to Password Authentication
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to the VPN Server, use this to set the user authentication type to [password authentication]. Specify either [Standard Password Authentication] or [Radius or NT Domain Authentication] as the password authentication type.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadePasswordSet [name] [/PASSWORD:password] [/TYPE:standard|radius]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/PASSWORD Specify the password to use for password authentication. If this is not specified, a prompt will appear to input the password. Prefer the prompt: a password given on the command line is recorded in shell history and is visible in process listings.
/TYPE Specify either "standard" (Standard Password Authentication) or "radius" (Radius or NT Domain Authentication) as the password authentication type.

6.4.29 CascadeCertSet - Set User Authentication Type of Cascade Connection to Client Certificate Authentication

Command Name CascadeCertSet
Outline of Command Set User Authentication Type of Cascade Connection to Client Certificate Authentication
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to the VPN Server, use this to set the user authentication type to [client certificate authentication]. For this you must specify a certificate file in X.509 format and a Base64-encoded private key file. The private key is what authenticates this VPN Server to the destination, so restrict read access to the key file.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeCertSet [name] [/LOADCERT:cert] [/LOADKEY:key]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/LOADCERT Specify the X.509 format certificate file to present for certificate authentication.
/LOADKEY Specify the Base64-encoded private key file for the certificate.

6.4.30 CascadeCertGet - Get Client Certificate to Use for Cascade Connection

Command Name CascadeCertGet
Outline of Command Get Client Certificate to Use for Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection uses client certificate authentication, use this to get the certificate that is presented as the client certificate and save it as a certificate file in X.509 format.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeCertGet [name] [/SAVECERT:cert]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to get.
/SAVECERT Specify the file name under which to save the obtained certificate in X.509 format.

6.4.31 CascadeEncryptEnable - Enable Encryption when Communicating by Cascade Connection

Command Name CascadeEncryptEnable
Outline of Command Enable Encryption when Communicating by Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection is used for communication between VPN Servers via a VPN connection, use this to set the communication between the VPN Servers to be encrypted by SSL.
Normally communication between VPN Servers is encrypted by SSL to prevent eavesdropping and tampering. You can also disable encryption. When encryption is disabled, throughput improves but the communication data flows over the network in plain text.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeEncryptEnable [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.32 CascadeEncryptDisable - Disable Encryption when Communicating by Cascade Connection

Command Name CascadeEncryptDisable
Outline of Command Disable Encryption when Communicating by Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection is used for communication between VPN Servers via a VPN connection, use this to set the communication between the VPN Servers not to be encrypted.
Normally communication between VPN Servers is encrypted by SSL to prevent eavesdropping and tampering. You can also disable encryption. When encryption is disabled, throughput improves but the communication data flows over the network in plain text, including every packet the Cascade Connection bridges between the two Virtual HUBs. Disable encryption only on links that are already protected by other means.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeEncryptDisable [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.33 CascadeCompressEnable - Enable Data Compression when Communicating by Cascade Connection

Command Name CascadeCompressEnable
Outline of Command Enable Data Compression when Communicating by Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection is used for communication between VPN Servers via a VPN connection, use this to set the communication between the VPN Servers to be compressed.
It is possible to achieve a maximum of 80% compression. Compression however places higher loads on the CPU of both the client and server machines. On lines of about 10 Mbps or faster, compression can lower throughput, although in some cases it has the opposite effect; measure before enabling it.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeCompressEnable [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.34 CascadeCompressDisable - Disable Data Compression when Communicating by Cascade Connection

Command Name CascadeCompressDisable
Outline of Command Disable Data Compression when Communicating by Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection is used for communication between VPN Servers via a VPN connection, use this to set the communication between the VPN Servers not to be compressed.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeCompressDisable [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.35 CascadeProxyNone - Specify Direct TCP/IP Connection as the Connection Method of Cascade Connection

Command Name CascadeProxyNone
Outline of Command Specify Direct TCP/IP Connection as the Connection Method of Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to a VPN Server, use this to set [Direct TCP/IP Connection] as the connection method, in which case the connection route will not be via a proxy server.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeProxyNone [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.36 CascadeProxyHttp - Set Connection Method of Cascade Connection to be via an HTTP Proxy Server

Command Name CascadeProxyHttp
Outline of Command Set Connection Method of Cascade Connection to be via an HTTP Proxy Server
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to a VPN Server, use this to set [Connect via HTTP Proxy Server] as the connection method. This requires the host name and port number of the HTTP proxy server to communicate via, as well as a user name and password when the proxy requires them.
The HTTP proxy server that communication travels via must support the CONNECT method used for HTTPS communication.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeProxyHttp [name] [/SERVER:hostname:port] [/USERNAME:username] [/PASSWORD:password]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/SERVER Specify the host name or IP address, and port number, of the on-route HTTP proxy server using the format [host name:port number].
/USERNAME When user authentication is required to connect to the on-route HTTP proxy server, specify the user name, together with the /PASSWORD parameter. If neither /USERNAME nor /PASSWORD is specified, no user authentication data will be set.
/PASSWORD When user authentication is required to connect to the on-route HTTP proxy server, specify the password. Specify this together with the /USERNAME parameter.

6.4.37 CascadeProxySocks - Set Connection Method of Cascade Connection to be via a SOCKS Proxy Server

Command Name CascadeProxySocks
Outline of Command Set Connection Method of Cascade Connection to be via a SOCKS Proxy Server
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to a VPN Server, use this to set [Connect via SOCKS Proxy Server] as the connection method. This requires the host name and port number of the SOCKS proxy server to communicate via, as well as a user name and password when the proxy requires them.
The on-route SOCKS server must support SOCKS Version 4.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeProxySocks [name] [/SERVER:hostname:port] [/USERNAME:username] [/PASSWORD:password]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/SERVER Specify the host name or IP address, and port number, of the on-route SOCKS proxy server using the format [host name:port number].
/USERNAME When user authentication is required to connect to the on-route SOCKS proxy server, specify the user name, together with the /PASSWORD parameter. If neither /USERNAME nor /PASSWORD is specified, no user authentication data will be set.
/PASSWORD When user authentication is required to connect to the on-route SOCKS proxy server, specify the password. Specify this together with the /USERNAME parameter.

6.4.38 CascadeServerCertEnable - Enable Cascade Connection Server Certificate Verification Option

Command Name CascadeServerCertEnable
Outline of Command Enable Cascade Connection Server Certificate Verification Option
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to a VPN Server, use this to enable the option to check whether the SSL certificate presented by the destination VPN Server can be trusted.
If this option is enabled you must either use the CascadeServerCertSet command to save the destination server's SSL certificate in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register the root certificate that signed the server SSL certificate in the Virtual HUB's list of trusted CA certificates.
If this option is enabled and the certificate of the destination VPN Server cannot be trusted, the connection is dropped immediately and reconnection attempts continue until the Cascade Connection is switched offline.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeServerCertEnable [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.39 CascadeServerCertDisable - Disable Cascade Connection Server Certificate Verification Option

Command Name CascadeServerCertDisable
Outline of Command Disable Cascade Connection Server Certificate Verification Option
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to a VPN Server, use this to disable the option to check whether the SSL certificate presented by the destination VPN Server can be trusted.
With the option disabled the destination is not authenticated: any host that answers at the configured address and port can impersonate the destination VPN Server and receive the cascade's credentials and traffic. Keep the option enabled on every Cascade Connection that crosses a network you do not control.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeServerCertDisable [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.40 CascadeServerCertSet - Set the Server Individual Certificate for Cascade Connection

Command Name CascadeServerCertSet
Outline of Command Set the Server Individual Certificate for Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to a VPN Server, use this to register beforehand the same certificate as the SSL certificate presented by the destination VPN Server.
If the option to verify server certificates is enabled for the Cascade Connection, you must either use this command to save the destination server's SSL certificate in the Cascade Connection Settings beforehand, or use the CAAdd command etc. to register the root certificate that signed the server SSL certificate in the Virtual HUB's list of trusted CA certificates.
If that option is enabled and the certificate of the destination VPN Server cannot be trusted, the connection is dropped immediately and reconnection attempts continue until the Cascade Connection is switched offline.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeServerCertSet [name] [/LOADCERT:cert]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/LOADCERT Specify the X.509 format certificate file that holds the server individual certificate you wish to set.

6.4.41 CascadeServerCertDelete - Delete the Server Individual Certificate for Cascade Connection

Command Name CascadeServerCertDelete
Outline of Command Delete the Server Individual Certificate for Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and a server individual certificate is registered for that Cascade Connection, use this to delete that server individual certificate.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeServerCertDelete [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.

6.4.42 CascadeServerCertGet - Get the Server Individual Certificate for Cascade Connection

Command Name CascadeServerCertGet
Outline of Command Get the Server Individual Certificate for Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and a server individual certificate is registered for that Cascade Connection, use this to get that certificate and save it as an X.509 format certificate file.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeServerCertGet [name] [/SAVECERT:path]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose certificate you want to get.
/SAVECERT Specify the file name under which to save the server individual certificate in X.509 format.

6.4.43 CascadeDetailSet - Set Advanced Settings for Cascade Connection

Command Name CascadeDetailSet
Outline of Command Set Advanced Settings for Cascade Connection
Explanation Use this to customize the VPN protocol communication settings used when a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection connects to the VPN Server.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeDetailSet [name] [/MAXTCP:max_connection] [/INTERVAL:interval] [/TTL:disconnect_span] [/HALF:yes|no] [/NOQOS:yes|no]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/MAXTCP Specify, using an integer in the range 1 to 32, the number of TCP connections to be used for VPN communication. Transmitting a VPN session over multiple TCP connections can sometimes increase communication speed. Note: about 8 connections are recommended when the line to the server is fast, and 1 connection when using a slow connection such as dialup.
/INTERVAL When communicating by VPN over multiple TCP connections, specify in seconds the interval at which each TCP connection is established. The standard value is 1 second.
/TTL To limit the life of each TCP connection, specify in seconds the time from establishing the TCP connection until it is disconnected. If 0 is specified, no connection life is set.
/HALF Specify "yes" to enable half duplex mode. When using two or more TCP connections for VPN communication, it is possible to use [Half Duplex Mode], which fixes the data transmission direction of each TCP connection so that half of them carry one direction and half the other. For example, when a VPN using 8 TCP connections is established with half duplex enabled, 4 TCP connections are dedicated to the upload direction and the other 4 to the download direction.
/NOQOS Specify "yes" to disable the VoIP / QoS functions. Normally "no" is specified.

6.4.44 CascadePolicySet - Set Cascade Connection Session Security Policy

Command Name CascadePolicySet
Outline of Command Set Cascade Connection Session Security Policy
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection is established, use this to change the security policy contents that are applied to the session generated by the Virtual HUB.
When a Virtual HUB makes a Cascade Connection to another VPN Server, a [Cascade Session] is newly generated on the Virtual HUB that is the Cascade Connection source. You can use this command to set the security policy contents that apply to this Cascade Session.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadePolicySet [name] [/NAME:policy_name] [/VALUE:num|yes|no]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose setting you want to change.
/NAME Specify the name of the policy whose value you want to change. You can use the PolicyList command to display a list of policy names and the values that can be set.
/VALUE Specify the new policy value. If the policy is an integer value, specify an integer. Specify yes or no for Boolean types. You can view the type and the values that can be set by using the PolicyList command.

6.4.45 PolicyList - Display List of Security Policy Types and Settable Values

Command Name PolicyList
Outline of Command Display List of Security Policy Types and Settable Values
Explanation Use this to display a list of item names, descriptions and settable values of the security policies that can be set for VPN Server users and groups and for Cascade Connections.
By running the PolicyList command without specifying any parameters, a list of all supported security policy names and descriptions will be displayed.
By specifying a policy name as the PolicyList command parameter, a detailed description of that policy and the type and range of its settable values will be displayed.
Commandline format PolicyList [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the policy name whose description you want to display. If you do not specify a name, a list of all supported security policy names and descriptions will be displayed.

6.4.46 CascadeStatusGet - Get Current Cascade Connection Status

Command Name CascadeStatusGet
Outline of Command Get Current Cascade Connection Status
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified and that Cascade Connection is currently online, use this to get its connection status and other information.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeStatusGet [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection whose information you want to get.

6.4.47 CascadeRename - Change Name of Cascade Connection

Command Name CascadeRename
Outline of Command Change Name of Cascade Connection
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified, use this to change the name of that Cascade Connection.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeRename [name] [/NEW:new_name]
List of parameter argument that can be specified by vpncmd command.

name Specify the current name of the Cascade Connection whose name you want to change.
/NEW Specify the new name after the change.

6.4.48 CascadeOnline - Switch Cascade Connection to Online Status

Command Name CascadeOnline
Outline of Command Switch Cascade Connection to Online Status
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified, use this to switch that Cascade Connection to online status. A Cascade Connection that is switched to online status begins the process of connecting to the destination VPN Server in accordance with its Connection Setting.
A Cascade Connection that is switched to online status will either establish a normal connection to the VPN Server or continue to attempt connection until it is switched to offline status.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeOnline [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection to switch to online status.

6.4.49 CascadeOffline - Switch Cascade Connection to Offline Status

Command Name CascadeOffline
Outline of Command Switch Cascade Connection to Offline Status
Explanation When a Cascade Connection registered on the currently managed Virtual HUB is specified, use this to switch that Cascade Connection to offline status. A Cascade Connection that is switched to offline will not connect to the VPN Server until the next time it is switched to online status using the CascadeOnline command.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format CascadeOffline [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the Cascade Connection to switch to offline status.

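The Cascade commands above are normally issued as one sequence in a vpncmd session on the managed Virtual HUB, and the order matters: the destination server certificate must be registered (CascadeServerCertSet or CAAdd) before CascadeServerCertEnable, and CascadeOnline should come only once authentication and encryption are settled. The script below is an added example and not part of the PacketiX manual or product. It assembles that sequence from the command names and parameters documented in this section and audits an arbitrary list of vpncmd lines for the weakening commands this section describes (CascadeEncryptDisable, CascadeServerCertDisable, CascadeAnonymousSet, passwords passed on the command line, CascadeOnline before verification). Host names, Virtual HUB names, user names and file paths in it are placeholders.

```python
"""Assemble and audit vpncmd command sequences for a Cascade Connection.
Added example, not PacketiX code. Command names and parameters are those documented
in 6.4.22 to 6.4.49; host names, Virtual HUB names, user names and file paths are
placeholders."""
from dataclasses import dataclass
from typing import List


@dataclass
class CascadePlan:
    name: str
    server: str        # destination VPN Server as host:port
    hub: str           # Virtual HUB on the destination VPN Server
    username: str      # user name for client certificate authentication
    client_cert: str   # X.509 certificate file for CascadeCertSet /LOADCERT
    client_key: str    # Base64-encoded private key file for /LOADKEY
    server_cert: str   # destination server's SSL certificate for CascadeServerCertSet
    max_tcp: int = 8   # CascadeDetailSet /MAXTCP, 1 to 32


def build_commands(plan: CascadePlan) -> List[str]:
    """vpncmd lines for a hardened Cascade Connection, in the order the manual requires:
    register the server certificate, then enable verification, then go online."""
    if not 1 <= plan.max_tcp <= 32:
        raise ValueError("/MAXTCP must be between 1 and 32")
    _, sep, port = plan.server.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("/SERVER must be given as hostname:port")
    n = plan.name
    return [
        f"CascadeCreate {n} /SERVER:{plan.server} /HUB:{plan.hub} /USERNAME:{plan.username}",
        # client certificate authentication: no password to leak into shell history
        f"CascadeCertSet {n} /LOADCERT:{plan.client_cert} /LOADKEY:{plan.client_key}",
        f"CascadeEncryptEnable {n}",
        f"CascadeServerCertSet {n} /LOADCERT:{plan.server_cert}",
        f"CascadeServerCertEnable {n}",
        f"CascadeDetailSet {n} /MAXTCP:{plan.max_tcp}",
        f"CascadeOnline {n}",
    ]


# Commands from this section that weaken the link.
WEAKENING = {
    "CascadeEncryptDisable": "VPN traffic between the servers flows in plain text",
    "CascadeServerCertDisable": "the destination VPN Server is no longer authenticated",
    "CascadeAnonymousSet": "no credentials are presented to the destination",
}
PASSWORD_VERBS = ("CascadePasswordSet", "CascadeProxyHttp", "CascadeProxySocks")


def audit(commands: List[str]) -> List[str]:
    """Flag weakening commands, passwords passed on the command line, and a
    CascadeOnline issued before server certificate verification is in place."""
    findings: List[str] = []
    cert_registered = False   # CascadeServerCertSet or CAAdd seen
    verify_enabled = False
    for lineno, line in enumerate(commands, 1):
        parts = line.split()
        if not parts:
            continue
        verb = parts[0]
        if verb in WEAKENING:
            findings.append(f"line {lineno}: {verb}: {WEAKENING[verb]}")
        if verb in PASSWORD_VERBS and any(p.upper().startswith("/PASSWORD:") for p in parts[1:]):
            findings.append(f"line {lineno}: {verb}: password on the command line, "
                            "visible in shell history and process listings")
        if verb in ("CascadeServerCertSet", "CAAdd"):
            cert_registered = True
        elif verb == "CascadeServerCertEnable":
            verify_enabled = True
            if not cert_registered:
                findings.append(f"line {lineno}: verification enabled before a server "
                                "certificate or CA certificate was registered")
        elif verb == "CascadeServerCertDisable":
            verify_enabled = False
        elif verb == "CascadeOnline" and not verify_enabled:
            findings.append(f"line {lineno}: CascadeOnline without server certificate verification")
    return findings


# Constructed plan with placeholder values.
PLAN = CascadePlan(
    name="to-branch",
    server="vpn2.example.net:443",
    hub="BRANCH",
    username="cascade-hq",
    client_cert="hq-cascade.cer",
    client_key="hq-cascade.key",
    server_cert="vpn2-server.cer",
)

if __name__ == "__main__":
    for cmd in build_commands(PLAN):
        print(cmd)
    print(audit(build_commands(PLAN)))
```

Run it and paste the printed lines into vpncmd while managing the source Virtual HUB; run audit() over any existing cascade script before applying it. The audit accepts CAAdd as an alternative to CascadeServerCertSet because the manual allows either way of establishing trust in the destination certificate.
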
6.4.50 AccessAdd - Add Access List Rules

Command Name AccessAdd
Outline of Command Add Access List Rules
Explanation Use this to add a new rule to the access list of the currently managed Virtual HUB.
The access list is a set of packet filter rules that are applied to packets that flow through the Virtual HUB. You can register multiple rules in an access list and you can also define a priority for each rule. Every packet is checked against the conditions of the registered rules and, based on the operation stipulated by the first matching rule, is either passed or discarded. Packets that do not match any rule are implicitly allowed to pass, so an access list is default-allow: to filter on a default-deny basis, register a discard rule with the lowest priority (the highest /PRIORITY value) that matches all hosts (/SRCIP:0.0.0.0/0.0.0.0 /DESTIP:0.0.0.0/0.0.0.0) behind the pass rules.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a member server on a cluster.
Commandline format AccessAdd [pass|discard] [/MEMO:memo] [/PRIORITY:priority] [/SRCIP:ip/mask] [/DESTIP:ip/mask] [/PROTOCOL:tcp|udp|icmp|ip|num] [/SRCPORT:start-end] [/DESTPORT:start-end] [/SRCUSERNAME:username] [/DESTUSERNAME:username]
List of parameter argument that can be specified by vpncmd command.

pass|discard The operation applied when a packet matches this rule's conditions. When pass is specified, the packet is allowed to pass; when discard is specified, the packet is discarded.
/MEMO Specify a description (memo) for this rule.
/PRIORITY Specify an integer of 1 or higher to indicate the priority of the rule. Rules with lower priority values are checked first.
/SRCIP Specify a source IP address as a rule condition. Specify the IP address as decimal values separated by dots, such as 192.168.0.1. For the subnet mask, either specify decimal values separated by dots, such as 255.255.255.0, or specify the bit length from the start of the address as a decimal value, such as 24. If you specify 0.0.0.0/0.0.0.0, this means all hosts.
/DESTIP Specify a destination IP address as a rule condition. Use the same method of specification as for the /SRCIP parameter.
/PROTOCOL Specify a protocol type as a rule condition. Input the IP protocol number as a decimal value or specify one of the keywords "tcp" (TCP, protocol number 6), "udp" (UDP, 17), "icmp" (ICMP, 1) or "ip" (all protocols, 0). Specify 0 to make the rule apply to all IP protocols.
/SRCPORT If the specified protocol is TCP or UDP, specify the source port number as the rule condition; for other protocols this parameter is ignored. When this parameter is not specified, the rule applies to all port numbers. Specify a range such as "1-1024" (1 to 1024) or a single port such as "23" (only 23).
/DESTPORT If the specified protocol is TCP or UDP, specify the destination port number as the rule condition; for other protocols this parameter is ignored. Use the same method of specification as for the /SRCPORT parameter.
/SRCUSERNAME To apply this rule only to packets sent by the session of a particular user, specify that user name as a rule condition.
/DESTUSERNAME To apply this rule only to packets received by the session of a particular user, specify that user name as a rule condition.

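The matching semantics described above (priority order, first match decides, implicit pass) are easy to get wrong when writing rules, so here is an added example, not code from PacketiX VPN, that parses AccessAdd-style argument strings with the /SRCIP, /DESTIP, /PROTOCOL and port syntax documented on this page and evaluates constructed packets against them. It shows that a pass/discard pair for one service still lets everything else through until an explicit low-priority discard rule is added. The rules, packets and the assumed /PRIORITY default of 1 are constructed for the example.

```python
"""Evaluate a Virtual HUB access list as AccessAdd/AccessList describe it.
Added example, not PacketiX code: rule syntax mirrors the AccessAdd parameters;
lower /PRIORITY is checked first, the first match decides, no match means pass.
Rules and packets are constructed; the /PRIORITY default of 1 is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1, "ip": 0}
ALL_PORTS = (0, 65535)


def parse_ip_mask(spec: str) -> ipaddress.IPv4Network:
    """'192.168.0.1/255.255.255.0' or '192.168.0.0/24'; 0.0.0.0/0.0.0.0 is all hosts."""
    return ipaddress.IPv4Network(spec, strict=False)  # accepts dotted masks and prefix lengths


def parse_port_range(spec: Optional[str]) -> Tuple[int, int]:
    """'1-1024' -> (1, 1024); '23' -> (23, 23); absent -> all ports."""
    if spec is None:
        return ALL_PORTS
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def parse_protocol(spec: Optional[str]) -> int:
    """Keyword tcp/udp/icmp/ip or a decimal IP protocol number; 0 means all."""
    if spec is None:
        return 0
    s = spec.lower()
    return PROTO_KEYWORDS[s] if s in PROTO_KEYWORDS else int(s)


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "discard"
    priority: int        # lower value is checked first
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: int        # 0 = any
    src_port: Tuple[int, int]
    dst_port: Tuple[int, int]
    memo: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0


def access_add(args: str) -> Rule:
    """Parse an AccessAdd argument string such as
    'discard /PRIORITY:20 /DESTIP:10.0.2.5/32 /PROTOCOL:tcp /DESTPORT:22 /MEMO:no-ssh'."""
    parts = args.split()
    action = parts[0].lower()
    if action not in ("pass", "discard"):
        raise ValueError("first argument must be pass or discard")
    opts = {}
    for p in parts[1:]:
        key, _, val = p.partition(":")
        opts[key.upper()] = val
    return Rule(
        action=action,
        priority=int(opts.get("/PRIORITY", "1")),
        src=parse_ip_mask(opts.get("/SRCIP", "0.0.0.0/0.0.0.0")),
        dst=parse_ip_mask(opts.get("/DESTIP", "0.0.0.0/0.0.0.0")),
        protocol=parse_protocol(opts.get("/PROTOCOL")),
        src_port=parse_port_range(opts.get("/SRCPORT")),
        dst_port=parse_port_range(opts.get("/DESTPORT")),
        memo=opts.get("/MEMO", ""),
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.protocol != 0 and rule.protocol != pkt.protocol:
        return False
    if rule.protocol in (6, 17):  # port conditions apply to TCP/UDP rules only
        return (rule.src_port[0] <= pkt.src_port <= rule.src_port[1]
                and rule.dst_port[0] <= pkt.dst_port <= rule.dst_port[1])
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """The first matching rule in priority order decides; no match is an implicit pass."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action, rule
    return "pass", None


# Constructed rule set: only the admin subnet may reach SSH on 10.0.2.5.
RULES = [
    access_add("discard /PRIORITY:20 /DESTIP:10.0.2.5/32 /PROTOCOL:tcp /DESTPORT:22 /MEMO:no-other-ssh"),
    access_add("pass /PRIORITY:10 /SRCIP:10.0.1.0/255.255.255.0 /DESTIP:10.0.2.5/32 /PROTOCOL:tcp /DESTPORT:22 /MEMO:admin-ssh"),
]
# The list above is still default-allow (telnet to the same host passes); this closes it.
DEFAULT_DENY = access_add("discard /PRIORITY:1000 /SRCIP:0.0.0.0/0.0.0.0 /DESTIP:0.0.0.0/0.0.0.0 /MEMO:default-deny")
```

Note that RULES lists the discard rule first yet the pass rule wins for the admin subnet, because ordering is by /PRIORITY value and not by the order in which AccessAdd was run; the same holds for the real access list, whose effective order you can confirm with AccessList.
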
6.4.51 AccessList - Get Access List Rule List

Command Name AccessList
Outline of Command Get Access List Rule List
Explanation Use this to get the list of packet filter rules that are registered on the access list of the currently managed Virtual HUB.
The access list is a set of packet filter rules that are applied to packets that flow through the Virtual HUB. You can register multiple rules in an access list and you can also define a priority for each rule. Every packet is checked against the conditions of the registered rules and, based on the operation stipulated by the first matching rule, is either passed or discarded. Packets that do not match any rule are implicitly allowed to pass.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a member server on a cluster.
Commandline format AccessList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.52 AccessDelete - Delete Rule from Access List

Command Name AccessDelete


Outline of Delete Rule from Access List
Command
Explanation Use this to specify a packet filter rule registered on the access list
of the currently managed Virtual HUB and delete it.
To delete a rule, you must specify that rule's ID. You can display
the ID by using the AccessList command.
If you wish not to delete the rule but to only temporarily disable it,
use the AccessDisable command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline AccessDelete [id]
format
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the rule to delete.

6.4.53 AccessEnable - Enable Access List Rule

Command Name AccessEnable


Outline of Enable Access List Rule
Command
Explanation Use this to specify a packet filter rule registered on the access list
of the currently managed Virtual HUB and enable it. The enabled
rule will be used by packet filtering.
To enable a rule, you must specify that rule's ID. You can display
the ID by using the AccessList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline AccessEnable [id]
format
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the rule to enable.

6.4.54 AccessDisable - Disable Access List Rule

Command Name AccessDisable


Outline of Disable Access List Rule
Command
Explanation Use this to specify a packet filter rule registered on the access list
of the currently managed Virtual HUB and disable it. A disabled
rule is skipped by packet filtering until it is enabled again.
To disable a rule, you must specify that rule's ID. You can display
the ID by using the AccessList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline AccessDisable [id]
format
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the rule to disable.
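The /SRCIP, /DESTIP, /PROTOCOL and port parameters described above, the priority-ordered, first-match, implicit-allow evaluation described under AccessList, and the effect of AccessEnable / AccessDisable can be modelled as follows. This is an added example written for this page in Python, not code from PacketiX VPN or vpncmd; the Rule and Packet classes, the constructed sample rules and the assumption that a smaller priority number is evaluated first are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keywords accepted by /PROTOCOL, with the IP protocol numbers the manual gives for them.
PROTOCOL_KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1, "ip": 0}

def parse_protocol(text: str) -> int:
    """'tcp', 'udp', 'icmp', 'ip' or a decimal protocol number; 0 means every IP protocol."""
    text = text.strip().lower()
    if text in PROTOCOL_KEYWORDS:
        return PROTOCOL_KEYWORDS[text]
    number = int(text)
    if not 0 <= number <= 255:
        raise ValueError(f"IP protocol number out of range: {number}")
    return number

def parse_network(text: str) -> ipaddress.IPv4Network:
    """/SRCIP and /DESTIP forms: 'a.b.c.d/255.255.255.0', 'a.b.c.d/24' or 0.0.0.0/0.0.0.0 (all hosts)."""
    return ipaddress.IPv4Network(text.strip(), strict=False)

def parse_ports(text: Optional[str]) -> Optional[range]:
    """/SRCPORT and /DESTPORT forms: '23' (only 23) or '1-1024' (1 to 1024); None means every port."""
    if text is None:
        return None
    low_text, _, high_text = text.partition("-")
    low, high = int(low_text), int(high_text or low_text)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port specification: {text}")
    return range(low, high + 1)

@dataclass
class Rule:
    id: int
    priority: int                    # assumption of this model: a smaller number is evaluated first
    action: str                      # "pass" or "discard"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: int                    # 0 = any IP protocol
    src_ports: Optional[range] = None
    dst_ports: Optional[range] = None
    src_user: Optional[str] = None   # /SRCUSERNAME: only packets sent by this user's session
    dst_user: Optional[str] = None   # /DESTUSERNAME: only packets received by this user's session
    enabled: bool = True             # toggled by AccessEnable / AccessDisable

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_user: Optional[str] = None
    dst_user: Optional[str] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every condition set on the rule must hold; conditions left unset match anything."""
    if ipaddress.IPv4Address(pkt.src) not in rule.src or ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.protocol != 0 and rule.protocol != pkt.protocol:
        return False
    # Port conditions mean something only for TCP (6) and UDP (17); for other protocols they are ignored.
    if pkt.protocol in (6, 17):
        if rule.src_ports is not None and pkt.src_port not in rule.src_ports:
            return False
        if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
            return False
    if rule.src_user is not None and rule.src_user != pkt.src_user:
        return False
    if rule.dst_user is not None and rule.dst_user != pkt.dst_user:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first enabled rule that matches, in priority order, decides; no match means the packet passes."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.id)):
        if rule.enabled and matches(rule, pkt):
            return rule.action, rule.id
    return "pass", None   # implicit allow, as the AccessList explanation states

def sample_rules() -> List[Rule]:
    """Constructed sample list: drop telnet into the LAN, allow low TCP ports from 10/8, and a
    catch-all discard that starts out disabled so the implicit-allow default is visible."""
    return [
        Rule(1, 100, "discard", parse_network("0.0.0.0/0.0.0.0"),
             parse_network("192.168.0.0/255.255.255.0"), parse_protocol("tcp"), dst_ports=parse_ports("23")),
        Rule(2, 200, "pass", parse_network("10.0.0.0/8"),
             parse_network("192.168.0.0/24"), parse_protocol("tcp"), dst_ports=parse_ports("1-1024")),
        Rule(3, 300, "discard", parse_network("0.0.0.0/0.0.0.0"),
             parse_network("0.0.0.0/0.0.0.0"), parse_protocol("ip"), enabled=False),
    ]
```

With rule 3 disabled an ICMP packet matches nothing and passes; enabling it (the equivalent of AccessEnable 3) turns the same list into deny-by-default, which is the practical consequence of the implicit-allow behaviour described under AccessList.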


6.4.55 UserList - Get List of Users

Command Name UserList


Outline of Get List of Users
Command
Explanation Use this to get a list of users that are registered on the security
account database of the currently managed Virtual HUB.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserList
format
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.56 UserCreate - Create User

Command Name UserCreate


Outline of Create User
Command
Explanation Use this to create a new user in the security account database of
the currently managed Virtual HUB.
By creating a user, the VPN Client can connect to the Virtual HUB
by using the authentication information of that user.
When a user is created with the UserCreate command, its auth type
is registered as [password authentication] and a random string is
assigned as the password, so the user cannot connect to the Virtual
HUB in that state. After creating the user you must either set the
password with the UserPasswordSet command or change the user's
auth type with the UserAnonymousSet, UserCertSet, UserSignedSet,
UserRadiusSet or UserNTLMSet command.
Note that a user created with the name "*" (a single asterisk
character) is automatically registered as a RADIUS authentication
user. When a "*" user exists and a client connects to the VPN Server
with a user name that matches no registered user, the user name
and password supplied by the client are checked against the RADIUS
server or NT domain controller; if that check succeeds, the
authentication settings and security policy settings of the "*" user
apply to the session.
To change the user information of a user that has been created,
use the UserSet command.


This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserCreate [name] [/GROUP:group] [/REALNAME:realname]
format [/NOTE:note]
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user to be newly created.


/GROUP When assigning the user to a group, specify the group name. When
not assigning the user to any group, specify /GROUP:none.
/REALNAME Specify the user's real name. If you are not specifying this,
specify /REALNAME:none.
/NOTE Specify a description of the user. If you are not specifying this,
specify /NOTE:none

6.4.57 UserSet - Change User Information

Command Name UserSet


Outline of Change User Information
Command
Explanation Use this to change user information that is registered on the
security account database of the currently managed Virtual HUB.
The user information that can be changed using this command are
the three items that are specified when a new user is created
using the UserCreate command: [Group Name], [Real Name], and
[Description].
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserSet [name] [/GROUP:group] [/REALNAME:realname]
format [/NOTE:note]
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.
/GROUP When assigning the user to a group, specify the group name. When
not assigning the user to any group, specify /GROUP:none.
/REALNAME Specify the user's real name. If you are not specifying this,
specify /REALNAME:none
/NOTE Specify a description of the user. If you are not specifying this,
specify /NOTE:none.

6.4.58 UserDelete - Delete User

Command Name UserDelete


Outline of Delete User
Command
Explanation Use this to delete a user that is registered on the security account
database of the currently managed Virtual HUB. Once deleted, the
user can no longer connect to the Virtual HUB.
Instead of deleting a user, you can temporarily deny that user's
logins by changing the user's security policy with the UserPolicySet
command (for example, by setting the [Allow Access] policy to no).
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserDelete [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the user to delete.

6.4.59 UserGet - Get User Information

Command Name UserGet


Outline of Get User Information
Command
Explanation Use this to get user registration information that is registered on
the security account database of the currently managed Virtual
HUB.
The information that you can get using this command are [User
Name], [Real Name], [Group Name], [Expiration Date], [Security
Policy], [Auth Type], as well as parameters that are specified as
auth type attributes and the statistical data of that user.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserGet [name]
format
List of parameter argument that can be specified by vpncmd command.


name Specify the user name of the user whose information you want to
get.

6.4.60 UserAnonymousSet - Set Anonymous Authentication for User


Auth Type

Command Name UserAnonymousSet


Outline of Set Anonymous Authentication for User Auth Type
Command
Explanation Use this to set [Anonymous Authentication] as the auth type for a
user that is registered on the security account database of the
currently managed Virtual HUB. A VPN Client that connects to the
Virtual HUB with the user name of an anonymous authentication
user is admitted without any user authentication and without any
further condition; in effect, anyone who knows the user name can
connect. Anonymous authentication is therefore suited only to
public VPN Servers that are deliberately set up to let anyone
connect via the Internet.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserAnonymousSet [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.

6.4.61 UserPasswordSet - Set Password Authentication for User Auth


Type and Set Password

Command Name UserPasswordSet


Outline of Set Password Authentication for User Auth Type and Set Password
Command
Explanation Use this to set [Password Authentication] as the auth type for a
user that is registered on the security account database of the
currently managed Virtual HUB. Password authentication requires
a password to be set for the user object in the security account
database of the Virtual HUB. When a client attempts to connect
with this user name it is prompted for the password, and the
connection is allowed only if the password matches.
Only a hash of the password is stored in the VPN Server
configuration file, so the original password cannot be read back
from the file. An attacker who obtains the configuration file can
still try to guess a weak password offline against that hash, so
choose strong passwords and restrict access to the configuration
file.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserPasswordSet [name] [/PASSWORD:password]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.
/PASSWORD Specify the password to be set for the user. If this parameter is
not specified, a prompt will appear to input the password. Prefer
the prompt when working interactively: a password given on the
command line can be exposed through the shell history or the
process list.

6.4.62 UserCertSet - Set Individual Certificate Authentication for User


Auth Type and Set Certificate

Command Name UserCertSet


Outline of Set Individual Certificate Authentication for User Auth Type and
Command Set Certificate
Explanation Use this to set [Individual Certificate Authentication] as the auth
type for a user that is registered on the security account database
of the currently managed Virtual HUB. Individual certificate
authentication requires one X.509 certificate to be registered for
the user object in the security account database of the Virtual
HUB. When a client attempts to connect with this user name, the
server checks with an RSA algorithm that the certificate presented
by the client matches the registered certificate and that the client
holds the private key corresponding to it; only then is the
connection allowed.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserCertSet [name] [/LOADCERT:cert]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.


/LOADCERT Specify the certificate to set for the user by specifying an X.509
format certificate file.

6.4.63 UserCertGet - Get Certificate Registered for Individual


Certificate Authentication User

Command Name UserCertGet


Outline of Get Certificate Registered for Individual Certificate Authentication
Command User
Explanation Use this to get an X.509 format certificate registered for a user of
[Individual Certificate Authentication] who is registered in the
security account database of the currently managed Virtual HUB
and save it to file.
If the specified user is not set as [Individual Certificate
Authentication] an error will occur.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserCertGet [name] [/SAVECERT:cert]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose information you want to
get.
/SAVECERT Specify the file name to save, in X.509 format, the user certificate
you obtained.

6.4.64 UserSignedSet - Set Signed Certificate Authentication for User


Auth Type

Command Name UserSignedSet


Outline of Set Signed Certificate Authentication for User Auth Type
Command
Explanation Use this to set [Signed Certificate Authentication] as the auth type
for a user that is registered on the security account database of
the currently managed Virtual HUB. When a client connects with a
user name that is set for signed certificate authentication, the
server checks with an RSA algorithm that the certificate presented
by the client is signed by one of the certificates in the Virtual
HUB's list of trusted CA certificates and that the client holds the
private key corresponding to that certificate; if so, the connection
is allowed.
You can additionally register the common name (CN) and serial
number expected for each user; the connection is then allowed
only if, after the signature verification above has passed, the
contents of the certificate match the registered values. Without
this check, any certificate signed by any trusted CA is accepted for
this user name, so register the CN or serial number whenever a
trusted CA issues certificates to more than one user.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserSignedSet [name] [/CN:cn] [/SERIAL:serial]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.
/CN When this parameter is set, after it has been verified that the
certificate presented by the user is signed by a trusted certificate
authority, the connection is allowed only if the common name (CN)
of that certificate matches the value set here. When "none" is
specified, this check is not made.
/SERIAL When this parameter is set, after it has been verified that the
certificate presented by the user is signed by a trusted certificate
authority, the connection is allowed only if the serial number of
that certificate matches the value set here. When "none" is
specified, this check is not made.

6.4.65 UserRadiusSet - Set RADIUS Authentication for User Auth Type

Command Name UserRadiusSet


Outline of Set RADIUS Authentication for User Auth Type
Command
Explanation Use this to set [RADIUS Authentication] as the auth type for a user
that is registered on the security account database of the currently
managed Virtual HUB. When a client connects with a user name
that is set for RADIUS authentication, the user name and the
password entered by the user are sent to the RADIUS server, which
checks them; if the verification succeeds, that user is allowed to
connect to the VPN.
To use RADIUS authentication, the RADIUS server used for this
verification must first be registered on the Virtual HUB with the
RadiusServerSet command.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserRadiusSet [name] [/ALIAS:alias_name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.
/ALIAS When this parameter is set, the user name sent to the RADIUS
server can differ from the user name on the Virtual HUB. When it
is not needed, specify /ALIAS:none (the user name on the Virtual
HUB will be sent). If the user name is "*", the /ALIAS parameter is
ignored and the user name supplied by the client is sent. For an
explanation of the "*" user, run UserCreate /HELP.

6.4.66 UserNTLMSet - Set NT Domain Authentication for User Auth


Type

Command Name UserNTLMSet


Outline of Set NT Domain Authentication for User Auth Type
Command
Explanation Use this to set [NT Domain Authentication] as the auth type for a
user that is registered on the security account database of the
currently managed Virtual HUB. When a client connects with a
user name that is set for NT Domain authentication, the user name
and the password entered by the user are sent to the Windows NT /
2000 / Server 2003 / Windows Server 2008 Domain Controller or
Active Directory server, which checks them; if the verification
succeeds, that user is allowed to connect to the VPN.
To use NT Domain authentication, the VPN Server must be running
on a Windows NT 4.0, Windows 2000, Windows XP, Windows Vista
or Windows Server 2008 operating system that is joined to that
domain. For details, contact the VPN Server's administrator.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserNTLMSet [name] [/ALIAS:alias_name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.
/ALIAS When this parameter is set, the user name sent to the NT Domain
or Active Directory server can differ from the user name on the
Virtual HUB. When it is not needed, specify /ALIAS:none (the user
name on the Virtual HUB will be sent). If the user name is "*", the
/ALIAS parameter is ignored and the user name supplied by the
client is sent. For an explanation of the "*" user, run
UserCreate /HELP.

6.4.67 UserPolicyRemove - Delete User Security Policy

Command Name UserPolicyRemove


Outline of Delete User Security Policy
Command
Explanation Use this to delete the security policy setting that is set for a user
that is registered on the security account database of the currently
managed Virtual HUB. A user who has had their security policy
setting deleted will be assigned the security policy setting of the
group that user is assigned to. In the cases where the user is not
assigned to a group or when a security policy setting has not been
set for the group, the default values (Allow Access: Enabled,
Maximum Number of TCP Connections: 32, Time-out Period: 20
seconds) will be applied.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserPolicyRemove [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.

6.4.68 UserPolicySet - Set User Security Policy

Command Name UserPolicySet


Outline of Set User Security Policy
Command
Explanation Use this to set the contents of the security policy for a user that
is registered on the security account database of the currently
managed Virtual HUB.
If the user has no security policy yet, this command first creates
one with the default values and then changes the item you specify.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserPolicySet [name] [/NAME:policy_name] [/VALUE:num|yes|no]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user whose setting you want to
change.
/NAME Specify the name of policy whose values you want to change. You
can use the PolicyList command to display a list of policy names
and values that can be set.
/VALUE Specify a new policy value. If the policy is an integer value, specify
an integer. Specify yes or no for Boolean types. You can view the
type and value that can be set by using the PolicyList command.

6.4.69 UserExpiresSet - Set User's Expiration Date

Command Name UserExpiresSet


Outline of Set User's Expiration Date
Command
Explanation Use this to set the user's expiration date that is registered on the
security account database of the currently managed Virtual HUB. A
user whose expiration date has expired cannot connect to the
Virtual HUB.
To get the list of currently registered users, use the UserList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline UserExpiresSet [name] [/EXPIRES:expires]
format
List of parameter argument that can be specified by vpncmd command.


name Specify the user name of the user whose setting you want to
change.
/EXPIRES Specify the user's expiration date and time in the same format as
"2005/10/08 19:30:00": six integers representing year/month/day
hour:minute:second, with slashes between the date fields, a space,
and colons between the time fields. Specify four digits for the
year. Because the value contains a space, enclose the whole value
in "". The value is interpreted as local time (the standard time of
the computer on which the command line management utility is
running). Specify /EXPIRES:none to remove the expiration date.
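The following Python model ties together the "*" fallback user described under UserCreate, the /ALIAS handling of UserRadiusSet and UserNTLMSet, the user-then-group-then-default security policy precedence described under UserPolicyRemove, and the /EXPIRES format above. It is an added example written for this page, not code from PacketiX VPN or vpncmd; the Hub, User and Group classes, the constructed sample account database and the use of the manual's display names as policy keys are the example's own, and it stops where the real server would hand the credentials to the configured authentication method.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Tuple

# Defaults the manual states apply when neither the user nor its group has a security policy.
DEFAULT_POLICY = {"Allow Access": True, "Maximum Number of TCP Connections": 32, "Time-out Period": 20}

# /EXPIRES format "2005/10/08 19:30:00", local time of the machine running vpncmd; %Y requires 4 digits.
EXPIRES_FORMAT = "%Y/%m/%d %H:%M:%S"

def parse_expires(text: str) -> Optional[datetime]:
    """'none' removes the expiration; anything else must be year/month/day hour:minute:second."""
    text = text.strip()
    if text.lower() == "none":
        return None
    return datetime.strptime(text, EXPIRES_FORMAT)

@dataclass
class Group:
    name: str
    policy: Optional[Dict[str, object]] = None    # None: no group policy (GroupPolicyRemove)

@dataclass
class User:
    name: str
    auth_type: str                                # "password", "cert", "signed", "radius", "ntlm", "anonymous"
    group: Optional[str] = None
    alias: Optional[str] = None                   # /ALIAS for RADIUS / NT domain users
    policy: Optional[Dict[str, object]] = None    # None: no user policy (UserPolicyRemove)
    expires: Optional[datetime] = None            # None: no expiration (/EXPIRES:none)

@dataclass
class Hub:
    users: Dict[str, User] = field(default_factory=dict)
    groups: Dict[str, Group] = field(default_factory=dict)

def resolve_user(hub: Hub, login_name: str) -> Optional[User]:
    """Exact user name first; otherwise the '*' user, which only acts as a RADIUS / NT domain user."""
    user = hub.users.get(login_name)
    if user is not None:
        return user
    wildcard = hub.users.get("*")
    if wildcard is not None and wildcard.auth_type in ("radius", "ntlm"):
        return wildcard
    return None

def external_name(user: User, login_name: str) -> str:
    """Name sent to the RADIUS / NT domain server: /ALIAS if set, but for '*' always the client's name."""
    if user.name == "*":
        return login_name
    return user.alias or user.name

def effective_policy(hub: Hub, user: User) -> Dict[str, object]:
    """User policy, else the group's policy, else the defaults (whole policy, not a per-item merge)."""
    if user.policy is not None:
        return dict(user.policy)
    group = hub.groups.get(user.group) if user.group else None
    if group is not None and group.policy is not None:
        return dict(group.policy)
    return dict(DEFAULT_POLICY)

def admit(hub: Hub, login_name: str, now: datetime) -> Tuple[bool, str]:
    """Checks made before credentials are verified; returns (allowed, reason)."""
    user = resolve_user(hub, login_name)
    if user is None:
        return False, f"no user '{login_name}' and no '*' fallback user"
    if user.expires is not None and now >= user.expires:
        return False, f"user '{user.name}' expired at {user.expires:{EXPIRES_FORMAT}}"
    if not effective_policy(hub, user)["Allow Access"]:
        return False, f"access disabled by the security policy applied to '{user.name}'"
    if user.auth_type in ("radius", "ntlm"):
        return True, f"verify '{external_name(user, login_name)}' with the {user.auth_type} server"
    return True, f"authenticate '{user.name}' by {user.auth_type}"

def sample_hub() -> Hub:
    """Constructed security account database for the demonstration."""
    hub = Hub()
    hub.groups["staff"] = Group("staff", {"Allow Access": True, "Maximum Number of TCP Connections": 8,
                                          "Time-out Period": 20})
    hub.groups["contractors"] = Group("contractors")
    hub.users["alice"] = User("alice", "password", group="staff")
    hub.users["bob"] = User("bob", "password", group="contractors", expires=parse_expires("2005/10/08 19:30:00"))
    hub.users["carol"] = User("carol", "signed", group="staff", policy={**DEFAULT_POLICY, "Allow Access": False})
    hub.users["dave"] = User("dave", "radius", alias="dave.smith")
    hub.users["*"] = User("*", "radius", alias="ignored-for-wildcard")
    return hub
```

Two points the model makes visible: the "*" user is consulted only when no user of the given name exists (carol, who has her own policy, is never routed to RADIUS), and removing "*" turns every unknown name into a refusal rather than an external lookup.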

6.4.70 GroupList - Get List of Groups

Command Name GroupList


Outline of Get List of Groups
Command
Explanation Use this to get a list of groups that are registered on the security
account database of the currently managed Virtual HUB.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupList
format
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.71 GroupCreate - Create Group

Command Name GroupCreate


Outline of Create Group
Command
Explanation Use this to create a new group in the security account database of
the currently managed Virtual HUB.
You can register multiple users in a group. To register users in a
group use the GroupJoin command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupCreate [name] [/REALNAME:realname] [/NOTE:note]
format
List of parameter argument that can be specified by vpncmd command.


name Specify the name of the group to create.


/REALNAME Specify the group's real name. For example, if the group
corresponds to an actual section or department name, specify that
name. If you are not specifying this, specify /REALNAME:none
/NOTE Specify a description of the group. If you are not specifying this,
specify /NOTE:none

6.4.72 GroupSet - Set Group Information

Command Name GroupSet


Outline of Set Group Information
Command
Explanation Use this to set group information that is registered on the security
account database of the currently managed Virtual HUB.
To get the list of currently registered groups, use the GroupList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupSet [name] [/REALNAME:realname] [/NOTE:note]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the group name of the group whose setting you want to
change.
/REALNAME Specify the group's real name. For example, if the group
corresponds to an actual section or department name, specify that
name. If you are not specifying this, specify /REALNAME:none
/NOTE Specify a description of the group. If you are not specifying this,
specify /NOTE:none.

6.4.73 GroupDelete - Delete Group

Command Name GroupDelete


Outline of Delete Group
Command
Explanation Use this to delete a group that is registered on the security
account database of the currently managed Virtual HUB.
When you delete a group all users assigned to that group will
become unassigned.
To get the list of currently registered groups, use the GroupList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupDelete [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the group to delete.

6.4.74 GroupGet - Get Group Information and List of Assigned Users

Command Name GroupGet


Outline of Get Group Information and List of Assigned Users
Command
Explanation Use this to get the information of a group that is registered on the
security account database of the currently managed Virtual HUB as
well as a list of users assigned to that group.
To get the list of currently registered groups, use the GroupList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupGet [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the group name of the group whose information you want
to get.

6.4.75 GroupJoin - Add User to Group

Command Name GroupJoin


Outline of Add User to Group
Command
Explanation Use this to add a user in the security account database of the
currently managed Virtual HUB to a group that is registered on
that security account database.
To get a list of users and groups that are currently registered, use
the UserList command and the GroupList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupJoin [name] [/USERNAME:username]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the group name of the group to which you want to add a
user.
/USERNAME Specify the user name of the user you want to add to the group
specified by "name".

6.4.76 GroupUnjoin - Delete User from Group

Command Name GroupUnjoin


Outline of Delete User from Group
Command
Explanation Use this to delete a specified user from the group that is registered
on the security account database of the currently managed Virtual
HUB. By deleting a user from the group, that user becomes
unassigned.
To get a list of users that are currently assigned to a group, use
the GroupGet command.
To get the list of currently registered groups, use the GroupList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupUnjoin [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the user name of the user to remove from the group.

6.4.77 GroupPolicyRemove - Delete Group Security Policy

Command Name GroupPolicyRemove


Outline of Delete Group Security Policy
Command
Explanation Use this to delete the security policy setting that is set for a group
that is registered on the security account database of the currently
managed Virtual HUB. Users who do not have a security policy set
for the user themselves or for the group they are assigned to, will
have the default values (Allow Access: Enabled, Maximum Number
of TCP Connections: 32, Time-out Period: 20 seconds) applied to
them.
To get the list of currently registered groups, use the GroupList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupPolicyRemove [name]
format
List of parameter argument that can be specified by vpncmd command.

name Specify the group name of the group whose setting you want to
change.

6.4.78 GroupPolicySet - Set Group Security Policy

Command Name GroupPolicySet


Outline of Set Group Security Policy
Command
Explanation Use this to set the security policy contents that are set for a group
that is registered on the security account database of the currently
managed Virtual HUB.
If the group has no security policy yet, this command first creates
one with the default values and then changes the item you specify.
To get the list of currently registered groups, use the GroupList
command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a member server on a cluster.
Commandline GroupPolicySet [name] [/NAME:policy_name]
format [/VALUE:num|yes|no]
List of parameter argument that can be specified by vpncmd command.

name Specify the group name of the group whose setting you want to
change.
/NAME Specify the name of policy whose values you want to change. You
can use the PolicyList command to display a list of policy names
and values that can be set.
/VALUE Specify a new policy value. If the policy is an integer value, specify
an integer. Specify yes or no for Boolean types. You can view the
type and value that can be set by using the PolicyList command.

6.4.79 SessionList - Get List of Connected Sessions

Command Name SessionList


Outline of Get List of Connected Sessions
Command
Explanation Use this to get a list of the sessions connected to the Virtual HUB
currently being managed. In the list of sessions, the following
information will be displayed for each connection: [Session Name],
[Session Site], [User Name], [Source Host Name], [TCP
Connection], [Transfer Bytes] and [Transfer Packets].
If the currently connected VPN Server is a cluster controller and
the currently managed Virtual HUB is a static Virtual HUB, you can
get an all-linked-together list of all sessions connected to that
Virtual HUB on all cluster members.
In all other cases, only the list of sessions that are actually
connected to the currently managed VPN Server will be obtained.
Commandline format SessionList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.80 SessionGet - Get Session Information

Command Name SessionGet
Outline of Command Get Session Information
Explanation Use this to specify a session currently connected to the currently
managed Virtual HUB and get the session information. The
session information includes the following: source host name and
user name, version information, time information, number of TCP
connections, communication parameters, session key, statistical
information on data transferred, and other client and server
information.
To get the list of currently connected sessions, use the SessionList
command.
Commandline format SessionGet [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the session name of the session whose information you
want to get.

6.4.81 SessionDisconnect - Disconnect Session

Command Name SessionDisconnect
Outline of Command Disconnect Session
Explanation Use this to specify a session currently connected to the currently
managed Virtual HUB and forcefully disconnect that session using
manager privileges.
Note that when communication is disconnected by settings on the
source client side and the automatic reconnect option is
enabled, it is possible that the client will reconnect.
To get the list of currently connected sessions, use the SessionList
command.
Commandline format SessionDisconnect [name]
List of parameter argument that can be specified by vpncmd command.

name Specify the session name of the session to disconnect.

6.4.82 MacTable - Get the MAC Address Table Database

Command Name MacTable
Outline of Command Get the MAC Address Table Database
Explanation Use this to get the MAC address table database that is held by the
currently managed Virtual HUB.
The MAC address table database is a table that the Virtual HUB
requires in order to switch Ethernet frames: the Virtual HUB
decides the destination session of each Ethernet frame based on
the MAC address table database. The MAC address table database is
built by the Virtual HUB automatically analyzing the contents of
the communication passing through it.
By specifying the session name you can get the MAC address table
entry that has been associated with that session.
Commandline format MacTable [session_name]
List of parameter argument that can be specified by vpncmd command.

session_name By specifying the session name as a parameter, you can display
only the MAC address table entry that is associated with that
session. When this is left unspecified, all the entries will be
displayed.

6.4.83 MacDelete - Delete MAC Address Table Entry

Command Name MacDelete
Outline of Command Delete MAC Address Table Entry
Explanation Use this command to operate the MAC address table database held
by the currently managed Virtual HUB and delete a specified MAC
address table entry from the database.
To get the contents of the current MAC address table database use
the MacTable command.
Commandline format MacDelete [id]
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the MAC address table entry to delete.

6.4.84 IpTable - Get the IP Address Table Database

Command Name IpTable
Outline of Command Get the IP Address Table Database
Explanation Use this to get the IP address table database that is held by the
currently managed Virtual HUB.
The IP address table database is a table that is automatically
generated by analyzing the contents of communication so that the
Virtual HUB can always know which session is using which IP
address and it is frequently used by the engine that applies the
Virtual HUB security policy.
By specifying the session name you can get the IP address table
entry that has been associated with that session.
Commandline format IpTable [session_name]
List of parameter argument that can be specified by vpncmd command.

session_name By specifying the session name as a parameter, you can display
only the IP address table entry that is associated with that session.
When this is left unspecified, all the entries will be displayed.

6.4.85 IpDelete - Delete IP Address Table Entry

Command Name IpDelete
Outline of Command Delete IP Address Table Entry
Explanation Use this command to operate the IP address table database held
by the currently managed Virtual HUB and delete a specified IP
address table entry from the database.
To get the contents of the current IP address table database use
the IpTable command.
Commandline format IpDelete [id]
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the IP address table entry to delete.

6.4.86 SecureNatEnable - Enable the Virtual NAT and DHCP Server Function (SecureNat Function)

Command Name SecureNatEnable
Outline of Command Enable the Virtual NAT and DHCP Server Function (SecureNat Function)
Explanation Use this to enable the Virtual NAT and DHCP Server function
(SecureNat Function) on the currently managed Virtual HUB and
begin its operation. Before executing this command, you must first
check the setting contents of the current Virtual NAT function and
DHCP Server function using the SecureNatHostGet command,
NatGet command and DhcpGet command.
By enabling the SecureNAT function, you can virtually operate a
NAT router (IP masquerade) and the DHCP Server function on a
virtual network on the Virtual HUB.

[Warning about SecureNAT Function]

The SecureNAT function is recommended only for system
administrators and people with a detailed knowledge of networks.
If you use the SecureNAT function correctly, it is possible to
achieve a safe form of remote access via a VPN. However, when
used in the wrong way, it can put the entire network in danger.
Anyone who does not have a thorough knowledge of networks and
anyone who does not have the network administrator's permission
must not enable the SecureNAT function. For a detailed
explanation of the SecureNAT function, please refer to the VPN
Server's manual and online documentation.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format SecureNatEnable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.


6.4.87 SecureNatDisable - Disable the Virtual NAT and DHCP Server Function (SecureNat Function)

Command Name SecureNatDisable
Outline of Command Disable the Virtual NAT and DHCP Server Function (SecureNat Function)
Explanation Use this to disable the Virtual NAT and DHCP Server function
(SecureNat Function) on the currently managed Virtual HUB. By
executing this command the Virtual NAT function immediately
stops operating and the Virtual DHCP Server function deletes the
DHCP lease database and stops the service.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format SecureNatDisable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.88 SecureNatStatusGet - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)

Command Name SecureNatStatusGet
Outline of Command Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)
Explanation Use this to get the operating status of the Virtual NAT and DHCP
Server function (SecureNat Function) when it is operating on the
currently managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format SecureNatStatusGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.89 SecureNatHostGet - Get Network Interface Setting of Virtual Host of SecureNAT Function

Command Name SecureNatHostGet
Outline of Command Get Network Interface Setting of Virtual Host of SecureNAT Function
Explanation Use this to get the virtual host network interface setting from the
setting items of the Virtual NAT and DHCP Server function
(SecureNAT function) on the currently managed Virtual HUB.
The SecureNAT function holds one virtual network adapter on the
L2 segment inside the Virtual HUB and it has been assigned a MAC
address and an IP address. By doing this, another host connected
to the same L2 segment is able to communicate with the
SecureNAT virtual host as if it is an actual IP host existing on the
network.

[Warning about SecureNAT Function]

The SecureNAT function is recommended only for system
administrators and people with a detailed knowledge of networks.
If you use the SecureNAT function correctly, it is possible to
achieve a safe form of remote access via a VPN. However, when
used in the wrong way, it can put the entire network in danger.
Anyone who does not have a thorough knowledge of networks and
anyone who does not have the network administrator's permission
must not enable the SecureNAT function. For a detailed
explanation of the SecureNAT function, please refer to the VPN
Server's manual and online documentation.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format SecureNatHostGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.90 SecureNatHostSet - Change Network Interface Setting of Virtual Host of SecureNAT Function

Command Name SecureNatHostSet
Outline of Command Change Network Interface Setting of Virtual Host of SecureNAT Function
Explanation Use this to change and save the virtual host network interface
setting in the setting items of the Virtual NAT and DHCP Server
function (SecureNAT function) on the currently managed Virtual
HUB.
The SecureNAT function holds one virtual network adapter on the
L2 segment inside the Virtual HUB and it has been assigned a MAC
address and an IP address. By doing this, another host connected
to the same L2 segment is able to communicate with the
SecureNAT virtual host as if it is an actual IP host existing on the
network.

[Warning about SecureNAT Function]

The SecureNAT function is recommended only for system
administrators and people with a detailed knowledge of networks.
If you use the SecureNAT function correctly, it is possible to
achieve a safe form of remote access via a VPN. However, when
used in the wrong way, it can put the entire network in danger.
Anyone who does not have a thorough knowledge of networks and
anyone who does not have the network administrator's permission
must not enable the SecureNAT function. For a detailed
explanation of the SecureNAT function, please refer to the VPN
Server's manual and online documentation.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format SecureNatHostSet [/MAC:mac] [/IP:ip] [/MASK:mask]
List of parameter argument that can be specified by vpncmd command.

/MAC Specify the MAC address to assign for the virtual interface. Specify
a MAC address using a string like "00-AC-01-23-45-67".
When /MAC:none is specified, no changes will be made to the
current setting.
/IP Specify the IP address to assign for the virtual interface.
When /IP:none is specified, no changes will be made to the current
setting.
/MASK Specify the subnet mask to assign for the virtual interface.
When /MASK:none is specified, no changes will be made to the
current setting.

6.4.91 NatGet - Get Virtual NAT Function Setting of SecureNAT Function

Command Name NatGet
Outline of Command Get Virtual NAT Function Setting of SecureNAT Function
Explanation Use this to get the virtual NAT setting from the setting items of the
Virtual NAT and DHCP Server function (SecureNAT function) on the
currently managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format NatGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.


6.4.92 NatEnable - Enable Virtual NAT Function of SecureNAT Function

Command Name NatEnable
Outline of Command Enable Virtual NAT Function of SecureNAT Function
Explanation Use this to enable the Virtual NAT function on the currently
managed Virtual HUB.
Even after this command has been used to enable the Virtual NAT
function, the Virtual NAT does not operate while the SecureNAT
function itself is not operating. To start the operation of the
SecureNAT Function, use the SecureNatEnable command.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format NatEnable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.93 NatDisable - Disable Virtual NAT Function of SecureNAT Function

Command Name NatDisable
Outline of Command Disable Virtual NAT Function of SecureNAT Function
Explanation Use this to disable the Virtual NAT function on the currently
managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format NatDisable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.94 NatSet - Change Virtual NAT Function Setting of SecureNAT Function

Command Name NatSet
Outline of Command Change Virtual NAT Function Setting of SecureNAT Function
Explanation Use this to change the Virtual NAT setting of the currently
managed Virtual HUB. The contents of the Virtual NAT setting
include: MTU value, TCP session timeout and UDP session timeout.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format NatSet [/MTU:mtu] [/TCPTIMEOUT:tcp_timeout] [/UDPTIMEOUT:udp_timeout] [/LOG:yes|no]
List of parameter argument that can be specified by vpncmd command.

/MTU Set the MTU (maximum transferable unit size) as an integer number
of bytes. This value is the maximum payload length, excluding the
MAC header, of the Ethernet frames that the Virtual NAT sends; the
default is 1500 bytes.
/TCPTIMEOUT This sets how many seconds a condition of non-communication
continues in a TCP session that the Virtual NAT is relaying before a
timeout occurs and the session is discarded.
/UDPTIMEOUT This sets how many seconds a condition of non-communication
continues in a UDP session that the Virtual NAT is relaying before a
timeout occurs and the session is discarded.
/LOG Specify whether or not to save the Virtual NAT operation in the
Virtual HUB security log. Specify "yes" to save it, and "no" to not
save it.

6.4.95 NatTable - Get Virtual NAT Function Session Table of SecureNAT Function

Command Name NatTable
Outline of Command Get Virtual NAT Function Session Table of SecureNAT Function
Explanation Use this to get the table of TCP and UDP sessions currently
communicating via the Virtual NAT (NAT table) in cases when the
Virtual NAT function is operating on the currently managed Virtual
HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format NatTable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.96 DhcpGet - Get Virtual DHCP Server Function Setting of SecureNAT Function

Command Name DhcpGet
Outline of Command Get Virtual DHCP Server Function Setting of SecureNAT Function
Explanation Use this to get the virtual DHCP Server setting from the setting
items of the Virtual NAT and DHCP Server function (SecureNAT
function) on the currently managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format DhcpGet
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.97 DhcpEnable - Enable Virtual DHCP Server Function of SecureNAT Function

Command Name DhcpEnable
Outline of Command Enable Virtual DHCP Server Function of SecureNAT Function
Explanation Use this to enable the Virtual DHCP Server function on the
currently managed Virtual HUB.
Even after this command has been used to enable the Virtual DHCP
Server function, the Virtual DHCP Server does not operate while the
SecureNAT function itself is not operating. To start the operation
of the SecureNAT Function, use the SecureNatEnable command.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format DhcpEnable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.98 DhcpDisable - Disable Virtual DHCP Server Function of SecureNAT Function

Command Name DhcpDisable
Outline of Command Disable Virtual DHCP Server Function of SecureNAT Function
Explanation Use this to disable the Virtual DHCP Server function on the
currently managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format DhcpDisable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.99 DhcpSet - Change Virtual DHCP Server Function Setting of SecureNAT Function

Command Name DhcpSet
Outline of Command Change Virtual DHCP Server Function Setting of SecureNAT Function
Explanation Use this to change the Virtual DHCP Server setting of the currently
managed Virtual HUB. The Virtual DHCP Server settings include
the following items: distribution address band, subnet mask, lease
limit, and option values assigned to clients.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format DhcpSet [/START:start_ip] [/END:end_ip] [/MASK:subnetmask]
[/EXPIRE:sec] [/GW:gwip] [/DNS:dns] [/DOMAIN:domain] [/LOG:yes|no]
List of parameter argument that can be specified by vpncmd command.

/START Specify the start point of the address band to be distributed to the
client. (Example: 192.168.30.10)
/END Specify the end point of the address band to be distributed to the
client. (Example: 192.168.30.200)
/MASK Specify the subnet mask to be specified for the client. (Example:
255.255.255.0)
/EXPIRE Specify the expiration time, in seconds, of an IP address lease
granted to a client.
/GW Specify the IP address of the default gateway to be notified to the
client. You can specify a SecureNAT Virtual Host IP address for this
when the SecureNAT Function's Virtual NAT Function has been
enabled and is being used also. If you specify 0 or none, then the
client will not be notified of the default gateway.
/DNS Specify the IP address of the DNS Server to be notified to the
client. You can specify a SecureNAT Virtual Host IP address for this
when the SecureNAT Function's Virtual NAT Function has been
enabled and is being used also. If you specify 0 or none, then the
client will not be notified of the DNS Server address.
/DOMAIN Specify the domain name to be notified to the client. If you specify
none, then the client will not be notified of the domain name.
/LOG Specify whether or not to save the Virtual DHCP Server operation
in the Virtual HUB security log. Specify "yes" to save it. This value
is interlinked with the Virtual NAT Function log save setting.

6.4.100 DhcpTable - Get Virtual DHCP Server Function Lease Table of SecureNAT Function

Command Name DhcpTable
Outline of Command Get Virtual DHCP Server Function Lease Table of SecureNAT Function
Explanation Use this to get the lease table of IP addresses, held by the Virtual
DHCP Server, that are assigned to clients in cases when the Virtual
NAT function is operating on the currently managed Virtual HUB.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format DhcpTable
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.101 AdminOptionList - Get List of Virtual HUB Administration Options

Command Name AdminOptionList
Outline of Command Get List of Virtual HUB Administration Options
Explanation Use this to get a list of Virtual HUB administration options that are
set on the currently managed Virtual HUB.
The purpose of the Virtual HUB administration options is for the
VPN Server Administrator to set limits for the setting ranges when
the administration of the Virtual HUB is to be trusted to each
Virtual HUB administrator.
Only an administrator with administration privileges for this entire
VPN Server is able to add, edit and delete the Virtual HUB
administration options. The Virtual HUB administrators are unable
to make changes to the administration options, however they are
able to view them.
There is an exception however. If
allow_hub_admin_change_option is set to "1", even Virtual HUB
administrators are able to edit the administration options.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format AdminOptionList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.102 AdminOptionSet - Set Values of Virtual HUB Administration Options

Command Name AdminOptionSet
Outline of Command Set Values of Virtual HUB Administration Options
Explanation Use this to change the values of Virtual HUB administration options
that are set on the currently managed Virtual HUB.
The purpose of the Virtual HUB administration options is for the
VPN Server Administrator to set limits for the setting ranges when
the administration of the Virtual HUB is to be trusted to each
Virtual HUB administrator.
Only an administrator with administration privileges for this entire
VPN Server is able to add, edit and delete the Virtual HUB
administration options. The Virtual HUB administrators are unable
to make changes to the administration options, however they are
able to view them.
There is an exception however. If
allow_hub_admin_change_option is set to "1", even Virtual HUB
administrators are able to edit the administration options.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format AdminOptionSet [name] [/VALUE:value]
List of parameter argument that can be specified by vpncmd command.

name Specify the name of the administration option whose value you
want to change. You can get a list of names by using the
AdminOptionList command.
/VALUE Specify an integer for the setting value.

6.4.103 CrlList - Get List of Certificates Revocation List

Command Name CrlList
Outline of Command Get List of Certificates Revocation List
Explanation Use this to get a Certificates Revocation List that is set on the
currently managed Virtual HUB.
By registering certificates in the Certificates Revocation List, the
clients who provide these certificates will be unable to connect to
this Virtual HUB using certificate authentication mode.
Normally with this function, in cases where the security of a
private key has been compromised or where a person holding a
certificate has been stripped of their privileges, by registering that
certificate as invalid on the Virtual HUB, it is possible to deny user
authentication when that certificate is used by a client to connect
to the Virtual HUB.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format CrlList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.104 CrlAdd - Add a Revoked Certificate

Command Name CrlAdd
Outline of Command Add a Revoked Certificate
Explanation Use this to add a new revoked certificate definition in the
Certificate Revocation List that is set on the currently managed
Virtual HUB.
Specify the contents to be registered in the Certificate Revocation
List by using the parameters of this command. When a user
connects to a Virtual HUB in certificate authentication mode and
that certificate matches 1 or more of the contents registered in the
certificates revocation list, the user is denied connection.
A certificate that matches all the conditions that are defined by the
parameters specified by this command will be judged as invalid.
The items that can be set are as follows: [Name (CN)],
[Organization (O)], [Organization Unit (OU)], [Country (C)], [State
(ST)], [Locale (L)], [Serial Number (hexadecimal)], [MD5 Digest
Value (hexadecimal, 128 bit)], and [SHA-1 Digest Value
(hexadecimal, 160 bit)]. A digest value (hash value) identifies one
specific certificate, so it is specified optionally depending on the
circumstances. Normally when an MD5 or SHA-1 digest value is
input, it is not necessary to input the other items.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format CrlAdd [/SERIAL:serial] [/MD5:md5] [/SHA1:sha1] [/CN:cn] [/O:o] [/OU:ou] [/C:c] [/ST:st] [/L:l]
List of parameter argument that can be specified by vpncmd command.

/SERIAL Use this parameter to specify the value for the certificate serial
number (hexadecimal) when it is set as a condition.
/MD5 Use this parameter to specify the value for the certificate MD5
digest value (hexadecimal, 128 bits) when it is set as a condition.
If this parameter specification is other than a hexadecimal value of
32 characters (16 bytes), it will be ignored.
/SHA1 Use this parameter to specify the value for the certificate SHA-1
digest value (hexadecimal, 160 bits) when it is set as a condition.
If this parameter specification is other than a hexadecimal value of
40 characters (20 bytes), it will be ignored.
/CN Use this parameter to specify the name (CN) of the certificate
when it is set as a condition.
/O Use this parameter to specify the organization (O) of the certificate
when it is set as a condition.
/OU Use this parameter to specify the organization unit (OU) of the
certificate when it is set as a condition.
/C Use this parameter to specify the country (C) of the certificate
when it is set as a condition.
/ST Use this parameter to specify the state (ST) of the certificate when
it is set as a condition.
/L Use this parameter to specify the locale (L) of the certificate when
it is set as a condition.
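The matching rule described above for CrlAdd (every condition set in an entry must hold, malformed digest parameters are ignored, and one matching entry denies the connection), as an added example written for this page; it is not PacketiX or vpncmd code. The Certificate record, the sample certificates and their DER stand-in bytes are constructed, and the handling of ':' separators in serial numbers and of an entry with no conditions are assumptions of the example.

```python
"""Added example, not PacketiX/vpncmd code: a model of the CrlAdd matching
rule. An entry may set serial, MD5 digest, SHA-1 digest, CN, O, OU, C, ST
and L; a certificate presented in certificate authentication mode is judged
invalid when it matches ALL conditions the entry sets, and the connection is
denied when one or more CRL entries match. Digest parameters that are not
32 (MD5) or 40 (SHA-1) hexadecimal characters are dropped, as the /MD5 and
/SHA1 descriptions state. Certificates are constructed records carrying a
stand-in for their DER bytes; no X.509 parsing is done.
"""
import hashlib
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

HEX_DIGITS = set(string.hexdigits)


@dataclass(frozen=True)
class Certificate:
    cn: str
    o: str
    ou: str
    c: str
    st: str
    l: str
    serial_hex: str
    der: bytes  # constructed stand-in for the DER-encoded certificate

    def md5_hex(self) -> str:
        return hashlib.md5(self.der).hexdigest()

    def sha1_hex(self) -> str:
        return hashlib.sha1(self.der).hexdigest()


def _norm_hex(value: str) -> str:
    """Drop ':' and '-' separators and lower-case (assumption of this example)."""
    return value.replace(":", "").replace("-", "").lower()


def _digest_ok(value: Optional[str], length: int) -> bool:
    return (value is not None and len(value) == length
            and set(value) <= HEX_DIGITS)


def crl_add(serial: Optional[str] = None, md5: Optional[str] = None,
            sha1: Optional[str] = None, cn: Optional[str] = None,
            o: Optional[str] = None, ou: Optional[str] = None,
            c: Optional[str] = None, st: Optional[str] = None,
            l: Optional[str] = None) -> Dict[str, str]:
    """Build one CRL entry from CrlAdd-style parameters.

    Only parameters actually given become conditions. An MD5 value that is
    not 32 hex characters, or a SHA-1 value that is not 40, is ignored
    rather than rejected, as the manual states.
    """
    entry: Dict[str, str] = {}
    if serial:
        entry["serial"] = _norm_hex(serial)
    if _digest_ok(md5, 32):
        entry["md5"] = md5.lower()
    if _digest_ok(sha1, 40):
        entry["sha1"] = sha1.lower()
    for key, value in (("cn", cn), ("o", o), ("ou", ou),
                       ("c", c), ("st", st), ("l", l)):
        if value:
            entry[key] = value
    return entry


def entry_matches(entry: Dict[str, str], cert: Certificate) -> bool:
    """True when the certificate satisfies every condition in the entry.

    An entry left with no conditions matches nothing (assumption for this
    example; the manual does not describe such an entry).
    """
    if not entry:
        return False
    actual = {
        "serial": _norm_hex(cert.serial_hex),
        "md5": cert.md5_hex(),
        "sha1": cert.sha1_hex(),
        "cn": cert.cn, "o": cert.o, "ou": cert.ou,
        "c": cert.c, "st": cert.st, "l": cert.l,
    }
    return all(actual[key] == wanted for key, wanted in entry.items())


def is_revoked(crl: List[Dict[str, str]], cert: Certificate) -> bool:
    """Deny the connection when one or more CRL entries match."""
    return any(entry_matches(entry, cert) for entry in crl)


def sample_certificates() -> Dict[str, Certificate]:
    """Constructed sample certificates (not real X.509 data)."""
    return {
        "user1": Certificate("vpnuser1", "Example Corp", "IT", "JP", "Tokyo",
                             "Chiyoda", "1A:2B:3C", b"constructed-der-user1"),
        "user2": Certificate("vpnuser2", "Example Corp", "Sales", "JP", "Tokyo",
                             "Chiyoda", "1A:2B:3D", b"constructed-der-user2"),
    }


if __name__ == "__main__":
    certs = sample_certificates()
    crl = [
        crl_add(sha1=certs["user1"].sha1_hex()),   # revoke one certificate by digest
        crl_add(cn="vpnuser2", o="Example Corp"),  # revoke by subject fields (AND)
    ]
    for name, cert in certs.items():
        print(name, "revoked" if is_revoked(crl, cert) else "ok")
```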

6.4.105 CrlDel - Delete a Revoked Certificate

Command Name CrlDel
Outline of Command Delete a Revoked Certificate
Explanation Use this to specify and delete a revoked certificate definition from
the certificate revocation list that is set on the currently managed
Virtual HUB.
To get the list of currently registered revoked certificate
definitions, use the CrlList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format CrlDel [id]
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the revoked certificate definition you want to
delete.

6.4.106 CrlGet - Get a Revoked Certificate

Command Name CrlGet
Outline of Command Get a Revoked Certificate
Explanation Use this to specify and get the contents of a revoked certificate
definition from the Certificates Revocation List that is set on the
currently managed Virtual HUB.
To get the list of currently registered revoked certificate
definitions, use the CrlList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format CrlGet [id]
List of parameter argument that can be specified by vpncmd command.

id Specify the ID of the revoked certificate definition you want to get.

6.4.107 AcList - Get List of Rule Items of IP Access Control List

Command Name AcList
Outline of Command Get List of Rule Items of IP Access Control List
Explanation Use this to get a list of IP access control list rules that is set on the
currently managed Virtual HUB.
You can allow or deny VPN connections to this Virtual HUB
according to the client computer's source IP address. You can
define multiple rules and set a priority for each rule. The search
proceeds from the rule with the highest priority, and based on the
action of the first rule that the IP address matches, the
connection from the client is either allowed or denied.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline format AcList
List of parameter argument that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.4.108 AcAdd - Add Rule to IP Access Control List

Command Name AcAdd
Outline of Command Add Rule to IP Access Control List
Explanation Use this to add a new rule to the IP access control list that is set
on the currently managed Virtual HUB.
The items set here will be used to decide whether to allow or deny
connection from a VPN Client when this client attempts connection
to the Virtual HUB.
You can specify a single client IP address, or an IP address and
subnet mask, as the contents of the rule item. By specifying an
IP address only, just that one computer will match the rule, but
by specifying an IP address and subnet mask, all the computers in
the range of that subnet will match the rule.
You can specify the priority for the rule. You can specify an integer
of 1 or greater for the priority and the smaller the number, the
higher the priority.
To get a list of the currently registered IP access control list, use
the AcList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers
operating as a cluster.
Commandline AcAdd [allow|deny] [/PRIORITY:priority] [/IP:ip/mask]
format
List of parameter argument that can be specified by vpncmd command.

allow|deny Set whether to "allow" or "deny" the connection from a client that
matches the rule.
/PRIORITY Specify an integer of 1 or higher to indicate the priority of the rule.
The smaller the value the higher the priority.
/IP Using the format: [IP address/subnet mask], specify the range of
client IP addresses. Specify the IP address by separating the
decimal values using dots such as 192.168.0.1 For the subnet
mask, either specify decimal values separated by dots such as
255.255.255.0, or you can specify the bit length from the header
using a decimal value such as 24. When the subnet mask address
is not specified, it will be treated as a single host.

file://C:¥html¥all.htm 2007/11/20
PacketiX VPN 2.0 Online Manual 468/685 ページ
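The following is an added example, not PacketiX or vpncmd code, that models the AcAdd / AcList / AcDel semantics described above: allow or deny actions, an integer priority where a smaller number wins, and an IP specification whose mask may be dotted, a bit length, or absent (single host). The AcTable class, the sequential rule IDs and the default action applied to a client that matches no rule are assumptions made for the illustration; the sample addresses are constructed.

```python
"""IP access control list evaluation, as an added illustration of the
allow/deny, priority and ip/mask semantics described for AcAdd, AcList
and AcDel. This is not PacketiX/vpncmd code; rule IDs, the AcTable class
and the default action for an unmatched client are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AcRule:
    rule_id: int                      # assumed: sequential ID as listed by AcList, used by AcDel
    action: str                       # "allow" or "deny"
    priority: int                     # integer >= 1; the smaller the value, the higher the priority
    network: ipaddress.IPv4Network    # a single host when no mask was given


def parse_ip_spec(spec: str) -> ipaddress.IPv4Network:
    """Parse the /IP:ip/mask argument. The mask may be dotted (255.255.255.0),
    a bit length (24), or absent, in which case the address is a single host."""
    text = spec if "/" in spec else spec + "/32"
    # strict=False tolerates host bits in the address: 192.168.0.1/24 means 192.168.0.0/24
    return ipaddress.IPv4Network(text, strict=False)


class AcTable:
    """In-memory stand-in for a Virtual HUB's IP access control list."""

    def __init__(self, default_action: str = "allow") -> None:
        # Assumption: a client matched by no rule receives default_action.
        self._rules: Dict[int, AcRule] = {}
        self._next_id = 1
        self.default_action = default_action

    def add(self, action: str, priority: int, ip_spec: str) -> AcRule:  # AcAdd
        if action not in ("allow", "deny"):
            raise ValueError('action must be "allow" or "deny"')
        if priority < 1:
            raise ValueError("priority must be an integer of 1 or greater")
        rule = AcRule(self._next_id, action, priority, parse_ip_spec(ip_spec))
        self._rules[rule.rule_id] = rule
        self._next_id += 1
        return rule

    def delete(self, rule_id: int) -> None:  # AcDel
        del self._rules[rule_id]

    def list_rules(self) -> List[AcRule]:  # AcList, in evaluation order
        # Highest priority (smallest number) first; equal priorities keep insertion order
        return sorted(self._rules.values(), key=lambda r: r.priority)

    def evaluate(self, client_ip: str) -> str:
        """Return "allow" or "deny" for a connecting client's source address:
        the action of the first matching rule in priority order, else the default."""
        addr = ipaddress.IPv4Address(client_ip)
        for rule in self.list_rules():
            if addr in rule.network:
                return rule.action
        return self.default_action


def build_sample_table() -> AcTable:
    """Constructed sample: deny a whole private range except one subnet,
    and block one specific host. Addresses are made up for illustration."""
    table = AcTable()
    table.add("deny", 200, "10.0.0.0/8")               # broad deny, low priority
    table.add("allow", 100, "10.1.2.0/255.255.255.0")  # dotted mask, higher priority
    table.add("deny", 50, "192.168.0.5")               # no mask: single host
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for ip in ("10.1.2.7", "10.9.9.9", "192.168.0.5", "192.168.0.6"):
        print(ip, "->", t.evaluate(ip))
```

The evaluation order makes the security-relevant point explicit: a broad deny at a low priority number never shadows a narrower allow at a higher priority, and removing the allow rule (AcDel) silently widens the deny, so review the AcList output after every change.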

6.4.109 AcDel - Delete Rule from IP Access Control List

Command Name: AcDel
Outline of Command: Delete Rule from IP Access Control List
Explanation: Use this to delete a rule from the IP access control list that is set on the currently managed Virtual HUB.
To get a list of the currently registered IP access control list, use the AcList command.
This command cannot be run on VPN Bridge.
You cannot execute this command for Virtual HUBs of VPN Servers operating as a cluster.
Commandline format: AcDel [id]
List of parameter arguments that can be specified for the vpncmd command:

id Specify the ID of the rule in the IP access control list that you want to delete.


6.5 VPN Client Management Command Reference

This section describes all commands that can be called when using vpncmd in VPN Client
management mode.

6.5.1 About - Display the version information

Command Name: About
Outline of Command: Display the version information
Explanation: This displays the version information of this command line management utility. Included in the version information are the vpncmd version number, build number and build information.
Commandline format: About
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.2 VersionGet - Get Version Information of VPN Client Service

Command Name: VersionGet
Outline of Command: Get Version Information of VPN Client Service
Explanation: Use this to get the version information of the currently managed VPN Client Service program.
Commandline format: VersionGet
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.3 PasswordSet - Set the Password to Connect to the VPN Client Service

Command Name: PasswordSet
Outline of Command: Set the Password to Connect to the VPN Client Service
Explanation: You can make it mandatory to input a password when the Command Line Management Utility or the VPN Client Manager connects to a VPN Client service to control it. Use this command to set the password that must be input.
You can also limit the password requirement to remote operations (from a computer that is not localhost).
Commandline format: PasswordSet [password] [/REMOTEONLY:yes|no]
List of parameter arguments that can be specified for the vpncmd command:

password Specify the password you wish to set. You can delete the password setting by specifying "none".
/REMOTEONLY Specify "yes" to require the password only when operation is done remotely (from a computer that is not localhost). This stops the password being required when the connection is from localhost. When this parameter is omitted, it is regarded as "no".

6.5.4 PasswordGet - Get Password Setting to Connect to VPN Client Service

Command Name: PasswordGet
Outline of Command: Get Password Setting to Connect to VPN Client Service
Explanation: Use this to get the setting that determines whether a password must be input when the Command Line Management Utility or the VPN Client Manager connects to a VPN Client service to control it.
When a password is required, this also gets the setting that determines whether the password is requested only when operation is performed remotely (from a computer that is not localhost).
Commandline format: PasswordGet
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.5 CertList - Get List of Trusted CA Certificates

Command Name: CertList
Outline of Command: Get List of Trusted CA Certificates
Explanation: Use this to get the list of certificate authority certificates that are trusted by the VPN Client. You can use the registered CA certificate list to verify server certificates when connecting to VPN Servers.
Commandline format: CertList
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.6 CertAdd - Add Trusted CA Certificate

Command Name: CertAdd
Outline of Command: Add Trusted CA Certificate
Explanation: Use this to add a new certificate to the list of CA certificates trusted by the VPN Client. You can use the registered CA certificate list to verify server certificates when connecting to VPN Servers.
To get a list of the current certificates, use the CertList command.
The certificate you add must be saved in the X.509 file format.
Commandline format: CertAdd [path]
List of parameter arguments that can be specified for the vpncmd command:

path Specify the file name of the X.509 certificate to register.

6.5.7 CertDelete - Delete Trusted CA Certificate

Command Name: CertDelete
Outline of Command: Delete Trusted CA Certificate
Explanation: Use this to delete an existing certificate from the list of CA certificates trusted by the VPN Client.
To get a list of the current certificates, use the CertList command.
Commandline format: CertDelete [id]
List of parameter arguments that can be specified for the vpncmd command:

id Specify the ID of the certificate to delete.

6.5.8 CertGet - Get Trusted CA Certificate

Command Name: CertGet
Outline of Command: Get Trusted CA Certificate
Explanation: Use this to get an existing certificate from the list of CA certificates trusted by the VPN Client and save it as a file in X.509 format.
Commandline format: CertGet [id] [/SAVECERT:path]
List of parameter arguments that can be specified for the vpncmd command:

id Specify the ID of the certificate to get.
/SAVECERT Specify the file name under which to save the certificate you obtained.

6.5.9 SecureList - Get List of Usable Smart Card Types

Command Name: SecureList
Outline of Command: Get List of Usable Smart Card Types
Explanation: Use this to display a list of smart cards that are supported by the VPN Client.
The types of smart cards in this list have had their drivers installed on the current computer and are supported by the VPN software.
If a type of smart card that is currently being used does not appear in the list, it may be possible to enable its use by updating the VPN software to a newer version.
Commandline format: SecureList
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.10 SecureSelect - Select the Smart Card Type to Use

Command Name: SecureSelect
Outline of Command: Select the Smart Card Type to Use
Explanation: Use this to select the type of smart card to be used by the VPN Client.
To get the list of usable smart card types, use the SecureList command.
Commandline format: SecureSelect [id]
List of parameter arguments that can be specified for the vpncmd command:

id Specify the ID of the smart card type.

6.5.11 SecureGet - Get ID of Smart Card Type to Use

Command Name: SecureGet
Outline of Command: Get ID of Smart Card Type to Use
Explanation: Use this to get the ID of the smart card type that is set to be used by the current VPN Client. By looking up this ID in the results of the SecureList command, you can get the type of the currently selected smart card.
If no smart card is currently selected, 0 is displayed for the ID.
Commandline format: SecureGet
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.12 NicCreate - Create New Virtual Network Adapter

Command Name: NicCreate
Outline of Command: Create New Virtual Network Adapter
Explanation: Use this to add a new Virtual Network Adapter to the system. You can give the virtual network adapter a name of your choice.
The name must consist of alphanumeric characters. For Windows 2000 or newer systems, this name can be up to 31 characters, but for Windows 98, 98SE and ME it can be up to 4 characters.
When the NicCreate command is called, a new virtual network adapter device driver is installed on the operating system that the VPN Client is operating on.
In this case, depending on the operating system, a dialog box may appear to confirm whether it is OK to install the device driver.
Commandline format: NicCreate [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.

6.5.13 NicDelete - Delete Virtual Network Adapter

Command Name: NicDelete
Outline of Command: Delete Virtual Network Adapter
Explanation: Use this to delete an existing virtual network adapter from the system.
When you delete a virtual network adapter from the system, all the connections that are using that virtual network adapter will be disconnected.
Also, the Connection Settings that are set to use a virtual network adapter that has been deleted will have their settings automatically changed to use another virtual network adapter.
This command can be used when the VPN Client is operating on Windows 2000 or newer operating systems.
Commandline format: NicDelete [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.

6.5.14 NicUpgrade - Upgrade Virtual Network Adapter Device Driver

Command Name: NicUpgrade
Outline of Command: Upgrade Virtual Network Adapter Device Driver
Explanation: If the device driver version of the existing virtual network adapter is old, this upgrades it to the latest device driver bundled with the currently operating VPN Client. Even if an upgrade is not performed, the device driver will be reinstalled.
In this case, depending on the operating system, a dialog box may appear to confirm whether it is OK to install the device driver.
This command can be used when the VPN Client is operating on Windows 2000 or newer operating systems.
Commandline format: NicUpgrade [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.

6.5.15 NicGetSetting - Get Virtual Network Adapter Setting

Command Name: NicGetSetting
Outline of Command: Get Virtual Network Adapter Setting
Explanation: Use this to get the MAC address setting of the existing virtual network adapter.
This command can be used when the VPN Client is operating on Windows 2000 or newer operating systems.
Commandline format: NicGetSetting [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.

6.5.16 NicSetSetting - Change Virtual Network Adapter Setting

Command Name: NicSetSetting
Outline of Command: Change Virtual Network Adapter Setting
Explanation: Use this to change the MAC address setting of the existing virtual network adapter. When this command is executed, the currently operating virtual network adapter device driver will be restarted.
This command can be used when the VPN Client is operating on Windows 2000 or newer operating systems.
Commandline format: NicSetSetting [name] [/MAC:mac]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.
/MAC Specify the MAC address you wish to set. Specify a 6-byte hexadecimal string for the MAC address. Example: 00:AC:01:23:45:67 or 00-AC-01-23-45-67
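The following is an added example, not PacketiX or vpncmd code, showing how a front end could validate a /MAC value in either of the two forms the parameter accepts (colon- or dash-separated, six two-digit hex octets) before handing it to the driver. The MacAddress class, the rejection of mixed separators, and the check on the I/G (multicast) and U/L (locally administered) bits of the first octet are assumptions about sensible validation, not behaviour the manual attributes to NicSetSetting; the sample values are constructed.

```python
"""MAC address parsing for the NicSetSetting /MAC parameter: a 6-byte
hexadecimal string written as 00:AC:01:23:45:67 or 00-AC-01-23-45-67.
Added illustration, not PacketiX/vpncmd code; the MacAddress class and
its bit checks are assumptions about how a careful front end would
validate the value before passing it to the adapter driver."""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class MacAddress:
    octets: bytes  # exactly 6 bytes

    @classmethod
    def parse(cls, text: str) -> "MacAddress":
        value = text.strip()
        # Accept either separator; a mixture of the two yields the wrong part count
        sep = ":" if ":" in value else "-"
        parts = value.split(sep)
        if len(parts) != 6:
            raise ValueError(f"expected 6 octets separated by ':' or '-': {text!r}")
        for part in parts:
            if len(part) != 2 or any(c not in string.hexdigits for c in part):
                raise ValueError(f"octet {part!r} is not two hex digits: {text!r}")
        return cls(bytes(int(p, 16) for p in parts))

    @property
    def canonical(self) -> str:
        """Colon-separated upper-case form, e.g. 00:AC:01:23:45:67."""
        return ":".join(f"{b:02X}" for b in self.octets)

    @property
    def is_multicast(self) -> bool:
        """I/G bit (least significant bit of the first octet) set: a group
        address, which is never valid as an adapter's own unicast address."""
        return bool(self.octets[0] & 0x01)

    @property
    def is_locally_administered(self) -> bool:
        """U/L bit (second least significant bit of the first octet) set:
        the address was assigned locally rather than from a vendor OUI."""
        return bool(self.octets[0] & 0x02)


def check_mac_argument(text: str) -> str:
    """Validate a /MAC value and return its canonical form, rejecting
    malformed strings and multicast (group) addresses."""
    mac = MacAddress.parse(text)
    if mac.is_multicast:
        raise ValueError(f"{mac.canonical} is a multicast address, not usable for an adapter")
    return mac.canonical


if __name__ == "__main__":
    for candidate in ("00:AC:01:23:45:67", "00-AC-01-23-45-67", "02:00:00:00:00:01"):
        print(candidate, "->", check_mac_argument(candidate))
```

Normalising to one canonical form before comparing or logging avoids the situation where the same adapter address appears twice in an inventory under two spellings.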

6.5.17 NicEnable - Enable Virtual Network Adapter

Command Name: NicEnable
Outline of Command: Enable Virtual Network Adapter
Explanation: Use this to enable an existing, disabled virtual network adapter.
This command can be used when the VPN Client is operating on Windows 2000 or newer operating systems.
Commandline format: NicEnable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.

6.5.18 NicDisable - Disable Virtual Network Adapter

Command Name: NicDisable
Outline of Command: Disable Virtual Network Adapter
Explanation: Use this to disable an existing, enabled virtual network adapter.
This command can be used when the VPN Client is operating on Windows 2000 or newer operating systems.
Commandline format: NicDisable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the virtual network adapter.

6.5.19 NicList - Get List of Virtual Network Adapters

Command Name: NicList
Outline of Command: Get List of Virtual Network Adapters
Explanation: Use this to get a list of the virtual network adapters registered on the current system.
Commandline format: NicList
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.20 AccountList - Get List of VPN Connection Settings

Command Name: AccountList
Outline of Command: Get List of VPN Connection Settings
Explanation: Use this to get a list of the VPN Connection Settings registered on the VPN Client.
Commandline format: AccountList
List of parameter arguments that can be specified for the vpncmd command:

There is no parameter argument that should be specified in this command.

6.5.21 AccountCreate - Create New VPN Connection Setting

Command Name: AccountCreate
Outline of Command: Create New VPN Connection Setting
Explanation: Use this to create a new VPN Connection Setting on the VPN Client.
To create a VPN Connection Setting, as initial parameters you must specify the VPN Connection Setting name, the destination server, the destination Virtual HUB, the user name, and the name of the virtual network adapter to use.
When a new VPN Connection Setting is created, the type of user authentication is initially set to [anonymous authentication], and the proxy server setting and the server certificate verification options are not set. To change these settings and other advanced settings after the VPN Connection Setting has been created, use the other commands that begin with the name "Account".
Commandline format: AccountCreate [name] [/SERVER:hostname:port] [/HUB:hubname] [/USERNAME:username] [/NICNAME:nicname]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting to create.
/SERVER Specify the host name and port number of the destination VPN Server using the format [host name:port number]. You can also specify an IP address instead of the host name.
/HUB Specify the Virtual HUB on the destination VPN Server.
/USERNAME Specify the user name to use for user authentication when connecting to the destination VPN Server.
/NICNAME Specify the virtual network adapter to use to connect.

6.5.22 AccountSet - Set the VPN Connection Setting Connection Destination

Command Name: AccountSet
Outline of Command: Set the VPN Connection Setting Connection Destination
Explanation: Use this to set, for a VPN Connection Setting registered on the VPN Client, the destination VPN Server host name and port number, the Virtual HUB name, the user name used for the connection and the virtual network adapter name to use.
Commandline format: AccountSet [name] [/SERVER:hostname:port] [/HUB:hubname]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.
/SERVER Specify the host name and port number of the destination VPN Server using the format [host name:port number]. You can also specify an IP address instead of the host name.
/HUB Specify the Virtual HUB on the destination VPN Server.

6.5.23 AccountGet - Get Setting of VPN Connection Setting

Command Name: AccountGet
Outline of Command: Get Setting of VPN Connection Setting
Explanation: Use this to get the contents of a VPN Connection Setting registered on the VPN Client.
To change the contents of the VPN Connection Setting after it has been created, use the other commands that begin with the name "Account".
Commandline format: AccountGet [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to get.

6.5.24 AccountDelete - Delete VPN Connection Setting

Command Name: AccountDelete
Outline of Command: Delete VPN Connection Setting
Explanation: Use this to delete a VPN Connection Setting that is registered on the VPN Client. If the specified VPN Connection Setting has a status of online, its connection will be automatically disconnected and then the VPN Connection Setting will be deleted.
Commandline format: AccountDelete [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting to delete.

6.5.25 AccountUsernameSet - Set User Name of User to Use Connection of VPN Connection Setting

Command Name: AccountUsernameSet
Outline of Command: Set User Name of User to Use Connection of VPN Connection Setting
Explanation: Use this to specify the user name required for user authentication when a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to the VPN Server.
In some cases it is necessary to specify the type of user authentication and its required parameters. To change this information, use commands such as AccountAnonymousSet, AccountPasswordSet, AccountCertSet and AccountSecureCertSet.
Commandline format: AccountUsernameSet [name] [/USERNAME:username]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.
/USERNAME Specify the user name required for user authentication when the VPN Connection Setting connects to the VPN Server.

6.5.26 AccountAnonymousSet - Set User Authentication Type of VPN Connection Setting to Anonymous Authentication

Command Name: AccountAnonymousSet
Outline of Command: Set User Authentication Type of VPN Connection Setting to Anonymous Authentication
Explanation: Use this to set the user authentication type to [Anonymous Authentication] for when a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to the VPN Server.
Commandline format: AccountAnonymousSet [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.27 AccountPasswordSet - Set User Authentication Type of VPN Connection Setting to Password Authentication

Command Name: AccountPasswordSet
Outline of Command: Set User Authentication Type of VPN Connection Setting to Password Authentication
Explanation: Use this to set the user authentication type to [Password Authentication] for when a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to the VPN Server. Specify either [Standard Password Authentication] or [RADIUS or NT Domain Authentication] as the password authentication type.
Commandline format: AccountPasswordSet [name] [/PASSWORD:password] [/TYPE:standard|radius]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.
/PASSWORD Specify the password to use for password authentication. If this is not specified, a prompt will appear to input the password.
/TYPE Specify either "standard" (Standard Password Authentication) or "radius" (RADIUS or NT Domain Authentication) as the password authentication type.

6.5.28 AccountCertSet - Set User Authentication Type of VPN Connection Setting to Client Certificate Authentication

Command Name: AccountCertSet
Outline of Command: Set User Authentication Type of VPN Connection Setting to Client Certificate Authentication
Explanation: Use this to set the user authentication type to [Client Certificate Authentication] for when a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to the VPN Server. For this certificate, you must specify a certificate file in the X.509 format and a private key file that is Base 64 encoded.
Commandline format: AccountCertSet [name] [/LOADCERT:cert] [/LOADKEY:key]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.
/LOADCERT Specify the X.509 format certificate file to provide for certificate authentication.
/LOADKEY Specify the Base-64-encoded private key file name for the certificate.

6.5.29 AccountCertGet - Get Client Certificate to Use for Cascade Connection

Command Name: AccountCertGet
Outline of Command: Get Client Certificate to Use for Cascade Connection
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting uses client certificate authentication, use this to get the certificate that is provided as the client certificate and save it as a certificate file in X.509 format.
Commandline format: AccountCertGet [name] [/SAVECERT:cert]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to get.
/SAVECERT Specify the file name under which to save the certificate you obtained in X.509 format.

6.5.30 AccountEncryptDisable - Disable Encryption when Communicating by VPN Connection Setting

Command Name: AccountEncryptDisable
Outline of Command: Disable Encryption when Communicating by VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting is used for communication between VPN Servers via a VPN connection, use this to set the communication contents between the VPN Servers not to be encrypted.
Normally communication between VPN Servers is encrypted by SSL to prevent eavesdropping of information and fraud. You can also disable encryption. When encryption is disabled, the communication throughput improves, but the communication data flows over the network in plain text.
Commandline format: AccountEncryptDisable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.31 AccountEncryptEnable - Enable Encryption when Communicating by VPN Connection Setting

Command Name: AccountEncryptEnable
Outline of Command: Enable Encryption when Communicating by VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting is used for communication between VPN Servers via a VPN connection, use this to set the communication contents between the VPN Servers to be encrypted by SSL.
Normally communication between VPN Servers is encrypted by SSL to prevent eavesdropping of information and fraud. You can also disable encryption. When encryption is disabled, the communication throughput improves, but the communication data flows over the network in plain text.
Commandline format: AccountEncryptEnable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.32 AccountCompressEnable - Enable Data Compression when Communicating by VPN Connection Setting

Command Name: AccountCompressEnable
Outline of Command: Enable Data Compression when Communicating by VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting is used for communication between VPN Servers via a VPN connection, use this to set the communication contents between the VPN Servers to be compressed.
It is possible to achieve a maximum of 80% compression. Compression, however, places higher loads on the CPU of both the client and server machines. When the line speed is about 10 Mbps or greater, compression can lower throughput, but sometimes it can have the opposite effect.
Commandline format: AccountCompressEnable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.33 AccountCompressDisable - Disable Data Compression when Communicating by VPN Connection Setting

Command Name: AccountCompressDisable
Outline of Command: Disable Data Compression when Communicating by VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting is used for communication between VPN Servers via a VPN connection, use this to set the communication contents between the VPN Servers not to be compressed.
Commandline format: AccountCompressDisable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.34 AccountProxyNone - Specify Direct TCP/IP Connection as the Connection Method of VPN Connection Setting

Command Name: AccountProxyNone
Outline of Command: Specify Direct TCP/IP Connection as the Connection Method of VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to set [Direct TCP/IP Connection] as the connection method to use, in which case the connection route will not go via a proxy server.
Commandline format: AccountProxyNone [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.35 AccountProxyHttp - Set Connection Method of VPN Connection Setting to be via an HTTP Proxy Server

Command Name: AccountProxyHttp
Outline of Command: Set Connection Method of VPN Connection Setting to be via an HTTP Proxy Server
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to set [Connect via HTTP Proxy Server] as the method of connection to use. This requires specifying the host name and port number of the HTTP proxy server to communicate via, as well as a user name and password (when required).
The HTTP proxy server that communication will travel via must support the CONNECT method for HTTPS communication.
Commandline format: AccountProxyHttp [name] [/SERVER:hostname:port] [/USERNAME:username] [/PASSWORD:password]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.
/SERVER Specify the host name or IP address, and the port number, of the on-route HTTP proxy server using the format [host name:port number].
/PASSWORD When user authentication is required to connect to the on-route HTTP proxy server, specify the password. Specify this together with the /USERNAME parameter.

6.5.36 AccountProxySocks - Set Connection Method of VPN Connection Setting to be via a SOCKS Proxy Server

Command Name: AccountProxySocks
Outline of Command: Set Connection Method of VPN Connection Setting to be via a SOCKS Proxy Server
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to set [Connect via SOCKS Proxy Server] as the method of connection to use. This requires specifying the host name and port number of the SOCKS proxy server to communicate via, as well as a user name and password (when required).
The on-route SOCKS server must support SOCKS Version 4.
Commandline format: AccountProxySocks [name] [/SERVER:hostname:port] [/USERNAME:username] [/PASSWORD:password]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.
/SERVER Specify the host name or IP address, and the port number, of the on-route SOCKS proxy server using the format [host name:port number].
/PASSWORD When user authentication is required to connect to the on-route SOCKS proxy server, specify the password. Specify this together with the /USERNAME parameter.

6.5.37 AccountServerCertEnable - Enable VPN Connection Setting Server Certificate Verification Option

Command Name: AccountServerCertEnable
Outline of Command: Enable VPN Connection Setting Server Certificate Verification Option
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to enable the option to check whether the SSL certificate provided by the destination VPN Server can be trusted.
If this option is enabled, we recommend that you either use the AccountServerCertSet command to save the connection destination server's SSL certificate in the VPN Connection Setting beforehand, or use the CertAdd command etc. to register the root certificate that signed the server SSL certificate in the list of Virtual HUB trusted CA certificates. If it is not registered, a confirmation message is sometimes displayed on the initial connection.
If the certificate of the connected VPN Server cannot be trusted while the option to verify server certificates is enabled for the VPN Connection Setting, the connection will be promptly cancelled and reconnection attempts will continue to be made.
Commandline format: AccountServerCertEnable [name]
List of parameter arguments that can be specified for the vpncmd command:

name Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.38 AccountServerCertDisable - Disable VPN Connection Setting Server Certificate Verification Option

Command Name: AccountServerCertDisable
Outline of Command: Disable VPN Connection Setting Server Certificate Verification Option
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to disable the option to check whether the SSL certificate provided by the destination VPN Server can be trusted.
Commandline format: AccountServerCertDisable [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.39 AccountServerCertSet - Set Server Individual Certificate for VPN Connection Setting

Command Name: AccountServerCertSet
Outline of Command: Set Server Individual Certificate for VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to a VPN Server, use this to register the same certificate as the SSL certificate provided by the destination VPN Server.
If the option to verify server certificates for VPN Connection Settings is enabled, you must either use this command to save the connection destination server's SSL certificate in the VPN Connection Setting beforehand, or use the CAAdd command etc. to register the root certificate that signed the server SSL certificate in the list of Virtual HUB trusted CA certificates.
If the option to verify server certificates is enabled for the VPN Connection Setting and the certificate of the connected VPN Server cannot be trusted, the connection will be promptly cancelled and connection will be continually reattempted.
Commandline format: AccountServerCertSet [name] [/LOADCERT:cert]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.
/LOADCERT: Specify the X.509 format certificate file name under which the server individual certificate you wish to set is saved.

6.5.40 AccountServerCertDelete - Delete Server Individual Certificate for VPN Connection Setting

Command Name: AccountServerCertDelete
Outline of Command: Delete Server Individual Certificate for VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and a server individual certificate is registered for that VPN Connection Setting, use this to delete that certificate.
Commandline format: AccountServerCertDelete [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.41 AccountServerCertGet - Get Server Individual Certificate for VPN Connection Setting

Command Name: AccountServerCertGet
Outline of Command: Get Server Individual Certificate for VPN Connection Setting
Explanation: When a VPN Connection Setting is specified and a server individual certificate is registered for that VPN Connection Setting, use this to get that certificate and save it as an X.509 format certificate file.
Commandline format: AccountServerCertGet [name] [/SAVECERT:path]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose certificate you want to get.
/SAVECERT: Specify the certificate file name under which to save the server individual certificate in X.509 format.

6.5.42 AccountDetailSet - Set Advanced Settings for VPN Connection Setting

Command Name: AccountDetailSet
Outline of Command: Set Advanced Settings for VPN Connection Setting
Explanation: Use this to customize the VPN protocol communication settings used when a VPN Connection Setting registered on a VPN Client is specified and that VPN Connection Setting connects to the VPN Server.
Commandline format: AccountDetailSet [name] [/MAXTCP:max_connection] [/INTERVAL:additional_interval] [/TTL:disconnect_span] [/HALF:yes|no] [/BRIDGE:yes|no] [/MONITOR:yes|no] [/NOTRACK:yes|no] [/NOQOS:yes|no]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.
/MAXTCP: Specify, using an integer in the range 1 to 32, the number of TCP connections to be used for VPN communication. By using multiple TCP connections for data transmission in VPN communication sessions with VPN Servers, it is sometimes possible to increase communication speed. Note: We recommend about 8 connections when the line to the server is fast, and 1 connection when using a slow connection such as dialup.
/INTERVAL: When communicating by VPN by establishing multiple TCP connections, specify, in seconds, the interval at which each TCP connection is established. The standard value is 1 second.
/TTL: When specifying the connection life of each TCP connection, specify in seconds the keep-alive time from establishing a TCP connection until disconnection. If 0 is specified, keep-alive will not be set.
/HALF: Specify "yes" to enable half duplex mode. When using two or more TCP connections for VPN communication, it is possible to use [Half Duplex Mode]. Enabling half duplex mode automatically fixes the data transmission direction of each TCP connection, half one way and half the other. For example, when a VPN using 8 TCP connections is established with half duplex enabled, communication can be fixed so that 4 TCP connections are dedicated to the upload direction and the other 4 connections are dedicated to the download direction.
/BRIDGE: Specify "yes" when connecting to the VPN Server using [Bridge / Router Mode]. When using Bridge / Router Mode to connect, it is possible to provide bridging or routing to another network on the side of the Virtual Network Adapter of the VPN Client. However, if the security policy of the user being used for the connection denies the use of bridges or routing, then the connection will fail.
/MONITOR: Specify "yes" when connecting to the VPN Server using [Monitoring Mode]. When a connection is made using Monitoring Mode, you can receive all packets that flow through the Virtual HUB. However, if the security policy of the user being used for the connection does not allow Monitoring Mode, then the connection will fail.
/NOTRACK: Specify "yes" when rewrite processing of the routing table is not to be done. Normally "no" is specified.
/NOQOS: Specify "yes" to disable VoIP / QoS functions. Normally "no" is specified.
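
An added example, not vpncmd's own argument parser: it reads arguments written in the "[name] [/PARAM:value]" form used throughout this reference, then applies the AccountDetailSet rules stated above (MAXTCP in the range 1 to 32, yes|no switches, half duplex only with two or more connections) and computes the half-and-half direction split that the 8-connection example describes. The defaults used when /MAXTCP or /TTL is omitted, the handling of an odd connection count, and the absence of quoting support are assumptions of this illustration.

```python
# Added example (not vpncmd's own parser): parse and validate arguments in the
# "[name] [/PARAM:value]" form documented in this reference, then apply the
# AccountDetailSet rules (MAXTCP 1..32, yes|no switches, half duplex needs
# two or more connections). The half-duplex split mirrors 8 -> 4 up / 4 down.

def parse_vpncmd_args(argv):
    """Split argv into positional values and a dict of /PARAM:value options.

    Option names are compared case-insensitively; the value is everything
    after the first ':' so 'host:port' values survive. Quoting is not
    handled (an assumption of this toy parser).
    """
    positional, options = [], {}
    for token in argv:
        if token.startswith("/"):
            key, sep, value = token[1:].partition(":")
            if not key:
                raise ValueError("empty option name in %r" % token)
            options[key.upper()] = value if sep else ""
        else:
            positional.append(token)
    return positional, options


def _yes_no(options, key):
    """Map yes|no (default no, as the manual says is 'normally' set) to bool."""
    value = options.get(key, "no").lower()
    if value not in ("yes", "no"):
        raise ValueError("/%s must be yes or no, got %r" % (key, value))
    return value == "yes"


def validate_account_detail(argv):
    """Return the effective settings for an AccountDetailSet invocation."""
    positional, options = parse_vpncmd_args(argv)
    if len(positional) != 1:
        raise ValueError("exactly one VPN Connection Setting name is required")
    max_tcp = int(options.get("MAXTCP", "1"))     # default 1 is an assumption
    if not 1 <= max_tcp <= 32:
        raise ValueError("/MAXTCP must be in the range 1 to 32")
    interval = int(options.get("INTERVAL", "1"))  # manual: standard value 1 s
    ttl = int(options.get("TTL", "0"))            # 0 = no keep-alive (manual);
    half = _yes_no(options, "HALF")               # default 0 is an assumption
    if half and max_tcp < 2:
        raise ValueError("half duplex mode needs two or more TCP connections")
    settings = {
        "name": positional[0], "max_tcp": max_tcp, "interval": interval,
        "ttl": ttl, "half_duplex": half,
        "bridge": _yes_no(options, "BRIDGE"),
        "monitor": _yes_no(options, "MONITOR"),
        "notrack": _yes_no(options, "NOTRACK"),
        "noqos": _yes_no(options, "NOQOS"),
    }
    if half:
        # Fixed direction per connection: half upload, half download.
        # For an odd count the extra connection goes to download (assumption).
        settings["upload_connections"] = max_tcp // 2
        settings["download_connections"] = max_tcp - max_tcp // 2
    return settings
```

Validating before the command is issued matters most for /BRIDGE and /MONITOR: the manual notes that the connection fails when the user's security policy forbids those modes, so a management script should only set them for accounts whose policy allows them.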

6.5.43 AccountRename - Change VPN Connection Setting Name

Command Name: AccountRename
Outline of Command: Change VPN Connection Setting Name
Explanation: Use this to specify a VPN Connection Setting registered on the VPN Client and change its name.
Commandline format: AccountRename [name] [/NEW:new_name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the current name of the VPN Connection Setting whose name you want to change.
/NEW: Specify the new name after the change.

6.5.44 AccountConnect - Start Connection to VPN Server using VPN Connection Setting

Command Name: AccountConnect
Outline of Command: Start Connection to VPN Server using VPN Connection Setting
Explanation: Use this to specify a VPN Connection Setting registered on the VPN Client and start a connection to the VPN Server using that VPN Connection Setting. A VPN Connection Setting that has a connecting status or a connected status will continue to be connected to the VPN Server, or continue to attempt to connect to the VPN Server, until the AccountDisconnect command is used to disconnect the connection. (Note, however, that if the AccountRetrySet command is used to specify the number of retries, connection attempts will be aborted when the specified value is reached.)
Commandline format: AccountConnect [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose connection you want to start.

6.5.45 AccountDisconnect - Disconnect VPN Connection Setting During Connection

Command Name: AccountDisconnect
Outline of Command: Disconnect VPN Connection Setting During Connection
Explanation: Use this to specify a VPN Connection Setting that is registered on the VPN Client and that is either connecting or connected, and immediately disconnect it.
Commandline format: AccountDisconnect [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting to disconnect.

6.5.46 AccountStatusGet - Get Current VPN Connection Setting Status

Command Name: AccountStatusGet
Outline of Command: Get Current VPN Connection Setting Status
Explanation: When a VPN Connection Setting that is registered on the VPN Client is specified and that VPN Connection Setting is currently connected, use this to get its connection status and other information.
Commandline format: AccountStatusGet [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose information you want to get.

6.5.47 AccountNicSet - Set Virtual Network Adapter for VPN Connection Setting to Use

Command Name: AccountNicSet
Outline of Command: Set Virtual Network Adapter for VPN Connection Setting to Use
Explanation: Use this to change the Virtual Network Adapter name that an existing VPN Connection Setting registered on the VPN Client will use for the connection to a VPN Server.
Commandline format: AccountNicSet [name] [/NICNAME:nicname]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.
/NICNAME: Specify the Virtual Network Adapter name to use when connecting to the VPN Server.

6.5.48 AccountStatusShow - Set Connection Status and Error Screen to Display when Connecting to VPN Server

Command Name: AccountStatusShow
Outline of Command: Set Connection Status and Error Screen to Display when Connecting to VPN Server
Explanation: When a VPN Connection Setting is registered on the VPN Client and that VPN Connection Setting is being used to connect to the VPN Server, use this to set the connection status and error screen to be displayed on the computer display.
Commandline format: AccountStatusShow [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.49 AccountStatusHide - Set Connection Status and Error Screen to be Hidden when Connecting to VPN Server

Command Name: AccountStatusHide
Outline of Command: Set Connection Status and Error Screen to be Hidden when Connecting to VPN Server
Explanation: When a VPN Connection Setting is registered on the VPN Client and that VPN Connection Setting is being used to connect to the VPN Server, use this to set the connection status and error screen not to be displayed on the computer display.
Commandline format: AccountStatusHide [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.50 AccountSecureCertSet - Set User Authentication Type of VPN Connection Setting to Smart Card Authentication

Command Name: AccountSecureCertSet
Outline of Command: Set User Authentication Type of VPN Connection Setting to Smart Card Authentication
Explanation: Use this to set the user authentication type to [Smart Card Authentication] for when a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting connects to the VPN Server. You must also specify the names of the certificate object and the private key object stored on the smart card.
Commandline format: AccountSecureCertSet [name] [/CERTNAME:cert] [/KEYNAME:key]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.
/CERTNAME: Specify the name of the certificate object stored on the smart card.
/KEYNAME: Specify the name of the private key object stored on the smart card. The private key must be compatible with the certificate specified by /CERTNAME.

6.5.51 AccountRetrySet - Set Interval between Connection Retries for Connection Failures or Disconnections of VPN Connection Setting

Command Name: AccountRetrySet
Outline of Command: Set Interval between Connection Retries for Connection Failures or Disconnections of VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting attempts to connect to a VPN Server, use this to specify the interval to wait between connection attempts and the limit on how many times to retry connecting when communication with the VPN Server was disconnected or when the connection process failed.
If the user authentication type is [Smart Card Authentication], no connection retry will be performed regardless of the Number of Connection Attempts setting.
Commandline format: AccountRetrySet [name] [/NUM:num_retry] [/INTERVAL:retry_interval]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.
/NUM: Specify the number of times to make consecutive retries. By specifying "999", there will be limitless attempts at reconnection (always connect). By specifying "0", no attempt at reconnection will be made.
/INTERVAL: When attempting a reconnection, this sets how many seconds to wait after the previous disconnection or connection failure before starting the reconnection process.
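
A simulation of the retry policy described above, as an added example rather than VPN Client code: /NUM:999 retries without limit, /NUM:0 never retries, a Smart Card Authentication setting never retries, and each retry is preceded by an /INTERVAL wait. The connect attempt is an injected function (`failing_then_ok` is constructed for the demonstration) so the schedule can be exercised without a VPN Server; waits are recorded rather than slept.

```python
# Added example (not VPN Client code): a simulation of the AccountRetrySet
# policy. /NUM:999 means unlimited retries, /NUM:0 means none, and a Smart
# Card Authentication setting never retries. The connect attempt is an
# injected function so the schedule can be exercised without a VPN Server.
UNLIMITED = 999   # manual: "999" means limitless attempts (always connect)


def retry_allowed(num_retry, retries_so_far, smart_card=False):
    """Decide whether another reconnection attempt may follow a failure."""
    if smart_card:            # manual: no retry regardless of /NUM
        return False
    if num_retry == UNLIMITED:
        return True
    return retries_so_far < num_retry


def run_connection(connect, num_retry, interval, smart_card=False, max_total=1000):
    """Drive connect() until it succeeds or the policy stops retrying.

    Returns (connected, retries_made, wait_schedule). `interval` is the
    number of seconds to wait before each retry; the waits are recorded,
    not slept. `max_total` is a safety cap for the unlimited case, so that
    a simulation with a permanently failing connect() still terminates.
    """
    schedule = []
    retries = 0
    while True:
        if connect():
            return True, retries, schedule
        if not retry_allowed(num_retry, retries, smart_card) or retries >= max_total:
            return False, retries, schedule
        schedule.append(interval)   # wait /INTERVAL seconds, then reconnect
        retries += 1


def failing_then_ok(failures):
    """Constructed connect(): fails `failures` times, then succeeds."""
    state = {"left": failures}

    def connect():
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True

    return connect
```

The same loop is what AccountConnect keeps running in the "connecting" status: with /NUM:999 only AccountDisconnect ends it, which is why a setting whose server certificate cannot be trusted is described above as being cancelled and reattempted continually.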

6.5.52 AccountStartupSet - Set VPN Connection Setting as Startup Connection

Command Name: AccountStartupSet
Outline of Command: Set VPN Connection Setting as Startup Connection
Explanation: Use this to specify a VPN Connection Setting registered on the VPN Client and set it as the startup connection. The VPN Connection Setting that is set as the startup connection will automatically start the connection process when the VPN Client service starts.
Commandline format: AccountStartupSet [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.53 AccountStartupRemove - Remove Startup Connection of VPN Connection Setting

Command Name: AccountStartupRemove
Outline of Command: Remove Startup Connection of VPN Connection Setting
Explanation: When a VPN Connection Setting registered on the VPN Client is specified and that VPN Connection Setting is currently set as a startup connection, use this to remove the startup connection setting.
Commandline format: AccountStartupRemove [name]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting whose setting you want to change.

6.5.54 AccountExport - Export VPN Connection Setting

Command Name: AccountExport
Outline of Command: Export VPN Connection Setting
Explanation: Use this to specify a VPN Connection Setting registered on the VPN Client and export its contents as a text file. By exporting a VPN Connection Setting file and later importing it, you can duplicate the contents of a VPN Connection Setting. Also, because it is saved as a text file, you can edit the contents using a conventional text editor.
The export destination file is saved as a UTF-8 format text file. It is also convenient to save the file with the file extension .vpn, as this file extension is associated with the Windows Edition VPN Client Manager.
Commandline format: AccountExport [name] [/SAVEPATH:savepath]
List of parameter arguments that can be specified by vpncmd command.

name: Specify the name of the VPN Connection Setting to export.
/SAVEPATH: Specify a file name for the save destination.

6.5.55 AccountImport - Import VPN Connection Setting

Command Name: AccountImport
Outline of Command: Import VPN Connection Setting
Explanation: Use this to import a VPN Connection Setting file that was exported by the AccountExport command and add it to the VPN Client.
Commandline format: AccountImport [path]
List of parameter arguments that can be specified by vpncmd command.

path: Specify the file name of the import source.

6.5.56 RemoteEnable - Allow Remote Management of VPN Client Service

Command Name: RemoteEnable
Outline of Command: Allow Remote Management of VPN Client Service
Explanation: Use this to allow management of a VPN Client service from a remote computer (that is, one other than localhost) via a remote connection by the Command Line Management Utility or VPN Client Manager.
Commandline format: RemoteEnable
List of parameter arguments that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.5.57 RemoteDisable - Deny Remote Management of VPN Client Service

Command Name: RemoteDisable
Outline of Command: Deny Remote Management of VPN Client Service
Explanation: Use this to deny management of a VPN Client service from a remote computer (that is, one other than localhost) via a remote connection by the Command Line Management Utility or VPN Client Manager.
Commandline format: RemoteDisable
List of parameter arguments that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.5.58 KeepEnable - Enable the Keep Alive Internet Connection Function

Command Name: KeepEnable
Outline of Command: Enable the Keep Alive Internet Connection Function
Explanation: This allows you to enable the [Keep Alive Internet Connection Function]. In network connection environments where connections are automatically disconnected after periods of no communication longer than a set period, the [Keep Alive Internet Connection Function] makes it possible to keep the Internet connection alive by sending packets to a nominated server on the Internet at set intervals.
You can set the destination host name etc. by using the KeepSet command.
To execute this command on a VPN Server or VPN Bridge, you must have administrator privileges.
Commandline format: KeepEnable
List of parameter arguments that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.5.59 KeepDisable - Disable the Keep Alive Internet Connection Function

Command Name: KeepDisable
Outline of Command: Disable the Keep Alive Internet Connection Function
Explanation: This allows you to disable the [Keep Alive Internet Connection Function].
To execute this command on a VPN Server or VPN Bridge, you must have administrator privileges.
Commandline format: KeepDisable
List of parameter arguments that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.5.60 KeepSet - Set the Keep Alive Internet Connection Function

Command Name: KeepSet
Outline of Command: Set the Keep Alive Internet Connection Function
Explanation: Use this to set the destination host name etc. of the [Keep Alive Internet Connection Function]. In network connection environments where connections are automatically disconnected after periods of no communication longer than a set period, the [Keep Alive Internet Connection Function] makes it possible to keep the Internet connection alive by sending packets to a nominated server on the Internet at set intervals.
When using this command, you can specify the following: [Host Name], [Port Number], [Packet Send Interval], and [Protocol].
Packets sent to keep the Internet connection alive have random content; personal information that could identify a computer or user is not sent.
You can use the KeepEnable command or KeepDisable command to enable/disable the Keep Alive Internet Connection Function. KeepSet does not change the enabled/disabled status.
To execute this command on a VPN Server or VPN Bridge, you must have administrator privileges.
Commandline format: KeepSet [/HOST:host:port] [/PROTOCOL:tcp|udp] [/INTERVAL:interval]
List of parameter arguments that can be specified by vpncmd command.

/HOST: Specify the host name or IP address, and port number, of the destination using the format [host name:port number].
/PROTOCOL: Specify either tcp or udp.
/INTERVAL: Specify, in seconds, the interval between the sending of packets.
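
An added example, not the VPN Client's own keep-alive implementation: a sender that behaves as KeepSet is described above, sending random-content packets to host:port over tcp or udp at a fixed interval, with nothing in the payload that identifies the machine or user. The loopback receiver, the payload length bound of 128 bytes, and the send count are constructed for the demonstration so it runs offline; the real function runs indefinitely at the configured /INTERVAL.

```python
# Added example (not the VPN Client's keep-alive code): random-content
# keep-alive packets over tcp or udp to host:port at a fixed interval, as
# the manual describes KeepSet. A loopback UDP receiver is included so the
# example runs offline; interval=0 and a send count are for demonstration.
import os
import random
import socket
import threading
import time

MAX_PAYLOAD = 128   # assumption for this example; the manual gives no size


def keepalive_payload(max_len=MAX_PAYLOAD):
    """Random bytes of random length: no host name, user name or timestamp."""
    return os.urandom(random.randint(1, max_len))


def send_keepalives(host, port, protocol="udp", interval=1.0, count=3):
    """Send `count` keep-alive packets, sleeping `interval` seconds between.

    Returns the payloads sent so a caller can check what left the host.
    """
    if protocol not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    sent = []
    for i in range(count):
        payload = keepalive_payload()
        if protocol == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(payload, (host, port))
        else:
            # One short TCP connection per keep-alive, then close.
            with socket.create_connection((host, port), timeout=5) as s:
                s.sendall(payload)
        sent.append(payload)
        if i + 1 < count:
            time.sleep(interval)
    return sent


def loopback_udp_receiver(count, timeout=5.0):
    """Constructed peer: bind an ephemeral UDP port and collect `count` datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(timeout)
    port = sock.getsockname()[1]
    received = []

    def run():
        try:
            for _ in range(count):
                data, _addr = sock.recvfrom(65535)
                received.append(data)
        except socket.timeout:
            pass
        finally:
            sock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, received, thread


def demo_keepalive(count=3):
    """Send to a loopback receiver and return (sent, received) payload lists."""
    port, received, thread = loopback_udp_receiver(count)
    sent = send_keepalives("127.0.0.1", port, "udp", interval=0.0, count=count)
    thread.join(5.0)
    return sent, received
```

From a monitoring point of view these packets are periodic, fixed-destination traffic with unpredictable content and length; if the nominated host is not one you operate, the pattern is worth recording as expected so it is not mistaken for beaconing.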

6.5.61 KeepGet - Get the Keep Alive Internet Connection Function

Command Name: KeepGet
Outline of Command: Get the Keep Alive Internet Connection Function
Explanation: Use this to get the current settings of the [Keep Alive Internet Connection Function]. In addition to the destination's [Host Name], [Port Number], [Packet Send Interval] and [Protocol], you can obtain the current enabled/disabled status of the [Keep Alive Internet Connection Function].
Commandline format: KeepGet
List of parameter arguments that can be specified by vpncmd command.

There is no parameter argument that should be specified in this command.

6.5.62 MakeCert - Create New X.509 Certificate and Private Key

Command Name: MakeCert
Outline of Command: Create New X.509 Certificate and Private Key
Explanation: Use this to create a new X.509 certificate and private key and save them as files.
The algorithm used to create the public key and private key of the certificate is RSA 1024 bit.
You can choose to create a root certificate (self-signed certificate) or a certificate signed by another certificate. To create a certificate that is signed by another certificate, you require the signing certificate (X.509 format file) and a private key file (Base 64 encoded) that is compatible with it.
When creating a certificate, you can specify the following: Name (CN), Organization (O), Organization Unit (OU), Country (C), State (ST), Locale (L), Serial Number, and Expiration Date.
The created certificate will be saved as an X.509 format file and the private key file will be saved as a Base 64 encoded RSA 1024 bit format file.
The MakeCert command is a tool that provides only the most rudimentary function for creating certificates. If you want to create a more substantial certificate, we recommend that you use either free software such as OpenSSL, or commercial CA (certificate authority) software.
Note: This command can be called from the PacketiX VPN Command Line Management Utility. You can also execute this command while connected to the current VPN Server or VPN Client in Administration Mode, but what actually performs the RSA computation, generates the certificate data and saves it to file is the computer on which the command is running, and all of this is executed in a context that has no relationship to the computer that is the destination of the Administration Mode connection.
Commandline format: MakeCert [/CN:cn] [/O:o] [/OU:ou] [/C:c] [/ST:st] [/L:l] [/SERIAL:serial] [/EXPIRES:expires] [/SIGNCERT:signcert] [/SIGNKEY:signkey] [/SAVECERT:savecert] [/SAVEKEY:savekey]
List of parameter arguments that can be specified by vpncmd command.

/CN: Specify the Name (CN) item of the certificate to create. You can specify "none".
/O: Specify the Organization (O) item of the certificate to create. You can specify "none".
/OU: Specify the Organization Unit (OU) item of the certificate to create. You can specify "none".
/C: Specify the Country (C) item of the certificate to create. You can specify "none".
/ST: Specify the State (ST) item of the certificate to create. You can specify "none".
/L: Specify the Locale (L) item of the certificate to create. You can specify "none".
/SERIAL: Specify the Serial Number item of the certificate to create. Specify using hexadecimal values. You can specify "none".
/EXPIRES: Specify the Expiration Date item of the certificate to create. If you specify "none" or "0", 3650 days (approx. 10 years) will be used. You can specify a maximum of 10950 days (about 30 years).
/SIGNCERT: For cases when the certificate to be created is to be signed by an existing certificate, specify the X.509 format certificate file name to be used for signing. When this parameter is omitted, no such signing is performed and the new certificate is created as a root certificate.
/SIGNKEY: Specify a private key (RSA, Base 64 encoded) that is compatible with the certificate specified by /SIGNCERT.
/SAVECERT: Specify the file name under which to save the certificate you created. The certificate is saved as an X.509 file that includes an RSA format 1024 bit public key.
/SAVEKEY: Specify the file name under which to save the private key that is compatible with the certificate you created. The private key will be saved as an RSA-format 1024-bit private key file.

6.5.63 TrafficClient - Execute Communication Throughput Measurement Tool Client

Command Name: TrafficClient
Outline of Command: Execute Communication Throughput Measurement Tool Client
Explanation: Use this to execute the communication throughput measurement tool's client program.
Two commands, TrafficClient and TrafficServer, are used for the communication throughput measurement tool, which enables the measurement of the communication throughput that can be transferred between two computers connected by an IP network. The TrafficServer command is used first on another computer, which puts the communication throughput measurement tool server in a listening condition. Then the TrafficClient command is used to connect to that server by specifying its host name or IP address and port number, which makes it possible to measure the communication speed.
Measurement of the communication speed is carried out by concurrently establishing multiple TCP connections, transferring the maximum amount of stream data on each connection for a specified time, calculating from the respective results the actual number of bits of data that could be transferred within that time, and using that to calculate the average value (bps) of communication throughput. Normally, when there is only one TCP connection, it is common to achieve communication speeds slower than the actual net throughput because of limitations related to the TCP algorithm. We therefore recommend establishing multiple concurrent TCP connections when measuring communication results. Because the throughput measured by this method is calculated from the bit length of the data that arrives on the receiver side as a TCP stream, packets lost during transfer and packets with corrupted data are not included in the data that actually arrives, which means it is possible to calculate a genuine value that is close to the maximum possible communication bandwidth of the network.
Using the measurement results, i.e. the stream size transferred by TCP, the approximate volume of data that actually passed through the network is calculated, and this is divided by time to calculate the bits per second (bps). The calculation assumes that the type of the physical network is Ethernet (IEEE802.3) and that the MAC frame payload size is 1,500 bytes (TCP MSS is 1,460 bytes). By specifying the /RAW option, the calculation will not make corrections for the TCP/IP header and MAC header data volume.
Note: This command can be called from the PacketiX VPN Command Line Management Utility. You can also execute this command while connected to the current VPN Server or VPN Client in Administration Mode, but what actually conducts the communication and measures the throughput is the computer on which the command is running, and all of this is executed in a context that has no relationship to the computer that is the destination of the Administration Mode connection.
Commandline format: TrafficClient [host:port] [/NUMTCP:numtcp] [/TYPE:download|upload|full] [/SPAN:span] [/DOUBLE:yes|no] [/RAW:yes|no]
List of parameter arguments that can be specified by vpncmd command.

host:port: Specify the host name or IP address and port number on which the communication throughput measurement tool server (TrafficServer) is listening. If the port number is omitted, 9821 will be used.
/NUMTCP: Specify the number of TCP connections to be concurrently established between the client and the server for data transfer. If omitted, 32 will be used.
/TYPE: Specify the direction of data flow when throughput measurement is performed. Specify one of the following options: "download", "upload" or "full". By specifying "download", the data will be transmitted from the server side to the client side. By specifying "upload", the data will be transmitted from the client side to the server side. By specifying "full", the data will be transferred in both directions. When "full" is specified, the NUMTCP value must be an even number of two or more (half the number will be used for concurrent TCP connections in the download direction and the other half will be used in the upload direction). If this parameter is omitted, "full" will be used.
/SPAN: Specify, in seconds, the time span over which to conduct data transfer for the measurement of throughput. If this parameter is omitted, "15" will be used.
/DOUBLE: When "yes" is specified, the throughput of the measured result will be doubled and then displayed. This option is used when a network device etc. is somewhere on the data route and the total throughput capability that is input to and output by this network device is being measured.
/RAW: By specifying "yes", the calculation will not make corrections for the TCP/IP header and MAC header data volume.

6.5.64 TrafficServer - Execute Communication Throughput Measurement Tool Server

Command Name: TrafficServer
Outline of Command: Execute Communication Throughput Measurement Tool Server
Explanation: Use this to execute the communication throughput measurement tool's server program.
Two commands, TrafficClient and TrafficServer, are used for the communication throughput measurement tool, which enables the measurement of the communication throughput that can be transferred between two computers connected by an IP network.
To set a TCP port of this computer to the Listen status, so that it listens for the connection from the TrafficClient of another computer, specify the port number and start the server program using the TrafficServer command.
You can display more detailed information on the communication throughput measurement tool by inputting "TrafficClient /?".
Note: This command can be called from the PacketiX VPN Command Line Management Utility. You can also execute this command while connected to the current VPN Server or VPN Client in Administration Mode, but what actually conducts the communication and measures the throughput is the computer on which the command is running, and all of this is executed in a context that has no relationship to the computer that is the destination of the Administration Mode connection.
Commandline format: TrafficServer [port]
List of parameter arguments that can be specified by vpncmd command.

port: Specify, using an integer, the port number on which to listen for the connection. If the specified port is already being used by another program, or if the port cannot be opened, an error will occur.

6.5.65 Check - Check if PacketiX VPN Operation is Possible

Command Name: Check

Outline of Command: Check if PacketiX VPN Operation is Possible

Explanation: Use this to check whether the computer currently running vpncmd
is a suitable operating platform for PacketiX VPN Server / Bridge.
If this check passes on a system, it is highly likely that PacketiX VPN
software will operate correctly on that system.
Conversely, if this check does not pass on a system, some type of trouble may
arise if PacketiX VPN software is used on that system.

Commandline format: Check

List of parameter arguments that can be specified for this vpncmd command:

There is no parameter argument that should be specified for this command.


6.6 VPN Tools Command Reference

This section describes all commands that can be called when using vpncmd in
Use VPN Tools Command (Create Certificate or Measure Communication Throughput)
mode.

6.6.1 About - Display the version information

Command Name: About

Outline of Command: Display the version information

Explanation: This displays the version information of this command line
management utility. Included in the version information are the vpncmd
version number, build number and build information.

Commandline format: About

List of parameter arguments that can be specified for this vpncmd command:

There is no parameter argument that should be specified for this command.

6.6.2 MakeCert - Create New X.509 Certificate and Private Key

Command Name: MakeCert

Outline of Command: Create New X.509 Certificate and Private Key

Explanation: Use this to create a new X.509 certificate and private key and
save them as files.
The algorithm used to create the public key and private key of the
certificate is RSA 1024 bit.
You can choose to create a root certificate (self-signed certificate) or a
certificate signed by another certificate. To create a certificate that is
signed by another certificate, you require the signing certificate (an X.509
format file) and a private key file (Base 64 encoded) that corresponds to
that certificate.

When creating a certificate, you can specify the following: Name (CN),
Organization (O), Organization Unit (OU), Country (C), State (ST), Locale (L),
Serial Number, and Expiration Date.
The created certificate will be saved as an X.509 format file and the private
key file will be saved as a Base 64 encoded RSA 1024 bit format file.

The MakeCert command is a tool that provides only the most rudimentary
function for creating certificates. If you want to create a more substantial
certificate, we recommend that you use either free software such as OpenSSL
or commercial CA (certificate authority) software.

Note: This command can be called from the PacketiX VPN Command Line
Management Utility. You can also execute this command while connected to the
current VPN Server or VPN Client in Administration Mode, but what actually
performs the RSA computation, generates the certificate data and saves it to
file is the computer on which the command is running, and all of this is
executed in a context that has no relationship whatsoever to the computer
that is the destination of the Administration Mode connection.

Commandline format: MakeCert [/CN:cn] [/O:o] [/OU:ou] [/C:c] [/ST:st] [/L:l]
[/SERIAL:serial] [/EXPIRES:expires] [/SIGNCERT:signcert] [/SIGNKEY:signkey]
[/SAVECERT:savecert] [/SAVEKEY:savekey]

List of parameter arguments that can be specified for this vpncmd command:

/CN Specify the Name (CN) item of the certificate to create. You can specify
"none".
/O Specify the Organization (O) item of the certificate to create. You can
specify "none".
/OU Specify the Organization Unit (OU) item of the certificate to create. You
can specify "none".
/C Specify the Country (C) item of the certificate to create. You can specify
"none".
/ST Specify the State (ST) item of the certificate to create. You can specify
"none".
/L Specify the Locale (L) item of the certificate to create. You can specify
"none".
/SERIAL Specify the Serial Number item of the certificate to create. Specify
using hexadecimal values. You can specify "none".
/EXPIRES Specify the Expiration Date item of the certificate to create. If you
specify "none" or "0", 3650 days (approx. 10 years) will be used. You can
specify a maximum of 10950 days (about 30 years).
/SIGNCERT When the certificate to be created is to be signed by an existing
certificate, specify the file name of that X.509 format certificate. When this
parameter is omitted, no such signing is performed and the new certificate is
created as a root certificate.
/SIGNKEY Specify a private key (RSA, Base 64 encoded) that corresponds to the
certificate specified by /SIGNCERT.
/SAVECERT Specify the file name under which to save the created certificate.
The certificate is saved as an X.509 file that includes an RSA format 1024 bit
public key.
/SAVEKEY Specify the file name under which to save the private key that
corresponds to the created certificate. The private key will be saved as an
RSA format 1024 bit private key file.
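The following is an added example, not code from the PacketiX manual and not vpncmd's MakeCert. It carries out the steps the MakeCert description lists (a self-signed root certificate, then a certificate signed by that root with the equivalent of /SIGNCERT and /SIGNKEY, with the subject items, a hexadecimal serial and an expiry in days) using the OpenSSL command line tool, which the manual itself recommends over MakeCert for anything substantial, and then verifies the chain the way a practitioner should before installing a signed certificate. The subjects, serial numbers and file names are constructed for the demo, the function names are assumptions, and the key size is 2048 bits rather than MakeCert's 1024 bits, because current OpenSSL security levels can refuse to verify chains built on 1024-bit RSA keys.

```shell
#!/bin/sh
# Added example, not part of the PacketiX manual and not vpncmd's MakeCert.
# It performs the same steps MakeCert describes (a self-signed root, then a
# certificate signed by that root) with the OpenSSL command line tool.
# Subjects, serial numbers and file names are constructed for the demo and
# the function names are assumptions. The key size is 2048 bits instead of
# MakeCert's 1024, because current OpenSSL security levels can refuse to
# verify chains built on 1024-bit RSA keys.

KEYBITS=2048

# make_root_cert CERTFILE KEYFILE SUBJECT SERIAL_HEX DAYS
# Self-signed root certificate: what MakeCert produces when /SIGNCERT is
# omitted. SUBJECT is an OpenSSL "/CN=.../O=.../OU=.../C=.../ST=.../L=..."
# string; SERIAL_HEX is hexadecimal, as with /SERIAL; DAYS as with /EXPIRES.
make_root_cert() {
  cert=$1 key=$2 subject=$3 serial=$4 days=$5
  openssl genrsa -out "$key" "$KEYBITS" 2>/dev/null || return 1
  chmod 600 "$key"   # the private key must stay readable only by its owner
  openssl req -new -x509 -key "$key" -out "$cert" -days "$days" \
    -set_serial "0x$serial" -subj "$subject" 2>/dev/null
}

# make_signed_cert CERTFILE KEYFILE SUBJECT SERIAL_HEX DAYS SIGNCERT SIGNKEY
# Certificate signed by an existing certificate and its private key: the
# /SIGNCERT and /SIGNKEY case. A temporary CSR carries the subject to the
# signer and is removed afterwards.
make_signed_cert() {
  cert=$1 key=$2 subject=$3 serial=$4 days=$5 signcert=$6 signkey=$7
  csr="$cert.csr"
  openssl genrsa -out "$key" "$KEYBITS" 2>/dev/null || return 1
  chmod 600 "$key"
  openssl req -new -key "$key" -out "$csr" -subj "$subject" 2>/dev/null || return 1
  openssl x509 -req -in "$csr" -CA "$signcert" -CAkey "$signkey" \
    -set_serial "0x$serial" -days "$days" -out "$cert" 2>/dev/null \
    || { rm -f "$csr"; return 1; }
  rm -f "$csr"
}

# verify_chain CAFILE CERTFILE -> 0 only if CERTFILE chains to CAFILE.
# Run this on a signed certificate before installing it on the VPN Server;
# it catches a /SIGNKEY that does not match /SIGNCERT.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_serial CERTFILE -> the serial number as OpenSSL prints it (hex)
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# key_bits KEYFILE -> RSA modulus size of a private key file
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# demo_makecert -> builds a root and a VPN server certificate in a scratch
# directory, verifies the chain and prints the directory path.
demo_makecert() {
  dir=$(mktemp -d) || return 1
  make_root_cert "$dir/root.cer" "$dir/root.key" \
    "/CN=Example Root CA/O=Example Corp/OU=IT/C=JP/ST=Ibaraki/L=Tsukuba" \
    01 3650 || return 1
  make_signed_cert "$dir/vpn.cer" "$dir/vpn.key" \
    "/CN=vpn.example.test/O=Example Corp/OU=IT/C=JP/ST=Ibaraki/L=Tsukuba" \
    0A 365 "$dir/root.cer" "$dir/root.key" || return 1
  verify_chain "$dir/root.cer" "$dir/vpn.cer" || return 1
  echo "$dir"
}

demo_makecert
```

The root's private key is only needed at signing time; keep it off the VPN Server entirely and give the server just the signed certificate and its own key, which is why the two key files are generated separately here.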


6.6.3 TrafficClient - Execute Communication Throughput Measurement Tool Client

Command Name: TrafficClient

Outline of Command: Execute Communication Throughput Measurement Tool Client

Explanation: Use this to execute the communication throughput measurement
tool's client program.
Two commands, TrafficClient and TrafficServer, are used for the
communication throughput measurement tool to enable the measurement of the
communication throughput that can be achieved between two computers
connected by an IP network. The TrafficServer command is used first on the
other computer, which puts the communication throughput measurement tool
server into a listening state. Then the TrafficClient command is used to
connect to that server by specifying its host name or IP address and port
number, which makes it possible to measure the communication speed.
Measurement of the communication speed is carried out by concurrently
establishing multiple TCP connections, transferring as much stream data as
possible on each connection, counting the actual number of bits of data that
could be transferred within a specified time across all connections, and
using that to calculate the average communication throughput (bps).
Normally, with a single TCP connection, only communication speeds slower than
the actual net throughput can be achieved because of limitations of the TCP
algorithm. We therefore recommend establishing multiple concurrent TCP
connections when measuring communication throughput. Because the throughput
measured by this method is calculated from the bit length of the data that
arrives at the receiver side as a TCP stream, packets lost during transfer and
packets with corrupted data are not counted as packets that actually arrived,
which means it is possible to calculate a genuine value that is close to the
maximum possible communication bandwidth of the network.
From the measurement result, i.e. the stream size transferred by TCP, the
approximate volume of data that actually passed through the network is
calculated and this is divided by the time to obtain the bits per second
(bps). The calculation assumes that the physical network is Ethernet
(IEEE802.3) and that the MAC frame payload size is 1,500 bytes (TCP MSS is
1,460 bytes). By specifying the /RAW option, the calculation will not make
corrections for the TCP/IP header and MAC header data volume.

Note: This command can be called from the PacketiX VPN Command Line
Management Utility. You can also execute this command while connected to the
current VPN Server or VPN Client in Administration Mode, but what actually
conducts the communication and measures the throughput is the computer on
which the command is running, and all of this is executed in a context that
has no relationship whatsoever to the computer that is the destination of the
Administration Mode connection.

Commandline format: TrafficClient [host:port] [/NUMTCP:numtcp]
[/TYPE:download|upload|full] [/SPAN:span] [/DOUBLE:yes|no] [/RAW:yes|no]

List of parameter arguments that can be specified for this vpncmd command:

host:port Specify the host name or IP address and port number on which the
communication throughput measurement tool server (TrafficServer) is
listening. If the port number is omitted, 9821 will be used.
/NUMTCP Specify the number of TCP connections to be concurrently established
between the client and the server for data transfer. If omitted, 32 will be
used.
/TYPE Specify the direction of data flow when throughput measurement is
performed. Specify one of the following options: "download", "upload" or
"full". By specifying "download", the data will be transmitted from the
server side to the client side. By specifying "upload", the data will be
transmitted from the client side to the server side. By specifying "full",
the data will be transferred in both directions. When "full" is specified,
the NUMTCP value must be an even number of two or more (half the number will
be used for concurrent TCP connections in the download direction and the
other half will be used in the upload direction). If this parameter is
omitted, "full" will be used.
/SPAN Specify, in seconds, the time span over which to conduct data transfer
for the measurement of throughput. If this parameter is omitted, "15" will be
used.
/DOUBLE When "yes" is specified, the throughput of the measured result will be
doubled and then displayed. This option is used for cases when a network
device etc. is somewhere on the data route and the total throughput capacity
that passes in and out of this network device is being measured.
/RAW By specifying "yes", the calculation will not make corrections for the
TCP/IP header and MAC header data volume.
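The following is an added example, not code from the PacketiX manual or from vpncmd, that models the TrafficClient behaviour described above (the same parameters are documented for the VPN Client version of the command in 6.5.63): the split of /NUMTCP between directions for /TYPE:full, rejection of a NUMTCP that is odd or below 2 in that mode, and the conversion of the TCP stream size received over /SPAN seconds into bps with the /RAW and /DOUBLE options. The header correction factor of 1514 wire bytes per 1460-byte segment (a 14-byte Ethernet header on the 1,500-byte MAC payload) is an assumption, since the manual states only the payload size and the MSS; the function names and the sample byte count are constructed.

```shell
#!/bin/sh
# Added example, not part of the PacketiX manual or of vpncmd itself.
# It models the TrafficClient parameter handling and bps calculation that the
# manual describes in prose. Function names are assumptions for this demo.

# split_numtcp NUMTCP TYPE
# Prints "DOWNLOAD_CONNS UPLOAD_CONNS" for a /NUMTCP and /TYPE combination.
# Returns 1 for the case the manual rules out: /TYPE:full with a NUMTCP that
# is odd or below 2 (and for an unknown TYPE).
split_numtcp() {
  numtcp=$1
  type=$2
  case "$type" in
    download) echo "$numtcp 0" ;;
    upload)   echo "0 $numtcp" ;;
    full)
      if [ "$numtcp" -lt 2 ] || [ $((numtcp % 2)) -ne 0 ]; then
        return 1
      fi
      echo "$((numtcp / 2)) $((numtcp / 2))"
      ;;
    *) return 1 ;;
  esac
}

# estimate_bps STREAM_BYTES SPAN_SECONDS RAW DOUBLE
# STREAM_BYTES is the TCP payload that arrived at the receiver, summed over
# all connections, during SPAN_SECONDS. RAW=yes reports the stream rate as is
# (/RAW:yes); otherwise the stream is scaled up to its estimated on-wire
# size. DOUBLE=yes doubles the result (/DOUBLE:yes).
# ASSUMPTION: each 1460-byte TCP segment (the MSS the manual states) is
# carried in a 1500-byte MAC payload plus a 14-byte Ethernet header, so the
# correction factor is 1514/1460. The manual does not give vpncmd's exact
# factor, and FCS, preamble and inter-frame gap are not counted here.
estimate_bps() {
  awk -v bytes="$1" -v span="$2" -v raw="$3" -v dbl="$4" 'BEGIN {
    wire = bytes + 0
    if (raw != "yes") wire = wire * 1514 / 1460
    bps = wire * 8 / span
    if (dbl == "yes") bps = bps * 2
    printf "%d\n", bps
  }'
}

# Constructed sample: 182,500,000 bytes (125,000 full segments) received over
# a 15-second /SPAN with the default 32 connections in /TYPE:full.
conns=$(split_numtcp 32 full) && echo "connections (down up): $conns"
echo "corrected: $(estimate_bps 182500000 15 no no) bps"
echo "raw:       $(estimate_bps 182500000 15 yes no) bps"
```

The corrected figure is the one to compare with a link's nominal rate, because the nominal rate counts headers; the raw figure is what the TCP stream itself delivered. Since the tool counts only bytes that arrived intact at the receiver, a large gap between the corrected figure and the nominal rate points to loss or a constrained device on the path rather than to a measurement artefact.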

6.6.4 TrafficServer - Execute Communication Throughput Measurement Tool Server

Command Name: TrafficServer

Outline of Command: Execute Communication Throughput Measurement Tool Server

Explanation: Use this to execute the communication throughput measurement
tool's server program.
Two commands, TrafficClient and TrafficServer, are used for the
communication throughput measurement tool to enable the measurement of the
communication throughput that can be achieved between two computers
connected by an IP network.
To put a TCP port of this computer into the listening state so that it can
accept the connection from TrafficClient on another computer, specify the
port number and start the server program using the TrafficServer command.
You can display more detailed information on the communication throughput
measurement tool by inputting "TrafficClient /?".

Note: This command can be called from the PacketiX VPN Command Line
Management Utility. You can also execute this command while connected to the
current VPN Server or VPN Client in Administration Mode, but what actually
conducts the communication and measures the throughput is the computer on
which the command is running, and all of this is executed in a context that
has no relationship whatsoever to the computer that is the destination of the
Administration Mode connection.

Commandline format: TrafficServer [port]

List of parameter arguments that can be specified for this vpncmd command:

port Specify, using an integer, the port number on which to listen for the
connection. If the specified port is already being used by another program,
or if the port cannot be opened, an error will occur.

6.6.5 Check - Check if PacketiX VPN Operation is Possible

Command Name: Check

Outline of Command: Check if PacketiX VPN Operation is Possible

Explanation: Use this to check whether the computer currently running vpncmd
is a suitable operating platform for PacketiX VPN Server / Bridge.
If this check passes on a system, it is highly likely that PacketiX VPN
software will operate correctly on that system.
Conversely, if this check does not pass on a system, some type of trouble may
arise if PacketiX VPN software is used on that system.

Commandline format: Check

List of parameter arguments that can be specified for this vpncmd command:

There is no parameter argument that should be specified for this command.


Chapter 7 Installing PacketiX VPN Server 2.0

This chapter describes the detailed procedure for installing PacketiX VPN Server 2.0 to a
Windows- or Linux-based server computer and configuring the default settings. For
details on the PacketiX VPN Server 2.0 functions, please refer to 「Chapter 3 PacketiX
VPN Server 2.0 Manual」 .

7.1 Installation Precautions


7.1.1 Checking the Operating Environment
7.1.2 Hard Disk Space
7.1.3 CPU Processing Speed
7.1.4 Conflicting Software
7.2 Installing to Windows and Configuring the Default Settings
7.2.1 Selecting the Installation Mode
7.2.2 Installation Procedure Using the Installer
7.2.3 Optimizing the TCP/IP Communication Settings
7.2.4 Precautions After Installation
7.2.5 Managing VPN Server with VPN Server Manager
7.2.6 Managing with vpncmd
7.2.7 Starting and Stopping Service
7.2.8 Adding and Deleting the Service
7.2.9 Limitations When Starting with General User Rights
7.3 Installing to Linux and Configuring the Default Settings
7.3.1 Recommended System
7.3.2 Selecting the Installation Mode
7.3.3 Checking the Required Software and Libraries
7.3.4 Extracting the Package
7.3.5 Creating an Executable File
7.3.6 VPN Server Location
7.3.7 Using the vpncmd Check Command to Check Operations
7.3.8 Registering a Startup Script
7.3.9 Starting and Stopping Service
7.3.10 Limitations when Starting with General User Rights
7.4 Default Settings
7.4.1 Changing the Manager Password
7.4.2 Registering the License
7.4.3 Checking the Current License Status and the Usage Status of the Number of
Connections
7.4.4 Creating a Virtual HUB
7.5 Installing to Other Unix Systems
7.6 Uninstalling PacketiX VPN Server 2.0
7.6.1 Uninstallation in Windows
7.6.2 Uninstallation in Linux


7.1 Installation Precautions

This section describes the precautions to take before installing PacketiX VPN Server 2.0.

7.1.1 Checking the Operating Environment

Before installing PacketiX VPN Server to a computer, check that the computer hardware
and operating system support PacketiX VPN Server.

PacketiX VPN Server supports Windows, Linux, FreeBSD, Solaris, and Mac OS X;
however, this product formally supports only operating systems with Windows 2000 or
later and certain Linux distributions. PacketiX VPN Server can be installed on other
operating systems, but SoftEther Corporation is not responsible for its operations. For
information about the operating environment of PacketiX VPN Server, please refer to
「12.1 PacketiX VPN Server 2.0 Specs」 .

Before installing PacketiX VPN Server, be sure to back up data stored in the installation
directory of the computer (including the system registry in Windows).

7.1.2 Hard Disk Space

As described in 「3.10 Logging Service」 , PacketiX VPN Server writes large operation
log files to the hard disk during operation. In addition, when the hard disk space reaches
a certain size, VPN Server deletes the oldest log files written to the hard disk during VPN
Server operation.

Although the data size of logs written by VPN Server varies greatly depending on the
operation status of VPN Server, the number of users connected on a daily basis, and the
selection of saved packet log items configured by the Virtual HUB administrator, as a
guideline, it is a good idea to have between 30 and 100 GB of available disk space when
using VPN Server for a general remote-access VPN or for a VPN connection between
bases.

7.1.3 CPU Processing Speed

The processing speed of VPN Server depends on the CPU speed. Therefore, check that
the CPU speed of the hardware you want to use as the VPN server computer has
sufficient speed. If the CPU speed is too slow, we recommend upgrading the system.

As a guideline for the CPU speed, we recommend providing a CPU with a speed of 2.0
GHz or faster when connecting to a network using a physical line with a communication
speed of 100 Mbps. If the CPU speed is too slow, the communication delay time may
increase and throughput may decrease.

7.1.4 Conflicting Software

It is essential that you make sure that the operation speed of VPN Server is not
adversely affected and server operations are not disrupted by software conflicts that can
occur when VPN Server is installed on a computer with a personal firewall or antivirus
software from a different manufacturer. If there are signs that the VPN functions are not
operating properly due to a conflict with this type of software, we recommend
temporarily disabling that software and try operating VPN Server again.

Please note that VPN Server conflicts with VPN Bridge. Generally, VPN Bridge does not
need to be installed on the same computer on which VPN Server is installed.
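The following is an added example, not part of the PacketiX manual: a pre-installation check script for the three precautions above, namely free disk space for the log files (the 30 to 100 GB guideline), CPU speed (2.0 GHz for a 100 Mbps line) and a conflicting VPN Bridge process. The thresholds are the manual's own guidelines; the function names, the default /usr/local target directory and the Linux-specific probes (df, /proc/cpuinfo, ps) are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not part of the PacketiX manual: a pre-installation check for
# the precautions in 7.1 (disk space for the log files, CPU speed and a
# conflicting VPN Bridge process). The thresholds are the manual's
# guidelines; the function names and the default /usr/local target directory
# are assumptions for this demo.

# free_gb DIR -> free space, in whole GB, on the filesystem holding DIR
free_gb() {
  df -Pk "$1" 2>/dev/null | awk 'NR == 2 { printf "%d\n", $4 / 1024 / 1024 }'
}

# meets_disk_guideline FREE_GB [MIN_GB]
# 0 when FREE_GB reaches the lower end of the 30 to 100 GB guideline the
# manual gives for a remote-access or site-to-site VPN server.
meets_disk_guideline() {
  [ "$1" -ge "${2:-30}" ]
}

# cpu_mhz -> the first "cpu MHz" value in /proc/cpuinfo, or 0 when unknown
cpu_mhz() {
  mhz=
  if [ -r /proc/cpuinfo ]; then
    mhz=$(awk -F: '/^cpu MHz/ { gsub(/ /, "", $2); printf "%d\n", $2; exit }' /proc/cpuinfo)
  fi
  echo "${mhz:-0}"
}

# meets_cpu_guideline MHZ [MIN_MHZ]
# 2000 MHz is the manual's recommendation for a 100 Mbps physical line.
meets_cpu_guideline() {
  [ "$1" -ge "${2:-2000}" ]
}

# process_running NAME -> 0 if a process with exactly that command name exists
process_running() {
  ps -eo comm= 2>/dev/null | grep -qx "$1"
}

# preinstall_report [DIR] -> one line per check; the return value is the
# number of failed checks, so a provisioning script can stop on it.
preinstall_report() {
  dir=${1:-/usr/local}
  failures=0
  gb=$(free_gb "$dir")
  gb=${gb:-0}
  if meets_disk_guideline "$gb"; then
    echo "disk: $gb GB free on $dir: ok"
  else
    echo "disk: $gb GB free on $dir: below the 30 GB guideline"
    failures=$((failures + 1))
  fi
  mhz=$(cpu_mhz)
  if meets_cpu_guideline "$mhz"; then
    echo "cpu: $mhz MHz: ok"
  else
    echo "cpu: $mhz MHz: below the 2.0 GHz guideline or unknown"
    failures=$((failures + 1))
  fi
  if process_running vpnbridge; then
    echo "conflict: a vpnbridge process is running; VPN Server conflicts with VPN Bridge"
    failures=$((failures + 1))
  else
    echo "conflict: no vpnbridge process: ok"
  fi
  return $failures
}

preinstall_report "${1:-/usr/local}" || echo "preinstall: $? check(s) need attention"
```

Run it with the intended installation directory as the argument so that the disk check looks at the filesystem that will actually hold the log files; a generous free-space figure on the root filesystem says nothing if /usr/local is a small separate partition.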


7.2 Installing to Windows and Configuring the Default Settings

This section describes how to install PacketiX VPN Server to an operating system with
Windows 2000 or later. This assumes that in the Windows operating system, no extra
application software is installed after performing a clean install of the system. This also
assumes that the Windows function for blocking communication to TCP/IP ports from the
outside (firewall function) is disabled.

7.2.1 Selecting the Installation Mode

As described in 「3.2 Operating Modes」 , PacketiX VPN Server can be operated in either
service mode or user mode. When configuring VPN Server for use as part of an everyday
operation system, we recommend installing PacketiX VPN Server in service mode. The
installer for the Windows version of VPN Server installs the VPN Server program to the
system in service mode.

7.2.2 Installation Procedure Using the Installer

Preparing the Installer File

The installation of the Windows version of PacketiX VPN Server is very easy as it is
almost completely performed automatically. To install VPN Server, use any of the
following methods to obtain the Windows installer file.

When PacketiX VPN Server 2.0 is purchased as a product, the installer file is
distributed on a CD-ROM. Place the CD-ROM on the CD-ROM drive of the computer
and select the executable file to install the Windows version of VPN Server.

You can also download the latest VPN Server installer file from the SoftEther
Corporation website ( http://www.softether.com/ ). We recommend checking the
above website for the latest version of VPN Server even if you have the CD-ROM with
the installer file. If you signed a maintenance contract with a partner supporting
PacketiX VPN 2.0, please contact your partner representative in advance and check
whether the latest version can be installed.

If you received the latest version of VPN Server on a CD-ROM or as electronic files
from your partner using PacketiX VPN 2.0, install the software using those files.

The VPN Server Windows version installer file is an executable file with the name
vpnserver-build-number-win32-x86.exe. At the time of writing this manual, the
installer file of the latest build is vpnserver-5070-rtm-win32-x86.exe.


Figure 7-2-1 VPN Server Installer

Starting the Installer

Start the installer by double-clicking the VPN Server installer file. The Windows Installer-
based installer starts automatically. Using the installation wizard, you can select the
name of the installation directory. (By default, the program is installed to Program
Files\PacketiX VPN Server on the system drive.) The VPN Server process writes large
log files to the installation directory, so we recommend selecting an area on the hard
drive that has high transfer rate and a large amount of unused space.

Figure 7-2-2 Specifying the VPN Server Installation Directory

During the installation, the end-user license agreement may be displayed. Please
thoroughly read the agreement. If you agree to the terms and conditions, the installation
continues.


Figure 7-2-3 VPN Server End-User License Agreement

The installer automatically registers the PacketiX VPN Server system service and sets the
program to automatically start in background mode at Windows startup.

7.2.3 Optimizing the TCP/IP Communication Settings

The window for optimizing the TCP/IP communication settings may be displayed during
installation of VPN Server.

Figure 7-2-4 Changing the TCP/IP Communication Settings


The TCP/IP communication settings optimization function can be used to perform the
following.

- Using a TCP/IP send/receive window buffer size of 64 KB or more by means of the
window scaling option can improve the communication speed over a broadband line.

- The buffer size of the Windows AFD service can be rewritten to a value for high-speed
communication.

However, there are reports that enabling the TCP/IP window scaling option can create
unstable communication or completely block communication through a firewall device,
such as some transparent proxies. These problems seem to occur with older versions of
firewall devices on a network that do not support the window scaling option. If, after
optimizing the TCP/IP communication settings, TCP/IP communication becomes
unstable, you can restore the optimized TCP/IP communication settings to their original
settings. To restore the optimized TCP/IP communication settings (and use the default
values of the operating system), we recommend clicking [Start] > [PacketiX VPN Server]
> [TCP Communication Optimization Utility], and then changing the [TCP Incoming
Window Size] and [TCP Outgoing Window Size] values to [Use OS Default Value].

Figure 7-2-5 Restoring the TCP/IP Communication Settings to the Default Values of the
Operating System

7.2.4 Precautions After Installation

When installation of the Windows version of VPN Server is completed, the PacketiX VPN
Server service is already running in the background on the Windows system. Normally,
the computer does not have to be restarted after installation of the program. However, if
you expect to use the local bridge function while using a network adapter that supports
hardware offloading, as described in 「3.6.10 Points to Note when Local Bridging in
Windows」 , we recommend that you restart the computer.


To check whether the VPN Server installer properly installed the PacketiX VPN Server
service to the Windows system, click [Control Panel] > [Administrative Tools] >
[Services], and check that [PacketiX VPN Server] is displayed on the list of services.

Figure 7-2-6 Completion of VPN Server Installer

7.2.5 Managing VPN Server with VPN Server Manager

VPN Server Manager

After VPN Server is installed, the program can be properly configured and the VPN client
computers can be provided with the function that allows the program to operate as a
VPN server.

PacketiX VPN Server Manager can be used on Windows to manage VPN Server. For
information about the detailed management method, please refer to 「Chapter 3
PacketiX VPN Server 2.0 Manual」 .

Start VPN Server Manager, which is installed at the same time as the Windows version of
VPN Server, connect to [localhost] (the host itself) on the server window, and configure
the default settings.

To configure or manage the Linux or other Unix version of VPN Server, you can also use
the Windows version of VPN Server Manager from a remote computer. For information
about manually installing VPN Server Manager on a computer without VPN Server
installed, please refer to 「2.4.4 Installing VPN Server Manager Alone」 .

Default Settings of VPN Server Manager

When VPN Server Manager is started for first time, nothing is registered to the [PacketiX
VPN Server Connection Settings] list on the startup window.

Figure 7-2-7 VPN Server Manager

To create a connection setting, click [Create New Setting] and specify the host name,
port number, and other information of VPN Server to which to establish a management
connection. Once a connection setting is registered, it is displayed the next time VPN
Server Manager is started.

Figure 7-2-8 Window for Creating a Connection Setting

After creating a connection setting, double-click that connection setting to try to connect
to VPN Server.

7.2.6 Managing with vpncmd


You can also use the command line-based vpncmd software to configure and manage
VPN Server. This is helpful in cases where VPN Server is installed to a Linux or other
Unix operating system and a separate Windows computer is not available locally,
therefore VPN Server Manager cannot be used. In this case, you can use vpncmd to
configure the default settings. You can also use vpncmd to configure the settings on the
Windows version of VPN Server. For information about detailed vpncmd operations,
please refer to 「Chapter 6 Command Line Management Utility Manual」 .

SoftEther Corporation recommends using VPN Server Manager on a Windows computer
to configure and manage VPN Server and using vpncmd as a supplemental management
utility for automating simple repetitive tasks.

7.2.7 Starting and Stopping Service

The installer for the Windows version of VPN Server automatically installs the PacketiX
VPN Server service. This service continually operates while Windows is running, and it
automatically shuts down when Windows shuts down.

If the service must be restarted for management reasons or because VPN Server
operations become unstable, you can click [Control Panel] > [Administrative Tools] >
[Services], and start or stop the service. An easier and more reliable method is to call
the net command at the command prompt and start or stop the service.

To stop the service, type the following command.

> net stop vpnserver

To start the service, type the following command.

> net start vpnserver

If, in the unlikely event, the VPN Server process hangs and cannot be controlled using
the net command, you can use Task Manager in Windows to forcibly terminate the
vpnserver.exe process.

7.2.8 Adding and Deleting the Service

You can add or delete the service for the vpnserver.exe process using the method
described in the description of the service mode of the Windows PacketiX VPN Server in
「3.2.1 Service Mode」 . You can use this method, for example, to move all setting files
in the VPN Server installation directory to a different directory or hard drive, and then
re-register the process as a service. (However, we cannot recommend using this method
as the uninstaller may not be able to properly uninstall the program.)

7.2.9 Limitations When Starting with General User Rights

We recommend operating the Windows version of VPN Server as a service mode
program, but you can also start VPN Server in user mode by using the method
described in 「3.2.2 User Mode」 . Even if a critical security hole, such as a buffer
overrun, were to exist in VPN Server while it is running in user mode, only the user
account that started VPN Server in user mode would be affected by an attack, so VPN
Server can be used relatively securely and safely in this mode. However, SoftEther
Corporation does not recommend actually operating VPN Server in user mode for the
following reasons.

The local bridge function cannot be used. (For details, please refer to 「3.6 Local
Bridges」 .)

Some features of the disaster recovery function, such as automatic recovery when an
error occurs in a self process, cannot be used. (For details, please refer to 「3.3.12
Failure Recovery」 .)

To start the VPN Server process in user mode, the user must remained logged on to
the server. The user cannot operate VPN Server when the user logs off or when no
users are logged on to the server after Windows starts. For these reasons, user mode
is not suited for actual operation of VPN Server.


7.3 Installing to Linux and Configuring the Default Settings

This section describes how to install PacketiX VPN Server 2.0 to a Linux operating
system. This assumes that in the Linux operating system, no extra application software
is installed after performing a clean install of the system. This also assumes that, as a
basic rule, the firewall and similar functions included in the Linux distribution are not
being used, and that the function for blocking communication to TCP/IP ports from the
outside (firewall function) is disabled.

7.3.1 Recommended System

Recommended Operating System Configuration

The Linux version of PacketiX VPN Server 2.0 can operate in most cases on platforms
with Linux kernel 2.4 or later; however, SoftEther Corporation recommends only those
environments using the following Linux distributions. (As of the time of writing this
manual, this is the recommended environment; however, this may change to higher
specifications in the future.)

„ Red Hat Enterprise Linux AS / ES Version 4 (x86 or x64)


(Use the standard update utility to update the kernel to 2.6.9-22 or later.)

„ Turbolinux 10 Server (x86 or x64)


(Use the standard update utility to update the kernel to 2.6.8-5 or later.)

file://C:¥html¥all.htm 2007/11/20
PacketiX VPN 2.0 Online Manual 518/685 ページ

- Fedora Core 4 or later (x86 or x64), CentOS 4 or later (x86 or x64)
  (Use the standard update utility to update the kernel to the latest version. Please note that there is no support for PacketiX VPN 2.0 products on Fedora Core 4 or later.)

For more information about the system requirements, please refer to 「12.1.1 Supported Operating Systems (Recommended)」 .

The descriptions for installing PacketiX VPN Server 2.0 in this chapter are based on the
use of one of the above operating systems and the fact that VPN Server will be installed
to the newly created directory /usr/local/vpnserver/.

Using Red Hat Enterprise Linux AS / ES Version 4

For Red Hat Enterprise Linux AS / ES Version 4, support is only provided for environments where a clean installation of the system was performed using the following steps.

1. Perform a clean installation of Red Hat Enterprise Linux AS / ES Version 4. Avoid cases where inconsistencies may occur, such as in the libraries after upgrading from an earlier version of Linux.
2. When partitioning the hard disk, allocate sufficient disk space to the partition holding the /usr/ directory. The examples below are based on VPN Server being installed to /usr/local/vpnserver/, and VPN Server also writes its log files under that directory, so allow room for them as well.
3. When selecting the components to install, make sure that at least the development tools (compiler, etc.) and the development libraries are included. Building VPN Server requires the make, gcc and binutils utilities and the development (devel) versions of the libc (glibc), zlib, openssl, readline and ncurses libraries.
4. After installing the operating system, use Red Hat Network to update to the latest Linux kernel (2.6.9-22 or later). The kernel included in the initial installation of Red Hat Enterprise Linux AS / ES Version 4 has problems with parallel and synchronous processing that can make VPN Server unstable, so be sure to update the kernel.
5. Complete the installation of the program with the firewall and SELinux functions disabled. After confirming that VPN Server is properly installed, enable these functions if necessary.

Using Turbolinux 10 Server

When using Turbolinux 10 Server, we recommend performing a clean installation of the system using the following steps, and then installing VPN Server to that environment.

1. Perform a clean installation of Turbolinux 10 Server. Avoid cases where inconsistencies may occur, such as in the libraries after upgrading from an earlier version of Linux.
2. When partitioning the hard disk, allocate sufficient disk space to the partition holding the /usr/ directory. The examples below are based on VPN Server being installed to /usr/local/vpnserver/, and VPN Server also writes its log files under that directory, so allow room for them as well.
3. When selecting the components to install, make sure that at least the development tools (compiler, etc.) and the development libraries are included. Building VPN Server requires the make, gcc and binutils utilities and the development (devel) versions of the libc (glibc), zlib, openssl, readline and ncurses libraries.
4. After installing the operating system, use the update utility to update to the latest Linux kernel (2.6.8-5 or later). The kernel included in the initial installation of Turbolinux 10 Server has problems with parallel and synchronous processing that can make VPN Server unstable, so be sure to update the kernel.
5. Complete the installation of the program with the firewall and SELinux functions disabled. After confirming that VPN Server is properly installed, enable these functions if necessary.

Using Fedora Core 4

When using Fedora Core 4, we recommend performing a clean installation of the system using the following steps, and then installing VPN Server to that environment. Please note that there is no support for VPN Server products on Fedora Core 4.

1. Perform a clean installation of Fedora Core 4. Avoid cases where inconsistencies may occur, such as in the libraries after upgrading from an earlier version of Linux.
2. When partitioning the hard disk, allocate sufficient disk space to the partition holding the /usr/ directory. The examples below are based on VPN Server being installed to /usr/local/vpnserver/, and VPN Server also writes its log files under that directory, so allow room for them as well.
3. When selecting the components to install, make sure that at least the development tools (compiler, etc.) and the development libraries are included. Building VPN Server requires the make, gcc and binutils utilities and the development (devel) versions of the libc (glibc), zlib, openssl, readline and ncurses libraries.
4. After installing the operating system, use the update utility to update to the latest Linux kernel. The kernel included in the initial installation of Fedora Core 4 has problems with parallel and synchronous processing that can make VPN Server unstable, so be sure to update the kernel.
5. Complete the installation of the program with the firewall and SELinux functions disabled. After confirming that VPN Server is properly installed, enable these functions if necessary.

7.3.2 Selecting the Installation Mode

As described in 「3.1 Operating Environment」 and 「3.2 Operating Modes」 , PacketiX VPN Server can be operated in either service mode or user mode. When configuring VPN Server for everyday operational use in a company, we recommend installing it in service mode. To install VPN Server in service mode on a Linux operating system, you register the vpnserver program as a daemon that is started by a Linux startup (init) script, as described in 「7.3.8 Registering a Startup Script」 .

7.3.3 Checking the Required Software and Libraries

The following software and libraries are required to install VPN Server to a Linux operating system. Check that they are installed on the system and enabled. (If one of the recommended distributions is installed using the method specified in 「7.3.1 Recommended System」 , these libraries are installed as well.)

- gcc
- binutils
- tar, gzip or other software for extracting package files
- chkconfig system utility
- cat, cp or other basic file operation utilities
- EUC-JP, UTF-8 or other code page table for use in a Japanese language environment
- libc (glibc) library
- zlib library
- openssl library
- readline library
- ncurses library
- pthread library
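The following pre-flight script is an added example and is not part of the PacketiX manual or the product. It checks, before you run make, that the build tools and development headers listed above are present, so that a missing devel package is reported up front instead of as a linker error part-way through the build. The header file names (zlib.h, openssl/ssl.h, readline/readline.h, curses.h, pthread.h) are the conventional ones for these libraries; the manual names only the packages, so treat that mapping as an assumption.

```shell
#!/bin/sh
# Added example, not part of the PacketiX manual: a pre-flight check for
# the build tools and development headers listed in 7.3.3, run before
# "make". The header file names are the conventional ones for each
# library (an assumption: the manual names only the library packages).

# Print each command name from the arguments that is not found on PATH.
missing_commands() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || echo "$cmd"
    done
}

# Print each header (a path relative to the include directory given as
# the first argument, e.g. openssl/ssl.h) that does not exist there.
missing_headers() {
    incdir=$1
    shift
    for hdr in "$@"; do
        [ -f "$incdir/$hdr" ] || echo "$hdr"
    done
}

# Check everything 7.3.3 requires. Returns 0 when the system is complete,
# 1 otherwise, listing what is missing so the packages can be installed
# before "make" fails part-way through the build.
check_build_prereqs() {
    incdir=${1:-/usr/include}
    cmds=$(missing_commands gcc make ld ar strip tar gzip chkconfig cat cp)
    hdrs=$(missing_headers "$incdir" stdio.h zlib.h openssl/ssl.h \
                           readline/readline.h curses.h pthread.h)
    if [ -n "$cmds" ] || [ -n "$hdrs" ]; then
        # Unquoted expansion folds the newline-separated lists onto one line.
        echo "missing commands:" $cmds
        echo "missing headers:" $hdrs
        return 1
    fi
    return 0
}

# Usage: sh check_prereqs.sh --run [include-dir]
if [ "${1:-}" = "--run" ]; then
    check_build_prereqs "$2"
fi
```

Run it as root on the freshly installed system with `sh check_prereqs.sh --run`; a non-zero exit status with the printed lists tells you which development packages still have to be added with the distribution's package tool.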

7.3.4 Extracting the Package

Preparing the Installer File

To install VPN Server, you need to prepare the file containing the VPN Server program
(package file compressed with tar.gz format).

When PacketiX VPN Server 2.0 is purchased as a product, the installer file is distributed on a CD-ROM. Insert the CD-ROM into the CD-ROM drive of the computer, mount it on the Linux system, and copy the required files to a temporary directory.

You can also download the latest VPN Server installer file from the SoftEther
Corporation website ( http://www.softether.com/ ). We recommend checking the
above website for the latest version of VPN Server even if you have the CD-ROM with
the installer file. If you signed a maintenance contract with a partner using PacketiX
VPN 2.0, please contact your partner representative in advance and check whether
the latest version can be installed.

If you received the latest version of VPN Server on a CD-ROM or as electronic files
from your partner using PacketiX VPN 2.0, install the software using those files.

Extracting the Package File for Installation

Extract the package file for installation using the tar command. Copy the tar.gz file to a
directory and extract the file as follows.

[root@machine root]# tar xzvf vpnserver-5070-rtm-linux-x86.tar.gz
vpnserver/
vpnserver/vpnserver.a
vpnserver/vpncmd.a
vpnserver/hamcore.se2
vpnserver/libcrypto.a
vpnserver/Makefile
vpnserver/libssl.a
vpnserver/License_ReadMeFirst.txt
vpnserver/License_ReadMeFirstUtf.txt
vpnserver/License_ReadMeFirstSjis.txt
vpnserver/.install.sh

When the package is extracted, the directory "vpnserver" is created in the working directory, and the required installation files are extracted into it.

7.3.5 Creating an Executable File

Executing a make

To install VPN Server, you must execute a make and create a vpnserver executable file.

First, go to the vpnserver directory extracted in the previous subsection and type
[make].

Next, the message "Do you want to read the License Agreement for this software?" is
displayed. Select [1] to continue.

[root@machine vpnserver]# make
./.install.sh
PacketiX VPN Software Install Utility
Copyright (C) 2004-2005 SoftEther Corporation. All Rights Reserved.

Do you want to read the License Agreement for this software ?

1. Yes
2. No
Please choose one of above number:
1

Next, the PacketiX VPN Server Version 2.0 end-user license agreement is displayed. Please read and understand the license agreement. The license agreement is displayed over several pages, so use a terminal emulator or SSH client software with a scroll function to view the entire license agreement. If you are unable to read the entire license agreement, press Ctrl + C to cancel the make, and then use a text editor to open the text file containing the license agreement in the vpnserver directory.

At the end of the license agreement, the message "Did you read and understand the
License Agreement?" is displayed. If you read and understood the license agreement,
select [1].

EULA

Did you read and understand the License Agreement ?
(If you couldn't read above text, Please read License_ReadMe.txt
file with any text editor.)
1. Yes
2. No
Please choose one of above number:
1

Next, the message "Do you agree to the License Agreement?" is displayed. If you agree
to the license agreement, select [1].

Did you agree the License Agreement ?
1. Agree
2. Do Not Agree
Please choose one of above number:
1

Once you agree to the license agreement, the vpnserver program is automatically
created.

make[1]: Entering directory `/root/vpnserver'
ranlib libssl.a
ranlib libcrypto.a
ranlib vpnserver.a
gcc vpnserver.a -pthread -lrt -lm -lz libssl.a libcrypto.a -lpthread -ldl -lreadline -lcurses -o vpnserver
strip vpnserver
ranlib vpncmd.a
gcc vpncmd.a -pthread -lrt -lm -lz libssl.a libcrypto.a -lpthread -ldl -lreadline -lcurses -o vpncmd
strip vpncmd
make[1]: Leaving directory `/root/vpnserver'

[root@machine vpnserver]#

If an error occurs during this process, creation of the vpnserver program fails. In this
case, see 「7.3.1 Recommended System」 and 「7.3.3 Checking the Required Software
and Libraries」 again and check whether any required libraries are missing.

7.3.6 VPN Server Location

After the vpnserver program is created, we recommend moving the vpnserver directory,
which is created when the package is extracted, to the /usr/local/ directory. Use the
following method to move the vpnserver directory to /usr/local/. The operations
hereafter must be performed as a root user.

[root@machine vpnserver]# cd ..
[root@machine root]# mv vpnserver /usr/local
[root@machine root]# ls -l /usr/local/vpnserver/
total 13000
-rwxrwxrwx 1 root root   20245 Dec 8 16:14 License_ReadMeFirst.txt*
-rwxrwxrwx 1 root root   20317 Dec 8 16:14 License_ReadMeFirstSjis.txt*
-rwxrwxrwx 1 root root   30210 Dec 8 16:14 License_ReadMeFirstUtf.txt*
-rwxrwxrwx 1 root root     609 Dec 8 16:14 Makefile*
-rwxrwxrwx 1 root root 4018399 Dec 8 16:14 hamcore.se2*
-rwxrwxrwx 1 root root 1942994 Dec 9 02:23 libcrypto.a*
-rwxrwxrwx 1 root root  336070 Dec 9 02:23 libssl.a*
-rwxr-xr-x 1 root root 1814216 Dec 9 02:23 vpncmd*
-rwxrwxrwx 1 root root 1630858 Dec 9 02:23 vpncmd.a*
-rwxr-xr-x 1 root root 1814120 Dec 9 02:23 vpnserver*
-rwxrwxrwx 1 root root 1630304 Dec 9 02:23 vpnserver.a*
[root@machine root]#

Confirm that all of the files are moved to the /usr/local/vpnserver/ directory, as shown above.

Note that the files as extracted from the package are world-writable (mode 777), so any local user could modify or replace the vpnserver program or hamcore.se2 before root runs them. VPN Server also writes its configuration file (vpn_server.config) and its log files to this directory once it is started. Restrict the permissions so that only root can read the files and execute the programs.

[root@machine root]# cd /usr/local/vpnserver/
[root@machine vpnserver]# chmod 600 *
[root@machine vpnserver]# chmod 700 vpncmd
[root@machine vpnserver]# chmod 700 vpnserver
[root@machine vpnserver]# ls -l
total 13000
-rw------- 1 root root   20245 Dec 8 16:14 License_ReadMeFirst.txt
-rw------- 1 root root   20317 Dec 8 16:14 License_ReadMeFirstSjis.txt
-rw------- 1 root root   30210 Dec 8 16:14 License_ReadMeFirstUtf.txt
-rw------- 1 root root     609 Dec 8 16:14 Makefile
-rw------- 1 root root 4018399 Dec 8 16:14 hamcore.se2
-rw------- 1 root root 1942994 Dec 9 02:23 libcrypto.a
-rw------- 1 root root  336070 Dec 9 02:23 libssl.a
-rwx------ 1 root root 1814216 Dec 9 02:23 vpncmd*
-rw------- 1 root root 1630858 Dec 9 02:23 vpncmd.a
-rwx------ 1 root root 1814120 Dec 9 02:23 vpnserver*
-rw------- 1 root root 1630304 Dec 9 02:23 vpnserver.a
[root@machine vpnserver]#

This completes the changing of the location of the vpnserver program.
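The following script is an added example, not part of the PacketiX manual or the product. It applies the permissions from the steps above to the installation directory and then verifies that nothing in the tree is readable, writable or executable by anyone but the owner, which is the check you want to repeat after every update of the vpnserver, vpncmd or hamcore.se2 files. It goes slightly beyond the manual's commands in that it also sets the directory itself, and any log directories vpnserver creates later, to mode 700. It assumes the extracted layout shown above and that it is run as the owner of the files (root on a real installation).

```shell
#!/bin/sh
# Added example, not part of the PacketiX manual: apply the permissions
# from 7.3.6 to the VPN Server directory and verify that nothing in it is
# accessible to users other than the owner. Assumes the extracted layout
# shown above (vpnserver, vpncmd, *.a, hamcore.se2, Makefile, License_*.txt)
# and that it is run as the owner (root on a real install).

# Print every regular file under $1 that group or others can read, write
# or execute. Empty output means the tree is private to its owner.
exposed_files() {
    find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                      -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Apply the 7.3.6 permissions: data files 0600, the two programs 0700.
# Directories (the install directory itself and any log directories
# vpnserver creates later) are set to 0700 as well, which the manual's
# "chmod 600 *" does not cover.
harden_vpnserver_dir() {
    dir=$1
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
    chmod 700 "$dir/vpnserver" "$dir/vpncmd"
}

# Return 0 only if both programs are executable by their owner and no
# file in the tree is exposed to group or others.
check_vpnserver_dir() {
    dir=$1
    [ -x "$dir/vpnserver" ] || return 1
    [ -x "$dir/vpncmd" ] || return 1
    [ -z "$(exposed_files "$dir")" ] || return 1
    return 0
}

# Usage: sh harden.sh --harden /usr/local/vpnserver
#        sh harden.sh --check  /usr/local/vpnserver
case "${1:-}" in
    --harden) harden_vpnserver_dir "$2" && check_vpnserver_dir "$2" ;;
    --check)  check_vpnserver_dir "$2" ;;
esac
```

`--check` returns a non-zero exit status as soon as a file turns up with group or other bits set, so it can be run from cron or after each upgrade to catch an archive that was extracted with a permissive umask.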

7.3.7 Using the vpncmd Check Command to Check Operations

We recommend performing a final check to see whether VPN Server can operate properly on your computer system before starting vpnserver.

The check command of the vpncmd command line management utility automatically checks whether the system has the functions needed to operate VPN Server. For details, please refer to 「6.6 VPN Tools Command Reference」 .

First, start vpncmd by typing [./vpncmd]. Next, select [3. Use of VPN Tools (certificate creation and communication speed measurement)] and execute the check command.

[root@machine vpnserver]# ./vpncmd
vpncmd command - PacketiX VPN Command Line Management Utility
PacketiX VPN Command Line Management Utility (vpncmd command)
Version 2.20 Build 5302
Compiled Sat Mar 31 03:09:18 2007 by yagi at ILC308
Copyright (C) 2004-2006 SoftEther Corporation. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and communication speed measurement)

Select 1, 2 or 3: 3

VPN Tools was launched. By inputting HELP, you can view a list of the commands that can be used.

VPN Tools>check
Check command - Check if PacketiX VPN Operation is Possible
---------------------------------------------------
PacketiX VPN Operation Environment Check Tool
Copyright (C) 2004-2006 SoftEther Corporation. All Rights Reserved.

If this operation environment check tool is run on a system and that system passes, it is highly likely that PacketiX VPN software can operate on that system. This check may take a while. Please wait...

Checking 'Kernel System'...
[Pass]
Checking 'Memory Operation System'...
[Pass]
Checking 'ANSI / Unicode string processing system'...
[Pass]
Checking 'File system'...
[Pass]
Checking 'Thread processing system'...
[Pass]
Checking 'Network system'...
[Pass]

All checks passed. It is highly likely that PacketiX VPN Server / Bridge can operate normally on this system.

The command terminated normally.

VPN Tools>exit
[root@machine vpnserver]#

If, after executing the check command, the message "All checks passed. It is highly likely that PacketiX VPN Server / Bridge can operate normally on this system." is displayed, as shown above, your system satisfies the VPN Server operation requirements and VPN Server can be used on it.

If, however, the system fails at any of the above check items, we recommend checking
「7.3.1 Recommended System」 and 「7.3.3 Checking the Required Software and
Libraries」 again.

7.3.8 Registering a Startup Script

After installing vpnserver to the /usr/local/vpnserver/ directory using the method described above, you can run the vpnserver program in service mode by registering /usr/local/vpnserver/vpnserver as a daemon process that is started at boot and continues to run in the background.

To register vpnserver to Linux as a daemon process, create a startup script, as shown below, with the name /etc/init.d/vpnserver. (The following startup script is an example, and you may have to rewrite part of it for it to work properly on your system.)

#!/bin/sh
# chkconfig: 2345 99 01
# description: PacketiX VPN Server 2.0
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the program is missing or not executable.
test -x "$DAEMON" || exit 0
case "$1" in
start)
    "$DAEMON" start
    # The subsys lock tells the init system that the service is running,
    # so that it is stopped cleanly at shutdown.
    touch "$LOCK"
    ;;
stop)
    "$DAEMON" stop
    rm -f "$LOCK"
    ;;
restart)
    "$DAEMON" stop
    rm -f "$LOCK"
    sleep 3
    "$DAEMON" start
    touch "$LOCK"
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

You can use a text editor or the cat command to write the above script to /etc/init.d/vpnserver as a text file. With the cat command, either type the script interactively and press Ctrl + D after the line break in the final line, or feed it from a quoted here-document as shown below. (The quotes around the EOF marker stop the shell from expanding $DAEMON, $LOCK and $1 while the file is being written.)

[root@machine vpnserver]# cat > /etc/init.d/vpnserver <<'EOF'
#!/bin/sh
# chkconfig: 2345 99 01
# description: PacketiX VPN Server 2.0
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
# Do nothing if the program is missing or not executable.
test -x "$DAEMON" || exit 0
case "$1" in
start)
    "$DAEMON" start
    # The subsys lock tells the init system that the service is running,
    # so that it is stopped cleanly at shutdown.
    touch "$LOCK"
    ;;
stop)
    "$DAEMON" stop
    rm -f "$LOCK"
    ;;
restart)
    "$DAEMON" stop
    rm -f "$LOCK"
    sleep 3
    "$DAEMON" start
    touch "$LOCK"
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
EOF

After creating the /etc/init.d/vpnserver startup script, set its permissions so that it cannot be modified by users other than root. The script is executed by root at boot, so it must be owned by root and writable only by root; mode 755 satisfies this while still letting the init system execute it.

[root@machine vpnserver]# chmod 755 /etc/init.d/vpnserver

Lastly, use the chkconfig command to register the script so that vpnserver is started automatically at boot. (chkconfig reads the "chkconfig: 2345 99 01" header line: start in runlevels 2, 3, 4 and 5, with start priority 99 and stop priority 01.)

[root@machine vpnserver]# /sbin/chkconfig --add vpnserver

VPN Server is now prepared to run as a service mode program.

7.3.9 Starting and Stopping Service

VPN Server registered as a service mode program automatically starts when Linux starts
and automatically stops when Linux shuts down. You can manually stop or restart the
VPN Server service if you need to do so for management reasons.

To start or stop VPN Server registered as a service mode program, type the command
below.

Starting the VPN Server Service

With the VPN Server service not running and with root permissions, type the following to
start the VPN Server service.

[root@machine vpnserver]# /etc/init.d/vpnserver start

Stopping the VPN Server Service

With the VPN Server service running and with root permissions, type the following to
stop the VPN Server service.

[root@machine vpnserver]# /etc/init.d/vpnserver stop

Cases in Which You Must Stop the VPN Server Service

The VPN Server service must be manually stopped in the following cases.

When manually editing or replacing the configuration file

When updating the vpnserver program and other files after the release of a new
version of VPN Server (To replace the vpnserver, vpncmd and hamcore.se2 files, be
sure to stop the service in advance.)

When you want to restart the service due to erratic behavior of the operating VPN
Server

Forcibly Terminating the vpnserver Process

It is unlikely that VPN Server would malfunction due to a problem with the physical
memory of the computer or a software bug. If this should occur and the VPN Server
service does not respond when you try to stop the service using the method above, you
can stop the service by forcibly terminating the vpnserver process. For the detailed
method for forcibly terminating the vpnserver process, please refer to the method of
using the kill command described in 「3.2.2 User Mode」 .

7.3.10 Limitations when Starting with General User Rights

The Linux version of VPN Server can also be started with general user rights. When starting VPN Server as a user mode program with general user rights, the program cannot be registered as a system service. Unlike the Windows version, however, when a general user starts VPN Server in the background by typing [./vpnserver start], the Linux vpnserver process continues to run even after that user logs out. SoftEther Corporation nevertheless does not recommend operating VPN Server in user mode, for the following reasons.

The local bridge function cannot be used. (For details, please refer to 「3.6 Local Bridges」 .)

After the system starts, the user must log on and manually start the vpnserver process, which reduces operability.

7.4 Default Settings

After VPN Server is installed, there are several settings that first must be configured.
This section describes how to configure these settings with examples of the settings
when using PacketiX VPN Server Manager. The same settings can also be configured
using vpncmd, so as a basic rule, the corresponding vpncmd command names are also
provided. For information about detailed vpncmd operations, please refer to 「Chapter 6
Command Line Management Utility Manual」 .

7.4.1 Changing the Manager Password

At the time VPN Server is installed, the manager (administrator) password for the entire VPN Server is not set, so the administrative connection is not yet protected by a password. Set the manager password as soon as you install VPN Server, before the server is exposed to the network.

The following alert is displayed if the VPN Server manager password is not set when
connecting to VPN Server with VPN Server Manager.

Figure 7-4-1 Alert Regarding the Manager Password

Click [Yes] to set the manager password.

Figure 7-4-2 Manager Password Setup Window

In vpncmd, use the ServerPasswordSet command.

7.4.2 Registering the License

To use VPN Server in accordance with the end-user license agreement of PacketiX VPN
Server 2.0, you must obtain a Standard Edition License issued by SoftEther Corporation
in advance and a Connect License where necessary. (For details, please refer to 「1.3
PacketiX VPN 2.0 Product Configuration and License」 .)

The license is in the form of a 36-digit alphanumeric license key. To use VPN Server as
VPN server software, you must register the license key.

To register the license key, click [Add or Delete License] on VPN Server Manager. The
following window is displayed.

Figure 7-4-3 Add or Delete License Window

Click [Register new license key] on this window to register a new license key to VPN
Server.

Figure 7-4-4 Register New License Key Window

In vpncmd, use the LicenseAdd command.

7.4.3 Checking the Current License Status and the Usage Status of the
Number of Connections

The [Add or Delete License] window displays a list of license keys registered to VPN
Server, information of each license key, the result of all license keys totaled, and the
mode in which VPN Server is currently running. For example, the following window
shows that there are 30 VPN Server 2.0 Standard Edition Licenses and Client Connect
Licenses and two Bridge Connect Licenses registered.

Figure 7-4-5 Window Displaying the License Registration Status

The [Current PacketiX VPN Server license mode] field displays the current VPN Server product type and the number of connectable clients that result from the multiple registered license keys, as well as the number of bridges, the server ID, and the license expiration date. For more information about PacketiX VPN Server 2.0 licenses, please refer to 「1.3 PacketiX VPN 2.0 Product Configuration and License」 .

Figure 7-4-6 Current PacketiX VPN Server License Mode Field

In vpncmd, you can obtain this information by using the LicenseList and
LicenseStatus commands.

7.4.4 Creating a Virtual HUB

By default, only one Virtual HUB, named "DEFAULT", is registered to VPN Server. You
can use this Virtual HUB as is. You can also delete this Virtual HUB and create a Virtual
HUB with a different name.

For the detailed operation of this setting, please refer to 「Chapter 3 PacketiX VPN
Server 2.0 Manual」 .

7.5 Installing to Other Unix Systems

PacketiX VPN Server 2.0 also supports FreeBSD, Solaris, and Mac OS X.

You can install PacketiX VPN Server 2.0 to these operating systems, but there are
several limitations. The following limitations, in particular, are important.

The local bridge function cannot be used on Unix systems other than Linux and
Solaris.

Essentially, SoftEther Corporation and partners using PacketiX VPN cannot provide
support for these operating systems.

The performance of PacketiX VPN Server 2.0 on these operating systems is inferior to
that on Windows and Linux operating systems.

Because of these limitations, we do not recommend installing PacketiX VPN Server 2.0 to
systems other than Windows or Linux. Using PacketiX VPN Server 2.0 on these operating
systems requires a very detailed understanding of the operating system, PacketiX VPN
Server 2.0, and network operations, so caution must be exercised.

This manual does not describe how to install PacketiX VPN Server 2.0 to FreeBSD, Solaris, or Mac OS X. However, many of the operations are similar to the procedure for installing PacketiX VPN Server 2.0 to Linux described in 「7.3 Installing to Linux and Configuring the Default Settings」 , so you can use this as a reference.

7.6 Uninstalling PacketiX VPN Server 2.0

This section describes how to uninstall PacketiX VPN Server from your system if you
should no longer need this program.

7.6.1 Uninstallation in Windows

You can uninstall the Windows version of VPN Server in the same way as uninstalling
other application software, by clicking [Control Panel] > [Add or Remove Programs] and
then removing the program.

Figure 7-6-1 Add or Remove Programs Window

To prevent the loss of configuration data created after VPN Server is installed and
written log files, this data is not automatically deleted. These files remain in the VPN
Server installation directory. If VPN Server is installed to the same directory thereafter,
the system uses the configuration file (vpn_server.config) remaining after the previous
uninstallation, so caution must be exercised.

You can use Explorer to delete these remaining data files.

Figure 7-6-2 Remaining Configuration Files and Log Files

7.6.2 Uninstallation in Linux

To uninstall the Linux version of VPN Server when vpnserver is registered as a service, perform the following operations as root.

1. Execute the /etc/init.d/vpnserver stop command to stop VPN Server.
2. Execute the /sbin/chkconfig --del vpnserver command to delete the registration of vpnserver as a service.
3. Delete the /etc/init.d/vpnserver file.

After performing the above operations, delete the directory where vpnserver is installed. Unlike the Windows uninstaller, this also removes the configuration file and log files kept in that directory, so copy them elsewhere first if you still need them.

Chapter 8 Installing PacketiX VPN Client 2.0

This chapter describes the detailed procedure for installing PacketiX VPN Client 2.0 to a
Windows-based computer and configuring the default settings.

For details on the PacketiX VPN Client 2.0 functions, please refer to 「Chapter 4 PacketiX
VPN Client 2.0 Manual」 .

8.1 Installation Precautions


8.1.1 Checking the Operating Environment
8.1.2 Network Connection Environment
8.1.3 Conflicting Software
8.2 Installing to Windows and Configuring the Default Settings
8.2.1 Installation Procedure Using the Installer
8.2.2 Optimizing the TCP/IP Communication Settings
8.2.3 Precautions After Installation
8.2.4 VPN Client Manager Operations
8.2.5 Operating with vpncmd
8.2.6 Creating a Virtual Network Adapter
8.2.7 Configuring a Virtual Network Adapter
8.2.8 Creating a Connection Setting
8.3 Uninstalling PacketiX VPN Client 2.0
8.3.1 Uninstallation
8.3.2 Virtual Network Adapter

8.1 Installation Precautions

This section describes the precautions to take before installing PacketiX VPN Client 2.0.

8.1.1 Checking the Operating Environment

Before installing PacketiX VPN Client to a computer, check that the computer hardware
and operating system support PacketiX VPN Client 2.0.

PacketiX VPN Client supports Windows and Linux; however, this product formally supports only operating systems with Windows 2000 or later. PacketiX VPN Client can be installed on other operating systems, but SoftEther Corporation is not responsible for its operation there, so caution must be exercised. For information about the operating environment of PacketiX VPN Client, please refer to 「12.2 PacketiX VPN Client 2.0 Specs」 .

Before installing PacketiX VPN Client, be sure to back up data stored in the installation
directory of the computer (including the system registry in Windows).

This manual describes the installation method for the Windows version of VPN Client.
The Linux version of VPN Client is not supported, so no description of the installation
method is provided here. In addition, if you do not have an understanding of how to
install the Linux version of VPN Client, do not use this version of VPN Client.

8.1.2 Network Connection Environment

To connect VPN Client to the desired VPN Server, you must use one of the following
methods to enable VPN communication between the computer to which VPN Client is
installed and the computer running the desired VPN Server.

- Direct TCP/IP Connection
- Connection Via HTTP Proxy Server
- Connection Via SOCKS Proxy Server

If you are unsure whether the environment network for VPN connection on VPN Client
satisfies the above information, please contact your network administrator in advance to
see if you can use VPN Client.

For more information about the above three connection methods, please refer to 「4.4
VPN Server Connection Method」 .

8.1.3 Conflicting Software

Personal firewall or antivirus software from another manufacturer installed on the client computer can conflict with VPN Client, slowing it down or disrupting its operation. Make sure that no such conflict is affecting VPN Client.

If there are signs that the VPN functions are not operating properly because of a conflict with this type of software, temporarily disable that software and try operating VPN Client again; re-enable it once you have confirmed whether it is the cause.

8.2 Installing to Windows and Configuring the Default Settings

This section describes how to install PacketiX VPN Client to an operating system with
Windows 2000 or later. This assumes that in the Windows operating system, no extra
application software is installed after performing a clean install of the system.

8.2.1 Installation Procedure Using the Installer

Preparing the Installer File

The installation of the Windows version of PacketiX VPN Client is very easy as it is almost
completely performed automatically. To install VPN Client, use any of the following
methods to obtain the Windows installer file.

When PacketiX VPN Client 2.0 is purchased as a product, the installer file is
distributed on a CD-ROM. Insert the CD-ROM into the CD-ROM drive of the computer
and run the executable file to install the Windows version of VPN Client.

You can also download the latest VPN Client installer file from the SoftEther
Corporation website ( http://www.softether.com/ ). We recommend checking the
above website for the latest version of VPN Client even if you have the CD-ROM with
the installer file. If you signed a maintenance contract with a partner using PacketiX
VPN 2.0, please contact your partner representative in advance and check whether
the latest version can be installed.

If you received the latest version of VPN Client on a CD-ROM or as electronic files
from your partner using PacketiX VPN 2.0, install the software using those files.

The VPN Client Windows version installer file is an executable file with the name
vpnclient-build-number-win32-x86.exe. At the time of writing this manual, the
installer file of the latest build is vpnclient-5070-rtm-win32-x86.exe.

Figure 8-2-1 VPN Client Installer

Starting the Installer


Start the installer by double-clicking the VPN Client installer file. The Windows Installer-
based installer starts automatically. Using the installation wizard, you can select the
name of the installation directory. (By default, the program is installed to Program
Files\PacketiX VPN Client on the system drive.) The VPN Client process writes log
files to the installation directory, so we recommend selecting an area on the hard
drive that has a large amount of disk space and is quickly accessible.

Figure 8-2-2 Specifying the VPN Client Installation Directory

During the installation, the end-user license agreement may be displayed. Please
thoroughly read the agreement. If you agree to the terms and conditions, the installation
continues.

Figure 8-2-3 VPN Client End-User License Agreement

The installer automatically registers the PacketiX VPN Client system service and sets the
program to automatically start in background mode at Windows startup.


8.2.2 Optimizing the TCP/IP Communication Settings

The window for optimizing the TCP/IP communication settings may be displayed during
installation of VPN Client.

Figure 8-2-4 Changing the TCP/IP Communication Settings

The TCP/IP communication settings optimization function can be used to perform the
following.

- Using a TCP/IP send/receive window buffer size of 64 KB or more by means of the
  window scaling option can improve the communication speed over a broadband line.

- The buffer size of the Windows AFD service can be rewritten to a value for high-speed
  communication.

However, there are reports that enabling the TCP/IP window scaling option can make
communication unstable or completely block communication through a firewall device,
such as some transparent proxies. These problems seem to occur with older firewall
devices on the network that do not support the window scaling option. If TCP/IP
communication becomes unstable after optimizing the TCP/IP communication settings,
you can restore the optimized settings to their original values. To restore them (and
use the default values of the operating system), click [Start] > [PacketiX VPN Client]
> [TCP Communication Optimization Utility], and then change the [TCP Incoming
Window Size] and [TCP Outgoing Window Size] values to [Use OS Default Value].

Figure 8-2-5 Restoring the TCP/IP Communication Settings to the Default Values of the Operating System

8.2.3 Precautions After Installation

When installation of the Windows version of VPN Client is completed, the PacketiX VPN
Client service is already running in the background on the Windows system. Normally,
the computer does not have to be restarted after installation of the program. However, if
you expect to use the local bridge function while using a network adapter that supports
hardware offloading, as described in 「3.6.10 Points to Note when Local Bridging in
Windows」 , we recommend that you restart the computer.

To check whether the VPN Client installer properly installed the PacketiX VPN Client
service to the Windows system, click [Control Panel] > [Administrative Tools] >
[Services], and check that [PacketiX VPN Client] is displayed on the list of services.


Figure 8-2-6 Completion of VPN Client Installer

8.2.4 VPN Client Manager Operations

After VPN Client is installed, use PacketiX VPN Client Manager to perform all VPN Client
operations. For detailed operations of VPN Client using VPN Client Manager, please refer
to 「Chapter 4 PacketiX VPN Client 2.0 Manual」 .

8.2.5 Operating with vpncmd

You can also use the command line-based vpncmd software to control VPN Client. For
information about detailed vpncmd operations, please refer to 「Chapter 6 Command
Line Management Utility Manual」. For example, you can combine vpncmd with an
existing scheduling program to start a connection using a specific connection setting
at a specified time and later automatically disconnect that connection setting.

SoftEther Corporation recommends using VPN Client Manager to control VPN Client and
using vpncmd as a supplemental management utility for automating simple repetitive
tasks.

8.2.6 Creating a Virtual Network Adapter

The first operation that must be performed to use VPN Client is to create a Virtual
Network Adapter. For more information about creating a Virtual Network Adapter, please
refer to 「4.3.2 Virtual Network Adapter Creation and Setup」 . You cannot define a
connection setting if a Virtual Network Adapter is not registered.

8.2.7 Configuring a Virtual Network Adapter

After you create a Virtual Network Adapter, you must properly configure the Virtual
Network Adapter. The administrator of the destination VPN Server should have already
provided instructions for configuring the Virtual Network Adapter. Configure the Virtual
Network Adapter using these instructions.

In particular, if no DHCP server appears to be operating on the Layer 2 segment of
the destination Virtual HUB, the IP address of the Virtual Network Adapter must be
configured manually on the client computer.

8.2.8 Creating a Connection Setting

After creating a Virtual Network Adapter, create a connection setting for connecting to a
Virtual HUB on the destination VPN Server, and try establishing a VPN connection. Follow
the instructions from the VPN Server administrator for entering the required settings. In
addition, adjust the connection method according to the configuration of the local
network to which the client computer running VPN Client is connected. For more
information about operating VPN Client, please refer to 「Chapter 4 PacketiX VPN Client
2.0 Manual」 .

After configuring all the settings, connect using the connection setting and establish VPN
communication.


8.3 Uninstalling PacketiX VPN Client 2.0

8.3.1 Uninstallation

Figure 8-3-1 Add or Remove Programs Window


Figure 8-3-2 Remaining Configuration Files and Log Files

8.3.2 Virtual Network Adapter

The Virtual Network Adapter created by the user when using VPN Client remains on the
computer after VPN Client is uninstalled, in the same way document files created by the
user when using a regular application remain on the computer after that application is
uninstalled. This is to prevent the deletion of the Virtual Network Adapter settings
configured by the user when VPN Client is uninstalled.

The Virtual Network Adapter that remains on the computer after uninstallation can be
deleted using the Device Manager of Windows.

Figure 8-3-3 Window for Deleting the Virtual Network Adapter


Chapter 9 Installing PacketiX VPN Bridge 2.0

This chapter describes the detailed procedure for installing PacketiX VPN Bridge 2.0 to a
Windows- or Linux-based server computer and configuring the default settings. For
details on the PacketiX VPN Bridge 2.0 functions, please refer to 「Chapter 5 PacketiX
VPN Bridge 2.0 Manual」 .

9.1 Installation Precautions


9.1.1 Checking the Operating Environment
9.1.2 Hard Disk Space
9.1.3 CPU Processing Speed
9.1.4 Conflicting Software
9.2 Installing to Windows and Configuring the Default Settings
9.2.1 Selecting the Installation Mode
9.2.2 Installation Procedure Using the Installer
9.2.3 Optimizing the TCP/IP Communication Settings
9.2.4 Precautions After Installation
9.2.5 Managing VPN Bridge with VPN Server Manager
9.2.6 Managing with vpncmd
9.2.7 Starting and Stopping Service
9.2.8 Adding and Deleting the Service
9.2.9 Limitations when Starting with General User Rights
9.3 Installing to Linux and Configuring the Default Settings
9.3.1 Recommended System
9.3.2 Selecting the Installation Mode
9.3.3 Checking the Required Software and Libraries
9.3.4 Extracting the Package
9.3.5 Creating an Executable File
9.3.6 VPN Bridge Location
9.3.7 Using the vpncmd Check Command to Check Operations
9.3.8 Registering a Startup Script
9.3.9 Starting and Stopping Service
9.3.10 Limitations when Starting with General User Rights
9.4 Default Settings
9.4.1 Changing the Manager Password
9.4.2 Creating a Cascade Connection with a Local Bridge
9.5 Uninstalling PacketiX VPN Bridge 2.0
9.5.1 Uninstallation in Windows

9.5.2 Uninstallation in Linux

9.1 Installation Precautions


This section describes the precautions to take before installing PacketiX VPN Bridge 2.0.

9.1.1 Checking the Operating Environment

Before installing PacketiX VPN Bridge to a computer, check that the computer hardware
and operating system support PacketiX VPN Bridge.

PacketiX VPN Bridge supports Windows, Linux, FreeBSD, Solaris, and Mac OS X;
however, this product formally supports only Windows 2000 or later and certain Linux
distributions. PacketiX VPN Bridge can be installed on other operating systems, but
SoftEther Corporation is not responsible for its operation there. For information about
the operating environment of PacketiX VPN Bridge, please refer to 「12.1 PacketiX VPN
Server 2.0 Specs」.

Before installing PacketiX VPN Bridge, be sure to back up data stored in the installation
directory of the computer (including the system registry in Windows).

9.1.2 Hard Disk Space

As described in 「3.10 Logging Service」, PacketiX VPN Bridge writes large operation log
files to the hard disk during operation. In addition, when the free space on the hard
disk falls below a certain size, VPN Bridge deletes the oldest of the log files it wrote
during operation.

Although the size of the logs written by VPN Bridge varies greatly depending on the
operating status of VPN Bridge, the number of users connected on a daily basis, and the
packet log items that the Virtual HUB administrator has configured to be saved, as a
guideline it is a good idea to have between 30 and 100 GB of available disk space when
using VPN Bridge for a general remote-access VPN or for a VPN connection between
sites.

9.1.3 CPU Processing Speed

The processing speed of VPN Bridge depends on the CPU speed. Therefore, check that
the CPU of the hardware you want to use as the VPN Bridge computer is sufficiently
fast. If the CPU speed is too slow, we recommend upgrading the system.

As a guideline for the CPU speed, we recommend providing a CPU with a speed of 2.0
GHz or faster when connecting to a network using a physical line with a communication
speed of 100 Mbps. If the CPU speed is too slow, the communication delay time can
increase and throughput can decrease.

9.1.4 Conflicting Software

It is essential that you make sure that the operation speed of VPN Bridge is not
adversely affected and server operations are not disrupted by software conflicts that can
occur when VPN Bridge is installed on a computer with a personal firewall or antivirus
software from a different manufacturer. If there are signs that the VPN functions are not
operating properly due to a conflict with this type of software, we recommend
temporarily disabling that software and trying to operate VPN Bridge again.

Please note that VPN Bridge conflicts with VPN Server. Generally, VPN Server does not
need to be installed on the same computer on which VPN Bridge is installed.

9.2 Installing to Windows and Configuring the Default Settings

This section describes how to install PacketiX VPN Bridge to an operating system with
Windows 2000 or later. This assumes that no extra application software was installed
on the Windows operating system after a clean install of the system, and that the
Windows firewall function that blocks incoming communication to TCP/IP ports from the
outside is disabled.

9.2.1 Selecting the Installation Mode

As described in 「3.2 Operating Modes」, PacketiX VPN Bridge can be operated in either
service mode or user mode. When configuring VPN Bridge for use as part of an everyday
operation system, we recommend installing PacketiX VPN Bridge in service mode. The
installer for the Windows version of VPN Bridge installs the VPN Bridge program to the
system in service mode.


9.2.2 Installation Procedure Using the Installer

Preparing the Installer File

The installation of the Windows version of PacketiX VPN Bridge is very easy as it is
almost completely performed automatically. To install VPN Bridge, use any of the
following methods to obtain the Windows installer file.

When PacketiX VPN Bridge 2.0 is purchased as a product, the installer file is
distributed on a CD-ROM. Insert the CD-ROM into the CD-ROM drive of the computer
and run the executable file to install the Windows version of VPN Bridge.

You can also download the latest VPN Bridge installer file from the SoftEther
Corporation website ( http://www.softether.com/ ). We recommend checking the
above website for the latest version of VPN Bridge even if you have the CD-ROM with
the installer file. If you signed a maintenance contract with a partner using PacketiX
VPN 2.0, please contact your partner representative in advance and check whether
the latest version can be installed.

If you received the latest version of VPN Bridge on a CD-ROM or as electronic files
from your partner using PacketiX VPN 2.0, install the software using those files.

The VPN Bridge Windows version installer file is an executable file with the name
vpnbridge-build-number-win32-x86.exe. At the time of writing this manual, the
installer file of the latest build is vpnbridge-5070-rtm-win32-x86.exe.

Figure 9-2-1 VPN Bridge Installer

Starting the Installer

Start the installer by double-clicking the VPN Bridge installer file. The Windows Installer-
based installer starts automatically. Using the installation wizard, you can select the
name of the installation directory. (By default, the program is installed to Program
Files\PacketiX VPN Bridge on the system drive.) The VPN Bridge process writes large
log files to the installation directory, so we recommend selecting an area on the hard
drive that has a large amount of disk space and is quickly accessible.

Figure 9-2-2 Specifying the VPN Bridge Installation Directory

During the installation, the end-user license agreement may be displayed. Please
thoroughly read the agreement. If you agree to the terms and conditions, the installation
continues.

Figure 9-2-3 VPN Bridge End-User License Agreement

The installer automatically registers the PacketiX VPN Bridge system service and sets the
program to automatically start in background mode at Windows startup.

9.2.3 Optimizing the TCP/IP Communication Settings

The window for optimizing the TCP/IP communication settings may be displayed during
installation of VPN Bridge.

Figure 9-2-4 Changing the TCP/IP Communication Settings

The TCP/IP communication settings optimization function can be used to perform the
following.

- Using a TCP/IP send/receive window buffer size of 64 KB or more by means of the
  window scaling option can improve the communication speed over a broadband line.

- The buffer size of the Windows AFD service can be rewritten to a value for high-speed
  communication.

However, there are reports that enabling the TCP/IP window scaling option can make
communication unstable or completely block communication through a firewall device,
such as some transparent proxies. These problems seem to occur with older firewall
devices on the network that do not support the window scaling option. If TCP/IP
communication becomes unstable after optimizing the TCP/IP communication settings,
you can restore the optimized settings to their original values. To restore them (and
use the default values of the operating system), click [Start] > [PacketiX VPN
Bridge] > [TCP Communication Optimization Utility], and then change the [TCP
Incoming Window Size] and [TCP Outgoing Window Size] values to [Use the default
value of the operating system].

Figure 9-2-5 Restoring the TCP/IP Communication Settings to the Default Values of the Operating System

9.2.4 Precautions After Installation

When installation of the Windows version of VPN Bridge is completed, the PacketiX VPN
Bridge service is already running in the background on the Windows system. Normally,
the computer does not have to be restarted after installation of the program. However, if
you expect to use the local bridge function while using a network adapter that supports
hardware offloading, as described in 「3.6.10 Points to Note when Local Bridging in
Windows」 , we recommend that you restart the computer.

To check whether the VPN Bridge installer properly installed the PacketiX VPN Bridge
service to the Windows system, click [Control Panel] > [Administrative Tools] >
[Services], and check that [PacketiX VPN Bridge] is displayed on the list of services.

9.2.5 Managing VPN Bridge with VPN Server Manager

The procedure is essentially the same as the initial configuration performed after
installing VPN Server. For the initial settings of VPN Server, please refer to 7.2.5.

9.2.6 Managing with vpncmd

The procedure is essentially the same as the initial configuration performed after
installing VPN Server. For the initial settings of VPN Server, please refer to 7.2.6.


9.2.7 Starting and Stopping Service

The installer for the Windows version of VPN Bridge automatically installs the PacketiX
VPN Bridge service. This service continually operates while Windows is running, and it
automatically shuts down when Windows shuts down.

If the service must be restarted for management reasons or because VPN Bridge
operations become unstable, you can click [Control Panel] > [Administrative Tools] >
[Services], and start or stop the service. An easier and more reliable method is to call
the net command at the command prompt and start or stop the service.

To stop the service, type the following command.

> net stop vpnbridge

To start the service, type the following command.

> net start vpnbridge

In the unlikely event that the VPN Bridge process hangs and cannot be controlled using
the net command, you can use Task Manager in Windows to forcibly terminate the
vpnbridge.exe process.

9.2.8 Adding and Deleting the Service

You can add or delete the service for the vpnbridge.exe process using the method
described in the description of the service mode of the Windows PacketiX VPN Bridge in
「3.2.1 Service Mode」 . You can use this method, for example, to move all setting files
in the VPN Bridge installation directory to a different directory or hard drive, and then
re-register the process as a service. (However, we cannot recommend using this method
as the uninstaller may not be able to properly uninstall the program.)

9.2.9 Limitations when Starting with General User Rights

We recommend operating the Windows version of VPN Bridge as a service mode
program, but you can also start VPN Bridge in user mode by using the method
described in 「3.2.2 User Mode」. Even if a critical security hole, such as a buffer
overrun, were temporarily to exist in VPN Bridge, an attack against a VPN Bridge
started in user mode would affect only the user account that started it, so VPN Bridge
can be used relatively securely and safely in user mode. However, SoftEther Corporation
does not recommend actually operating VPN Bridge in user mode for the following
reasons.

The local bridge function cannot be used. (For details, please refer to 「3.6 Local
Bridges」 .)

Some features of the disaster recovery function, such as automatic recovery when an
error occurs in a self process, cannot be used. (For details, please refer to 「3.3.12
Failure Recovery」 .)


To start the VPN Bridge process in user mode, the user must remain logged on to
the server. VPN Bridge cannot operate when that user logs off or when no user is
logged on to the server after Windows starts. For these reasons, user mode is not
suited for actual operation of VPN Bridge.

9.3 Installing to Linux and Configuring the Default Settings

This section describes how to install PacketiX VPN Bridge 2.0 to a Linux operating
system. This assumes that in the Linux operating system, no extra application software
is installed after performing a clean install of the system. This also assumes that, as a
basic rule, the firewall and similar functions included in the Linux distribution are not
being used, and that the function for blocking communication to TCP/IP ports from the
outside (firewall function) is disabled.

9.3.1 Recommended System

Recommended Operating System Configuration

The Linux version of PacketiX VPN Bridge 2.0 can operate in most cases on platforms
with Linux kernel 2.4 or later; however, SoftEther Corporation recommends only those
environments using the following Linux distributions. (As of the time of writing this
manual, this is the recommended environment; however, this may change to higher
specifications in the future.)

- Red Hat Enterprise Linux AS / ES Version 4 (x86 or x64)
  (Use the standard update utility to update the kernel to 2.6.9-22 or later.)

- Turbolinux 10 Server (x86 or x64)
  (Use the standard update utility to update the kernel to 2.6.8-5 or later.)

- Fedora Core 4 or later (x86 or x64), CentOS 4 or later (x86 or x64)
  (Use the standard update utility to update the kernel to the latest version. Please
  note that there is no support for PacketiX VPN 2.0 products on Fedora Core 4 or
  later.)

For more information about the system requirements, please refer to 「12.1.1
Supported Operating Systems (Recommended)」 .


The descriptions for installing PacketiX VPN Bridge 2.0 in this chapter are based on the
use of one of the above operating systems and the fact that VPN Bridge will be installed
to the newly created directory /usr/local/vpnbridge/.

Using Red Hat Enterprise Linux AS / ES Version 4

For operating systems using the Red Hat Enterprise Linux AS / ES Version 4 distribution,
support is only provided for environments where a clean installation of the system was
performed with one of the following methods.

1. Perform a clean installation of Red Hat Enterprise Linux AS / ES Version 4. Avoid
cases where inconsistencies may occur, such as in the libraries after upgrading
from an earlier version of Linux.
2. When creating a partition on the hard disk, be sure to allocate sufficient disk space
to the partition with the /usr/ directory. The examples in the descriptions below
are based on VPN Bridge being installed to /usr/local/vpnbridge/. In addition,
we recommend allocating sufficient disk space to the partition to allow VPN Bridge
to write log files to the same directory.
3. At the stage of selecting the components to be installed, make sure that at least
the development tools (compiler, etc.) and development libraries are installed.
To install VPN Bridge, the make, gcc, and binutils utilities and the development
versions (also called devel packages) of the libc (glibc), zlib, openssl, readline,
and ncurses libraries are required.
4. After installing the operating system, use Red Hat Network to update to the latest
Linux kernel (2.6.9-22 or later). Because there are problems in the parallel and
synchronous processing of the kernel included in the initial install of Red Hat
Enterprise Linux AS / ES Version 4, the operation of VPN Bridge may become
unstable. Be sure to update the kernel.
5. Complete the installation of the program with the firewall and SELinux functions
disabled. After confirming that VPN Bridge is properly installed, you can enable
these functions if necessary.

Using Turbolinux 10 Server

When using Turbolinux 10 Server, we recommend performing a clean installation of the
system using the following steps, and then installing VPN Bridge to that environment.
Please note that there is no support for VPN Bridge products on Turbolinux 10 Server.

1. Perform a clean installation of Turbolinux 10 Server. Avoid cases where
inconsistencies may occur, such as in the libraries after upgrading from an earlier
version of Linux.
2. When creating a partition on the hard disk, be sure to allocate sufficient disk space
to the partition with the /usr/ directory. The examples in the descriptions below
are based on VPN Bridge being installed to /usr/local/vpnbridge/. In addition,
we recommend allocating sufficient disk space to the partition to allow VPN Bridge
to write log files to the same directory.
3. At the stage of selecting the components to be installed, make sure that at least
the development tools (compiler, etc.) and development libraries are installed.
To install VPN Bridge, the make, gcc, and binutils utilities and the development
versions (also called devel packages) of the libc (glibc), zlib, openssl, readline,
and ncurses libraries are required.
4. After installing the operating system, use Update Utility to update to the latest
Linux kernel (2.6.8-5 or later). Because there are problems in the parallel and
synchronous processing of the kernel included in the initial install of Turbolinux 10
Server, the operation of VPN Bridge may become unstable. Be sure to update the
kernel.
5. Complete the installation of the program with the firewall and SELinux functions
disabled. After confirming that VPN Bridge is properly installed, you can enable
these functions if necessary.

Using Fedora Core 4

When using Fedora Core 4, we recommend performing a clean installation of the system
using the following steps, and then installing VPN Bridge to that environment.
Please note that there is no support for VPN Bridge products on Fedora Core 4.

1. Perform a clean installation of Fedora Core 4. Avoid cases where inconsistencies
may occur, such as in the libraries after upgrading from an earlier version of Linux.
2. When creating a partition on the hard disk, be sure to allocate sufficient disk space
to the partition with the /usr/ directory. The examples in the descriptions below
are based on VPN Bridge being installed to /usr/local/vpnbridge/. In addition,
we recommend allocating sufficient disk space to the partition to allow VPN Bridge
to write log files to the same directory.
3. At the stage of selecting the components to be installed, make sure that at least
the development tools (compiler, etc.) and development libraries are installed.
To install VPN Bridge, the make, gcc, and binutils utilities and the development
versions (also called devel packages) of the libc (glibc), zlib, openssl, readline,
and ncurses libraries are required.
4. After installing the operating system, update the Linux kernel to the latest version
if possible. Because there are problems in the parallel and synchronous processing
of the kernel included in the initial install of Fedora Core 4, the operation of VPN
Bridge may become unstable. Be sure to update the kernel.
5. Complete the installation of the program with the firewall and SELinux functions
disabled. After confirming that VPN Bridge is properly installed, you can enable
these functions if necessary.

9.3.2 Selecting the Installation Mode


As described in 「3.1 Operating Environment」 and 「3.2 Operating Modes」, PacketiX
VPN Bridge can be operated in either service mode or user mode. When configuring VPN
Bridge for use as part of an everyday operation system in a company, we recommend
installing PacketiX VPN Bridge in service mode. To install the VPN Bridge program to the
system in service mode on a Linux operating system, you must register the vpnbridge
program as a daemon program in the Linux startup script.

9.3.3 Checking the Required Software and Libraries

The following software and libraries are required to install VPN Bridge on a Linux operating system. Check that they are installed on the system and enabled. (If the recommended distribution is installed using the method specified in 「7.3.1 Recommended System」 , these libraries are installed as well.)

- gcc software
- binutils software
- tar, gzip or other software for extracting package files
- chkconfig system utility
- cat, cp or other basic file operation utility
- EUC-JP, UTF-8 or other code page table for use in a Japanese language environment
- libc (glibc) library
- zlib library
- openssl library
- readline library
- ncurses library
- pthread library
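A pre-flight script for the list above, added here as an example; it is not part of the manual or of the VPN Bridge package. It checks that the build tools are on $PATH and that the headers installed by the -devel packages are present, which is what the make step in 9.3.5 actually fails on when something is missing. The header file names, the package names in the messages and the default include directory /usr/include are my assumptions for a Fedora-style system; adjust them for your distribution.

```shell
#!/bin/sh
# Pre-flight check for the VPN Bridge build prerequisites listed above.
# Added example; not part of the PacketiX manual or the vpnbridge package.
# ASSUMPTIONS: header names and -devel package names are those of a
# Fedora-style system; headers are looked up under /usr/include by default.
# Run as root so that /sbin (where chkconfig lives) is on PATH.

# Tools that the make step and the installation steps invoke.
REQUIRED_CMDS="gcc ld as make tar gzip chkconfig cat cp"

# Headers provided by the -devel packages the manual names, as NAME:HEADER.
REQUIRED_HEADERS="glibc:stdio.h zlib:zlib.h openssl:openssl/ssl.h \
readline:readline/readline.h ncurses:ncurses.h pthread:pthread.h"

# missing_cmds NAME... : print each NAME that is not found on $PATH.
missing_cmds() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || echo "$c"
    done
    return 0
}

# missing_headers INCLUDE_DIR NAME:HEADER... : print the package NAME for
# each HEADER that does not exist under INCLUDE_DIR.
missing_headers() {
    dir=$1
    shift
    for entry in "$@"; do
        name=${entry%%:*}
        hdr=${entry#*:}
        [ -f "$dir/$hdr" ] || echo "$name"
    done
    return 0
}

# check_prereqs [INCLUDE_DIR] : report everything that is missing; return 1
# if the build would fail for lack of a tool or header, 0 if all are present.
check_prereqs() {
    inc=${1:-/usr/include}
    status=0
    for c in $(missing_cmds $REQUIRED_CMDS); do
        echo "missing command: $c"
        status=1
    done
    for n in $(missing_headers "$inc" $REQUIRED_HEADERS); do
        echo "missing development headers for $n (install the $n-devel package)"
        status=1
    done
    [ "$status" -eq 0 ] && echo "all build prerequisites are present"
    return "$status"
}

# Report against the running system; the result is kept in PREREQ_STATUS so
# a wrapper can decide whether to continue (exit "$PREREQ_STATUS").
PREREQ_STATUS=0
check_prereqs "$@" || PREREQ_STATUS=$?
```

Run it as root before typing make; a non-zero PREREQ_STATUS means the package install step for the named tool or -devel package still has to be done.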

9.3.4 Extracting the Package

Preparing the Installer File

To install VPN Bridge, you need the file containing the VPN Bridge program (a package file compressed in tar.gz format).

When PacketiX VPN Bridge 2.0 is purchased as a product, the installer file is distributed on a CD-ROM. Insert the CD-ROM into the computer's CD-ROM drive, mount it on the Linux system, and copy the required files to a temporary directory.

You can also download the latest VPN Bridge installer file from the SoftEther Corporation website ( http://www.softether.com/ ). We recommend checking the above website for the latest version of VPN Bridge even if you have the CD-ROM with the installer file. If you signed a maintenance contract with a partner using PacketiX VPN 2.0, please contact your partner representative in advance and check whether the latest version can be installed.

If you received the latest version of VPN Bridge on a CD-ROM or as electronic files from your partner using PacketiX VPN 2.0, install the software using those files.

Whichever source you use, obtain the package only from the vendor's website or your partner and, if a checksum or signature is published for it, verify the file against it before extracting it: everything built from the package will run as root.

Extracting the Package File for Installation

Extract the package file for installation using the tar command. Copy the tar.gz file to a
directory and extract the file as follows.

[root@machine root]# tar xzvf vpnbridge-5070-rtm-linux-x86.tar.gz


vpnbridge/
vpnbridge/vpnbridge.a
vpnbridge/vpncmd.a
vpnbridge/hamcore.se2
vpnbridge/libcrypto.a
vpnbridge/Makefile
vpnbridge/libssl.a
vpnbridge/License_ReadMeFirst.txt
vpnbridge/License_ReadMeFirstUtf.txt
vpnbridge/License_ReadMeFirstSjis.txt
vpnbridge/.install.sh

When the package is extracted, the directory "vpnbridge" is created in the working directory, containing the files required for installation.

9.3.5 Creating an Executable File

Executing a make

To install VPN Bridge, you must execute a make and create a vpnbridge executable file.

First, go to the vpnbridge directory extracted in the previous subsection and type
[make].

Next, the message "Do you want to read the License Agreement for this software?" is
displayed. Select [1] to continue.

[root@machine vpnbridge]# make


./.install.sh
PacketiX VPN Software Install Utility
Copyright (C) 2004-2005 SoftEther Corporation. All Rights Reserved.

Do you want to read the License Agreement for this software ?


1. Yes
2. No
Please choose one of above number:
1

Next, the PacketiX VPN Bridge Version 2.0 end-user license agreement is displayed. Please read and understand the license agreement. The license agreement is displayed over several pages, so use a terminal emulator or SSH client software with a scroll function to view the entire license agreement. If you are unable to read the entire license agreement, press Ctrl + C to cancel the make, and then use a text editor to directly open and view the contents of the text file with the license agreement located in the vpnbridge directory.

At the end of the license agreement, the message "Did you read and understand the
License Agreement?" is displayed. If you read and understood the license agreement,
select [1].

EULA

Did you read and understand the License Agreement ?


(If you couldn't read above text, Please read License_ReadMe.txt
file with any text editor.)
1. Yes
2. No
Please choose one of above number:
1

Next, the message "Do you agree to the License Agreement?" is displayed. If you agree
to the license agreement, select [1].

Did you agree the License Agreement ?


1. Agree
2. Do Not Agree
Please choose one of above number:
1

Once you agree to the license agreement, the vpnbridge program is automatically
created.

make[1]: Entering directory `/root/vpnbridge'
ranlib libssl.a
ranlib libcrypto.a
ranlib vpnbridge.a
gcc vpnbridge.a -pthread -lrt -lm -lz libssl.a libcrypto.a -lpthread -ldl -lreadline -lcurses -o vpnbridge
strip vpnbridge
ranlib vpncmd.a
gcc vpncmd.a -pthread -lrt -lm -lz libssl.a libcrypto.a -lpthread -ldl -lreadline -lcurses -o vpncmd
strip vpncmd
make[1]: Leaving directory `/root/vpnbridge'

[root@machine vpnbridge]#

If an error occurs during this process, creation of the vpnbridge program fails. In this case, see 「7.3.1 Recommended System」 and 「7.3.3 Checking the Required Software and Libraries」 again and check whether any required libraries are missing.

Note that the gcc lines above link the libssl.a and libcrypto.a files shipped in the package, not the OpenSSL library installed on the system. Security updates to the distribution's OpenSSL packages therefore do not reach vpnbridge or vpncmd; to pick up an OpenSSL fix you must install an updated VPN Bridge package and rebuild.

9.3.6 VPN Bridge Location

After the vpnbridge program is created, we recommend moving the vpnbridge directory, which was created when the package was extracted, to the /usr/local/ directory. Use the following method to move the vpnbridge directory to /usr/local/. The operations from here on must be performed as root.

[root@machine vpnbridge]# cd ..
[root@machine root]# mv vpnbridge /usr/local
[root@machine root]# ls -l /usr/local/vpnbridge/
total 13000
-rwxrwxrwx 1 root root   20245 Dec  8 16:14 License_ReadMeFirst.txt*
-rwxrwxrwx 1 root root   20317 Dec  8 16:14 License_ReadMeFirstSjis.txt*
-rwxrwxrwx 1 root root   30210 Dec  8 16:14 License_ReadMeFirstUtf.txt*
-rwxrwxrwx 1 root root     609 Dec  8 16:14 Makefile*
-rwxrwxrwx 1 root root 4018399 Dec  8 16:14 hamcore.se2*
-rwxrwxrwx 1 root root 1942994 Dec  9 02:23 libcrypto.a*
-rwxrwxrwx 1 root root  336070 Dec  9 02:23 libssl.a*
-rwxr-xr-x 1 root root 1814216 Dec  9 02:23 vpncmd*
-rwxrwxrwx 1 root root 1630858 Dec  9 02:23 vpncmd.a*
-rwxr-xr-x 1 root root 1814120 Dec  9 02:23 vpnbridge*
-rwxrwxrwx 1 root root 1630304 Dec  9 02:23 vpnbridge.a*
[root@machine root]#

Confirm that all of the files have been moved to the /usr/local/vpnbridge/ directory, as shown above.

As extracted, most of the files are readable and writable by every user on the system (mode 777). Change the permissions so that only root can read or modify the files in the vpnbridge directory. (Note that "chmod 600 *" does not touch the hidden .install.sh file that was listed when the package was extracted; ls -l without -a does not show it either.)

[root@machine root]# cd /usr/local/vpnbridge/
[root@machine vpnbridge]# chmod 600 *
[root@machine vpnbridge]# chmod 700 vpncmd
[root@machine vpnbridge]# chmod 700 vpnbridge
[root@machine vpnbridge]# ls -l
total 13000
-rw------- 1 root root   20245 Dec  8 16:14 License_ReadMeFirst.txt
-rw------- 1 root root   20317 Dec  8 16:14 License_ReadMeFirstSjis.txt
-rw------- 1 root root   30210 Dec  8 16:14 License_ReadMeFirstUtf.txt
-rw------- 1 root root     609 Dec  8 16:14 Makefile
-rw------- 1 root root 4018399 Dec  8 16:14 hamcore.se2
-rw------- 1 root root 1942994 Dec  9 02:23 libcrypto.a
-rw------- 1 root root  336070 Dec  9 02:23 libssl.a
-rwx------ 1 root root 1814216 Dec  9 02:23 vpncmd*
-rw------- 1 root root 1630858 Dec  9 02:23 vpncmd.a
-rwx------ 1 root root 1814120 Dec  9 02:23 vpnbridge*
-rw------- 1 root root 1630304 Dec  9 02:23 vpnbridge.a
[root@machine vpnbridge]#

This completes the relocation of the vpnbridge program.
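The following script, added here as an example and not the manual's or the package's own code, performs the same hardening as the commands above and then verifies it, which is worth doing before the daemon is registered to run as root. Two deliberate differences from the manual's commands: it uses find rather than "chmod 600 *", so that the hidden .install.sh extracted with the package is covered as well, and it also removes group and world access from the directory itself. It additionally provides daemon_is_safe, a check that the startup script in 9.3.8 can call in place of a bare test -x: a program started by root at every boot should be owned by root and writable by nobody else. GNU stat (coreutils) and the flat directory layout from the listing above, with vpnbridge and vpncmd as the only executables, are assumed.

```shell
#!/bin/sh
# Harden the VPN Bridge installation directory and verify the result.
# Added example; not part of the PacketiX manual or the vpnbridge package.
# ASSUMPTIONS: GNU stat (coreutils); a flat directory laid out as in the
# listing above, with vpnbridge and vpncmd the only executables; run as root
# on the real /usr/local/vpnbridge.

# harden_install_dir DIR : root-only access. Unlike "chmod 600 *", find also
# covers the hidden .install.sh that the package extracts; the directory
# itself is closed too, so other users cannot even list it.
harden_install_dir() {
    dir=$1
    chmod 700 "$dir" || return 1
    find "$dir" -mindepth 1 -type f -exec chmod 600 '{}' +
    for exe in vpnbridge vpncmd; do
        [ -f "$dir/$exe" ] && chmod 700 "$dir/$exe"
    done
    return 0
}

# verify_install_dir DIR : print every file that deviates from the expected
# mode (700 for the two programs, 600 for everything else) or that is not
# owned by the invoking user; return 1 if any such file exists.
verify_install_dir() {
    dir=$1
    bad=0
    me=$(id -u)
    for f in $(find "$dir" -mindepth 1 -type f); do
        case $f in
            */vpnbridge|*/vpncmd) want=700 ;;
            *) want=600 ;;
        esac
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%u' "$f")
        if [ "$mode" != "$want" ] || [ "$owner" != "$me" ]; then
            echo "unexpected mode $mode owner $owner: $f"
            bad=1
        fi
    done
    return "$bad"
}

# daemon_is_safe FILE : true only if FILE is a regular executable owned by
# the invoking user (root when called from the startup script) and writable
# by nobody else. The manual's startup script only checks "test -x", which
# would also start a binary that another account had been able to replace.
daemon_is_safe() {
    f=$1
    [ -f "$f" ] && [ -x "$f" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || return 1
    case $(stat -c '%a' "$f") in
        *[2367]?|*[2367]) return 1 ;;   # group- or world-writable
    esac
    return 0
}
```

Usage on the real installation is harden_install_dir /usr/local/vpnbridge followed by verify_install_dir /usr/local/vpnbridge; in the startup script, "daemon_is_safe $DAEMON || exit 1" in place of "test -x $DAEMON || exit 0" refuses to start a binary that has been tampered with instead of silently running it.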

9.3.7 Using the vpncmd Check Command to Check Operations

We recommend performing a final check to see whether VPN Bridge can operate
properly on your computer system before starting vpnbridge.

You can use the check command on the vpncmd command line management utility to
automatically check whether the system has sufficient functions to operate VPN Bridge.
For details, please refer to 「6.6 VPN Tools Command Reference」 .

First, start vpncmd by typing [./vpncmd]. Next, select [Use of VPN Tools (certificate
creation or communication speed measurement)] and execute the check command.

[root@machine vpnbridge]# ./vpncmd
vpncmd command - PacketiX VPN Command Line Management Utility
PacketiX VPN Command Line Management Utility (vpncmd command)
Version 2.20 Build 5302
Compiled Sat Mar 31 03:09:18 2007 by yagi at ILC308
Copyright (C) 2004-2006 SoftEther Corporation. All Rights Reserved.

By using vpncmd program, the following can be achieved.

1. Management of VPN Server or VPN Bridge
2. Management of VPN Client
3. Use of VPN Tools (certificate creation and communication speed measurement)

Select 1, 2 or 3: 3

VPN Tools was launched. By inputting HELP, you can view a list of the commands that can be used.

VPN Tools>check
Check command - Check if PacketiX VPN Operation is Possible
---------------------------------------------------
PacketiX VPN Operation Environment Check Tool

Copyright (C) 2004-2006 SoftEther Corporation.
All Rights Reserved.

If this operation environment check tool is run on a system and that system passes, it is highly likely that PacketiX VPN software can operate on that system. This check may take a while. Please wait...

Checking 'Kernel System'...
[Pass]
Checking 'Memory Operation System'...
[Pass]
Checking 'ANSI / Unicode string processing system'...
[Pass]
Checking 'File system'...
[Pass]
Checking 'Thread processing system'...
[Pass]
Checking 'Network system'...
[Pass]

All checks passed. It is highly likely that PacketiX VPN Server / Bridge can operate normally on this system.

The command terminated normally.

VPN Tools>exit
[root@machine vpnbridge]#

If, after executing the check command, the message "All checks passed. It is highly likely that PacketiX VPN Server / Bridge can operate normally on this system." is displayed, as shown above, your system satisfies the VPN Bridge operation requirements and VPN Bridge can be used.

If, however, the system fails any of the above check items, check 「7.3.1 Recommended System」 and 「7.3.3 Checking the Required Software and Libraries」 again.

9.3.8 Registering a Startup Script

After installing vpnbridge to the /usr/local/vpnbridge/ directory using the method described above, you can configure your system to run the vpnbridge program in service mode by registering /usr/local/vpnbridge/vpnbridge as a daemon process that is started in the background when Linux boots.

To register vpnbridge with Linux as a daemon process, create a startup script, as shown below, with the name /etc/init.d/vpnbridge. (The following startup script is an example, and you may have to rewrite part of it for it to work properly on your system.)

#!/bin/sh
# chkconfig: 2345 99 01
# description: PacketiX VPN Bridge 2.0
DAEMON=/usr/local/vpnbridge/vpnbridge
LOCK=/var/lock/subsys/vpnbridge
# Do nothing if the program is not installed at the expected location.
test -x $DAEMON || exit 0
case "$1" in
    start)
        $DAEMON start
        touch $LOCK
        ;;
    stop)
        $DAEMON stop
        rm -f $LOCK
        ;;
    restart)
        $DAEMON stop
        sleep 3
        $DAEMON start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0

You can use a text editor or the cat command to write the above script to /etc/init.d/vpnbridge as a text file. To create the script with the cat command, type the script and then press Ctrl + D after the line break following the final line, as shown below.

[root@machine vpnbridge]# cat > /etc/init.d/vpnbridge
#!/bin/sh
# chkconfig: 2345 99 01
# description: PacketiX VPN Bridge 2.0
DAEMON=/usr/local/vpnbridge/vpnbridge
LOCK=/var/lock/subsys/vpnbridge
# Do nothing if the program is not installed at the expected location.
test -x $DAEMON || exit 0
case "$1" in
    start)
        $DAEMON start
        touch $LOCK
        ;;
    stop)
        $DAEMON stop
        rm -f $LOCK
        ;;
    restart)
        $DAEMON stop
        sleep 3
        $DAEMON start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0

After creating the /etc/init.d/vpnbridge startup script, set its permissions so that it can be modified only by root. Mode 755 keeps the script readable and executable by everyone, which the init system expects, while denying write access to other users; because this script is executed as root at every boot, any account that could write to it could run arbitrary commands as root.

[root@machine vpnbridge]# chmod 755 /etc/init.d/vpnbridge

Lastly, use the chkconfig command to register the startup script so that VPN Bridge starts automatically in the background when Linux boots (in runlevels 2 through 5, as specified by the chkconfig line at the top of the script).

[root@machine vpnbridge]# /sbin/chkconfig --add vpnbridge

VPN Bridge is now prepared to run as a service mode program.

9.3.9 Starting and Stopping Service

VPN Bridge registered as a service mode program automatically starts when Linux starts
and automatically stops when Linux shuts down. You can manually stop or restart the
VPN Bridge service if you need to do so for management reasons.

To start or stop VPN Bridge registered as a service mode program, type the command
below.

Starting the VPN Bridge Service

With the VPN Bridge service not running and with root permissions, type the following to
start the VPN Bridge service.

[root@machine vpnbridge]# /etc/init.d/vpnbridge start

Stopping the VPN Bridge Service

With the VPN Bridge service running and with root permissions, type the following to
stop the VPN Bridge service.

[root@machine vpnbridge]# /etc/init.d/vpnbridge stop

Cases in Which You Must Stop the VPN Bridge Service

The VPN Bridge service must be manually stopped in the following cases.

When manually editing or replacing the configuration file

When updating the vpnbridge program and other files after the release of a new version of VPN Bridge (to replace the vpnbridge, vpncmd and hamcore.se2 files, be sure to stop the service in advance)

When you want to restart the service due to erratic behavior of the operating VPN
Bridge

Forcibly Terminating the vpnbridge Process

It is unlikely that VPN Bridge would malfunction due to a problem with the physical
memory of the computer or a software bug. If this should occur and the VPN Bridge
service does not respond when you try to stop the service using the method above, you
can stop the service by forcibly terminating the vpnbridge process. For the detailed
method for forcibly terminating the vpnbridge process, please refer to the method of
using the kill command described in 「3.2.2 User Mode」 .


9.3.10 Limitations when Starting with General User Rights

The Linux version of VPN Bridge can also be started with general user rights. When
starting VPN Bridge as a user mode program with general user rights, the program
cannot be registered as a system service, but when a general user starts the VPN Bridge
program in the background by typing [./vpnbridge start], unlike the Windows version,
the Linux version of the vpnbridge process can continue to run even after that user logs
out. SoftEther Corporation does not recommend actually operating VPN Bridge in user
mode for the following reasons.

The local bridge function cannot be used. (For details, please refer to 「3.6 Local
Bridges」 .)

After starting the system, the user must log on and manually start the vpnbridge
process, decreasing operability.


9.4 Default Settings

After VPN Bridge is installed, there are several settings that first must be configured.
This section describes how to configure these settings with examples of the settings
when using PacketiX VPN Server Manager. The same settings can also be configured
using vpncmd, so as a basic rule, the corresponding vpncmd command names are also
provided. For information about detailed vpncmd operations, please refer to 「Chapter 6
Command Line Management Utility Manual」 .

9.4.1 Changing the Manager Password

When VPN Bridge is installed, the manager password for the entire VPN Bridge is not set, so until one is set anyone who can connect to the management port can administer it. We recommend setting the manager password as soon as you install VPN Bridge.

The following alert is displayed if the manager password is not set when you connect to VPN Bridge with VPN Server Manager.


Figure 9-4-1 Alert Regarding the Manager Password

Click [Yes] to set the manager password.

Figure 9-4-2 Manager Password Setup Window

In vpncmd, use the ServerPasswordSet command.

9.4.2 Creating a Cascade Connection with a Local Bridge

VPN Bridge serves no purpose as a stand-alone program. To properly use VPN Bridge,
you must configure a local bridge connection between the physical network adapter on
the computer to which VPN Bridge is installed and the "BRIDGE" Virtual HUB, and then
cascade-connect that Virtual HUB to the destination VPN Server.

For information about configuring these settings, please refer to 「Chapter 3 PacketiX
VPN Server 2.0 Manual」 , 「Chapter 5 PacketiX VPN Bridge 2.0 Manual」 , and
「Chapter 6 Command Line Management Utility Manual」 . For detailed information
about connecting bases using VPN Bridge, please refer to 「10.5 Setting Up a LAN-to-
LAN VPN (Using Bridge Connections)」 and 「10.6 Setting Up a LAN-to-LAN VPN (Using
IP Routing)」 .

For examples of using the user mode of VPN Bridge with the SecureNAT function, please
refer to 「10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator
Rights」 .
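Both of the settings in this section can be made from vpncmd without typing a secret on the command line, where every user on the machine could read it from the process list. The script below is an added example, not the manual's or SoftEther's own code: it writes the command sequence for 9.4.1 and 9.4.2 to a file created with mode 0600 and feeds that file to vpncmd. ServerPasswordSet is the command the section names; the other command names and options (vpncmd HOST /SERVER /IN:FILE, Hub, BridgeCreate /DEVICE:, CascadeCreate /SERVER: /HUB: /USERNAME:, CascadePasswordSet /PASSWORD: /TYPE:, CascadeOnline) are my assumptions from the Chapter 6 reference and should be checked against your vpncmd's help output before use. The host name, device and user names are placeholders.

```shell
#!/bin/sh
# First-time configuration of VPN Bridge from the command line, without
# passing secrets as command-line arguments. Added example; not from the manual.
# ASSUMPTIONS: vpncmd syntax as in the Chapter 6 reference
#   vpncmd HOST /SERVER /IN:FILE      and the commands
#   ServerPasswordSet, Hub, BridgeCreate, CascadeCreate, CascadePasswordSet,
#   CascadeOnline. Host name, device and user names below are placeholders.

VPNCMD=${VPNCMD:-/usr/local/vpnbridge/vpncmd}

# write_bridge_script FILE DEVICE SERVER:PORT HUB USER MGR_PASSWORD CASCADE_PASSWORD
# Writes the vpncmd command sequence to FILE, created with mode 0600 so that
# the passwords in it are readable only by the owner. Put FILE in a directory
# that only root can write to, not in /tmp.
write_bridge_script() {
    file=$1 dev=$2 server=$3 hub=$4 user=$5 mgr_pass=$6 cascade_pass=$7
    (
        umask 077
        rm -f "$file"
        cat > "$file" <<EOF
ServerPasswordSet $mgr_pass
BridgeCreate BRIDGE /DEVICE:$dev
Hub BRIDGE
CascadeCreate BRIDGE /SERVER:$server /HUB:$hub /USERNAME:$user
CascadePasswordSet BRIDGE /PASSWORD:$cascade_pass /TYPE:standard
CascadeOnline BRIDGE
EOF
    )
}

# apply_bridge_script FILE : feed FILE to vpncmd on the local VPN Bridge and
# then remove it. Only the file name, never its contents, is visible in "ps".
# Set DRY_RUN=1 to print the vpncmd invocation instead of running it.
apply_bridge_script() {
    file=$1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$VPNCMD localhost /SERVER /IN:$file"
        rc=0
    else
        "$VPNCMD" localhost /SERVER /IN:"$file"
        rc=$?
    fi
    rm -f "$file"
    return "$rc"
}
```

A typical first run is write_bridge_script /root/bridge.vpncmd eth0 vpn.example.com:443 DEFAULT bridgeuser "$MGR_PASS" "$CASCADE_PASS" followed by apply_bridge_script /root/bridge.vpncmd; the first run connects without a manager password because none is set yet, and on later runs vpncmd prompts for the manager password rather than taking it from the command line.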


9.5 Uninstalling PacketiX VPN Bridge 2.0


This section describes how to uninstall PacketiX VPN Bridge from your system if you
should no longer need this program.

9.5.1 Uninstallation in Windows

You can uninstall the Windows version of VPN Bridge in the same way as uninstalling
other application software, by clicking [Control Panel] > [Add or Remove Programs] and
then removing the program.

Figure 9-5-1 Add or Remove Programs Window

The configuration data created after VPN Bridge was installed and the log files it wrote are not deleted automatically, so that they are not lost; they remain in the VPN Bridge installation directory. If VPN Bridge is later installed to the same directory again, it uses the configuration file (vpn_bridge.config) left over from the previous installation, so be aware of this. That file holds the settings you made, including the credentials for any cascade connection, so delete it when the computer is decommissioned or repurposed.

You can use Explorer to delete these remaining data files.


Figure 9-5-2 Remaining Configuration Files and Log Files

9.5.2 Uninstallation in Linux

To uninstall the Linux version of VPN Bridge when vpnbridge is registered as a service,
you must perform the following operation.

Execute the /etc/init.d/vpnbridge stop command to stop VPN Bridge.

Execute the /sbin/chkconfig --del vpnbridge command to delete the registration of vpnbridge as a service.

Delete the /etc/init.d/vpnbridge file.

After performing the above operation, delete the directory where vpnbridge is installed.

Chapter 10 Instructions and Examples For Configuring a VPN

Chapters 1 through 9 gave a general outline of PacketiX VPN 2.0 and how to use it. This
chapter will thoroughly explain how to actually take that information and apply it to build
several different types of VPNs with PacketiX VPN 2.0.

10.1 Types of VPNs


10.1.1 PC-to-PC VPN
10.1.2 Remote Access VPN
10.1.3 LAN-to-LAN VPN
10.2 Common Elements
10.2.1 VPN Server Location
10.2.2 Deciding the VPN Server / Virtual HUB Administrator
10.2.3 Changing Existing NAT/Firewall Configurations
10.2.4 Selecting a User Authentication Method
10.2.5 Selecting what Functionality to Use
10.2.6 Virtual Layer 3 Switching
10.2.7 Virtual DHCP Server
10.2.8 Virtual NAT
10.2.9 Advice about Protocol Conflicts when Making a LAN-to-LAN Connection
10.3 Setting Up a PC-to-PC VPN
10.3.1 Configuring VPN Server
10.3.2 Network Layout
10.3.3 Calculating the Number of Required Licenses
10.3.4 Connecting to the VPN Remotely/Performing a Communication Test
10.4 Setting Up a Generic Remote Access VPN
10.4.1 Connecting to a LAN Remotely
10.4.2 Using Local Bridging
10.4.3 Examining User Authentication Methods
10.4.4 Network Layout
10.4.5 Calculating the Number of Required Licenses
10.4.6 Installing VPN Server On a LAN
10.4.7 Configuring the Local Bridge
10.4.8 Connecting to the VPN Remotely/Performing a Communication Test
10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)
10.5.1 About Bridge-Connected LAN VPNs
10.5.2 Local Bridge and Cascade Connection Functionality
10.5.3 Pros and Cons of Bridging
10.5.4 Network Layout
10.5.5 Calculating the Number of Required Licenses
10.5.6 Installing VPN Server On the Main LAN
10.5.7 Installing VPN Bridge to the Sub-LAN
10.5.8 Configuring the Local Bridges
10.5.9 Configuring Cascade Connections
10.5.10 Connecting to the LAN-to-LAN VPN/Performing a Communication Test
10.5.11 Supplementary Information
10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)
10.6.1 Combining Bridge Connections and IP Routing
10.6.2 IP Routing Via Virtual Layer 3 Switching
10.6.3 Pros and Cons of IP Routing
10.6.4 Network Layout
10.6.5 Calculating the Number of Required Licenses
10.6.6 Installing VPN Server On the Main LAN
10.6.7 Installing VPN Bridge on the Other LANs
10.6.8 LAN-to-LAN VPN Connection
10.6.9 Supplementary Information
10.7 Combining a LAN-to-LAN VPN and a Remote Access VPN
10.7.1 Using LAN-to-LAN Communication and Remote Access Together
10.7.2 Calculating the Number of Required Licenses
10.7.3 Supplementary Information
10.8 Setting Up a Large Scale Remote Access VPN Service
10.8.1 VPN Server's Processing Limit
10.8.2 Increase Network Scalability By Using Clustering
10.8.3 Using Static Virtual HUBs
10.8.4 Network Layout
10.8.5 Calculating the Number of Required Licenses
10.8.6 Installing and Configuring the Cluster Controller
10.8.7 Installing and Configuring the Cluster Member Servers
10.8.8 Creating Static Virtual HUBs
10.8.9 Making a Local Bridge between the Existing LAN and the Virtual HUBs
10.8.10 Managing VPN Sessions on a Clustered VPN
10.9 Setting Up a Large Scale Virtual HUB Hosting Service
10.9.1 The Necessity of a Virtual HUB Hosting Service
10.9.2 Increase Network Scalability By Using Clustering
10.9.3 Using Dynamic Virtual HUBs
10.9.4 Network Layout
10.9.5 Calculating the Number of Required Licenses
10.9.6 Installing and Configuring the Cluster Controller
10.9.7 Installing and Configuring the Cluster Member Servers
10.9.8 Creating Dynamic Virtual HUBs
10.9.9 Assigning Virtual HUB Administrator Rights
10.9.10 Managing VPN Sessions on a Clustered VPN
10.9.11 Automating the Creation and Management of a Large Quantity of Virtual
HUBs or Users
10.9.12 User's Usage Status and Billing
10.9.13 Limiting Administrator Rights by Configuring the Virtual HUB Management Options
10.10 Using Remote Access as a Single User
10.10.1 Dangers of the Internet and the Need for VPN
10.10.2 Installing the VPN Server at Home
10.10.3 Assigning IP Addresses and the DDNS Service
10.10.4 Adjusting Settings For Broadband Routers or Other Networking Hardware
10.10.5 Determining the Necessity of Local Bridging
10.10.6 Accessing Your Home Network From a Remote Network Safely
10.10.7 Using Electronic Devices that can only Communicate over the same
Network
10.11 Using SecureNAT to Set Up a Remote Access VPN With No
Administrator Rights
10.11.1 Utilizing SecureNAT to Make Things More Convenient
10.11.2 Using SecureNAT For Amazingly Simple, Secure Remote Access With No
Administrator Rights
10.11.3 A Practical Example Network
10.11.4 Starting Up VPN Bridge on the Remote LAN
10.11.5 Using Remote Access
10.11.6 SecureNAT and Security
10.11.7 The Dangers of Misusing SecureNAT
10.12 Using Public Networks Like Public Wireless Access Safely
10.12.1 The Dangers of Public Network Services
10.12.2 Utilizing VPN for Safer Public Network Usage
10.12.3 Installing VPN Server at Home or at Work
10.12.4 Accessing the Internet Via a VPN Server's Local Bridge
10.12.5 About SoftEther's Secure Access Service


10.1 Types of VPNs

The VPN topologies you can set up with PacketiX VPN can be divided into three types: a
PC-to-PC VPN, a Remote Access VPN, and a LAN-to-LAN VPN. In this section you will
learn about each of these types. Most VPNs will utilize one or a combination of these
three types. However, these three are not the only possible network configurations you
can build with PacketiX VPN.


First of all, let's look at some more details about these three major topologies.

10.1.1 PC-to-PC VPN

This is the simplest network topology to construct using PacketiX VPN. A PC-to-PC VPN is
most useful under the following conditions:

- Only one to a few dozen computers will connect to the VPN.
- VPN Client can be installed on each of the client computers.
- The VPN network does not need to be able to connect to a physical LAN. (When you want the entire network to be the VPN only.)

In order to connect to the VPN using this method you must install VPN Client on each
client computer. VPN Client will then directly connect to the layer 2 network created by
the Virtual HUB on a VPN Server connected to the Internet.

Using this method you can set up a VPN in which only the computers connected to the Virtual HUB over a physical network such as the Internet can communicate with each other. As long as functions such as local bridging or routing on a client computer are not used, the VPN and the physical network are isolated from each other: traffic on one does not reach the other.

Fig. 10-1-1 PC-to-PC VPN

Furthermore, once you have VPN Client installed you can use the startup connection
feature explained in 「4.4.19 Startup Connection」 to stay connected to a specified VPN
server's Virtual HUB whenever the computer is on. By installing VPN Client on a server
computer and having it stay connected to a specified VPN at all times, you can set up a
server which can only be accessed by computers connected to that VPN.

Please refer to section 「10.3 Setting Up a PC-to-PC VPN」 for more detailed
information on how to build a PC-to-PC VPN.


Fig. 10-1-2 Setting up a server which can only be accessed via the VPN

10.1.2 Remote Access VPN

A remote access VPN is used to allow remote access from an external location to a
physical layer 2 network.

Using this type of VPN it is possible to connect to a company LAN from outside the office
(for example, from an employee's house or from a hotel on a business trip) just as if
they were connected by an extremely long Ethernet cable.

To use a remote access VPN you will make a connection between the network adapter
connected to the LAN and the VPN Server's Virtual HUB. This is achieved via a local
bridge, which is explained in section 「3.6 Local Bridges」 . As a result, a VPN Client
connected to the proper Virtual HUB will automatically be connected to the LAN
connected by the local bridge, and will be able to operate through the VPN as if it was
right there inside the office.

Please refer to section 「10.4 Setting Up a Generic Remote Access VPN」 for more
detailed information on how to build a remote access VPN.

Fig. 10-1-3 Remote Access VPN


10.1.3 LAN-to-LAN VPN

A LAN-to-LAN VPN links existing physical layer 2 networks at different sites together into
a single network.

By using PacketiX VPN you can create a faster, more flexible, and more stable LAN-to-
LAN network compared to current layer 3 based LAN-to-LAN connections such as private
network services, frame relay services, or older VPN protocols such as L2TP/IPSec and
layer 2 based connections such as wide area Ethernet.

To connect two or more LANs together, install VPN Server on one LAN (such as at your company's main office) and VPN Bridge on each of the others. Then, on every LAN, connect the Virtual HUB to the physical network adapter with a local bridge, and cascade-connect the Virtual HUB of each VPN Bridge to the VPN Server. This makes the layer 2 segments at the different sites function as a single segment.

You can also use layer 3 routing instead of layer 2 bridging. To do this, use the Virtual
Layer 3 Switching function described in section 「3.8 Virtual Layer 3 Switches」 .

Please refer to sections 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 and 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」 for more detailed information on how to build a LAN-to-LAN VPN.

Fig. 10-1-4 LAN-to-LAN VPN


10.2 Common Elements

This section will look at topics that you need to know about when setting up any type of VPN.

10.2.1 VPN Server Location

VPN Server Reachability at The TCP/IP Level

A VPN Server must deal with connection requests from VPN Clients, VPN Bridges, and, in
some situations, from other VPN Servers. Therefore, a VPN Server must be installed to a
location that meets the following requirement:

- TCP/IP communication must be possible between the VPN Server and any VPN clients that wish to connect to it. (It is sufficient if the clients can reach it through a proxy server, or if your NAT settings forward the required TCP/IP ports to the server's private IP address.)

When setting up a VPN network with older VPN protocols such as PPTP or L2TP/IPSec,
the VPN server must be a computer with a public IP address to the Internet.

However with PacketiX VPN you don't have to install VPN Server on a computer with a
public IP address. VPN Server will work just fine on a computer behind NAT or a firewall
in your private IP address space. Please refer to section 「10.2.3 Changing Existing
NAT/Firewall Configurations」 for more details on setting up a server under these
circumstances.

Fig. 10-2-1 VPN Server Reachability At The TCP/IP Level

10.2.2 Deciding the VPN Server / Virtual HUB Administrator

VPN Server Administrator

When you install VPN Server you must first decide who will be the VPN Server
administrator.

- When the administrator of the server you are about to install VPN Server on will be the same as the VPN Server administrator
  In this case you can install VPN Server yourself. Once the VPN Server install is completed you will be able to set all administrator passwords.

- When the administrator of the server you are about to install VPN Server on is not going to be the VPN Server administrator
  In this case you must request that the server's administrator (root or Administrator) install VPN Server for you. Once the installation has been completed, log in locally or remotely to the VPN Server service using the VPN Server administration tool and set all administrator passwords.
  If you are going to operate VPN Server in User Mode (see section 「3.2.2 User Mode」 for more information) and you can log into the server machine as a general user, then you can use VPN Server under your own user privileges without asking the system administrator. However, this method is not recommended.

Virtual HUB Administrator

Once you have installed VPN Server you must decide how many Virtual HUBs to create,
their names, and what purpose each will serve. If you wish to give Virtual HUB
administrator rights to another user then set the Virtual HUB administrator password
and give your administrator rights to that user. (See section 「3.3.4 Administration
Authority」 for more information.)

In most cases the VPN Server administrator will also be administrating the Virtual HUB,
so there is no need to give administrator rights to another user.

10.2.3 Changing Existing NAT/Firewall Configurations

Installing VPN Server Behind NAT or a Firewall

If you install VPN Server on a computer in your private network space behind NAT or a
firewall, you will have to configure NAT or the firewall to forward data to specific TCP/IP
ports on the VPN Server computer. Please refer to your NAT/firewall's manual, or ask
your NAT/firewall administrator, to properly set up this configuration.

You must allow TCP/IP traffic through at least one of the VPN Server listener ports
described in section 「3.3.6 Listener Ports」. In most situations we recommend
forwarding port 443. VPN Clients send their VPN traffic to this port as SSL, so it looks
like ordinary HTTPS and passes easily through firewalls or proxy servers that only
permit HTTPS. Forward only the listener ports you actually need; every forwarded port is
an additional service exposed to the Internet.

Fig. 10-2-2 Installing VPN Server Behind NAT or a Firewall

Using a Reverse Proxy

Another way to place VPN Server on a computer in your private address space is to use
a proxy server. If your network already runs an HTTP proxy server that relays data from
your private IP addresses out to public IP addresses, it can often also be configured as
a reverse proxy that relays connections arriving from the Internet to the listener port
of the VPN Server sitting in your private address space.

Things To Consider when Installing VPN Server in Your Private Network Space

When using the above methods to install VPN Server in your private network space,
always make sure that equipment such as your NAT, firewall, proxy server, etc. will be
able to handle the extra load. The NAT and/or firewalls built into inexpensive hardware
such as generic broadband routers are usually very slow, so be careful when using
these.

If the performance of this hardware is insufficient, your VPN network speed will also
suffer a significant speed reduction.

Configuring Hardware that Restricts TCP/IP Traffic

Conventional firewall or NAT hardware can usually be configured to allow TCP/IP traffic
through at least port 443 (HTTPS). However, a few tightly secured networks also filter
inbound data addressed to port 443 from the Internet. In that case, if there is another
port through which you can route TCP/IP traffic, you can use that port to make VPN
Server reachable from the Internet. (See section 「3.3.6 Listener Ports」 for
information on how to change port numbers.)

If there is no way to open access to your VPN service under your network configuration
you must either request for the firewall to be re-configured or set up a VPN Server
computer outside the private network space.

10.2.4 Selecting a User Authentication Method

You must decide on a user authentication method for the VPN Server's Virtual HUB.

Because the user authentication settings used when establishing a LAN-to-LAN cascade
connection will usually be completely configured by the system administrator, password
verification is a sufficient authentication procedure as long as the password is long
enough.

However, if there will be many users logging in to the VPN Server with each entering
their own authentication data (such as for a PC-to-PC VPN or a remote access VPN) you
must choose your user authentication method wisely. Please refer to section 「10.4.3
Examining User Authentication Methods」 for more information on selecting an
authentication method for remote access VPNs.

For more information on all the user authentication methods utilized by VPN Server,
please refer to section 「2.2 User Authentication」 .

10.2.5 Selecting what Functionality to Use

As was explained in Chapter 「Chapter 3 PacketiX VPN Server 2.0 Manual」 , VPN Server
contains a lot of functionality. However, there rarely comes a time when you need to use
all of these features at once.

In most cases you can build a sufficient VPN with only the local bridging functionality to
connect the Virtual HUB to a physical LAN (see section 「3.6 Local Bridges」 ) and the
cascade connection functionality to connect Virtual HUBs together (see section 「3.4.11
Cascade Connection Functions」 ).

However, you may need to use some of the functions listed below depending on the type
of VPN you wish to set up. Before configuring the Virtual HUB, you will want to
determine exactly what functionality you will need to use for your VPN.

10.2.6 Virtual Layer 3 Switching

You can use Virtual Layer 3 Switching when performing IP routing between multiple
layer 2 segments. By placing multiple logical layer 2 segments (Virtual HUBs) within the
VPN Server and by separating the IP subnets between Virtual HUBs to a layer 3 level,
you can perform layer 3 switching between each network to further partition segments
and achieve layer 3 transmission between them. Virtual Layer 3 Switching is especially
useful for LAN-to-LAN VPNs when you have a high number of LANs to deal with, or when
you want to separate each individual LAN's network.

For more information on Virtual Layer 3 Switching please refer to section 「3.8 Virtual
Layer 3 Switches」 .

10.2.7 Virtual DHCP Server

The Virtual DHCP Server functionality is used when there is no DHCP server in a layer 2
segment under a Virtual HUB and you want to assign IP addresses via DHCP to clients
connected to that segment. In order to use Virtual DHCP Server you must enable
SecureNAT and configure a few other settings. If you only want to use Virtual DHCP
Server you do not need to enable Virtual NAT.

Please refer to section 「3.7.5 Virtual DHCP Server」 for more information about the
Virtual DHCP Server functionality.

10.2.8 Virtual NAT

In most enterprise situations you will not need Virtual NAT when setting up your VPN.
The only time you may need Virtual NAT would be in the following situations:

- When you wish to communicate with an existing physical LAN via the Virtual HUB but
  cannot use local bridging. This is most commonly the case when you do not have
  administrator rights on the target system to install VPN Server / VPN Bridge, or the
  target system's OS is something other than Windows, Linux, or Solaris.

- When you want to use VPN Server / VPN Bridge in some special situation. (See
  section 「10.11 Using SecureNAT to Set Up a Remote Access VPN With No
  Administrator Rights」.)

Normally you will just use local bridging to connect a Virtual HUB to a physical LAN to
form a layer 2 segment without the use of Virtual NAT.

Please refer to section 「3.7.3 Virtual NAT」 for more information about Virtual NAT.

10.2.9 Advice about Protocol Conflicts when Making a LAN-to-LAN Connection

Be careful when setting up a LAN-to-LAN VPN that uses both local bridging and cascade
connections. If DHCP servers are running on the previously separate segments, clients
on the joined segment will receive offers from both servers and may be given addresses,
default gateways, or DNS settings intended for the other site. The solution is to use
the cascade connection's security policy to filter DHCP packets, so that each site's
clients only ever see their local DHCP server.

Other network services also cannot run more than once on the same network segment.

Because these problems arise whenever a layer 2 LAN-to-LAN connection is made, find out
what services are running on all of the networks before setting up the VPN.
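As an added illustration of the conflict described above (this is example code, not code from the manual or from PacketiX VPN), the following Python script classifies Ethernet frames the way a cascade-connection policy that filters DHCP packets must: it parses the Ethernet header, an optional 802.1Q tag, the IPv4 header and the UDP ports, and matches the BOOTP/DHCP ports 67 and 68. The sample frames, MAC addresses and IP addresses are constructed for the example. It also shows an edge case that a port-based filter cannot handle: a non-first IP fragment carries no UDP header, so it is passed through unclassified.

```python
"""Classify Ethernet frames as DHCP the way a cascade-connection DHCP filter must.
Added example; the frames, MAC and IP addresses below are constructed, not captured."""
import socket
import struct

ETH_P_IP = 0x0800       # EtherType IPv4
ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}   # BOOTP/DHCP server (67) and client (68) UDP ports


def _ip_payload(frame: bytes):
    """Return (EtherType, layer 3 payload), skipping one 802.1Q tag if present."""
    if len(frame) < 14:
        return None, b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None, b""
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return ethertype, frame[offset:]


def is_dhcp_frame(frame: bytes) -> bool:
    """True if the frame is IPv4/UDP with a BOOTP/DHCP port on either side."""
    ethertype, ip = _ip_payload(frame)
    if ethertype != ETH_P_IP or len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return False
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        # Non-first fragment: no UDP header, so a port-based filter cannot classify it.
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return sport in DHCP_PORTS or dport in DHCP_PORTS


def forward_through_cascade(frames, filter_dhcp: bool = True) -> list:
    """Frames that cross the cascade link with the DHCP filter policy on (or off)."""
    return [f for f in frames if not (filter_dhcp and is_dhcp_frame(f))]


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload,
                    vlan=None, frag_offset=0) -> bytes:
    """Construct an Ethernet/IPv4/UDP frame (checksums left zero; enough for classification)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    flags_frag = 0x4000 if frag_offset == 0 else frag_offset   # DF, or a later fragment
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, flags_frag, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    return eth + struct.pack("!H", ETH_P_IP) + ip


# Constructed sample traffic: a client broadcasting DISCOVER, a server's OFFER, a DNS query.
BOOTP_HEADER = bytes([1, 1, 6, 0]) + b"\x00" * 236     # op=BOOTREQUEST, htype=Ethernet, hlen=6
SAMPLE_FRAMES = {
    "discover": build_udp_frame("001122334455", "ffffffffffff", "0.0.0.0", "255.255.255.255",
                                68, 67, BOOTP_HEADER),
    "offer": build_udp_frame("00aabbccddee", "001122334455", "192.168.1.1", "192.168.1.50",
                             67, 68, bytes([2]) + BOOTP_HEADER[1:]),
    "dns": build_udp_frame("001122334455", "00aabbccddee", "192.168.1.50", "192.168.1.1",
                           53000, 53, b"\x12\x34\x01\x00"),
    "discover_vlan": build_udp_frame("001122334455", "ffffffffffff", "0.0.0.0",
                                     "255.255.255.255", 68, 67, BOOTP_HEADER, vlan=10),
    "fragment": build_udp_frame("001122334455", "ffffffffffff", "0.0.0.0", "255.255.255.255",
                                68, 67, b"\x00" * 8, frag_offset=185),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:14s} dhcp={is_dhcp_frame(frame)}")
    kept = forward_through_cascade(SAMPLE_FRAMES.values())
    print("forwarded with DHCP filter on:",
          [n for n, f in SAMPLE_FRAMES.items() if f in kept])
```

With the filter on, only the DNS query and the fragment cross the cascade; the fragment case is why a DHCP filter on the cascade is a convenience against accidental conflicts, not a security boundary against a host that deliberately fragments its traffic.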

10.3 Setting Up a PC-to-PC VPN

This section will explain how to set up a PC-to-PC VPN.

10.3.1 Configuring VPN Server

You need one properly configured VPN Server machine to build a PC-to-PC VPN. A PC-to-
PC VPN is the simplest type of VPN and allows client computers equipped with VPN Client
to communicate with each other over the VPN. While there are no notably difficult tasks
in building this type of network, you should be aware of the following things.

Using Static IP Addresses

You will configure the VPN Client's Virtual Network Adapter to connect to the Virtual HUB
just as you would a normal physical network adapter. The easiest connection method is
to manually assign static private IP addresses to each of the connected VPN Client's so
that they do not overlap.

For example, if 10 machines will be connecting to the Virtual HUB you can assign each of
them an IP address in the range of 192.168.1.1 to 192.168.1.10 so that they will be able
to communicate with each other.

About APIPA (Automatic Private IP Addressing)

All Windows versions since Windows 98 and recent versions of Mac OS come with APIPA
(Automatic Private IP Addressing). APIPA assigns a network adapter an address chosen
at random from the link-local range 169.254.1.0 to 169.254.254.255 (the first and last
256 addresses of 169.254.0.0/16 are reserved) if the adapter does not receive a lease
from DHCP within a certain amount of time (around 1 minute). This assignment occurs
even though the network adapter is configured to obtain an IP address via DHCP.

The APIPA functionality built in to Windows or Mac OS will assign IP addresses to Virtual
Network Adapters on the Virtual LAN even if no DHCP server exists on the network.
Computers that have been temporarily automatically assigned IP addresses via APIPA
will be able to communicate with each other. However, there are stability issues when
using APIPA assigned IP addresses. Therefore, we recommend that you either manually
assign static IP addresses or use the following method to establish a DHCP server to
officially assign IP addresses to the computers on your VPN.

Using a DHCP Server to Dynamically Assign IP Addresses

You can configure VPN Server to automatically assign IP addresses to VPN Clients when
they connect to a Virtual HUB. The Virtual HUB is the same as an ordinary LAN in that it
is an independent Ethernet segment. Therefore, if there is a DHCP server in that
Ethernet segment it can be configured to automatically assign IP addresses to the
connecting client's Virtual Network Adapter.

If you already have a DHCP server software package (such as the DHCP server service
included with Windows 2000 Server/Windows Server 2003 or some other
commercial/freeware DHCP server) you can use the following method. Enable the DHCP
server and install VPN Client and a Virtual Network Adapter to that computer. By then
connecting that machine to the Virtual HUB all computers on that Virtual HUB will
automatically be assigned IP addresses via your DHCP server software.

If you can't use your DHCP server software for this purpose or you want a simpler DHCP
server solution you can use the Virtual DHCP Server capability included with VPN Server.
The Virtual DHCP Server will automatically assign IP addresses via DHCP to computers
connected to a Virtual Layer 2 Segment created by a Virtual HUB. To do this, enable
SecureNAT on the Virtual HUB and under the SecureNAT configuration use only Virtual
DHCP Server. Do not use Virtual NAT. Please refer to section 「3.7 Virtual NAT & Virtual
DHCP Servers」 for more detailed information about configuring SecureNAT.

10.3.2 Network Layout

This section will explain the following type of network layout as an example.

Fig. 10-3-1 Network Layout

In the example network above the VPN Server has a public IP address with 1 Virtual
HUB. The 5 clients are remotely connected to the Virtual HUB and can freely, safely, and
securely communicate with each other. Each VPN Client's Virtual Network Adapter has
been assigned a static IP address of 192.168.1.1, 192.168.1.2, 192.168.1.3,
192.168.1.4, and 192.168.1.5 respectively.

10.3.3 Calculating the Number of Required Licenses

Let's calculate how many licenses will be needed to set up the example network above.
You will definitely need a VPN Server product license to receive incoming connections
from VPN Clients. This example is a small-scale VPN system that does not require
clustering capabilities. Thus, the Standard Edition license will provide all the functionality
you need for this type of setup.

Finally, you have 5 VPN Clients connecting to the VPN Server at the same time, so you
will need a 5 client connection license.

Thus, the required product licenses and connection licenses are as shown below. Please
refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for more
information about the licensing system.

„ VPN Server 2.0 Standard Edition License x 1

„ VPN Server 2.0 Client Connect License (5 Clients) x 1

10.3.4 Connecting to the VPN Remotely/Performing a Communication Test

Using the ping Command to Perform a Communication Test

So you've installed a Virtual HUB to your VPN Server, configured your user
authentication method, and installed VPN Client to each client computer. Now you should
try to connect to the Virtual HUB from each of those client computers.

Once all of the clients are connected to the Virtual HUB you should use the ping
command to ping another computer at its IP address on the Virtual Network to test if the
VPN is properly working.

C:\>ping 192.168.1.3

Pinging 192.168.1.3 with 32 bytes of data:

Reply from 192.168.1.3: bytes=32 time=2ms TTL=128
Reply from 192.168.1.3: bytes=32 time=2ms TTL=128
Reply from 192.168.1.3: bytes=32 time=1ms TTL=128
Reply from 192.168.1.3: bytes=32 time=2ms TTL=128

Ping statistics for 192.168.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\>

Note, however, that if the client computer has a personal firewall or similar software
installed, ICMP echo requests may be dropped and the ping command will then not be a
reliable way to check IP communication across the Virtual Network. In that case either
permit ICMP echo on the Virtual Network Adapter in the firewall, or test against a TCP
port the peer is known to be listening on.
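The following Python script is an added example, not part of the manual or of PacketiX VPN. It serves two checks from this chapter: whether a listener port forwarded through NAT or a firewall (section 10.2.3) is actually reachable, including through an HTTP proxy using the CONNECT method, and whether a peer on the Virtual Network is reachable when a personal firewall drops ICMP, by attempting a TCP connection to a port the peer listens on (445 for Windows File Sharing). The host names are placeholders, and the listener port list (443, 992, 5555) is an assumption about the VPN Server 2.0 defaults; the two local helper functions at the end stand in for a real listener and a real proxy so the script can be exercised offline.

```python
"""Reachability checks for a VPN Server listener and for peers on the Virtual Network.
Added example; host names and the default port list are assumptions, not from the manual."""
import base64
import socket
import threading

ASSUMED_LISTENER_PORTS = (443, 992, 5555)   # assumed VPN Server 2.0 defaults (section 3.3.6)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP three-way handshake to host:port completes within timeout.
    Works where ICMP is blocked, because only the TCP port is exercised."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports=ASSUMED_LISTENER_PORTS, timeout: float = 3.0) -> dict:
    """Map each listener port to whether it is reachable from this machine."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def build_connect_request(host: str, port: int, proxy_user=None, proxy_password=None) -> bytes:
    """HTTP CONNECT request asking a proxy to tunnel a raw TCP stream to host:port,
    the mechanism VPN Client relies on to cross an HTTP proxy on its way to port 443."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:
        token = base64.b64encode(f"{proxy_user}:{proxy_password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Status code of the proxy's reply to CONNECT, or -1 if the reply is malformed."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return -1
    try:
        return int(parts[1])
    except ValueError:
        return -1


def probe_via_proxy(proxy_host, proxy_port, host, port, timeout=5.0,
                    proxy_user=None, proxy_password=None) -> bool:
    """True if the proxy accepts a CONNECT tunnel to host:port (status 200)."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(build_connect_request(host, port, proxy_user, proxy_password))
            reply = b""
            while b"\r\n\r\n" not in reply and len(reply) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                reply += chunk
            return parse_connect_status(reply) == 200
    except OSError:
        return False


def open_local_listener():
    """Stand-in for a VPN Server listener: a TCP socket on 127.0.0.1 with an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def start_fake_proxy(status: int) -> int:
    """Stand-in for an HTTP proxy that answers one CONNECT with the given status code."""
    srv, port = open_local_listener()

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            request = b""
            while b"\r\n\r\n" not in request:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                request += chunk
            reason = "Connection established" if status == 200 else "Forbidden"
            conn.sendall(f"HTTP/1.1 {status} {reason}\r\n\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration with the stand-ins. Against a real deployment you would run
    # probe_ports("vpn.example.com") from outside the NAT, or probe_tcp("192.168.1.3", 445)
    # across the Virtual Network when ping is blocked by a personal firewall.
    srv, port = open_local_listener()
    print("direct listener reachable:", probe_tcp("127.0.0.1", port))
    srv.close()
    print("closed port reachable:", probe_tcp("127.0.0.1", port))
    print("CONNECT via permissive proxy:",
          probe_via_proxy("127.0.0.1", start_fake_proxy(200), "vpn.example.com", 443))
    print("CONNECT via denying proxy:",
          probe_via_proxy("127.0.0.1", start_fake_proxy(403), "vpn.example.com", 443))
```

A successful TCP connection only proves that the forwarding rule and the listener are in place; it does not prove the VPN protocol will complete, so follow it with a real VPN Client connection. A proxy that answers CONNECT with 407 needs credentials, which the optional Proxy-Authorization header supplies.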

Windows File Sharing Test

You can use Windows File Sharing within the VPN to safely share files across the
network.

To test if Windows File Sharing is working properly create a shared folder and try to
access that folder on another computer through the VPN.

If the Windows machines are in the same layer 2 segment, name resolution is handled by
NetBIOS over TCP/IP broadcasts (DNS or WINS is not required). Therefore, to test whether
the VPN is working you can try opening a shared folder by entering \\COMPUTER_NAME in
the Windows [Run] dialog. If name resolution is not working you can also open the shared
computer by entering \\IP_ADDRESS instead of the computer's name.

Fig. 10-3-2 Specifying a Computer in the [Run] Dialog

Fig. 10-3-3 Shared Folder Accessed Via the VPN

Note, however, that if the client computer has a personal firewall or similar software
installed, the Windows File Sharing protocols (SMB/CIFS and NetBIOS over TCP/IP) may be
blocked, and this will then not be a reliable way to check IP communication across the
Virtual Network. In this case configure the personal firewall to permit file sharing on
the Virtual Network Adapter only, rather than disabling it altogether, and keep in mind
that the share then becomes reachable from every other computer on the Virtual HUB.


10.4 Setting Up a Generic Remote Access VPN

This section will explain how to set up a generic remote access VPN.

10.4.1 Connecting to a LAN Remotely

In enterprise situations the most widely used type of VPN is the remote access VPN. By
using a remote access VPN you can utilize an extremely inexpensive network such as the
Internet to connect to your company's LAN from a remote location. Also, unlike with
older protocols like L2TP/IPSec or PPTP, PacketiX does not use IP routing and allows you
to directly connect to a layer 2 segment.

Using this type of VPN it is possible to connect to a company LAN from outside the office
(for example, from an employee's house or from a hotel on a business trip) just as if
they were connected by an extremely long Ethernet cable.

10.4.2 Using Local Bridging

To build a remote access network you must create a Virtual HUB in your VPN Server and
connect it to the target LAN already in place via a local bridge connection. Please refer to
section 「3.6 Local Bridges」 for more information about local bridging.

10.4.3 Examining User Authentication Methods

When installing a VPN Server for a remote access VPN keep the following standard
guidelines in mind when deciding on a user authentication method.

- If your company already has a UNIX server or a Windows domain controller (including
  Active Directory) with a large number of registered users and you want to give those
  users access to the VPN, use RADIUS authentication or Active Directory
  authentication. For more information on these authentication methods please refer
  to sections 「2.2.3 RADIUS Authentication」 and 「2.2.4 NT Domain and Active
  Directory Authentication」.

- If your company already has a CA (certificate authority) that issues X.509
  certificate/private key files or smart cards supported by PacketiX VPN 2.0, use
  certificate authentication as your user authentication scheme. For more information
  please refer to sections 「2.2.5 Individual Certificate Authentication」 and
  「2.2.6 Signed Certificate Authentication」.

- If you have no existing authentication infrastructure you can register individual
  user names and passwords for users to connect to the Virtual HUB. For more
  information on password authentication please refer to section 「2.2.2 Password
  Authentication」. Even without an existing infrastructure you can still use
  certificate authentication to improve your network's security, since a private key
  cannot be guessed or reused from a leaked password the way a password can.

10.4.4 Network Layout

This section will explain the following type of network layout as an example.

Fig. 10-4-1 Network Layout

The network example above assumes that there is an existing company LAN to which
the VPN Clients make a remote VPN connection to. Basic equipment to access the
Internet such as a DHCP server or router is also already in place inside the company.
When introducing a remote access VPN to this type of setup you need to install VPN
Server to a computer which can be reached from both inside and outside the company
(somewhere that can be seen from a public IP address on the Internet). Next you have
to use local bridging to connect the VPN Server's Virtual HUB to the network you want to
be able to connect to remotely.

Now the Virtual Network Adapter connected to the VPN Server's Virtual HUB will have a
layer 2 connection to the target network via the Internet.

10.4.5 Calculating the Number of Required Licenses

Let's calculate how many licenses will be needed for this network layout. You will
definitely need a VPN Server product license to receive incoming connections from VPN
Clients. This example only deals with a small number of connections and does not
require clustering capabilities. Thus, the Standard Edition license will provide all the
functionality you need for this type of setup.

Finally, you have 5 VPN Clients connecting to the VPN Server at the same time, so you
will need a 5 client connection license.

The bridge connection required to connect the VPN Server's Virtual HUB to the existing
LAN will be handled by VPN Server so a bridge connection license is not required.

Thus, the required product licenses and connection licenses are as shown below. Please
refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for more
information about the licensing system.

„ VPN Server 2.0 Standard Edition License x 1

„ VPN Server 2.0 Client Connect License (5 Clients) x 1

10.4.6 Installing VPN Server On a LAN

This section will go over what you need to be aware of when installing VPN Server.

The computer you install VPN Server on must make a local bridge connection to the
company LAN you wish to remotely connect to. Therefore, it must be installed physically
close enough to the LAN to connect to the layer 2 segment via a network cable.

Because the VPN Server must receive incoming VPN connections from the Internet it
must have a public IP address or be able to receive TCP/IP communication through NAT,
a firewall, or a reverse proxy system as described in section 「10.2.1 VPN Server
Location」 . Please consult with your network administrator if you are unsure about any
of these issues.

10.4.7 Configuring the Local Bridge

Once you have VPN Server installed, create a Virtual HUB and connect it to the layer 2
segment you wish to remotely connect to via local bridging. For a detailed explanation of
this process please refer to section 「3.6 Local Bridges」 .

You should be aware of the following things when making connections via a local bridge.

- As explained in detail in section 「3.6.3 Preparing the Local Bridge network
  adapter」, if possible set aside network adapters strictly for local bridging. We
  recommend that you do not bind a protocol stack to the local bridge network adapters
  and do not assign IP addresses to them, so that the bridging computer itself is not
  addressable from the bridged segment through that adapter.

- We also recommend that you use a high quality network adapter from a trusted maker
  for your local bridge connections. For more information please refer to 「3.6.5
  Supported Network Adapter Types」 and 「3.6.6 Use of network adapters not
  supporting Promiscuous Mode」.

10.4.8 Connecting to the VPN Remotely/Performing a Communication Test

Once your remote access VPN Server has been installed and configured properly it's time
to test it. Try connecting to the VPN Server's Virtual HUB from a remote VPN Client. If
the remote LAN already has a DHCP server then it should automatically assign an IP
address to the VPN Client's Virtual Network Adapter. If the remote LAN operates with
statically assigned IP addresses then you must assign a static IP address to your Virtual
Network Adapter as well.

Now that you are connected, try to ping a computer on the remote LAN's network to test
if the VPN is communicating properly. You should also try to ping the VPN Client from a
computer on the remote LAN as well. Next, you should try to access a server (fileserver,
database server, etc.) on the remote LAN.

10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)

This section will explain how to create a layer 2 connection between two or more remote
networks with a bridge connection.

10.5.1 About Bridge-Connected LAN VPNs

By using VPN Server and VPN Bridge you can create a layer 2 connection between a
layer 2 segment (such as an Ethernet LAN) and another point on a public IP network
such as the Internet.

In the past, it proved physically difficult to connect two points together into a single
segment via a layer 2 connection. Then, services such as Wide Area Ethernet appeared
and it became possible to extend an Ethernet segment out to another location via
common carrier networks.

By using VPN Server and VPN Bridge together you can achieve what Wide Area Ethernet
offers through an inexpensive broadband connection to the Internet. Furthermore,
through the use of SSL, data transmitted between LANs can be encrypted. This means
improved security compared to currently available Wide Area Ethernet or frame relay
services.

10.5.2 Local Bridge and Cascade Connection Functionality

To build a LAN-to-LAN VPN you will need to utilize both local bridges (see section 「3.6
Local Bridges」 ) and cascade connections ( 「3.4.11 Cascade Connection Functions」 ).

Local bridging, which appeared in section 「10.4 Setting Up a Generic Remote Access
VPN」 , is a feature that allows you to make an Ethernet connection between a Virtual
HUB and a physical network adapter. A cascade connection is a feature that allows you
to connect Virtual HUBs running on different computers together at the Ethernet level.
These two features allow you to use PacketiX VPN to build an extremely flexible VPN.

10.5.3 Pros and Cons of Bridging

This section will explain the pros and cons of using only bridge connections between
multiple networks to create a VPN connection.

Bridging - Pros

Using PacketiX VPN to make a layer 2 (Ethernet) bridge connection between two or more
LANs is an extremely convenient, yet simple way to construct a LAN-to-LAN VPN. The
pros of connecting two LANs via a layer 2 bridge connection are as follows:

- All LANs will have a direct layer 2 connection to each other. Logically, it is the
  same as if the switching hubs of multiple LANs were cascaded together with an
  extremely long Ethernet cable.

- TCP/IP and even older protocols such as NetBEUI and IPX/SPX can be used. All
  protocols that run over Ethernet are supported.

- The devices you can communicate with over the VPN are not limited to computers. Any
  device that can be connected via Ethernet is compatible. Even devices that use a
  special or proprietary protocol such as security cameras, digital video recorders,
  home electronics, VoIP telephones, etc. can be reached through a bridge connection
  and used across networks.

- Because you do not have to deal with IP routing, communicating between multiple
  networks is simplified. Bridging effectively expands the area a network covers,
  rather than simply connecting networks together.

Bridging - Cons

At the same time, the cons of connecting two LANs via a layer 2 bridge connection are
as follows:

- Because the LANs will be linked via a layer 2 connection, when TCP/IP is used within
  the VPN all LANs will, as a rule, belong to the same IP network. When you want to add
  a new LAN at a remote site, you can simply bridge the new LAN to the old one,
  effectively expanding the original LAN. However, if you want to connect two existing
  LANs together with a bridge you will have to re-design the network topology and come
  up with new IP address assignment rules. This can be a costly operation, especially
  on networks where IP addresses are static or assigned by hand.

- When bridging multiple LANs together, broadcast traffic will increase in proportion
  to the larger number of computers on the combined segment.

If you believe the cons listed above would result in problems for your network, we
recommend connecting your LANs via layer 3 routing. This method is introduced in
section 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」 .

10.5.4 Network Layout

This section will explain the following type of network layout as an example.

Fig. 10-5-1 Network Layout

In the above example, two physically separated LANs, one in Tokyo and one in Osaka,
are formed into a single segment via a layer 2 (Ethernet) bridge connection.

Tokyo is the main LAN, and Osaka is the sub-LAN. In Tokyo, a Virtual HUB is created on
the VPN Server computer and a local bridge connection is made to the network adapter
on the LAN we wish to connect to. In Osaka, a Virtual HUB with the name "BRIDGE" is
created on a computer with VPN Bridge installed and a local bridge connection is made
to the network adapter on the LAN we wish to connect to. A cascade connection is also
made to Tokyo from Osaka. Now, the once separated network segments are formed into
a single segment which can communicate between each other.

Once the segments have been combined the computers on both segments can
communicate as if they were on the same segment. Thus, they can be configured and
used as if they were all on the same LAN.

When connecting 3 or more LANs together you must install a VPN Server on the
designated "main" LAN and VPN Bridge on the remaining LANs. Then, you will make a
cascade connection from each VPN Bridge to the VPN Server to connect the LANs
together. This allows the computers on all the LANs to communicate with each other
through the VPN Server at a layer 2 level.

10.5.5 Calculating the Number of Required Licenses

Let's calculate how many licenses will be needed to set up this example network. You
will definitely need a VPN Server product license to receive incoming connections from
VPN Bridges. This example only deals with a small number of connections and does not
require clustering capabilities. Thus, the Standard Edition license will provide all the
functionality you need for this type of setup.

Finally, you only have 1 VPN Bridge connecting to the VPN Server, so you will need a 1
bridge connection license.

A single bridge license is sufficient regardless of the number of computers on the two
networks.

Thus, the required product licenses and connection licenses are as shown below. Please
refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for more
information about the licensing system.

„ VPN Server 2.0 Standard Edition License x 1

„ VPN Server 2.0 Bridge Connect License (1 Site) x 1

10.5.6 Installing VPN Server On the Main LAN

First, VPN Server will be installed on the main LAN in Tokyo.

The computer you install VPN Server on must make a local bridge connection to the
company LAN in Tokyo. Therefore, it must be installed physically close enough to the
LAN to connect to the layer 2 segment via a network cable.

Because the VPN Server must receive incoming VPN connections from the VPN Bridges
over the Internet, it must have a public IP address or be able to receive TCP/IP
communication through NAT, a firewall, or a reverse proxy system as described in
section 「10.2.1 VPN Server Location」 . Please consult with your network administrator
if you are unsure about any of these issues.

Now create a Virtual HUB in the VPN Server on the main LAN and name it whatever you
like. You may use the default name of "DEFAULT" or name it something like "TOKYO" for
easier management. The functionality will not be affected either way.

10.5.7 Installing VPN Bridge to the Sub-LAN

Next, a VPN Bridge will be configured on the sub-LAN in Osaka.

The computer you install VPN Bridge on must make a local bridge connection to the
company LAN in Osaka. Therefore, it must be installed physically close enough to the
LAN to connect to the layer 2 segment via a network cable.

The VPN Bridge must also make a VPN connection to the VPN Server on the Tokyo LAN
via the Internet, and thus must also be connected to the Internet. However, unlike the
VPN Server, the Osaka VPN Bridge is the side that initiates the VPN connection (cascade
connection) to the VPN Server reachable on the Internet. Therefore, it will still be able
to connect even if it is behind NAT, a firewall, or a proxy server and has a private IP
address. (However, be sure to take note of your NAT, firewall, or proxy server's load
handling capabilities. The devices you send data through may become a bottleneck,
lowering the overall communication speed of your VPN.)

10.5.8 Configuring the Local Bridges

Local bridges will be configured at both the VPN Server in Tokyo, and the VPN Bridge in
Osaka. Refer to section 「3.6 Local Bridges」 and create a local bridge connection from
the Virtual HUB to the LAN.

You should be aware of the following things when making connections via a local bridge.

- As explained in detail in section 「3.6.3 Preparing the Local Bridge network
adapter」, if possible, set aside network adapters strictly for local bridging when
making your local bridge connection. We recommend that you do not bind a protocol
stack to your local bridge network adapters, and do not assign IP addresses to them.

- We also recommend that you use a high quality network adapter from a trusted
maker for your local bridge connections. For more information please refer to 「3.6.5
Supported Network Adapter Types」 and 「3.6.6 Use of network adapters not
supporting Promiscuous Mode」.

10.5.9 Configuring Cascade Connections

Setting up the Osaka VPN Bridge's Virtual HUB to make a continuous cascade connection
to the Tokyo LAN's VPN Server is the last step in configuring this LAN-to-LAN network.

First we'll make a new user for the cascade connection on the Virtual HUB on the VPN
Server in Tokyo. The username could be "osaka" or any other appropriate name.
Password authentication (with a long enough password) should be a secure enough
authentication method, since the cascade connection configuration will most likely be
done by the system administrator and not the end user. (For a more secure solution we
recommend using X.509 certificate authentication for both the client and server.)

Next we'll make a cascade connection from the Osaka VPN Bridge's Virtual HUB to the
Virtual HUB on the Tokyo LAN. For user authentication, we'll enter the username and
password we registered to the Virtual HUB on the Tokyo LAN. (Or provide the X.509
authentication certificate and private key if using client certificate authentication.) Now
we'll set our created cascade connection to "online" status. At this point, confirm that
the cascade connection's connection status is set to "Online (Connection Established)".

10.5.10 Connecting to the LAN-to-LAN VPN/Performing a Communication Test

Once you have established a connection to a LAN-to-LAN VPN, both LANs should logically
function as a single layer 2 (Ethernet) segment. To test if this is true, try some type of
communication between both LANs that would be impossible unless they were both
connected as a single LAN.

10.5.11 Supplementary Information

Take note of the following things when using a layer 2 bridge to make a bridged
connection (by combining a cascade connection and a local bridge) between remote
LANs.

- The multiple LANs that make up the LAN-to-LAN VPN will be logically connected as a
single Ethernet network (broadcast domain segment) once they are connected via
bridge connections. Thus, they will be able to communicate with each other as such.
Therefore, computers will use the VPN to communicate between these networks
exactly as if they were connected together as one big physical LAN.

- If there are DHCP servers running on the original LANs then once they are logically
connected as a single segment it will be as if multiple DHCP servers are running on
the same Ethernet network. As explained in section 「10.2.9 Advice about Protocol
Conflicts when Making a LAN-to-LAN Connection」, this causes protocol conflicts and
overall network instability.

- When dealing with LANs that already have a fairly large amount of computers on
them, you may have to make some changes to the network layout when building
them into a LAN-to-LAN VPN using only bridge connections. (Especially when each
computer is being assigned a static IP address.) If you are dealing with multiple LANs
made up of multiple IP networks, we recommend also using IP routing (explained in
section 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」) when setting up
your LAN-to-LAN VPN.


10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)

This section will explain how to create a layer 3 connection between two or more remote
networks by utilizing bridge connections together with IP routing.

10.6.1 Combining Bridge Connections and IP Routing

After reading section 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」
you know how to connect multiple LANs together into a single layer 2 (Ethernet)
segment, forming a LAN-to-LAN VPN.

By combining that method and the Virtual Layer 3 Switching capability built into VPN
Server you can construct a LAN-to-LAN VPN that utilizes layer 3 IP routing.

10.6.2 IP Routing Via Virtual Layer 3 Switching

VPN Server has Virtual Layer 3 Switching capabilities which allow it to perform IP routing
between multiple Virtual HUBs under the same VPN Server. By using this capability you
can construct a large scale LAN-to-LAN VPN which works even if each individual LAN has
multiple IP networks of its own.

Please refer to section 「3.8 Virtual Layer 3 Switches」 for a summary of Virtual Layer 3
Switching and how to use it.


10.6.3 Pros and Cons of IP Routing

This section will give the pros and cons of setting up a LAN-to-LAN VPN that performs IP
routing between LANs through Virtual Layer 3 Switching as opposed to setting up one
using only bridge connections as explained previously in section 「10.5 Setting Up a
LAN-to-LAN VPN (Using Bridge Connections)」 .

IP Routing - Pros
- Using only bridge connections to connect multiple LANs results in those LANs being
joined together as a single layer 2 (Ethernet) segment. By also utilizing Virtual
Layer 3 Switching you can perform layer 3 (IP) communication between LANs while
keeping them separated at layer 2.

- This means that you will be able to communicate between LANs that already have
their own stable IP networks without making any changes to the computers/devices
on those networks.

- It is also a good idea to use IP routing when dealing with large LANs that contain
more than 100 computers each. Simply bridging multiple LANs together increases
broadcast traffic in proportion to the number of computers on the combined network.
In this case it is best to use IP routing between the LANs, which keeps each
broadcast domain small.

IP Routing - Cons
- A good knowledge of TCP/IP and VPNs is required to configure Virtual Layer 3
Switching and design/build a LAN-to-LAN VPN that utilizes IP routing.

- You may also notice a slight performance decrease compared to a simple layer 2
LAN-to-LAN VPN, because every packet crossing the Virtual Layer 3 Switch must be
processed by the router (for example, its IP header rewritten); this is most
noticeable when large numbers of packets are transferred in bursts.

- Because each LAN's layer 2 segments are separated, they can only communicate with
each other via IP.

10.6.4 Network Layout

This section will explain the following type of network layout as an example.


Fig. 10-6-1 Network Layout

In the above network example there are 3 LANs connected together through a VPN
connection. Computers on all LANs are able to communicate with each other through the
IP routing enabled VPN. For this example, assume that the three LANs are located in
Tokyo, Osaka, and Tsukuba, Japan.

The Tokyo LAN is the main LAN and therefore VPN Server is installed there. This leaves
the LANs in Osaka and Tsukuba as the sub-LANs. VPN Bridge will be installed to both of
these locations.

The private IP networks in Tokyo, Osaka, and Tsukuba are separated as 192.168.1.0/24,
192.168.2.0/24, and 192.168.3.0/24 respectively. When a computer from one LAN
attempts to communicate with a host on another LAN it will automatically do so through
the VPN.

Virtual HUBs on the VPN Server

In the above network the layer 3 switch operates on the VPN Server in Tokyo. When
creating this network the following three Virtual HUBs should be made on the Tokyo LAN
VPN Server.

- TOKYO
"TOKYO" will be the Virtual HUB that makes a local bridge connection to the network
that the VPN Server is physically connected to, in this case the Tokyo LAN. On a
layer 3 level, this Virtual HUB is part of the 192.168.1.0/24 IP network.

- OSAKA
"OSAKA" will be the Virtual HUB that handles the cascade connection from the VPN
Bridge on the Osaka LAN. Therefore, this Virtual HUB is on the same layer 2 segment
as the Osaka LAN. On a layer 3 level, this Virtual HUB is part of the 192.168.2.0/24
IP network.

- TSUKUBA
"TSUKUBA" will be the Virtual HUB that handles the cascade connection from the VPN
Bridge on the Tsukuba LAN. Therefore, this Virtual HUB is on the same layer 2
segment as the Tsukuba LAN. On a layer 3 level, this Virtual HUB is part of the
192.168.3.0/24 IP network.

Layer 3 Switches on the VPN Server

After the three Virtual HUBs above have been created on the VPN Server in Tokyo,
create a single Virtual Layer 3 Switch, referring to section 「3.8 Virtual Layer 3
Switches」. Then define a virtual interface on that switch for each of the three
Virtual HUBs.

The Virtual Layer 3 Switch will look like a single IP router to computers on the network.
Therefore, each virtual interface needs one IP address belonging to the private
network of the Virtual HUB it attaches to. That address must not already be in use on
any of the IP networks reachable, directly or indirectly, through that Virtual HUB. For
example, you could set up something like the table below.

Virtual HUB Name    Virtual Interface IP Address
TOKYO               192.168.1.254 / 255.255.255.0
OSAKA               192.168.2.254 / 255.255.255.0
TSUKUBA             192.168.3.254 / 255.255.255.0

In this example network the layer 3 switch will connect to each network on the VPN
directly through the virtual interface. Therefore, there is no need to set up a routing
table for the Virtual Layer 3 Switch.

Configuring the VPN Bridge on the Osaka and Tsukuba Networks

For the VPN Bridges installed on the Osaka and Tsukuba networks, first make a local
bridge connection between each VPN Bridge's "BRIDGE" Virtual HUB and its physical LAN.

Next, make a cascade connection from the VPN Bridge on the Osaka network to the
"OSAKA" Virtual HUB on the Tokyo VPN Server. You must also make a cascade
connection from the VPN Bridge on the Tsukuba network to the "TSUKUBA" Virtual HUB
on the Tokyo VPN Server.

This will allow computers on different IP networks in three different locations to
communicate with the other LANs connected to the VPN by routing through the Virtual
Layer 3 Switch.

10.6.5 Calculating the Number of Required Licenses

Let's calculate how many licenses will be needed to set up the example network above.
You will definitely need a VPN Server product license to receive incoming connections
from VPN Bridges. This example only deals with a small number of connections and does
not require clustering capabilities. Thus, the Standard Edition license will provide all the
functionality you need for this type of setup.


Finally, you have 2 VPN Bridges connecting to the VPN Server, so you will need 2 bridge
connection licenses.

Each VPN session connected in bridge/routing mode needs only one bridge connection
license, regardless of the number of computers on the networks behind it.

Using the Virtual Layer 3 Switching capability does not affect the number of product or
bridge licenses required.

Thus, the required product licenses and connection licenses are as shown below.

- VPN Server 2.0 Standard Edition License x 1

- VPN Server 2.0 Bridge Connect License (1 Site) x 2

Please refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for
more information about the licensing system.

10.6.6 Installing VPN Server On the Main LAN

First, VPN Server will be installed on the main LAN in Tokyo.

The computer you install VPN Server on must make a local bridge connection to the
company LAN in Tokyo. Therefore, it must be installed physically close enough to the
LAN to connect to the layer 2 segment via a network cable.

Because the VPN Server must receive incoming VPN connections from the VPN Bridge(s)
over the Internet, it must have a public IP address or be able to receive TCP/IP
communication through NAT, a firewall, or a reverse proxy system. (See section
「10.2.1 VPN Server Location」 .) Please consult with your network administrator if you
are unsure about any of these issues.

Once VPN Server is installed create the three Virtual HUBs "TOKYO", "OSAKA", and
"TSUKUBA" as described in section 「10.6.4 Network Layout」 . Next, create a local
bridge connection between the "TOKYO" Virtual HUB and the Tokyo LAN and configure
the Virtual Layer 3 Switch.

10.6.7 Installing VPN Bridge on the Other LANs

Install one VPN Bridge at each of the Osaka and Tsukuba sub-LANs. After you have made
local bridge connections to the LANs you want to connect, make cascade connections to
the "OSAKA" and "TSUKUBA" Virtual HUBs on the VPN Server in Tokyo.

10.6.8 LAN-to-LAN VPN Connection

Unlike the layer 2 bridge connection configuration described in section 「10.5 Setting Up
a LAN-to-LAN VPN (Using Bridge Connections)」 , using IP routing to create a VPN
connection between each LAN does not mean that the computers on each LAN will be
able to automatically communicate with each other without any extra configuration.

For a network like the one in this example, you will need to set up a routing table for
devices on each network so that the IP routing will properly communicate the data to the
destination LAN via the Virtual Layer 3 Switch.

If you just think of the Virtual Layer 3 Switch or Virtual HUB as no different from a
physical layer 3 switch, router, or switching hub then configuring such a routing table
should be a breeze. One possible configuration for this example network is given below.

- On the router used as the default gateway on the Tokyo LAN add two entries to the
static routing table so that 192.168.2.0/24 (Osaka) bound packets and
192.168.3.0/24 (Tsukuba) bound packets use the gateway 192.168.1.254.

- On the router used as the default gateway on the Osaka LAN add two entries to the
static routing table so that 192.168.1.0/24 (Tokyo) bound packets and
192.168.3.0/24 (Tsukuba) bound packets use the gateway 192.168.2.254.

- On the router used as the default gateway on the Tsukuba LAN add two entries to the
static routing table so that 192.168.1.0/24 (Tokyo) bound packets and
192.168.2.0/24 (Osaka) bound packets use the gateway 192.168.3.254.

Let's look at an example of how things will work after the above configuration is
performed. If a computer on the Osaka LAN (e.g. 192.168.2.3) tries to send a packet to
a computer on the Tsukuba LAN (e.g. 192.168.3.5), the computer at 192.168.2.3 sends
the packet to its network's default gateway, which follows its routing table and
forwards the packet to 192.168.2.254 (the Virtual Layer 3 Switch's virtual interface
operating on the VPN Server in Tokyo). The Virtual Layer 3 Switch then uses its virtual
interface at 192.168.3.254 to send the packet into the TSUKUBA Virtual HUB, where it
finally reaches its destination, the computer on the Tsukuba LAN at 192.168.3.5. This
is the process that occurs under a VPN connection that utilizes IP routing.

If for some reason you are unable to add entries to the default gateway router's static
routing table you can also use the route command on each computer to add to the
static routing table. However, you would have to modify the routing table for every
computer that will communicate over the VPN which would be a lengthy and costly
operation. Therefore, this method is not recommended.
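The packet flow just described, traced by a small routing simulation. This is an added example and not part of the PacketiX manual: it models each LAN's default gateway, the Virtual Layer 3 Switch with the three virtual interfaces from section 10.6.4, and the two example hosts; the gateway router addresses 192.168.x.1 are an assumption, since the manual does not state them. It also covers the per-computer route alternative and the case where no static routes have been added at all.

```python
"""Hop-by-hop simulation of the IP routing described in section 10.6.8."""
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    """A hop with interfaces ({name: "ip/prefix"}) and static routes
    ([("dest/prefix", "gateway_ip")]). A host is a Router with one
    interface and a default route pointing at its LAN's gateway."""

    def __init__(self, name, interfaces, routes=()):
        self.name = name
        self.interfaces = {n: ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ip_network(d), ip_address(g)) for d, g in routes]

    def addresses(self):
        return {i.ip for i in self.interfaces.values()}

    def lookup(self, dst):
        """Return (out_interface, next_hop) or None if dst is unroutable.
        Directly connected networks win; otherwise longest prefix match
        over the static routes, as a physical router would do."""
        for name, iface in self.interfaces.items():
            if dst in iface.network:
                return name, dst
        matches = [(n, g) for n, g in self.routes if dst in n]
        if not matches:
            return None
        _, gw = max(matches, key=lambda m: m[0].prefixlen)
        for name, iface in self.interfaces.items():
            if gw in iface.network:
                return name, gw
        return None  # gateway is not on any attached network


def trace(nodes, src, dst):
    """Follow a packet from src to dst and return the list of hop names.
    Raises ValueError where a physical network would drop the packet."""
    by_ip = {ip: n for n in nodes for ip in n.addresses()}
    dst = ip_address(dst)
    cur = by_ip[ip_address(src)]
    path = [cur.name]
    for _ in range(16):  # TTL-style guard against routing loops
        if dst in cur.addresses():
            return path
        hop = cur.lookup(dst)
        if hop is None:
            raise ValueError(f"{cur.name}: no route to {dst}")
        _, next_ip = hop
        if next_ip not in by_ip:
            raise ValueError(f"{cur.name}: next hop {next_ip} is unreachable")
        cur = by_ip[next_ip]
        path.append(cur.name)
    raise ValueError("routing loop")


def conflicting_interfaces(l3_switch, nodes):
    """10.6.4 rule: a virtual interface address must not already be in use
    on the network it serves. Returns the conflicting addresses."""
    used = {ip for n in nodes if n is not l3_switch for ip in n.addresses()}
    return sorted(str(ip) for ip in l3_switch.addresses() & used)


SITES = {"Tokyo": 1, "Osaka": 2, "Tsukuba": 3}  # 192.168.<n>.0/24 per site
HUBS = {"TOKYO": 1, "OSAKA": 2, "TSUKUBA": 3}


def build_example(gateway_routes=True, host_routes=False):
    """Topology of Fig. 10-6-1. gateway_routes installs the static entries of
    10.6.8 on each LAN's default gateway (assumed to be 192.168.<n>.1);
    host_routes puts the same entries on the hosts instead (the discouraged
    per-computer 'route' method). Hosts .3 (Osaka) and .5 (Tsukuba) are the
    constructed examples used in the text."""
    l3 = Router("Virtual Layer 3 Switch",
                {hub: f"192.168.{n}.254/24" for hub, n in HUBS.items()})
    nodes = [l3]

    def to_other_lans(n):
        return [(f"192.168.{m}.0/24", f"192.168.{n}.254")
                for m in SITES.values() if m != n]

    for site, n in SITES.items():
        nodes.append(Router(f"{site} default gateway",
                            {"lan": f"192.168.{n}.1/24"},
                            to_other_lans(n) if gateway_routes else []))
    for site, n, host in (("Osaka", 2, 3), ("Tsukuba", 3, 5)):
        routes = [("0.0.0.0/0", f"192.168.{n}.1")]
        if host_routes:
            routes += to_other_lans(n)
        nodes.append(Router(f"{site} host 192.168.{n}.{host}",
                            {"eth0": f"192.168.{n}.{host}/24"}, routes))
    return nodes


if __name__ == "__main__":
    topo = build_example()
    print(" -> ".join(trace(topo, "192.168.2.3", "192.168.3.5")))
```

Running it with gateway_routes=False reproduces the point of 10.6.8: without the static entries the Osaka gateway has no route to 192.168.3.0/24 and the packet is dropped before it ever reaches the Virtual Layer 3 Switch.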

10.6.9 Supplementary Information

The Virtual Layer 3 Switch can also forward packets to networks beyond the IP network
that each virtual interface's Virtual HUB is directly connected to. Please refer to
section 「3.8.5 Editing the Routing Table」 for more information on this topic.


10.7 Combining a LAN-to-LAN VPN and a Remote Access VPN

This section will explain how to take the network configurations looked at in sections
「10.4 Setting Up a Generic Remote Access VPN」 and 「10.5 Setting Up a LAN-to-LAN
VPN (Using Bridge Connections)」 and use them together.

10.7.1 Using LAN-to-LAN Communication and Remote Access Together

In section 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 you read
about a LAN-to-LAN VPN which was set up with VPN Server installed on the main LAN
and VPN Bridge installed on the sub-LANs. The VPN Server installed on the main LAN for
this type of network configuration can also receive VPN connection requests from VPN
Clients. This means that it can be the VPN Server for the LAN-to-LAN VPN and the VPN
Server for a remote access VPN at the same time.

The figure below illustrates what it would look like if a user at a remote location (such as
from a hotel on a business trip) made a remote access VPN connection to the VPN
Server on the main LAN (Tokyo).

Fig. 10-7-1 An Example of How to Use a LAN-to-LAN Network and Remote Access Together

In this example, two VPN Client equipped laptop computers are making a direct
connection to the Virtual HUB on the VPN Server in Tokyo via the Internet. In this
configuration the Tokyo LAN and the Osaka LAN are connected as a layer 2 segment.
Computers on both networks can freely communicate with each other. Also, the VPN
Clients logged in to the VPN Server will join that same layer 2 segment and will be able
to freely communicate with computers on both networks as well.

By using this method you can utilize a single VPN Server to provide both remote access
and LAN-to-LAN VPN services.


10.7.2 Calculating the Number of Required Licenses

To calculate the number of licenses required for this VPN configuration, we simply add
two client connection licenses to the licenses required to build the simple LAN-to-LAN
VPN from section 「10.5 Setting Up a LAN-to-LAN VPN (Using Bridge Connections)」 .
Thus, the required product licenses and connection licenses are as shown below.

- VPN Server 2.0 Standard Edition License x 1

- VPN Server 2.0 Client Connect License (1 Client) x 2

- VPN Server 2.0 Bridge Connect License (1 Site) x 1

Please refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for
more information about the licensing system.

10.7.3 Supplementary Information

Of course, it is also possible to use remote access in conjunction with a LAN-to-LAN VPN
that utilizes IP routing such as the one described in section 「10.6 Setting Up a LAN-to-
LAN VPN (Using IP Routing)」 . In this situation you can decide which layer 2 segment to
join depending on which Virtual HUB you connect to.

Also, if you install VPN Server on both networks of the VPN, the VPN Client can make a
direct connection to the VPN through the Internet by connecting to either one of the VPN
Servers. This is useful if, for example, a user wants to connect to the fileserver on the
Osaka LAN. By using this method the user can connect directly to the Osaka LAN without
going through the Tokyo LAN, which means faster transfer speeds. In this situation you
would need an additional VPN Server product license in order to install another VPN
Server on the LAN in Osaka.


10.8 Setting Up a Large Scale Remote Access VPN Service

If you expect a large number of simultaneous connections to your VPN Server based
remote access VPN system like the one described in section 「10.4 Setting Up a Generic
Remote Access VPN」 , you can use the clustering capability of PacketiX VPN Server 2.0
Enterprise Edition to perform load balancing across multiple VPN Servers. This allows
you to decrease the load on each VPN Server and increase overall throughput. It also
allows you to automatically introduce fault-tolerance into your network design.


10.8.1 VPN Server's Processing Limit

A single VPN Server can theoretically handle up to 4,096 sessions at once. So, a VPN
Server being used for a remote access VPN could handle approximately 4,000 VPN Client
connections simultaneously.

In reality, however, the limit is set not by the software but by hardware constraints
such as memory capacity or CPU processing speed. If 4,000 VPN sessions were handled
by a single VPN Server, there would be problems such as a significant loss of
transmission speed, or insufficient memory on the VPN Server leading to swapping,
which would drastically limit the usability of the VPN as a whole.

It is predicted that hardware will advance to a point where it can handle such a load,
but that technology is not yet available to us. So, in order to handle this many
connections, the software has to be designed so that it reduces the load placed on
any one piece of hardware.

When a large corporation's IT department wants to provide a remote access VPN service
to all of its employees, they have to try to predict how many connections might
possibly be made to the server at the same time. For example, if your VPN server
machine is a Pentium 4 2.8 GHz with 1 GB of RAM we recommend having one server for
every 200 to 500 sessions. (Keep in mind that the actual number of VPN Servers
required can vary greatly according to network traffic and other factors.)

10.8.2 Increase Network Scalability By Using Clustering

By using the clustering capability built in to PacketiX VPN Server 2.0 Enterprise Edition,
you can create a cluster of servers to handle a large number of remote access VPN
connections.

By increasing the number of computers in the cluster you can achieve a system that can
handle even more than 4,096 simultaneous sessions at once.

This section will give an example layout of this type of remote access VPN service and
inform you of important points to keep in mind when designing a cluster network. Please
refer to section 「3.9 Clustering」 for more detailed information about the clustering
capability.

10.8.3 Using Static Virtual HUBs

You can create one or more Virtual HUBs within the cluster. When dealing with clusters,
there are two types of Virtual HUBs: static Virtual HUBs and dynamic Virtual HUBs.

The best one to use for a remote access VPN is the static Virtual HUB. (See section
「3.9.7 Static Virtual HUBs」 .)

10.8.4 Network Layout

This section will explain the following type of network layout as an example.


Fig. 10-8-1 Network Layout

The network example above assumes that there is an existing company LAN to which
the VPN Clients make a remote VPN connection.

In this case there are many VPN Clients that need to connect to the VPN Server. To
handle the load, you can install multiple VPN Servers and initiate clustering between
them.

In the example above, three VPN Servers are being operated as a cluster. When VPN
Clients connect to the cluster they will be re-directed to the VPN Server with the lowest
load as calculated by the cluster controller. VPN Clients will not know which static Virtual
HUB instance they are connected to. However, all Virtual HUBs are connected via a local
bridge to the remote access VPN's destination network segment, so the user will be able
to communicate over the remote network without having to know which VPN Server they
were assigned to via the load balancing algorithm.

In this example there are three VPN Servers installed for a predicted total of 300 VPN
Clients. However, the number of VPN Servers to install depends not only on the number
of VPN Clients, but can change dramatically with the VPN Server computer's hardware
or the bandwidth available from the backbone it is connected to. Our recommended
method of finding the optimal number of VPN Servers is to first set up a small test VPN
of two clustered VPN Servers and see how many sessions can be active at once before
performance starts being affected. From there you can tell roughly how many sessions
a single VPN Server can handle in your network environment, and add more VPN Servers
as needed. By using this method you can eliminate any wasted costs and build the
smallest, most efficient VPN to suit your needs.

This network example assumes that the remote LAN is made up of a single layer 2
segment. However, in most situations where clustering is needed such as in a large
corporation, the internal network is most likely separated into multiple segments with
IP routing taking place between them. Therefore, when setting up a remote access
VPN for this type of network you will need to install a static Virtual HUB on each of the
remote networks. Then, you must also connect each VPN Server with each Ethernet
segment containing a Virtual HUB with a local bridge connection.

10.8.5 Calculating the Number of Required Licenses

Let's calculate how many licenses will be needed for this network layout. You will need
three VPN Server product licenses to receive incoming connections from VPN Clients.
This time you are using clustering so you will need the Enterprise Edition.

Finally, you have 300 VPN Clients connecting to the VPN Server at the same time, so
you will need connection licenses for 300 clients. Connection licenses will be managed by
the entire cluster, therefore you only need to register them to the cluster controller.

The bridge connection required to connect each VPN Server's Virtual HUB to the existing
LAN will be handled by the VPN Servers so a bridge connection license is not required.

Thus, the required product licenses and connection licenses are as shown below.

- VPN Server 2.0 Enterprise Edition License x 3

- VPN Server 2.0 Client Connect License (100 Clients) x 3

Please refer to section 「1.3 PacketiX VPN 2.0 Product Configuration and License」 for
more information about the licensing system.

10.8.6 Installing and Configuring the Cluster Controller

When installing multiple VPN Servers as a cluster you must first install the first VPN
Server as the cluster controller. If the VPN Server machines you have prepared have
different hardware specifications, you should pick the one with the most memory and
the most powerful hardware to be the cluster controller.

Please refer to section 「3.9.2 Cluster Controllers」 for more information on setting up
a VPN Server as a cluster controller.

10.8.7 Installing and Configuring the Cluster Member Servers

Each VPN Server installed after the first will connect to the cluster controller as a cluster
member server. Please refer to section 「3.9.3 Cluster Member Servers」 for more
information on setting up a VPN Server as a cluster member server.


10.8.8 Creating Static Virtual HUBs

Once you have all your VPN Servers installed, connect to the cluster controller and
create a single Virtual HUB. Set the type of the Virtual HUB to static. As explained
previously, if the network you wish to connect to remotely has multiple segments,
create a Virtual HUB for each segment.

Note that the Virtual HUB that exists on a fresh install of VPN Server named "DEFAULT"
is a dynamic Virtual HUB. (You can change it to a static Virtual HUB and use it if you
would like.)

10.8.9 Making a Local Bridge between the Existing LAN and the Virtual
HUBs

When a static Virtual HUB is created on the cluster controller an instance of that static
Virtual HUB will automatically be made on all VPN Servers in the cluster. (See section
「3.9.7 Static Virtual HUBs」 .)

Next, make a direct administrative connection to each VPN Server and set up a local
bridge connection between that Virtual HUB and the physical LAN you wish to connect to
remotely. (For more information on creating local bridge connections, see section 「3.6
Local Bridges」 .) As explained previously, if the network you wish to connect to
remotely has multiple segments, you must make local bridge connections between each
static Virtual HUB and their respective physical LAN. (You will need multiple network
adapters for this.)

Refer to section 「10.4.7 Configuring the Local Bridge」 for things to note when making
local bridge connections.

Once the local bridges are configured, the cluster is ready to go as a remote access VPN
system. VPN Clients make a VPN connection to the cluster controller via the Internet, at
which point the controller automatically redirects the connection to the VPN Server with
the lowest current load. That VPN Server then processes the client's connection. The
user never has to know about this process, and can connect just as they always would.

In addition, if an operating cluster member has a hardware failure or is taken down for
maintenance, any VPN sessions being handled by the VPN Server on that member will
automatically be assigned to a different VPN Server with no interruption of service. Even
if something like this happens, the VPN Server administrator does not have to lift a
finger.

10.8.10 Managing VPN Sessions on a Clustered VPN

Once you have finished setting up your clustered environment, there is usually no need
to make an administrative connection to the cluster member servers. Administrative
operations such as downloading log files, changing logging preferences,
adding/removing/editing currently connected users, configuring external authentication
servers, or configuring trusted authentication certificates can all be done on the cluster
controller. The controller will then update all VPN Servers on the cluster to maintain
consistency automatically.


10.9 Setting Up a Large Scale Virtual HUB Hosting Service

Corporations or Internet service providers (ISPs) can use their high speed backbone
network and their large number of servers to create a large scale Virtual HUB hosting
service for their employees or clients with PacketiX VPN Server 2.0. This section will give
more information about this type of Virtual HUB hosting service, and how to set one up.

10.9.1 The Necessity of a Virtual HUB Hosting Service

What is a Virtual HUB Hosting Service?

By installing VPN Server on a powerful server computer on a very high speed connection
and creating multiple Virtual HUBs on that VPN Server you can provide usage rights to
these Virtual HUBs to your clients or employees. This is the type of Virtual HUB hosting
service described here.

This type of Virtual HUB hosting service is also called a hosting VPN or an ASP VPN.

The idea behind a Virtual HUB hosting service is to set up a clustered VPN Server
system, create a large number of Virtual HUBs on it, and then give administrative rights
for each Virtual HUB to whoever will be using or managing it. Administration of each
Virtual HUB is thus delegated to its owner, while the users of that Virtual HUB can make
a VPN connection to the VPN Server and communicate with each other.

Fig. 10-9-1 Concept of a Virtual HUB Hosting Service

Usefulness of a Virtual HUB Hosting Service in the Corporate Environment

By utilizing a Virtual HUB hosting service the IT department of a large corporation can
provide many different types of VPNs using only the Virtual HUBs it hosts. The IT
department manages a VPN Server system in the company's server room or data center,
creates as many Virtual HUBs as the company needs, and gives administrator privileges
for each Virtual HUB to the person in charge of the department that uses it. Without a
hosting service, each of those departments would instead have to install VPN Server and
manage a VPN server computer of its own, which, as you can imagine, is a far more
difficult process.

Fig. 10-9-2 Virtual HUB Hosting Service in the Corporate Environment

Usefulness of a Virtual HUB Hosting Service for an ISP

Internet service providers (ISPs) can utilize their high speed backbone connection to the
Internet and provide a VPN hosting service to their clients. An ISP could set up a VPN
Server system in their data center and create a special Virtual HUB for each client who
signs up for the Virtual HUB hosting service. By then giving administrator rights to the
client for that Virtual HUB they will be able to freely add users and manage sessions.
They can then connect to that Virtual HUB via the Internet from multiple locations and
be able to use all the functionality of PacketiX VPN 2.0.

This type of service is extremely useful for users at companies or homes that do not
have a global IP address, or do not have a static global IP address and would like to rent
a Virtual HUB on a stable VPN Server.

For example, if a small business wants to set up a remote access VPN system but has a
dynamic global IP address (an IP address that changes every time a connection to the
Internet is made), it cannot run a stable VPN Server within the company. (It is possible
to install a VPN Server on this type of network using a DDNS service as explained in
section 「10.10.3 Assigning IP Addresses and the DDNS Service」 , but this method is not
recommended when stability is crucial.) There are also small companies that have a static
global IP address but lack the technical knowledge required for the daily management of
a VPN Server. For these types of companies, a Virtual HUB hosting service provided by
their ISP is a viable option. By making a permanent cascade connection from a VPN
Bridge installed within the company to the Virtual HUB provided by the ISP, a company
can provide a remote access VPN service as described in section 「10.4 Setting Up a
Generic Remote Access VPN」 to their employees without running their own VPN Server.
An illustration of this type of network is shown in the figure below. Employees wanting to
use the remote access VPN connect to the Virtual HUB on the VPN Server provided by the
ISP. Their traffic is then relayed through this Virtual HUB to the VPN Bridge, which is
joined to the company network by a local bridge, granting remote access to the network.

Fig. 10-9-3 Virtual HUB Hosting Service Provided by an ISP

Also, using this type of service allows you to join two LANs without a static global IP
address through the Virtual HUB hosting service provided by the ISP. Basically, you will
be able to create a LAN-to-LAN VPN as described in section 「10.5 Setting Up a LAN-to-
LAN VPN (Using Bridge Connections)」 without having to install a VPN Server on your
company network.

Fig. 10-9-4 A LAN-to-LAN VPN Utilizing an ISP Provided Virtual HUB Hosting Service

How to Provide a Virtual HUB Hosting Service

A corporation or ISP does not need any special certification or permission from SoftEther
to provide a large scale Virtual HUB hosting service to their clients. By purchasing as
many VPN Server 2.0 product licenses and connection licenses as you need, you can set
up a Virtual HUB hosting service in a short time.

10.9.2 Increase Network Scalability By Using Clustering

Naturally, when running a large scale Virtual HUB hosting service the number of Virtual
HUBs on your VPN Servers will likely be very large, as well as the number of VPN
sessions connected to those hubs via VPN Client or VPN Bridge.

Therefore, you will need to use the clustering capabilities of PacketiX VPN Server 2.0
Enterprise Edition or PacketiX VPN Server 2.0 Carrier Edition as explained in section
「10.8 Setting Up a Large Scale Remote Access VPN Service」 . Using clustering will
enable you to create a large number of dynamic Virtual HUBs without taking a
performance hit. It will also allow you to handle a high number of VPN sessions at once
by balancing the load across multiple VPN Servers. Furthermore, if one of your VPN
Servers malfunctions or needs to be taken down for maintenance, the fault-tolerance
capability of the cluster controller will automatically move any VPN sessions connected to
that VPN server to another, properly working VPN Server. With this in mind, it is possible
to set up a large scale Virtual HUB hosting service that runs 24 hours a day, 365 days a
year with no downtime.

However, keep in mind that the suggestions written here are for a large scale Virtual
HUB hosting service. If you are planning to set up a small scale Virtual HUB hosting
service (approximately 100 Virtual HUBs or less and no more than 200 simultaneous
sessions active) then you may not need to use clustering. In this case you can use
PacketiX VPN Server 2.0 Standard Edition instead of the Enterprise or Carrier Edition. If
you decide not to use clustering at first, but later find that a single VPN Server cannot
handle any more Virtual HUBs or simultaneous sessions, you can upgrade to the
Enterprise Edition or the Carrier Edition and enable clustering by adding more VPN
Servers to your network.

10.9.3 Using Dynamic Virtual HUBs

You can create one or more Virtual HUBs within the cluster. When dealing with clusters,
there are two types of Virtual HUBs: static Virtual HUBs and dynamic Virtual HUBs.

The best one to use for a Virtual HUB hosting service is the dynamic Virtual HUB. (See
section 「3.9.8 Dynamic Virtual HUBs」 .)

10.9.4 Network Layout

This section will explain the network layout as shown in the figure below.

Fig. 10-9-5 Network Layout

In this example there are five server computers installed in a data center which make up
the VPN Server cluster. For this example, assume that all server machines have a static
global IP address.

If you were to set up a five server cluster such as the one in the example above only to
find that the load on each VPN Server is too high, you can simply add more VPN Servers
to increase the throughput of the cluster and to decrease the overall load on each machine.

10.9.5 Calculating the Number of Required Licenses

Required Product Licenses

You will have to estimate the number of incoming VPN connections to your VPN Server
cluster when setting up a Virtual HUB hosting service.

First you will need to acquire enough product licenses to install your servers.

This network layout example would require five VPN Server 2.0 Enterprise Edition
licenses, one per server.

A service provider or other communications company could also use the VPN Server 2.0
Carrier Edition License. See section 「1.3.7 PacketiX VPN Server 2.0 Academic Edition」
for more details.

Required Connection Licenses

The number of client and bridge connection licenses required by your VPN Server cluster
will be determined by the number of client mode VPN sessions and bridge/routing mode
VPN sessions that will be connected to the cluster at the same time. You should always
prepare enough connection licenses to handle a slightly higher number of connections
than you expect will actually be connected to your cluster, just to be safe.

If you are using the VPN Server 2.0 Carrier Edition License then there is no need to
purchase or register connection licenses beforehand. See section 「1.3.7 PacketiX VPN
Server 2.0 Academic Edition 」 for more details.

10.9.6 Installing and Configuring the Cluster Controller

When installing multiple VPN Servers as a cluster you must first install the first VPN
Server as the cluster controller. If the VPN Server machines you have prepared have
different hardware specifications, you should pick the one with the most memory and
the most powerful hardware to be the cluster controller.

Please refer to section 「3.9.2 Cluster Controllers」 for more information on setting up
a VPN Server as a cluster controller.

10.9.7 Installing and Configuring the Cluster Member Servers

Each VPN Server installed after the first will connect to the cluster controller as a cluster
member server. Please refer to section 「3.9.3 Cluster Member Servers」 for more
information on setting up a VPN Server as a cluster member server.

10.9.8 Creating Dynamic Virtual HUBs

When you make Virtual HUBs for a Virtual HUB hosting service you should always make
them as dynamic Virtual HUBs. For example, you may need to make new Virtual HUBs
for your company or, as an ISP, when new clients sign up for your Virtual HUB hosting
service.

10.9.9 Assigning Virtual HUB Administrator Rights

When you make a new Virtual HUB you will have to give administrator rights to the user
that will actually be managing that Virtual HUB. In a corporation, administrator rights
would be given to the person who requested the Virtual HUB from the IT department.
For an ISP, they would be given to the client who has requested the Virtual HUB hosting
service.

Handing off administrator rights is as easy as telling the user the administrator password
for the Virtual HUB, or registering a password the user requests when you first create
the Virtual HUB. Anyone who holds that password can manage the Virtual HUB, so pass
it to the user over a channel you trust rather than in the clear. Please refer to section
「3.3.4 Administration Authority」 for more information on giving out administrator
rights.

Once the user has their password they can use it to log in to the cluster controller with
VPN Server Manager or vpncmd and freely manage their Virtual HUB. They will have
access to all the features of a Virtual HUB administrator, such as adding new
users/groups, configuring access lists, log file settings, and more. You can also restrict
these operations as you see fit. Please refer to section 「10.9.13 Limiting Administrator
Rights by Configuring the Virtual HUB Management Options」 for more details.

10.9.10 Managing VPN Sessions on a Clustered VPN

Once you have finished setting up your clustered environment, there is usually no need
to make an administrative connection directly to the cluster member servers.
Administrative operations such as downloading log files, changing logging preferences,
adding/removing/editing currently connected users, configuring external authentication
servers, or configuring trusted authentication certificates can all be done on the cluster
controller. The controller will then update all VPN Servers on the cluster to maintain
consistency automatically.

Each Virtual HUB's administrator likewise makes their administrative connection to the
cluster controller. Remember, direct administrative connections are made only to the
cluster controller, not to the other cluster member servers.

10.9.11 Automating the Creation and Management of a Large Quantity of Virtual HUBs or Users

Using vpncmd for Management Automation

You may need to automatically create a Virtual HUB for a user after they have signed up
for your Virtual HUB hosting service through a form on your website or another method.
This is especially true for ISPs. You can automate this process of creating new dynamic
Virtual HUBs for your clients.

By using an automatic managing system that could, for example, automatically delete a
Virtual HUB from the cluster if a user cancels their service, or automatically restrict
access to a Virtual HUB that a user has not made a payment on in time, you can make
managing your system very easy.

You can use the PacketiX VPN command line management utility (vpncmd) to build such a
system. A CGI or ASP/ASP.NET script can launch vpncmd in the background, passing the
operation and its parameters on the command line, and then read the exit code or the
output file that vpncmd returns.

Refer to section 「Chapter 6 Command Line Management Utility Manual」 for more
information about vpncmd. An ISP providing a Virtual HUB hosting service can thus have
its own internal automated system call vpncmd to control its VPN Servers and Virtual
HUBs.

Using a .NET Library for Automated Management

The type of VPN Server or Virtual HUB management possible with vpncmd can be
executed within a program via function calls. (See section #1.3.22# for more
information.) The first version of this library is provided as a DLL file which can be called
through the Microsoft .NET Framework.

By using this library an ISP can issue commands and see the results of those commands
faster and more reliably than by using vpncmd.

Using the Framework Kit for ISPs

In the future, SoftEther plans to release a framework kit for ISPs made up of scripts
(ASP.NET) and databases that will automate the configuration of a Virtual HUB hosting
service that can automatically handle online sign-up requests, cancellations, and
temporary stoppage of service due to payment issues. At the time of the writing of this
manual (December, 2005) the date that this service will become available is still yet to
be decided. ISPs will be able to use this framework kit and customize it to work with
their existing front-end or back-end systems. This framework kit will consist of
Microsoft .NET Framework 2.0 sample programs and databases and will likely come
packaged with PacketiX VPN Server 2.0 Carrier Edition. Please refer to section 「1.3.7
PacketiX VPN Server 2.0 Academic Edition 」 for more information about PacketiX VPN
Server 2.0 Carrier Edition.

When more detailed information about the framework kit for ISPs is available, it will
be available at http://www.softether.com/ .

10.9.12 User's Usage Status and Billing

By connecting to the VPN Server with overall administrator rights you can view the traffic
volume of each Virtual HUB on the entire system. An ISP needs this information to bill
each user (Virtual HUB) according to that user's traffic volume. You can obtain it from the
statistical data automatically created and maintained by the VPN Server and each Virtual
HUB. The same information is stored in the vpn_server.config configuration file written by
the cluster controller, so a program can measure the traffic volume of each user by
reading that file and bill them accordingly. Please refer to section 「3.3.10 Administration
of Statistical Information」 for more information on the statistical data generated by
VPN Server and the Virtual HUBs. You could also write a simple program that processes
and records this information to calculate billing automatically.

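As an added example, not code from this manual or from SoftEther, the shell script below sums the per-Virtual-HUB traffic counters from a copy of vpn_server.config and turns them into a per-gigabyte charge. The nested `declare name { ... }` block layout with `uint64 ...Bytes` lines under VirtualHUB/<hub>/Traffic/Recv and /Send is an assumption about the file format, and the sample file the script builds is constructed for the demonstration; check both against a file taken from your own cluster controller before billing anyone with it.

```shell
#!/bin/sh
# Added example (not part of PacketiX VPN): per-Virtual-HUB traffic totals and a
# simple volume charge derived from vpn_server.config. The file layout assumed here
# is the nested "declare <name> { ... }" format with "uint64 <Name>Bytes <value>"
# counters under VirtualHUB/<hub>/Traffic/{Recv,Send}; verify it against a real file.

# Print "<hub><TAB><total bytes>" for every Virtual HUB, sorted by hub name.
# $1 = path to a COPY of vpn_server.config (the running server rewrites the live file).
hub_traffic_bytes() {
    awk '
        # Track the nesting path: name[depth] is the block name at each level.
        $1 == "declare" { pending = $2; next }
        $1 == "{"       { depth++; name[depth] = pending; next }
        $1 == "}"       { depth--; next }
        # Counters of interest sit at root/VirtualHUB/<hub>/Traffic/<Recv|Send>, depth 5.
        $1 == "uint64" && $2 ~ /Bytes$/ && depth == 5 &&
        name[2] == "VirtualHUB" && name[4] == "Traffic" {
            total[name[3]] += $3
        }
        END { for (h in total) printf "%s\t%.0f\n", h, total[h] }
    ' "$1" | sort
}

# Charge for one Virtual HUB: whole gigabytes (rounded up) times the per-GB rate.
# $1 = config path, $2 = hub name, $3 = price per GB in the smallest currency unit.
bill_hub() {
    bytes=$(hub_traffic_bytes "$1" | awk -F'\t' -v h="$2" '$1 == h { print $2 }')
    [ -n "$bytes" ] || { echo "no traffic counters for hub $2" >&2; return 1; }
    echo $(( ($bytes + 1073741823) / 1073741824 * $3 ))
}

# Constructed sample approximating the config layout (demonstration data only).
# Writes it to a temporary file and prints the path.
sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
declare root
{
    uint ConfigRevision 12
    declare Traffic
    {
        declare Recv
        {
            uint64 UnicastBytes 999999
        }
    }
    declare VirtualHUB
    {
        declare cust001
        {
            bool Online true
            declare Traffic
            {
                declare Recv
                {
                    uint64 BroadcastBytes 1000
                    uint64 BroadcastCount 10
                    uint64 UnicastBytes 5000
                    uint64 UnicastCount 50
                }
                declare Send
                {
                    uint64 BroadcastBytes 200
                    uint64 UnicastBytes 400
                }
            }
        }
        declare cust002
        {
            declare Traffic
            {
                declare Recv
                {
                    uint64 UnicastBytes 2147483648
                }
                declare Send
                {
                    uint64 UnicastBytes 1
                }
            }
        }
    }
}
EOF
    echo "$f"
}
```

The server-wide Traffic block directly under root is deliberately ignored (it is not at depth 5 under VirtualHUB), and Count lines are skipped so only byte counters are billed. Copy the file off the controller under an account that can read it but not write it, and feed the copy to `hub_traffic_bytes`.
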
10.9.13 Limiting Administrator Rights by Configuring the Virtual HUB Management Options

The overall VPN Server administrator (the ISP or company IT department's
administrator) can limit the administrative functions available to each Virtual HUB's
administrator (a client or employee).

This feature is referred to as the Virtual HUB management options and is a standard
feature of VPN Server. Please refer to section 「3.5.12 Virtual HUB Administration
Options」 for a list of items you can configure.

By configuring the Virtual HUB management options you could, for example, cap the
number of simultaneous VPN sessions allowed on a certain Virtual HUB regardless of the
value its own administrator sets. You can also set the maximum number of users or
groups that can be created on a Virtual HUB. ISPs can use this functionality to provide
different pricing plans to their customers. By providing several plans that differ in terms
of maximum users, connection speed, and usable features you can provide flexible
options to meet the individual needs of each customer.

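The following shell script is an added example, not part of PacketiX VPN or of this manual. It shows the sign-up, suspension and cancellation flow of section 10.9.11 driven through vpncmd, with the plan limits of section 10.9.13 pinned as Virtual HUB management options so that the customer, as Virtual HUB administrator, cannot raise them. The controller address, the vpncmd switches and command names, and the option names max_sessions and max_users are assumptions taken from the command and administration option references; confirm them against your installed version. Note the input check: a hub or user name copied straight from a sign-up form into a vpncmd script line would let a customer append arguments, or whole extra commands, that then run with server administrator rights.

```shell
#!/bin/sh
# Added example (not part of PacketiX VPN): a provisioning helper for a Virtual HUB
# hosting service that drives vpncmd (Chapter 6) from a sign-up or billing back end.
# The vpncmd switches (/SERVER, /PASSWORD:, /HUB:, /IN:), the commands used here
# (HubCreateDynamic, AdminOptionSet, UserCreate, UserPasswordSet, Offline, Online,
# HubDelete) and the option names max_sessions and max_users are assumed from the
# vpncmd and Virtual HUB administration option references; verify them before use.

VPNCMD="${VPNCMD:-vpncmd}"                  # vpncmd binary (assumed to be on PATH)
CONTROLLER="${CONTROLLER:-127.0.0.1:443}"   # cluster controller address:port (assumed)
ADMIN_PASSWORD="${ADMIN_PASSWORD:-}"        # server administrator password
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the vpncmd script instead of running it

# Names from a web form are attacker-controlled. Allow only characters that cannot
# add arguments or whole extra commands to the generated vpncmd script.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}
# Passwords go on one script line, so reject empty values and any whitespace.
valid_secret() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Feed the commands on stdin to vpncmd through a temporary script file (/IN:).
# $1 = Virtual HUB to select with /HUB:, or "" for server-wide commands.
# mktemp creates the file mode 0600, so the passwords in it are not readable by
# other local users; the file is removed as soon as vpncmd returns.
run_vpncmd() {
    rv_hub="$1"
    script=$(mktemp) || return 1
    cat > "$script"
    if [ "$DRY_RUN" = 1 ]; then
        echo "# vpncmd $CONTROLLER /SERVER${rv_hub:+ /HUB:$rv_hub} /IN:<script>"
        cat "$script"; rc=0
    elif [ -n "$rv_hub" ]; then
        "$VPNCMD" "$CONTROLLER" /SERVER "/PASSWORD:$ADMIN_PASSWORD" "/HUB:$rv_hub" "/IN:$script" && rc=0 || rc=$?
    else
        "$VPNCMD" "$CONTROLLER" /SERVER "/PASSWORD:$ADMIN_PASSWORD" "/IN:$script" && rc=0 || rc=$?
    fi
    rm -f "$script"
    return $rc
}

# Sign-up: create a dynamic Virtual HUB with the administrator password handed to
# the customer, pin the plan limits as Virtual HUB management options (which the
# customer cannot change), and create the customer's first user account.
# $1 hub  $2 hub admin password  $3 max sessions  $4 max users  $5 user  $6 user password
provision_hub() {
    valid_name "$1" && valid_name "$5" || { echo "invalid hub or user name" >&2; return 1; }
    valid_secret "$2" && valid_secret "$6" || { echo "invalid password" >&2; return 1; }
    for n in "$3" "$4"; do
        case "$n" in ''|*[!0-9]*) echo "plan limits must be numeric" >&2; return 1 ;; esac
    done
    run_vpncmd "" <<EOF || return 1
HubCreateDynamic $1 /PASSWORD:$2
EOF
    run_vpncmd "$1" <<EOF
AdminOptionSet max_sessions /VALUE:$3
AdminOptionSet max_users /VALUE:$4
UserCreate $5 /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet $5 /PASSWORD:$6
EOF
}

# Overdue payment: take the Virtual HUB offline; its configuration is kept.
suspend_hub() {
    valid_name "$1" || return 1
    run_vpncmd "$1" <<EOF
Offline
EOF
}
resume_hub() {
    valid_name "$1" || return 1
    run_vpncmd "$1" <<EOF
Online
EOF
}
# Cancellation: remove the Virtual HUB from the cluster.
deprovision_hub() {
    valid_name "$1" || return 1
    run_vpncmd "" <<EOF
HubDelete $1
EOF
}
```

Run it on the cluster controller itself, or on a host where only operations staff can log in: the server administrator password is passed to vpncmd with /PASSWORD:, which other local users could read from the process list. Set DRY_RUN=1 to preview the generated commands without touching the cluster.
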

10.10 Using Remote Access as a Single User

An individual user can install VPN Server at home to enable access to their home LAN
from a remote location. This section will focus on using VPN Server for use as a single
user.

10.10.1 Dangers of the Internet and the Need for VPN

The Internet is full of individuals and groups that will attempt illegal acts such as data
theft or data manipulation. The networks that data crosses on the Internet are run by
many different organizations, so data that travels unencrypted can be read or altered in
transit at any point.

By using PacketiX VPN even a single user can easily set up a VPN network. They can
then easily perform TCP/IP communications such as transferring files or using a remote
desktop application through the VPN directly to their home network safely and securely.

10.10.2 Installing the VPN Server at Home

If you have a global IP address at home you can simply install VPN Server on your home
computer, then use VPN Client to connect to it through the Internet at a remote location.

10.10.3 Assigning IP Addresses and the DDNS Service

When setting up VPN Server at your home some extra configuration will be required
depending on your home network environment (where you receive an IP address
assigned by an ISP).

- If your home network is assigned a global static IP address then you can install VPN
  Server under that IP address and set it to accept connections from the Internet.

- If your home network is assigned a dynamic global IP address (one that changes
  every time you connect to your ISP) then you will be unable to reliably connect to
  your VPN remotely. In this case you can use a dynamic DNS service (DDNS service),
  which gives you a consistent domain name (hostname) that your current dynamic
  IP address is registered to. You can then access your VPN remotely through VPN
  Client by entering that hostname. This type of DDNS service is available on the
  Internet for free, or for a nominal fee.

- If your home network is assigned a private IP address (which is converted into a
  global IP address by the ISP's NAT) then unfortunately you will not be able to access
  your VPN Server at home from the Internet. The only solution in this situation is to
  either change ISPs or consult with your ISP's system administrator.

10.10.4 Adjusting Settings For Broadband Routers or Other Networking Hardware

If your home network has a broadband router with NAT enabled and the computer you
plan on installing VPN Server to is behind that NAT you will not be able to access it
directly from the Internet. In this case you will have to configure your NAT settings and
use static port mapping, port forwarding, or DMZ to map traffic to a port on your VPN
Server computer when a request is made to access it from the Internet. This will allow
you to successfully connect to your VPN Server from the Internet. Forward only the
listener port that VPN Server actually uses: a DMZ setting exposes every service on that
computer to the Internet, not just the VPN Server.

Please refer to your broadband router's instruction manual for details on how to
configure these settings.

10.10.5 Determining the Necessity of Local Bridging

Whether or not you will have to use local bridging on the computer you install VPN
Server to depends on the type of VPN you want to set up.

For example, what if you only want to access shared files on a single computer from a
remote location, or make a remote desktop connection? In this case there is no need to
enable local bridging to connect the Virtual HUB to the physical LAN. You can simply
install VPN Client to the computer you installed VPN Server to and have it stay
connected to itself (localhost). If you then make a connection to that VPN Server
remotely you will be able to communicate with it through its Virtual Network Adapter. If
you want to use this method to communicate with a single computer only, you just need
to install VPN Server to that computer. Local bridging is not necessary.

If you wish to access all computers on your home network remotely (like the remote
access VPN described in section 「10.4 Setting Up a Generic Remote Access VPN」 ) you
will need to utilize local bridging as described in detail in section 「10.4.2 Using Local
Bridging」 .

10.10.6 Accessing Your Home Network From a Remote Network Safely

Once you have VPN Server installed and properly configured, try connecting to it through
VPN Client from a remote network such as a free wireless access point or a hotel's
Internet connection when on a business trip.

If the remote network you will be connecting from routes its traffic through a firewall or
proxy server we recommend you set the VPN Server's listener port to port 443 (the
port used for HTTPS communication). Most HTTP proxy servers or firewalls will let
TCP/IP traffic directed to port 443 pass through.

If you want to use VPN Client on your company's network to access your home network
but VPN usage is restricted, you should consult with your network's system
administrator beforehand.

10.10.7 Using Electronic Devices that can only Communicate over the
same Network

Some types of digital home electronics can only communicate over a local network (the
same layer 2 Ethernet segment). For example, a video capture board with a TV tuner
may contain software that allows you to watch TV over the network. However, both the
client and server must be connected to the same network for this to work. Other
examples include HD recorders or DVD recorders that allow the transfer of video only
over the same local network.

By using PacketiX VPN you can set up a remote access VPN or LAN-to-LAN VPN and
access these types of devices from a remote location over the Internet as if you were
directly connected to your network from home.

10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator Rights

Until now, administrator rights were a necessity when setting up a remote access VPN.
By using the SecureNAT capability built in to PacketiX VPN Server 2.0 and PacketiX VPN
Bridge 2.0, however, you can build a remote access VPN that does not require
administrator rights but retains the same functionality. This section will explain how to
use SecureNAT to access your LAN from a remote location.

10.11.1 Utilizing SecureNAT to Make Things More Convenient

About SecureNAT

As explained in section 「3.7.1 What is SecureNAT?」 , SecureNAT consists of a TCP/IP
stack operated in user mode together with a Virtual NAT and a Virtual DHCP Server. In
particular, when IP access via the Virtual NAT is performed, the data is relayed to its
destination through the socket API of the host at the user level, which is why no
administrator privileges are needed. This is a very advanced and intriguing technology.

Accessing an Extremely Secure LAN Via Remote Access That Was Not
Possible With Previous Technologies
As explained in section 「10.4 Setting Up a Generic Remote Access VPN」 , to set up a
VPN to allow remote access to an existing LAN from a remote location you must first
install VPN Server on the LAN you wish to connect to remotely. In addition, that VPN
Server must be able to be seen from the Internet. Finally, use local bridging to connect
the Virtual HUB to the physical LAN and your remote access VPN is complete. This type
of configuration will allow you to connect to an existing LAN remotely, but you will need
system administrator (or network administrator) rights to complete the set-up in the
following two locations:

1. When using the local bridge functionality to make a bridged connection between
   the Virtual HUB and the existing LAN you will need system privileges or
   administrator rights on the computer you install VPN Server to, whether you run
   the vpnserver process in service mode or in user mode.
2. To enable access to the VPN Server from the Internet you will need to have a
global IP address or configure your NAT or firewall to enable port forwarding to
your VPN Server. You will need network administrator privileges to perform this
configuration.

Therefore, if you want to enable secure and easy remote access to a device you have
installed or are managing on a LAN, you will not be able to use VPN Server to set up a
remote access VPN server as you would normally because you will need both system
administrator and network administrator privileges on that LAN.

10.11.2 Using SecureNAT For Amazingly Simple, Secure Remote Access With No Administrator Rights

Your network environment must meet the following criteria to set up a remote access
VPN using SecureNAT. Please refer to section 「3.7 Virtual NAT & Virtual DHCP
Servers」 for more information about the SecureNAT functionality.

- There must be a computer running Windows, Linux, FreeBSD, Solaris, or Mac OS X
  on the LAN you wish to connect to remotely that you can log on to as at least a
  general user.

- You must also get confirmation from your network or system administrator that
  it is acceptable to access the LAN remotely before you begin setting anything up.
  A SecureNAT cascade opens a path into the LAN that its firewall does not see, so
  do not set one up without that permission.

Normally, a LAN that meets the above conditions but consists of private IP addresses
behind a NAT, firewall, or proxy server can not be connected to from outside the
network. However, by utilizing the revolutionary new SecureNAT technology available
only with PacketiX VPN 2.0 you will be able to connect to even this type of network
freely and securely from a remote location.

10.11.3 A Practical Example Network

Network Layout Example

In order to make the explanation in this section easier to understand, the method
described here is for the sample network layout shown in the image below.

Fig. 10-11-1 Network Layout

First, there is a very secure network protected by a firewall or NAT that can not be
accessed from the Internet. For this example, the network's IP address is
192.168.1.0/24. However, web sites can be viewed on the network by routing traffic
through the firewall or NAT proxy server first. Also, the computer at IP address
192.168.1.1 is running Linux, although any other operating system that will run VPN
Bridge such as Windows or Solaris is also acceptable. Assume that you do not have root
access to this computer, but can log on to it as a general user. There is also a laser
printer connected to the network at 192.168.1.10 that needs to be maintained.

Next, assume that there is a single computer within the office or at home that has had
VPN Server installed and the proper license keys registered to it. For the sake of
example, also assume that this VPN Server can be accessed from the Internet at the IP
address 130.158.6.51.

Purpose

The reasons for using SecureNAT in the example network layout above are the following:

- You will be able to perform remote maintenance on the laser printer at 192.168.1.10
  on the network 192.168.1.0/24, which normally blocks all connections from the
  Internet.

- If you explain the situation to the administrator of 192.168.1.0/24 and receive
  permission to set up such a VPN, but are worried about the cost or difficulty of
  changing the network's firewall settings, you can still set up the VPN without
  modifying the firewall.

Now we will explain in detail how to perform remote maintenance on the laser printer at
192.168.1.10 once you have reached this point in setting up the VPN.

Preliminary Preparation

The computer you set up with VPN Server beforehand at the IP address 130.158.6.51 is
the VPN Server computer. Create a Virtual HUB on this VPN Server (the default Virtual
HUB "DEFAULT" will do) and create a user so that you can connect to that Virtual HUB
later through VPN Bridge (assume you make the user "test" with password
authentication for this example). Please refer to section 「Chapter 3 PacketiX VPN
Server 2.0 Manual」 for more information about configuring VPN Server.

10.11.4 Starting Up VPN Bridge on the Remote LAN

Configuring and Starting Up VPN Bridge

First, you will need to physically visit the remote LAN (in this case, the LAN that contains
the laser printer for remote maintenance at 192.168.1.10) at least once for the initial
configuration process.

What you will need to do here is to log in as a general user to the Linux computer with
the IP address 192.168.1.1 and install PacketiX VPN Bridge 2.0.

VPN Bridge is free to use if you just want to use it to connect to VPN Server. After
unpacking the VPN Bridge Linux install package's tar.gz file and installing VPN Bridge on
the computer at 192.168.1.1, the executable file vpnbridge will be created.

Assuming that you can only log on to 192.168.1.1 as a general user, you will have to
run VPN Bridge in user mode. As shown below, run vpnbridge with the start option.
Please refer to section 「5.2.2 User Mode」 for more detailed configuration information.

$ ./vpnbridge start

This will launch VPN Bridge on the computer at 192.168.1.1. To launch VPN Bridge under
Windows, use the /usermode option, not the start option.

Beginning the Initial Configuration of VPN Bridge

Next you will configure VPN Bridge using VPN Server Manager or the command line
management utility vpncmd. The steps below use VPN Server Manager on a Windows
machine elsewhere on the network; if no Windows machine is available, the same
configuration can be done with vpncmd on a UNIX machine. Please refer to section
「Chapter 6 Command Line Management Utility Manual」 for more information about
vpncmd.

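For a remote LAN with no Windows machine to run VPN Server Manager on, the same configuration can be done with vpncmd on the Linux host itself. The script below is an added example, not part of this manual or of VPN Bridge; it covers the steps this section walks through in the GUI (setting the VPN Bridge administrator password, enabling SecureNAT on the BRIDGE Virtual HUB, and creating and starting the cascade connection to 130.158.6.51:443 as user test on the DEFAULT hub). The command names, the assumption that vpncmd is installed alongside vpnbridge, and the assumption that a freshly installed VPN Bridge accepts a blank administrator password are taken from the Chapter 6 reference as understood here; the two passwords are placeholders.

```shell
#!/bin/sh
# Added example (not part of PacketiX VPN): vpncmd equivalent of the VPN Server
# Manager steps in this section, run on the Linux host 192.168.1.1 as the general
# user who started "./vpnbridge start". Command names (ServerPasswordSet, Hub,
# SecureNatEnable, CascadeCreate, CascadePasswordSet, CascadeOnline, CascadeList)
# and the switch syntax are assumed from the Chapter 6 reference; the path to
# vpncmd and the blank initial administrator password are assumptions as well.

VPNCMD="${VPNCMD:-./vpncmd}"                   # vpncmd from the VPN Bridge package (assumed path)
BRIDGE="${BRIDGE:-localhost}"                  # the VPN Bridge being configured, on its default port
VPN_SERVER="${VPN_SERVER:-130.158.6.51:443}"   # VPN Server on the Internet; 443 passes most proxies
SERVER_HUB="${SERVER_HUB:-DEFAULT}"            # Virtual HUB on that VPN Server
SERVER_USER="${SERVER_USER:-test}"             # user created there for the cascade

# Print the vpncmd command script for the whole procedure.
# $1 = administrator password to set on the VPN Bridge, $2 = password of $SERVER_USER.
bridge_setup_script() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[[:space:]]*) echo "passwords must be non-empty without whitespace" >&2; return 1 ;; esac
    done
    cat <<EOF
ServerPasswordSet $1
Hub BRIDGE
SecureNatEnable
CascadeCreate Bridge /SERVER:$VPN_SERVER /HUB:$SERVER_HUB /USERNAME:$SERVER_USER
CascadePasswordSet Bridge /PASSWORD:$2 /TYPE:standard
CascadeOnline Bridge
CascadeList
EOF
}

# Apply it: write the script to a mode-0600 temporary file (it holds both passwords),
# hand it to vpncmd with /IN:, and delete it. A fresh VPN Bridge still has a blank
# administrator password, so no /PASSWORD: is given on this first run; afterwards
# reconnect with /PASSWORD:<the password set above>.
bridge_apply() {
    script=$(mktemp) || return 1
    bridge_setup_script "$1" "$2" > "$script" || { rm -f "$script"; return 1; }
    "$VPNCMD" "$BRIDGE" /SERVER "/IN:$script" && rc=0 || rc=$?
    rm -f "$script"
    return $rc
}
```

Once the cascade is online, every account that can log in to DEFAULT on 130.158.6.51 has a path through SecureNAT into 192.168.1.0/24. Give the cascade its own Virtual HUB containing only the accounts that need it, and restrict that hub with an access list that permits traffic to 192.168.1.10 alone.
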
First, launch VPN Server Manager.

Fig. 10-11-2 VPN Server Manager

Next, when you click [Create New Setting], the [Create New Connection Setting] window
will appear. In the [Host Name] field of this window, input 192.168.1.1, the IP address
of the computer you ran VPN Bridge on earlier. Click [OK].

Fig. 10-11-3 Creating a VPN Bridge Connection Configuration


If you double-click the connection configuration you just made, an administrative
connection will be made to the VPN Bridge and the administration window will be
displayed. If this is the first time you have connected to the VPN Bridge, a message
asking you if you would like to set an administrator password will appear. Set a strong
password at this time: until you do, anyone who can reach the VPN Bridge's listener
port can administer it.

Fig. 10-11-4 Connection to the VPN Bridge Completed

Enabling SecureNAT

Clicking the [Manage Virtual HUB] button on the administration window will display a
window labeled [Management of Virtual HUB - 'BRIDGE'].


Fig. 10-11-5 The Virtual HUB Administration Window

On this window, click the [Virtual NAT and Virtual DHCP Server (SecureNAT)] button.
This will display the [Virtual NAT and Virtual DHCP Function (SecureNAT) Setting]
window. After reading the notices on this window carefully, click the [Enable SecureNAT]
button.

Fig. 10-11-6 Enabling SecureNAT

Now click the [Exit] button. This will take you back to the [Management of Virtual HUB -
'BRIDGE'] window.

Configuring the Cascade Connection to the VPN Server On the Internet

Next click the [Manage Cascade Connections] button. Then click [Create]. A window
labeled [New VPN Connection Setting Properties] such as the one below will be
displayed.


Fig. 10-11-7 Configuring the Cascade Connection to the VPN Server On the Internet

You will input the following items in the [New VPN Connection Setting Properties]
window:

- [Setting Name]
  Designate some arbitrary name such as "Bridge".

- [Host Name]
  Input the IP address of the computer that you installed VPN Server on beforehand.
  (In this example, 130.158.6.51.)

- [Port Number]
  Input one of the listener ports of the computer that you installed VPN Server on
  beforehand. We recommend port number 443 if you have to go through any firewalls or
  proxy servers, because it is the port most of them already allow for HTTPS.

- [Virtual HUB Name]
  Input the name of the Virtual HUB you created on the VPN Server beforehand.

- Proxy Server Related Items
  If you must go through an HTTP proxy server or SOCKS proxy server to access the
  Internet from the 192.168.1.0/24 network, enter the information about that proxy
  server here. (See section 「4.4.1 Selecting the Proper Connection Method」 .)

- [Auth Type]
  Select the authentication method of the user registered to the Virtual HUB (in this
  example, the user "test") on the computer that you installed VPN Server on
  beforehand. "Standard Password Authentication" is sufficient under normal
  circumstances.

- [User Name]
  Input the user name of the user registered to the Virtual HUB (in this example, the
  user "test") on the computer that you installed VPN Server on beforehand.

- [Password]
  Input the password of that user (the one you registered beforehand).

After you have entered all the necessary information, click [OK]. This will take you back
to the [Cascade connection on Bridge] window. The connection configuration you just
created should be shown in the cascade connection list.

Starting the Cascade Connection

Now, click the new connection configuration you just created and click the [Online]
button. If, after a few moments, the connection status changes to [Online (Connection
Established)] then a connection has successfully been made to the Virtual HUB on the
VPN Server you set up on the Internet. If an error message is displayed look up the
details of the error and solve the problem. (See section 「12.5 Error Codes」 .)

Once you have finished all the configuration and the cascade connection has successfully
established a connection, close VPN Server Manager.

Now you have completed all the necessary configuration on the remote LAN
(192.168.1.0/24).
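The same configuration can be completed without a Windows machine by driving vpncmd on the Linux host. The script below is an added example and is not part of the original manual or of the PacketiX software; the vpncmd options and command names it uses (ServerPasswordSet, Hub, SecureNatEnable, CascadeCreate, CascadePasswordSet, CascadeOnline, CascadeStatusGet) are the ones listed in the Chapter 6 reference, and everything else it assumes is marked in the comments: the Virtual HUB on the Internet-side VPN Server is called "REMOTE", the registered user is "test", vpncmd sits in the current directory, and the user-mode VPN Bridge is administered on localhost:5555 because a non-root process on Linux cannot bind port 443.

```shell
#!/bin/sh
# Added example (not from the PacketiX VPN 2.0 manual or SoftEther): drive
# the 10.11.4 configuration from the Linux host itself with vpncmd, so no
# Windows machine running VPN Server Manager is needed.
# Command names are those of the Chapter 6 reference. The values below are
# assumptions for this example: the Virtual HUB on the Internet-side VPN
# Server is "REMOTE", the user registered there is "test", and the
# user-mode VPN Bridge is reached on localhost:5555 (a non-root process on
# Linux cannot bind port 443).

VPN_SERVER_HOST="130.158.6.51"   # VPN Server on the Internet (from the text)
VPN_SERVER_PORT="443"            # its listener port that passes firewalls
REMOTE_HUB="REMOTE"              # assumed Virtual HUB name on the VPN Server
REMOTE_USER="test"               # user registered on that Virtual HUB
BRIDGE_ADMIN="localhost:5555"    # assumed VPN Bridge admin endpoint
CASCADE_NAME="Bridge"

# Write the vpncmd batch file. The cascade user's password goes into this
# file (created mode 0600) rather than onto the command line, where every
# local user could read it from `ps`. Prints the number of commands queued.
write_vpncmd_script() {
    out="$1"; remote_pw="$2"
    rm -f "$out"
    ( umask 077; cat > "$out" <<EOF
Hub BRIDGE
SecureNatEnable
CascadeCreate $CASCADE_NAME /SERVER:$VPN_SERVER_HOST:$VPN_SERVER_PORT /HUB:$REMOTE_HUB /USERNAME:$REMOTE_USER
CascadePasswordSet $CASCADE_NAME /PASSWORD:$remote_pw /TYPE:standard
CascadeOnline $CASCADE_NAME
CascadeStatusGet $CASCADE_NAME
EOF
    )
    wc -l < "$out" | tr -d ' '
}

# Feed the batch file to vpncmd in server-administration mode.
apply_vpncmd_script() {
    script="$1"; admin_pw="$2"
    ./vpncmd "$BRIDGE_ADMIN" /SERVER /PASSWORD:"$admin_pw" /IN:"$script"
}

# Usage on 192.168.1.1 (assumes vpncmd sits in the current directory):
#   ./vpnbridge start
#   ./vpncmd localhost:5555 /SERVER /CMD ServerPasswordSet 'bridge-admin-pw'
#   write_vpncmd_script bridge.cmd 'password-of-user-test'
#   apply_vpncmd_script bridge.cmd 'bridge-admin-pw'
#   rm -f bridge.cmd
```

Delete the batch file once it has been applied, since it holds the cascade user's password in clear text, and remember that the password also ends up in the VPN Bridge's own configuration file. If you intend to use the server certificate check of section 「3.4.12 Server Authentication in Cascade Connections」, its commands belong in the same batch file before the CascadeOnline line, so that the first connection attempt is already verified.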

10.11.5 Using Remote Access

Now that you have completed all the configuration, you will be able to access the
192.168.1.0/24 network anywhere on the Internet through the computer running VPN
Bridge.

Now you can make a connection from VPN Client on any computer that is connected to
the Internet to the VPN Server (in this example, 130.158.6.51). That computer joins the
Virtual HUB on the VPN Server as part of one Layer 2 segment, and through the cascade
connection that segment also contains the SecureNAT Virtual NAT and Virtual DHCP
Server functionality of the VPN Bridge (192.168.1.1) you set up earlier.

Therefore, the VPN Client's Virtual Network Adapter automatically receives from the
Virtual DHCP Server a private IP address in 192.168.30.0/24 (the range SecureNAT hands
out by default), with which it can talk only to other hosts in that range, and its
default gateway is automatically set to the SecureNAT Virtual Host. TCP/IP
communication with the network that VPN Bridge is running on is then possible via the
SecureNAT functionality enabled on that VPN Bridge.


Fig. 10-11-8 Remote Access Via SecureNAT

Once you have confirmed that you have received an IP address via SecureNAT running
on the VPN Bridge, check that you can connect to and communicate with the laser
printer at 192.168.1.10 as if you were physically on the network. This communication
is handled entirely by the Virtual NAT functionality running on the VPN Bridge: its user
mode TCP/IP stack terminates each TCP connection arriving from the VPN side, opens a
corresponding connection to the physical host through the operating system's ordinary
stream socket API with nothing more than the privileges of the user running VPN Bridge,
and relays the results back.

Keep in mind that, for this remote access to work, the Virtual NAT provided by the VPN
Bridge on the remote network becomes the default gateway of the VPN client computer.
Therefore, while connected to the VPN, any access to the Internet is not performed
directly by the client computer but is routed through the remote network and leaves
from its Internet connection. (If the remote network belongs to another company, be
especially careful: whoever operates that network can read or manipulate any
unencrypted Internet communication that passes through it.)

Fig. 10-11-9 Packet Flow When Accessing the Internet Via SecureNAT

10.11.6 SecureNAT and Security

A remote access VPN that combines VPN Bridge and SecureNAT such as the one in this
example has the following security benefits:

- SecureNAT relies on complicated techniques such as a user mode TCP/IP stack, but
  everything it needs runs in user mode. In a network like the example here, where VPN
  Bridge runs under general user privileges, an attacker who exploits a buffer overflow
  or similar flaw in VPN Bridge's or SecureNAT's code therefore gains nothing beyond
  what that user account can already do. Compared to a setup that requires VPN Bridge
  to run with system privileges, running it as a general user limits the damage a
  compromise can cause.

- Of course, even in a remote access VPN such as this one that combines VPN Bridge,
  SecureNAT, and VPN Server, all data carried by the PacketiX VPN protocol is
  encrypted with SSL by default, so a third party watching the Internet path cannot
  read or modify the data you transfer. Encryption alone, however, does not tell the
  VPN Bridge that it is talking to the genuine VPN Server. Enable server certificate
  authentication for the cascade connection (see section 「3.4.12 Server
  Authentication in Cascade Connections」) so that a host interposed on the path
  cannot impersonate the VPN Server; this increases the security of your VPN further.

- This example sets up a remote access VPN without changing any of the firewall or NAT
  settings on the remote network. Opening ports on a firewall or NAT to let traffic
  through is generally costly and can introduce new security risks, so it is not
  recommended unless you have no other choice. If you have permission from the network
  or system administrator to set up a remote access VPN but there is concern over the
  cost, the security risks, or the firewall/NAT configuration, the combination of
  SecureNAT and VPN Bridge used in this example offers a simple, cost effective
  solution.

- All traffic that passes through SecureNAT is logged in the security log file of the
  Virtual HUB on the VPN Bridge (or VPN Server) running SecureNAT, so the
  administrator of that host can audit what the remote access was used for.

10.11.7 The Dangers of Misusing SecureNAT

As explained above, by installing VPN Bridge with SecureNAT enabled ahead of time and
cascading it to a VPN Server, you can reach, from anywhere on the Internet, any network
that itself has outbound Internet access. Before the technology introduced in PacketiX
VPN 2.0 it was very difficult to set up a Virtual HUB with SecureNAT that could
communicate with a physical network.

However, be aware that mistakes made when using or configuring SecureNAT can open
large security holes in your network. If you are thinking of setting up a network such
as the one in this example that allows remote access via VPN technology, explain
everything to your network or system administrator and get their permission
beforehand. If you do not understand the principles behind SecureNAT, or are not
familiar with TCP/IP or NAT in general, do not use the SecureNAT functionality.

Due to potential security hazards, do not use SecureNAT in the following ways:

- Do not make a network remotely accessible with general user privileges without
  receiving permission from the network administrator beforehand.

- Do not install VPN Bridge with SecureNAT enabled on a computer managed by someone
  else (such as at a company, university, Internet cafe, government office, airport, or
  other public place) and then access the Internet from home using that computer as a
  stepping stone without obtaining permission to do so beforehand.

- Do not install or configure VPN Bridge with SecureNAT enabled on an internal office
  network with the intention of illegally accessing that network from outside the office
  at a later time.

- Do not use it on any other network without obtaining permission beforehand from the
  network or system administrator or someone who has administrator privileges on that
  network.

All of the methods of use described above are strictly forbidden under PacketiX VPN
2.0's end user license agreement and could be illegal under certain circumstances.

Fig. 10-11-10 Forbidden Usages of SecureNAT

10.12 Using Public Networks Like Public Wireless Access Safely

When using publicly shared networks such as public wireless LAN hotspots there is
always the potential danger of packets over the network being monitored or modified by
a third party. This section will explain how to use these potentially dangerous public
networks more safely.

10.12.1 The Dangers of Public Network Services

While public wireless Internet hotspots are very convenient, it is relatively easy for a
third party to monitor or sniff packets on such a network: every user shares the same
WEP key (when the hotspot uses encryption at all), and WEP itself is easily broken. Even
those running the public network (a restaurant, cafe, etc.) could be monitoring packets
traveling between the network and the Internet.

Of course, any communication over the Internet is done with a certain level of risk, but
important data transfer (such as receiving/sending mail) should never be done in plain
text over a public network like a wireless Internet hotspot.

Fig. 10-12-1 The Dangers of Public Network Services

10.12.2 Utilizing VPN for Safer Public Network Usage

By using a VPN you can safely use these types of shared public networks. For example,
by setting up a VPN Server at home as described in section 「10.10 Using Remote
Access as a Single User」 you can transfer files to and from that computer completely
within the VPN with Windows File Sharing. Without a VPN you would have to use
something like FTP which is not secure and potentially dangerous. However, with a VPN
you can safely perform any data transfer you need.

You can also set up a VPN so that instead of directly going through a public network's
router to access the Internet, data will instead go through the router at your home first.

Therefore, even if a user on the network attempts to view your network communication
they will only be able to see indecipherable SSL encrypted data. This greatly improves
the security when on a public network.

10.12.3 Installing VPN Server at Home or at Work


PacketiX VPN 2.0 is extremely useful for enabling safe communication over a public
network. Older VPN protocols such as PPTP and L2TP/IPsec often cannot be used on a
public network that places a proxy server, NAT, or firewall between you and the
Internet, because they depend on protocols other than TCP (GRE for PPTP, ESP and UDP
for L2TP/IPsec) that such devices frequently drop or translate incorrectly.

The PacketiX VPN protocol, by contrast, passes transparently through a NAT, firewall,
or proxy server to reach a VPN Server, so you can easily make a VPN connection to your
company or home VPN Server from a public network.

Before you can utilize VPN communication over a public network you will have to set up
a VPN Server that is available for access from the Internet at all times at home or at
your office. Please refer to section 「10.3 Setting Up a PC-to-PC VPN」 , 「10.4 Setting
Up a Generic Remote Access VPN」 , and 「10.10 Using Remote Access as a Single
User」 for more information about setting up a VPN Server.

10.12.4 Accessing the Internet Via a VPN Server's Local Bridge

If your home or office LAN (preferably one behind a NAT that assigns IP addresses to
client computers automatically via a DHCP server) is connected to a VPN Server's
Virtual HUB with a local bridge, you can make a VPN connection to that VPN Server from
a computer at a remote location over a public network service. The VPN Client's
Virtual Network Adapter will then automatically be assigned an IP address for use on
your home or office LAN and will use that LAN's router as its default gateway.

Therefore, while on a public network you can connect to your home or office's VPN
Server, and all Internet communication (viewing websites and so on) between your
computer and the VPN Server will travel entirely within the VPN. Data sent and
received when accessing a server on the Internet is thus routed through your home or
office. A third party capturing your traffic on the public network obtains only the SSL
encrypted data passed between the VPN Client and the one VPN Server, and cannot tell
which websites you were viewing or what data you were transferring.

Compared to public networks, data traveling over the ADSL or fiber optic lines that most
companies and homes use for the Internet access is much less likely to be captured or
manipulated by a malicious third party. Therefore, by using these lines and performing
all TCP/IP communication over a VPN you can use public networks with fast transfer
rates and a much higher level of security than using the public network to access the
Internet directly.
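Both the SecureNAT setup of section 10.11.5 and the local bridge setup above rely on the VPN becoming the client's default gateway, and both fail if the route to the VPN Server itself also ends up inside the tunnel (the symptom listed as 11.1.28). The following added example, which is not part of the original manual, checks both conditions on a Linux VPN Client host from the output of `ip route show`. It assumes the Virtual Network Adapter appears as vpn_vpn and works on a constructed routing table so that it can be run without a live connection.

```shell
#!/bin/sh
# Added example (not from the manual): verify, on a Linux VPN Client host,
# where Internet traffic actually leaves once the VPN is up. Two things
# must both hold for the 10.11.5 and 10.12.4 setups: the lowest-metric
# default route points at the Virtual Network Adapter (assumed here to be
# named vpn_vpn), and the route to the VPN Server itself still goes out
# the physical adapter; otherwise the tunnel tries to carry its own
# packets and the session drops (the symptom described in 11.1.28).

# Constructed sample of `ip route show` on a laptop at a hotspot
# (10.0.0.0/24) after connecting; 192.168.30.0/24 is the range the
# SecureNAT Virtual DHCP Server hands out by default.
SAMPLE_ROUTES='default via 192.168.30.1 dev vpn_vpn proto dhcp metric 10
default via 10.0.0.1 dev wlan0 proto dhcp metric 600
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.23
130.158.6.51 via 10.0.0.1 dev wlan0
192.168.30.0/24 dev vpn_vpn proto kernel scope link src 192.168.30.11'

# Device of the default route the kernel will prefer (lowest metric;
# a route without a metric counts as 0, i.e. highest priority).
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            print metric, dev
        }' | sort -n | head -n 1 | awk '{ print $2 }'
}

# Device used to reach one host: an explicit host route wins, otherwise
# the preferred default route.
route_dev_for_host() {
    routes="$1"; host="$2"
    dev=$(printf '%s\n' "$routes" | awk -v h="$host" '
        $1 == h || $1 == (h "/32") {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }')
    if [ -n "$dev" ]; then
        printf '%s\n' "$dev"
    else
        default_route_dev "$routes"
    fi
}

# Returns 0 when Internet traffic exits through the VPN and the tunnel
# endpoint is still reached over the physical network; 1 otherwise.
check_vpn_routing() {
    routes="$1"; vpn_dev="$2"; server_ip="$3"
    [ "$(default_route_dev "$routes")" = "$vpn_dev" ] || return 1
    [ "$(route_dev_for_host "$routes" "$server_ip")" != "$vpn_dev" ] || return 1
    return 0
}

# Live use on the client (assumed adapter name and the server from the text):
#   check_vpn_routing "$(ip route show)" vpn_vpn 130.158.6.51 && echo ok
```

If the second condition fails, add a host route to the VPN Server via the physical gateway before making the Virtual Network Adapter the default gateway; if the first fails, the hotspot's default route still has priority and your browsing is leaving unprotected, which is exactly the case the section warns about.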

Fig. 10-12-2 Accessing the Internet Via a VPN Server's Local Bridge

10.12.5 About SoftEther's Secure Access Service

In order to use a VPN in the method described above, you have to run a VPN Server at
home or at the office.

As of the writing of this chapter (December, 2005), SoftEther is planning to provide a
large VPN cluster called a Secure Access Server that will allow you to communicate with
hosts on the Internet via a VPN when on a potentially dangerous public network like the
ones described above. This Secure Access Service (tentative title) will allow you to
access hosts on the Internet securely when on public networks you can not trust by
routing traffic through an enormous NAT on the Secure Access Server. Furthermore, the
Secure Access Server will be configured in such a way that VPN Clients connected to it
will not be able to communicate with each other. The Secure Access Server will be built
and managed entirely with PacketiX VPN Server 2.0, and as such we plan to design in it
such a way that you can make a VPN connection to it with the standard VPN Client and
be able to access it from nearly any public network.

When more detailed information about the Secure Access Service (tentative title) is
available, it will be available at http://www.softether.com/ .


Chapter 11 Troubleshooting and Supplementary Information

This chapter contains information about problems and common questions that arise as
an end user and when using PacketiX VPN 2.0 to design, build, and manage a VPN. Refer
to the information in this chapter if you encounter any problems when using PacketiX
VPN 2.0.

11.1 Troubleshooting
11.1.1 Programs Suddenly Terminate during Normal Operation.
11.1.2 I am unable to communicate with the IP address of the Virtual Network
Adapter used for local bridging from within the VPN.
11.1.3 A [Protocol Error] is occurring.
11.1.4 I am getting the message [The time on the server and the client does not
match.].
11.1.5 I am getting slow transfer speeds when using Windows file sharing on the
VPN.
11.1.6 There is a large number of broadcast packets constantly being sent over
the network. What should I check?
11.1.8 The CPU load increases after enabling Virtual NAT for SecureNAT.
11.1.9 Protocols that use many broadcast packets are not working properly.
11.1.10 Multicast packets are being dropped.
11.1.11 Even though I have installed VPN Server and connected to it from outside
the network, I still can not connect to the local network.
11.1.12 I forgot my VPN Server's administrator password.
11.1.13 What do I do if I lost my license key?
11.1.14 RADIUS authentication is not functioning properly. What should I check?
11.1.15 NT Domain or Active Directory authentication is not functioning properly.
What should I check?
11.1.16 Setting the listener port to port 443 always gives an error.
11.1.17 I added a local bridge but it is always offline or showing an error.
11.1.18 The local bridge to my wireless network adapter is not functioning
properly.
11.1.19 I created a Virtual Layer 3 Switch but it is always offline or showing an
error.
11.1.20 I have set up a cluster but I can not communicate between Virtual HUBs
on the cluster.
11.1.21 I am not performing any communication over the VPN, but packets are
being sent to the Internet periodically.
11.1.22 After I have created a Virtual Network Adapter I get the message, [No
network cable is connected.].
11.1.23 I forgot my password for VPN Client.
11.1.24 My Windows 98 Second Edition or Windows Millennium Edition system
becomes unstable when I use a Virtual Network Adapter.
11.1.25 I uninstalled VPN Client but my Virtual Network Adapter is still there.
11.1.26 I am having trouble when using a smart card.
11.1.27 I am unable to create a Virtual Network Adapter with VPN Client under
Linux.

11.1.28 My VPN connection is disconnected when I designate the Virtual Network
Adapter as the default gateway in VPN Client under Linux.
11.1.29 I forgot my VPN Bridge's administrator password.
11.1.30 I have connected LANs together with bridge connections using VPN Server
and VPN Bridge, but I still can not communicate between computers on the LANs.
What should I check?
11.1.31 I am getting a warning message in syslog stating that ARP packets are
being received from the IP address "0.0.0.0" when using local bridging under
FreeBSD.
11.2 Useful Information
11.2.1 Installing VPN Server With a Variable Global IP Address
11.2.2 Making a VPN Connection to a LAN Consisting of Only Private IP Addresses
11.2.4 Using an IPv6 over IPv4 Tunnel
11.2.5 About Wake On Lan (WOL)
11.2.6 Installing VPN Server 2.0 Behind a NAT Enabled Router
11.2.7 Using an IDS to View Packets Going In/Out of a Virtual HUB
11.2.8 Recreating a Switch's Port VLAN Functionality
11.2.9 Accepting Connections from SoftEther 1.0 Virtual Network Adapter
Software
11.2.10 Performing Administration Via TELNET as Supported in SoftEther 1.0
11.2.11 Increasing Cluster Controller Redundancy
11.2.18 Connecting to Multiple VPN Servers or Virtual HUBs at Once
11.2.19 Using SecureNAT to Provide Remote Access to an Otherwise Inaccessible
Network.
11.3 General Supplementary Information
11.3.1 Using This Software Together With Anti-Virus Software or a Personal
Firewall
11.3.2 About the 1/1000th of a Second Delay Encountered When Communicating
Over a VPN
11.3.3 NTLM Authentication Support for Connections Via Proxy Server
11.3.4 How Far Away Can You Establish a VPN Session Connection From?
11.3.5 I measured the throughput of traffic through my VPN with my usual
measurement utilities, and they are showing very low transfer speeds. What's
wrong?
11.3.6 The Difference Between VPN Bridge's SecureNAT and VPN Server's
SecureNAT
11.3.7 Can a single user open multiple VPN sessions?
11.3.8 According to the Windows end user license agreement, is it OK to use a
client based operating system such as Windows XP as a VPN server?
11.3.9 Things to Consider When Using Windows 98. 98 SE, or ME as a VPN Server

11.3.10 I have more connections to my VPN than I have licenses for. What
happened?
11.3.11 About MAC Addresses Starting With "00:AE"
11.3.12 How MAC Addresses Are Assigned to Virtual HUBs
11.3.13 Naming Computers Running VPN Server
11.3.14 Differences Between the Academic Edition and the Standard Production
Edition
11.3.15 VPN Server Computer Specifications and the Number of Possible
Simultaneous Connections
11.3.16 Determining When to Use Clustering and Load Balancing
11.3.17 When Using a Special PPPoE Connection Tool to Connect to the Internet
11.3.18 Things to Consider When Using Your Operating System to Make a Bridged
Connection Between a Virtual Network Adapter and a Physical Network Adapter
11.3.19 What if the Virtual Network Adapter and the physical network adapter
both have the same network address?
11.3.20 How is the Virtual Network Adapter's MAC address generated?
11.3.21 Are Virtual Network Adapters' MAC addresses unique?
11.3.22 Things to be aware of when using SSH port forwarding software to
connect to a VPN server
11.3.23 Concerning the priority of default gateways when one exists on both the
Virtual Network Adapter network and on the physical network
11.3.25 If you are unable to create a Virtual HUB with VPN Bridge...
11.3.26 If you are unable to use local bridging in FreeBSD, Solaris, or Mac OS X...
11.3.27 Connecting to a VPN Bridge Listener Port From VPN Client
11.4 Additional Security Information
11.4.1 Dealing With Viruses or Worms on Your VPN
11.4.3 Is there any danger of my VPN Client service being controlled remotely
immediately after installing VPN Client before I have configured it?
11.5 Additional Information Regarding Communication Protocols
11.5.1 Usable Protocols Other than TCP/IP
11.5.2 Using NetBEUI, IPX/SPX, AppleTalk, etc.
11.5.3 Sending Multicast Packets Within the VPN
11.5.4 Using IP Phone Protocols
11.5.5 Using NetMeeting or Other Video Conferencing Protocols
11.5.6 Using PacketiX VPN to Communicate on an Existing VPN Tunnel
11.6 Additional Compatibility Information
11.6.1 Coexistence With SoftEther 1.0
11.6.2 Relationship With Mitsubishi Materials Corporation's SoftEther CA
11.6.3 Compatibility With SoftEther 1.0 Protocols
11.6.4 Compatibility With Other VPN Products
11.7 Future Plans for PacketiX VPN

11.7.1 Localization Plans
11.7.3 About VPN Client for Windows CE
11.7.4 About VPN Client for Platforms Other than Windows or Linux


11.1 Troubleshooting

This section will describe common problems encountered when using PacketiX VPN 2.0
and how to solve them. Please look over the information presented here and attempt to
fix any problems you can before contacting technical support.

Also, SoftEther's web site ( http://www.softether.com/ ) may contain more up to date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.1.1 Programs Suddenly Terminate during Normal Operation.

In some cases, a PacketiX VPN program's process will suddenly terminate without
warning. If this occurs, confirm the following:

Check to see if the program's executable file (an EXE file under Windows) is corrupted
or if it has been overwritten. If the contents of executable files such as vpnserver,
vpnclient, or vpnbridge have been modified, they may not function properly. If you
think a program's executable file may be corrupted, re-install PacketiX VPN 2.0.

Check to see if the files necessary to execute the program (such as hamcore.se2,
etc.) are corrupted. If you think a file may be corrupted, re-install PacketiX VPN 2.0.

Check to see if there is a problem with your computer's physical memory. If you are
using inexpensive, low quality memory in your computer, it may cause programs
currently running to crash. We recommend using a memory checking tool such as
memtest86 to test for any possible memory defects. For computers that are required
to be highly reliable such as a server machine, we recommend using ECC or
Registered ECC memory.

If you are running resident software such as a personal firewall or an anti-virus
program, try temporarily disabling that software. If, upon disabling this software, the
program in question stops crashing and begins behaving normally, that third party
software is likely the cause of the problem.

If you have tried all of the above suggestions but your problem has not been solved,
please contact technical support.
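The first two checks above ask whether the executable or its support files have been corrupted or overwritten, which is only answerable if you recorded what they looked like when they were good. The following added example, not part of the original manual, takes an integrity baseline of the PacketiX files right after installation and compares against it later. The file names are the ones this section lists; the install directory and where the baseline is kept are assumptions, and the baseline must be stored somewhere the account running VPN Server or VPN Bridge cannot write (in the user-mode scenario of section 10.11, keep a copy off the machine), or a tampered binary can simply be re-baselined.

```shell
#!/bin/sh
# Added example (not from the manual): record SHA-256 hashes of the
# PacketiX program files after installation and verify them when a process
# starts crashing, so "is the executable corrupted or overwritten?" becomes
# a hash comparison rather than a guess. File names are the ones 11.1.1
# lists; the install directory is an assumption for this example.

# Hash one file with whatever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# record_baseline DIR OUT FILE... : write "hash  name" lines for each of the
# named files that exists under DIR (not every package ships every file),
# make the baseline read-only, and print how many files were recorded.
record_baseline() {
    dir="$1"; out="$2"; shift 2
    rm -f "$out"
    : > "$out"
    for f in "$@"; do
        [ -f "$dir/$f" ] || continue
        printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$out"
    done
    chmod 400 "$out"
    wc -l < "$out" | tr -d ' '
}

# verify_baseline DIR BASELINE : print the files whose hash differs from, or
# which are missing relative to, the baseline. Returns 0 when everything
# matches and 1 when anything changed.
verify_baseline() {
    dir="$1"; baseline="$2"; rc=0
    while read -r expected f; do
        if [ ! -f "$dir/$f" ]; then
            printf 'MISSING  %s\n' "$f"; rc=1
        elif [ "$(sha256_of "$dir/$f")" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$f"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Usage (assumed paths), once right after installing and again when in doubt:
#   record_baseline /usr/local/vpnbridge /root/vpnbridge.sha256 \
#       vpnserver vpnbridge vpnclient vpncmd hamcore.se2
#   verify_baseline /usr/local/vpnbridge /root/vpnbridge.sha256 || echo "re-install"
```

A CHANGED line for a program file that nobody upgraded deserves the same treatment as any other unexplained modification of a network-facing binary: re-install from known-good media as the section advises, and find out how it was written to before putting the host back online.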

11.1.2 I am unable to communicate with the IP address of the Virtual Network Adapter
used for local bridging from within the VPN.

In some cases, even though a Virtual HUB is connected to a physical network adapter by
a local bridge, communication from within the Virtual HUB (the VPN side) to the IP
address that the VPN Server or VPN Bridge host has assigned to that physical network
adapter cannot be established. Some possible causes of this are as follows:

From Windows 2000 on, this type of problem may occur right after defining a local
bridge that connects to a network adapter with hardware offloading capabilities. If
this is the case, try restarting your computer. Please refer to section 「3.6.10 Points
to Note when Local Bridging in Windows」 for more details.

If you are using Linux or Solaris, you can communicate within the Virtual HUB (VPN)
from the network adapter connected to by the local bridge to the LAN, but you can
not communicate to the network adapter itself. This is a restriction imposed by the
Linux kernel. For more information please refer to 「3.6.11 Points to Note when Local
Bridging in Linux」 and 「3.6.12 Points to Note when Local Bridging in Solaris」 .

If you are using local bridging to make a bridged connection between a Virtual HUB
and a physical LAN as described in section 「3.6.3 Preparing the Local Bridge network
adapter」 , we recommend you set aside a network adapter specifically for this
purpose. This will result in the best performance when using local bridging.

11.1.3 A [Protocol Error] is occurring.

In some cases, a protocol error will occur when connecting to a VPN Server over the
Internet from a VPN Client or a cascade connection. If this happens, check the following:

Check to make sure that the host name or IP address of the VPN Server you are
trying to connect to is correct. Also, make sure the TCP/IP port number is the same
as the VPN Server's listener port. Furthermore, confirm that that listener port is not
being used by some other server software (such as a webserver like IIS or Apache).
Please refer to section 「3.3.6 Listener Ports」 for more information.

The global address of the connecting computer to be recognized by VPN Server may
not have reverse DNS lookup configured.

If there is a proxy server, transparent firewall, or some other special networking
device between the connecting computer and the VPN Server, that device may
misinterpret the PacketiX VPN protocol and rewrite it or block it completely. In this
case, check with the administrator of the networking device.

If your network uses a HTTP proxy or SOCKS proxy, check with the proxy server's
administrator to confirm if the proxy can be used to forward the PacketiX VPN
protocol.

11.1.4 I am getting the message [The time on the server and the client does not
match.].

If the time set on the VPN Server and that of the connecting VPN client computer differ
significantly, the message [The time on the server and the client does not match.] may
be displayed. If this occurs, check that the clocks on both computers are set to the
correct time, and correct them if they are not.

11.1.5 I am getting slow transfer speeds when using Windows file sharing on the VPN.

You may experience slow transfer speeds when uploading or downloading files over a
VPN from a remote location in the following cases:

- There is a network delay of 10 milliseconds or more on the physical network between
  the two LANs.
  The Windows file sharing protocol is based on the NetBIOS protocol used in LAN
  Manager, which is over 10 years old. When Windows file sharing is used between
  computers on the same segment (with a network delay of 10 milliseconds or less) the
  protocol allows fast file transfer speeds. However, when it is used over the Internet
  with a network delay of 10 milliseconds or more, file transfer throughput drops. This
  delay is not caused by PacketiX VPN; no VPN system can reduce the delay of the
  physical lines below their physical limits.

- The transfer speed or throughput between the LANs is unstable and packets are
  being lost.
  The Windows file sharing protocol is greatly affected by jitter in the network delay
  between the LANs and by throughput that keeps changing.

- Your Windows domain controller is also a file server, and downloads from and
  uploads to that file server are slow.
  If Windows 2000 Server or Windows Server 2003 is your domain controller, open
  [Control Panel], go to [Administrative Tools], and open [Local Security Policy] or
  [Domain Controller Security Policy]. Under [Local Policies], [Security Options], check
  whether [Microsoft network server: Digitally sign communications (always)] and
  [Microsoft network server: Digitally sign communications (if client agrees)] are
  enabled. If they are, disabling them and restarting the file server should noticeably
  improve file transfer speeds. Be aware of what you give up: SMB signing is what lets
  clients detect a file sharing session being tampered with or relayed by another host
  on the LAN. The VPN protects the traffic on the Internet, but not on the LAN segments
  at either end, so weigh this against the speed gain before turning it off on a domain
  controller.

Almost all of the above problems are caused by insufficient throughput or excessive
delay on the physical network. To solve them you may need to contact your network
administrator or increase your network's bandwidth.

When using the Windows file sharing protocol, making the following changes to the
registry on the computer acting as a file server and restarting it can significantly improve
communication throughput on a network with high delays. This configuration must be
done in a registry editor. Only a system administrator or someone knowledgeable about
computers should make these changes. Be sure to make a backup of the registry before
making any changes.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"Size"=dword:00000003
"SizReqBuf"=dword:0000ffff

Making the above changes to the registry and restarting Windows may improve the
transfer speed of the file sharing server. If you do not understand the above information,
please do not modify the registry with any registry editor.

11.1.6 There is a large number of broadcast packets constantly being sent over the network. What should I check?

In some cases, when setting up a PacketiX VPN there will be a large number of
broadcast Ethernet frames being sent within the Virtual HUB or within the physical LAN
connected to the Virtual HUB via a local bridge. If this occurs, check the following:

If there are Virtual HUBs making cascade connections to each other, make sure a
layer 2 loop is not occurring.

Check to make sure there is not a layer 2 loop occurring in your physical connections.

If a Virtual HUB is connected to two or more physical network adapters by a bridge
connection, make sure those network adapters are not connected to the same layer 2
segment.

If you are using PacketiX VPN's Virtual HUB with local bridging or SecureNAT, check
your overall network topology very carefully to make sure there are no layer 2 loops
occurring.

11.1.8 The CPU load increases after enabling Virtual NAT for
SecureNAT.

SecureNAT may not be configured properly. Check to make sure the following things are
not occurring on your network. Also check the items listed in section 「3.7.4 Points to
Note when using Virtual NAT Function 」 .

If your computer has SecureNAT enabled as well as local bridging, check to see if the
physical network adapter connected to via the local bridge is obtaining an IP address
from a DHCP server.

Check that the computer with SecureNAT enabled is not routing its own
communication through SecureNAT, creating an infinite loop. (This often happens
when VPN Client is installed on the same computer and connects to localhost.)

The SecureNAT functionality is designed for creating a simple remote access VPN under
special circumstances (see section 「10.11 Using SecureNAT to Set Up a Remote Access
VPN With No Administrator Rights」 ), and therefore we do not recommend it for
continuous use in a corporate setting. Remember, SecureNAT is not required to set up a
normal LAN-to-LAN VPN or remote access VPN.


11.1.9 Protocols that use many broadcast packets are not working
properly.

In some cases, protocols that use many broadcast packets (broadcast Ethernet frames)
such as gaming systems, home digital appliances, etc. may not work properly when used
over a PacketiX VPN. If this occurs, check the following:

Check to make sure that you have not enabled a security policy that has a broadcast
limit in the security policies for VPN Client or for any cascade connections you need
for your VPN. Note that the default policy does have a broadcast limit enabled. Please
refer to section 「3.5.9 Security Policies」 for more details.

If you are using local bridge connections, the physical network adapter connected to
via the local bridge or that segment's layer 2 switching HUB may not be able to
handle the large number of broadcast frames and will fail to forward them properly.

11.1.10 Multicast packets are being dropped.

In some cases, multicast packets sent through a PacketiX VPN may not function
properly. If this occurs, check the following:

Multicast packets will be treated the same as a broadcast packet by a VPN Server's
Virtual HUB. Check to make sure that you have not enabled a security policy that has
a broadcast limit in the security policies for VPN Client or for any cascade connections
you need for your VPN. Note that the default policy does have a broadcast limit
enabled. Please refer to section 「3.5.9 Security Policies」 for more details.

If you are using local bridge connections, the physical network adapter connected to
via the local bridge or that segment's layer 2 switching HUB may not be able to
handle the large number of broadcast frames and will fail to forward them properly.
Your layer 2 switching HUB/router, or layer 3 switch may not recognize multicast
packets and may be filtering them out.

All multicast packets at the layer 2 level will be broadcast to all VPN sessions by the
Virtual HUB. Even if a VPN Server on a remote access VPN wants to send a client
connected to it a multicast packet, the Virtual HUB will individually encapsulate that
packet for each session. Therefore, it is technologically impossible to reduce traffic by
using multicast technology. Also, be aware that the Virtual HUB and Virtual Layer 3
Switch does not process IGMP packets.

11.1.11 Even though I have installed VPN Server and connected to it from outside the network, I still can not connect to the local network.

In most cases, if you have installed VPN Server, configured the Virtual HUB, and are
connected to the VPN Server remotely via VPN Client but you can still not use the VPN,
the problem is a forgotten local bridge connection between the Virtual HUB and the
physical network adapter.

Refer to section 「3.6 Local Bridges」 and configure a proper local bridge connection.


For a simple remote access server you can also use the Virtual NAT functionality as
described in section 「3.7 Virtual NAT & Virtual DHCP Servers」 .

11.1.12 I forgot my VPN Server's administrator password.

If you have forgotten the administrator password for your VPN Server, refer to 「3.3.7
Configuration File」 and delete the following lines from the VPN Server configuration file
with a text editor:

declare ServerConfiguration
{
uint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
uint AutoSaveConfigSpan 30
string CipherName RC4-MD5
bool DisableDosProction false
byte HashedPassword ******* (hashed password data)

As written above, by deleting the [HashedPassword] field under the
[ServerConfiguration] node you can reset the VPN Server password to an empty
password. Stop the VPN Server service before editing the file, and set a new
administrator password as soon as the server is restarted. Note that anyone who can
write this file can reset the password in the same way, so restrict access to it.

11.1.13 What do I do if I lost my license key?

If you have lost your license key please contact the licensed retailer that you purchased
your PacketiX VPN license from. Most importantly, try not to lose your license key under
any circumstances.

11.1.14 RADIUS authentication is not functioning properly. What should I check?

If you are unable to use RADIUS authentication, refer to section 「3.5.3 External
Authentication Server Settings」 and confirm the following:

Make sure that your RADIUS server has your VPN Server's IP address (as seen from
the RADIUS server) registered as a RADIUS client and the shared secret is set
correctly.

Check that the RADIUS server accepts the Password Authentication Protocol (PAP), which is what VPN Server uses to pass the user's credentials to it.

Look in the RADIUS server's log file to see if an authentication attempt from the
network device "PacketiX VPN Server 2.0" was recorded. If there is no such log entry,
the connection to the RADIUS server is failing. If there is a log entry use the details in
the log to troubleshoot the problem.

Try connecting to the RADIUS server from another RADIUS client to check if it is
functioning properly. If other RADIUS clients can not be authenticated through the
RADIUS server either, the problem is likely something on the RADIUS server.
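The first check above (the shared secret) and the third (the server log) fail in different ways, and the difference is easier to see with the wire format in hand. The following is an added example, not code from the PacketiX manual or from SoftEther: it builds the Access-Request a RADIUS client sends for a PAP login, hides the password the way RFC 2865 section 5.2 requires, and shows what the RADIUS server recovers with the right and the wrong shared secret. The NAS-Identifier string is an assumption; the manual only says the server's log names the device "PacketiX VPN Server 2.0".

```python
# Added example (not from the PacketiX manual or SoftEther): RADIUS PAP
# Access-Request construction and the RFC 2865 User-Password hiding scheme.
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
ASSUMED_NAS_ID = b"PacketiX VPN Server 2.0"  # assumption, see lead-in


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide. With the wrong secret the result is garbage,
    which the RADIUS server then rejects."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # strip the zero padding


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, authenticator: bytes = b"") -> bytes:
    """Client side: the Access-Request a NAS sends for a PAP login."""
    authenticator = authenticator or os.urandom(16)  # must be fresh per request
    attrs = (radius_attr(ATTR_USER_NAME, username)
             + radius_attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
             + radius_attr(ATTR_NAS_IDENTIFIER, ASSUMED_NAS_ID))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes):
    """Server side: recover (User-Name, password) using the secret registered
    for the client's IP address. A mismatched secret yields a garbage password."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs[ATTR_USER_NAME], pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator)
```

If the RADIUS server log shows no attempt at all, the packet never arrived (firewall, wrong server address or port). If it shows the attempt but rejects it, the secret registered for VPN Server's IP address is the first thing to compare, because a wrong secret turns a valid password into garbage exactly as `parse_access_request` shows.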

11.1.15 NT Domain or Active Directory authentication is not functioning properly. What should I check?

If NT Domain or Active Directory authentication is not functioning properly, check the
following:

Confirm that the OS running VPN Server is Windows NT 4.0, Windows 2000, Windows
XP, Windows Server 2003, or Windows Vista (excluding Windows XP Home Edition or
Windows Vista Home Basic/Home Premium) and that it belongs to the Windows
domain you want to use for Active Directory authentication.

Check to see if the VPN Server process is running in service mode.

If you have performed all of the above actions and NT Domain or Active Directory
authentication still is not functioning properly, try performing a clean install of the
operating system on the computer you want to run VPN Server. Join the domain again
and see if you still get the same error as before.

11.1.16 Setting the listener port to port 443 always gives an error.

If you use VPN Server Manager or vpncmd to check the status of VPN Server or VPN
Bridge after you have started the service and port 443 as the listener port is always
showing an error, check the following:

Check to see if there is another resident process (such as a webserver using HTTPS
like Apache or IIS) currently active. If another process is already using port 443 you
will have to configure that program to use a different port or configure VPN Server to
use a port other than port 443.

If you are using the Linux or UNIX version of VPN Server or VPN Bridge, check whether
it is running as a non-root user. These operating systems do not allow users other than
root to bind any port lower than 1024.

11.1.17 I added a local bridge but it is always offline or showing an error.

If you have defined a local bridge connection but it is always offline or showing an error,
check sections 「3.6.10 Points to Note when Local Bridging in Windows」 , 「3.6.11
Points to Note when Local Bridging in Linux」 , and the following:

Check if the Virtual HUB instance you have defined as a local bridge connection exists
in the VPN Server. If it does not exist, the status will stay as offline until it does.

Confirm that the device name of the physical network adapter you have designated
for the local bridge to connect to is correct. The local bridge status will stay offline if
the device name does not exist or if it has been disabled by the operating system.
You may have made a typo in the device name, especially when using a program like
vpncmd to add local bridge connections from the command line.

Also confirm that the physical network adapter you have designated for the local
bridge to connect to is being recognized by the operating system and functioning
properly.

11.1.18 The local bridge to my wireless network adapter is not functioning properly.

If you have defined a local bridge connection between a Virtual HUB and a wireless
network adapter but the local bridge is not functioning properly, refer to section 「3.6.6
Use of network adapters not supporting Promiscuous Mode 」 .

11.1.19 I created a Virtual Layer 3 Switch but it is always offline or showing an error.

If you have created a Virtual Layer 3 Switch, defined a Virtual Interface to a Virtual HUB,
and started it up but it remains offline or shows an error, refer to section 「3.8.6
Starting and Stopping Virtual Layer 3 Switches」 .

11.1.20 I have set up a cluster but I can not communicate between Virtual HUBs on the cluster.

If you have set up a cluster but can not communicate between Virtual HUBs you have
made on the cluster, refer to section 「3.9.7 Static Virtual HUBs」 . Also verify that you
have correctly set up and configured the cluster as described in section 「10.8 Setting
Up a Large Scale Remote Access VPN Service」 .

If you have set up a cluster and only want to allow communication within each individual
Virtual HUB (such as for a Virtual HUB hosting service VPN Server as described in section
「10.9 Setting Up a Large Scale Virtual HUB Hosting Service」 ), make sure that you
have made your Virtual HUBs dynamic, not static.

11.1.21 I am not performing any communication over the VPN, but packets are being sent to the Internet periodically.

Even if you have not established a VPN connection the VPN Client sometimes sends
some packets through the physical network interface. These packets are described in
section 「4.9.2 Internet Connection Maintenance Function」 . (You can modify some
settings to stop VPN Client from sending these packets.)

If you have established a VPN connection and a VPN session, but are not performing any
communication over the VPN, any communication you may see between VPN Client and
the VPN Server is most likely the following type(s) of packets:

Packets for ARP polling by the Virtual HUB as explained in section 「3.4.8 Confirming
the Existence of IP Addresses with Poll Packets」 .
(By setting the [NoArpPolling] option in the configuration file to 'true' you can stop
ARP polling from occurring.)

Packets sent by the PacketiX VPN protocol to confirm the existence of each TCP/IP
connection, or KeepAlive packets sent to prevent the TCP/IP connection from timing
out. The interval that KeepAlive packets are sent by the TCP/IP connections that
make up the PacketiX VPN protocol is approximately half of the timeout interval
defined in that VPN session's security policy.


11.1.22 After I have created a Virtual Network Adapter I get the message, [No network cable is connected.].

If you create a Virtual Network Adapter with VPN Client, its status will stay as [No
network cable is connected.] until it is connected to a VPN Server. This is the same as
a physical network adapter with no Ethernet cable connected between it and a switching
HUB. Please refer to section 「Chapter 4 PacketiX VPN Client 2.0 Manual」 for more
information on this topic.

11.1.23 I forgot my password for VPN Client.

If you have forgotten the administrator password for your VPN Client, delete the
following lines from the VPN Client configuration file vpn_client.config with a text editor:

declare root
{
bool DontSavePassword false
byte EncryptedPassword ******* (hashed password data)
bool PasswordRemoteOnly false
uint UseSecureDeviceId 1

As written above, by deleting the [EncryptedPassword] field you can reset the VPN
Client password to an empty password. Remember to stop the VPN Client service before
overwriting the vpn_client.config file.

11.1.24 My Windows 98 Second Edition or Windows Millennium Edition system becomes unstable when I use a Virtual Network Adapter.

There are many problems with Windows 98 Second Edition and Windows Millennium
Edition as they are legacy operating systems. These operating systems differ from
Windows NT/2000 or later operating systems in that they are fundamentally extensions
of MS-DOS and consist internally of many 16-bit processes.

The kernel in these operating systems is old and unstable. Therefore, while it is possible
to install PacketiX VPN Client 2.0 and create a Virtual Network Adapter under these
systems, we do not recommend prolonged use. If you maintain a VPN connection on
these systems for a long period of time, there is a chance the system will become
unstable, lose the ability to communicate over the network, and eventually stop with a
blue screen error. SoftEther does not support VPN Client when it is run on the
Windows 9x kernel.

11.1.25 I uninstalled VPN Client but my Virtual Network Adapter is still there.

Any user modified files, Virtual Network Adapters, and configuration data created after
VPN Client is installed are not automatically deleted and thus remain on the system even
after VPN Client is uninstalled. If you want to delete the configuration file
(vpn_client.config) or Virtual Network Adapters registered to your system, delete them
manually when you are sure that you do not need them anymore. Please refer to section
「8.3.2 Virtual Network Adapter」 for information on how to delete a Virtual Network
Adapter.

11.1.26 I am having trouble when using a smart card.

If you are having problems when using a smart card or hardware security device with
PacketiX VPN, check the following:

Check to see if the smart card or hardware security device you are using has been
confirmed for use by SoftEther by referring to section 「12.2.6 List of Supported
Smart Cards and Hardware Security Devices」 .

Make sure that the device driver(s) for your smart card reader, etc. and PKCS #11
drivers necessary to access the smart card are installed properly. After you have
installed new drivers for your smart card you must restart your computer in order to
use that device with PacketiX VPN.

Confirm that the correct smart card type is selected. Please refer to section 「4.6
Using and Managing Smart Cards」 for more information.

Some smart card drivers will not function properly if there are multiple smart card
readers on your system. Make sure you read the manual for your smart card to
determine if these limitations exist.

Some smart card drivers require you to use a separate utility to format the smart
card before it can be used. Refer to your smart card's manual for instructions on how
to do this.

11.1.27 I am unable to create a Virtual Network Adapter with VPN Client under Linux.

If you are using VPN Client under Linux and are unable to create a Virtual Network
Adapter, check the following:

Confirm that the Universal TUN/TAP device is supported in your kernel, and that it
can be accessed as the file /dev/net/tun.

Confirm that you are running the vpnclient process with root access.

11.1.28 My VPN connection is disconnected when I designate the Virtual Network Adapter as the default gateway in VPN Client under Linux.

The Linux VPN Client does not automatically adjust the routing table. If you connect to a
VPN Server on a remote computer with VPN Client on Linux and then make the router on
the network reached through the Virtual Network Adapter (tap device) your default
gateway, the TCP/IP traffic that carries the VPN connection itself also tries to go through
that new default gateway, and the VPN session is cut off. To avoid this, use the route
command to add a static route to the VPN Server's IP address via your physical gateway
before changing the default gateway. Only use the Linux VPN Client if you are
comfortable with this kind of TCP/IP routing work.


11.1.29 I forgot my VPN Bridge's administrator password.

You can reset the administrator password for VPN Bridge by using the same method
used for VPN Server. Refer to section 「11.1.12 I forgot my VPN Server's administrator
password.」 , reading vpn_bridge.config wherever that section refers to the VPN Server
configuration file (vpn_server.config).
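Sections 11.1.12, 11.1.23 and 11.1.29 all come down to the same edit: remove one `byte` line from one `declare` block of a configuration file. Doing it by hand with a text editor works, but it is easy to delete the wrong line, because a Virtual HUB's own administrator password lives under a field of the same name in another block. The following is an added example, not code from the PacketiX manual or from SoftEther. It keeps a dated backup, removes only the field directly inside the named block, and reports how many lines it removed. The block and field names are the ones the manual's excerpts show; the sample configuration text is constructed for demonstration and its hash values are made up.

```python
# Added example (not from the PacketiX manual or SoftEther): reset the stored
# administrator password of vpn_server.config / vpn_bridge.config /
# vpn_client.config by removing the password field from its declare block.
import re
import shutil
import time
from pathlib import Path

# file name -> (declare block that holds the field, field name), per the manual
PASSWORD_FIELDS = {
    "vpn_server.config": ("ServerConfiguration", "HashedPassword"),
    "vpn_bridge.config": ("ServerConfiguration", "HashedPassword"),
    "vpn_client.config": ("root", "EncryptedPassword"),
}

# Constructed sample in the manual's layout; the nested Virtual HUB block with
# its own HashedPassword is there to show that it must be left alone.
SAMPLE_SERVER_CONFIG = """declare root
{
\tdeclare ServerConfiguration
\t{
\t\tuint64 AutoDeleteCheckDiskFreeSpaceMin 104857600
\t\tuint AutoSaveConfigSpan 30
\t\tstring CipherName RC4-MD5
\t\tbool DisableDosProction false
\t\tbyte HashedPassword AAAAAAAAAAAAAAAAAAAAAAAAAAA=
\t}
\tdeclare VirtualHUB
\t{
\t\tdeclare DEFAULT
\t\t{
\t\t\tbyte HashedPassword BBBBBBBBBBBBBBBBBBBBBBBBBBB=
\t\t}
\t}
}
"""

SAMPLE_CLIENT_CONFIG = """declare root
{
\tbool DontSavePassword false
\tbyte EncryptedPassword CCCCCCCCCCCCCCCCCCCCCCCCCCC=
\tbool PasswordRemoteOnly false
\tuint UseSecureDeviceId 1
}
"""


def strip_password_field(text: str, block: str, field: str):
    """Remove every 'byte <field> ...' line that sits directly inside
    'declare <block> { ... }'. Brace depth is tracked so a same-named field
    in a nested or sibling block is untouched. Returns (new_text, removed)."""
    pattern = re.compile(rf"byte {re.escape(field)}(\s.*)?")
    out, removed, depth = [], 0, 0
    block_depth = None  # brace depth of the target block's contents, once entered
    for line in text.splitlines(keepends=True):
        s = line.strip()
        if block_depth is None and s == f"declare {block}":
            block_depth = depth + 1
        elif block_depth is not None and depth == block_depth and pattern.fullmatch(s):
            removed += 1
            continue  # drop the password line
        depth += s.count("{") - s.count("}")
        if block_depth is not None and depth < block_depth and s == "}":
            block_depth = None  # left the target block
        out.append(line)
    return "".join(out), removed


def reset_admin_password(config_path: Path) -> int:
    """Back up the file, remove its password field, return lines removed.
    Stop the VPN Server / VPN Bridge / VPN Client service first: the running
    service saves its in-memory configuration back to the file periodically
    (AutoSaveConfigSpan) and would restore the field."""
    block, field = PASSWORD_FIELDS[config_path.name]
    backup = config_path.with_name(
        f"{config_path.name}.{time.strftime('%Y%m%d-%H%M%S')}.bak")
    shutil.copy2(config_path, backup)
    new_text, removed = strip_password_field(
        config_path.read_text(encoding="utf-8"), block, field)
    if removed:
        config_path.write_text(new_text, encoding="utf-8")
    return removed
```

After the service is restarted the administrator password is empty, so set a new one immediately. The same edit is available to anyone with write access to the configuration file, which is a good reason to keep that file readable and writable only by the account the service runs under.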

11.1.30 I have connected LANs together with bridge connections using VPN Server and VPN Bridge, but I still can not communicate between computers on the LANs. What should I check?

If you have used the methods described in section 「10.5 Setting Up a LAN-to-LAN VPN
(Using Bridge Connections)」 to connect multiple network segments together with a
layer 2 connection by using VPN Server and VPN Bridge, but can still not communicate
between the computers on these networks, use the following method to determine if the
networks are properly connected at a layer 2 level.

1. If you are dealing with two LANs you can try this test. Set up one computer on
LAN A with an unused IP address (for example, 192.168.222.1) and a computer on
LAN B with an unused IP address on the same IP network as the computer you set
up on LAN A (such as 192.168.222.2). Now try the ping command on both
computers to see if they can ping each other. If they succeeded in communicating
with each other, both networks are properly connected at a layer 2 level and the
problem lies in the configuration of the rest of the computers. Remember that both
LANs are logically functioning as a single Ethernet segment, so check settings such
as TCP/IP, etc. very carefully.
2. If the computers failed to communicate with each other by using the method
above, you have probably made a mistake somewhere in the process of setting up
your LAN-to-LAN VPN. In this situation, refer to sections 「10.5 Setting Up a LAN-
to-LAN VPN (Using Bridge Connections)」 , 「Chapter 3 PacketiX VPN Server 2.0
Manual」 , or 「Chapter 5 PacketiX VPN Bridge 2.0 Manual」 and confirm your
VPN configuration.
3. If each LAN has a different IP network structure and you want to allow
communication between the computers on each LAN, refer to the method
described in section 「10.6 Setting Up a LAN-to-LAN VPN (Using IP Routing)」 .

11.1.31 I am getting a warning message in syslog stating that ARP packets are being received from the IP address "0.0.0.0" when using local bridging under FreeBSD.

This is caused by polling packets sent from a Virtual HUB to confirm the existence of an
IP address.

Some operating systems (such as FreeBSD) will not respond to an ARP request whose
sender IP address is 0.0.0.0 and instead log a warning (for example in syslog) that an
invalid ARP request from 0.0.0.0 was received.

Normally you can just ignore this message with no problems, but if there are many
FreeBSD machines on the same segment this could cause problems for the administrator
of those machines. In this situation you can stop these polling packets from being sent.
For instructions on how to stop a Virtual HUB from sending polling packets to confirm the
existence of an IP address, please refer to section 「3.4.8 Confirming the Existence of IP
Addresses with Poll Packets」 .
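Before turning polling off, it helps to confirm that the frames FreeBSD is complaining about really come from the Virtual HUB and not from something else on the segment. The following is an added example, not code from the PacketiX manual or from SoftEther, that serves this section and 11.1.21: it parses raw Ethernet/ARP frames as a packet capture on the bridged adapter would deliver them, flags ARP requests whose sender IP address is 0.0.0.0, and counts them per sender MAC address so the MAC can be compared with the VPN Server's bridge adapter. It also accepts 802.1Q-tagged frames, which the manual does not discuss. The sample frames and MAC addresses below are constructed.

```python
# Added example (not from the PacketiX manual or SoftEther): find ARP requests
# with sender IP 0.0.0.0 in raw frames and attribute them to a sender MAC.
import struct
from collections import Counter

ETH_TYPE_ARP = 0x0806
ETH_TYPE_VLAN = 0x8100
ARP_REQUEST = 1


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes):
    """Return a dict for an Ethernet/IPv4 ARP frame, None if the frame is not
    Ethernet/IPv4 ARP, and raise ValueError if it is truncated."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETH_TYPE_VLAN:  # strip one 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_TYPE_ARP:
        return None
    if len(frame) < offset + 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[offset + 8:offset + 28])
    return {"vlan": vlan, "op": op, "eth_src": mac_str(src), "eth_dst": mac_str(dst),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def is_zero_sender_request(arp) -> bool:
    """The pattern FreeBSD warns about: an ARP request with sender IP 0.0.0.0.
    DHCP clients probing for address conflicts (RFC 5227) send the same thing,
    so the sender MAC, not the 0.0.0.0 address alone, identifies the Virtual HUB."""
    return arp is not None and arp["op"] == ARP_REQUEST and arp["sender_ip"] == "0.0.0.0"


def build_arp_request(src_mac: bytes, sender_ip: bytes, target_ip: bytes, vlan=None) -> bytes:
    """Construct a broadcast ARP request frame (used here to build sample input)."""
    eth = b"\xff" * 6 + src_mac
    if vlan is None:
        eth += struct.pack("!H", ETH_TYPE_ARP)
    else:
        eth += struct.pack("!HHH", ETH_TYPE_VLAN, vlan & 0x0FFF, ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


def count_zero_sender_probes(frames):
    """Map sender MAC -> number of 0.0.0.0 ARP requests seen from it."""
    counts = Counter()
    for frame in frames:
        arp = parse_arp_frame(frame)
        if is_zero_sender_request(arp):
            counts[arp["sender_mac"]] += 1
    return counts


# Constructed sample capture: three polls from a made-up bridge MAC (one of
# them VLAN-tagged) and one ordinary request from a host on the segment.
HUB_MAC = bytes.fromhex("5e1234000001")
HOST_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_arp_request(HUB_MAC, bytes([0, 0, 0, 0]), bytes([192, 168, 0, 10])),
    build_arp_request(HOST_MAC, bytes([192, 168, 0, 5]), bytes([192, 168, 0, 1])),
    build_arp_request(HUB_MAC, bytes([0, 0, 0, 0]), bytes([192, 168, 0, 11])),
    build_arp_request(HUB_MAC, bytes([0, 0, 0, 0]), bytes([10, 0, 0, 7]), vlan=10),
]
```

If the MAC address that dominates the count is the bridge adapter of the VPN Server host, the syslog warnings are the Virtual HUB's poll packets and the fix is the one in section 3.4.8; if it is some other station, the warnings have a different cause and turning polling off will not make them stop.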


11.2 Useful Information

This section will provide you with some useful tips and information when using the
PacketiX VPN 2.0 software.

SoftEther's web site ( http://www.softether.com/ ) may contain more up to date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.2.1 Installing VPN Server With a Variable Global IP Address

If the computer you want to install VPN Server on has a variable global IP address (one
that changes each time you connect to your ISP) you can use a dynamic DNS service
(DDNS service) to assign a hostname that will always point to the global IP address of
that computer. There are a number of free DDNS services available for free on the
Internet.

If you plan to install VPN Server on a corporate network, we strongly recommend that
you use a static global IP address if at all possible.

11.2.2 Making a VPN Connection to a LAN Consisting of Only Private IP Addresses

If you are installing VPN Server to a LAN that only has private IP addresses, you will
have to configure the NAT, proxy server, or firewall that converts the private IP address
into a global IP address to perform port mapping or static NAT to the VPN Server.

Also, if your VPN Server is on the Internet you can set up a VPN Bridge that stays
connected via a cascade connection to the VPN Server. This will allow remote access VPN
clients to access the layer 2 network within the LAN by going through the VPN Server on
the Internet. This method makes it possible to connect to a LAN that only has private IP
addresses from a remote location. For this configuration a VPN Bridge will be connected
to the LAN you want to connect to remotely via a local bridge connection, as well as to
the VPN Server on the Internet via a cascade connection.

Furthermore, if your LAN only has private IP addresses and you cannot install VPN
Bridge because that requires system administrator rights, you can still set up a remote
access VPN by using SecureNAT. (See section 「10.11 Using SecureNAT to Set Up a
Remote Access VPN With No Administrator Rights」 for details.) In this case you are
dealing with a LAN that has many limitations imposed on it, but by using SecureNAT you
should be able to enable remote access to the LAN without administrator rights.
However, you will still need to obtain permission from the network's administrator
beforehand.

11.2.4 Using an IPv6 over IPv4 Tunnel

You can create an IPv6 over IPv4 tunnel easily with PacketiX VPN. An IPv6 over IPv4
tunnel encapsulates IPv6 packets into IPv4 packets, allowing IPv6 packets to be sent
between LANs when traffic must pass through areas that only allow IPv4 packets to pass
through.

Many older IPv6 over IPv4 tunneling technologies could not pass through NATs or
firewalls. However, PacketiX VPN encapsulates all network traffic at the layer 2
(Ethernet) level. This allows even IPv6 packets to be processed as VPN traffic.

Therefore, you can use PacketiX VPN to provide IPv6 over IPv4 tunneling solutions for
nearly every type of network environment.

11.2.5 About Wake On LAN (WOL)

If you use PacketiX VPN to set up your remote access VPN or LAN-to-LAN VPN, you can
start a computer on the network remotely by sending a Wake On LAN (WOL) packet to
that computer's physical network adapter.

11.2.6 Installing VPN Server 2.0 Behind a NAT Enabled Router

If you are installing VPN Server behind a consumer or small business targeted generic
broadband router or a router with a built-in firewall that contains NAT functionality, you
will have to configure it properly for VPN Server to work. You can enable static NAT or
port mapping on the router so that traffic from the Internet will be forwarded to a port
on the VPN Server, allowing it to be accessed from the Internet. Please refer to your
broadband router's instruction manual for more information on how to achieve this.

11.2.7 Using an IDS to View Packets Going In/Out of a Virtual HUB

You can use the following two methods to view all of the Virtual Ethernet frames going
through a Virtual HUB with an IDS or virus scanning system in order to search for
unauthorized access attempts or viruses.

1. Connect to the Virtual HUB from VPN Client in monitoring mode. This will enable
the VPN Client's Virtual Network Adapter to capture all packets going through the
Virtual HUB. Now you can use snort or some other IDS software on the Virtual
Network Adapter to view the packets going through the Virtual HUB. For more
information please refer to 「1.6.10 Monitoring Mode Session」 and 「4.4.17
Selecting the Connection Mode」 . However, this method only allows for the use of
a software based IDS.
2. By using the method described in section 「3.6.8 Outputting all Communication
Data in the Virtual HUB to the Network Adapter」 , you can output all of the packets
going through the Virtual HUB from the LAN port of the physical network adapter
connected to the computer running VPN Server. This method allows you to use a
hardware based IDS to view all of the packets going through a Virtual HUB.

While it is possible to monitor all frames, if there is so much traffic that the Virtual HUB's
buffer is nearly full then the network adapter you output to may lose some of the data
due to the limitations of that network adapter.

11.2.8 Recreating a Switch's Port VLAN Functionality

VPN Server can achieve the same functionality as the VLAN functionality (which groups
multiple ports by a VLAN number, and communicates through these VLAN numbers only)
found on commercial layer 2 switching HUBs or layer 3 switches. By creating Virtual
HUBs for each section of a segment you want to separate, traffic will be separated
between these Virtual HUBs. By using this method you can recreate the same
functionality provided by a switch's port VLAN functionality. You can also maintain the
MAC address table database and other administrative settings for each Virtual HUB in
this way.

11.2.9 Accepting Connections from SoftEther 1.0 Virtual Network Adapter Software

Having PacketiX VPN Server 2.0 Virtual HUB accept connections from SoftEther 1.0's
Virtual Network Adapter software is a simple procedure provided you have both
SoftEther 1.0 and PacketiX VPN 2.0. Your operating system will also need to be Windows
XP, Windows Server 2003, Windows Vista, or later.

Install SoftEther 1.0's Virtual HUB and Virtual Network Adapter along with PacketiX VPN
Client to the computer you installed PacketiX VPN Server 2.0 on. Next, make a
permanent connection from the SoftEther 1.0 Virtual Network Adapter to the SoftEther
1.0 Virtual HUB and from PacketiX VPN Client 2.0's Virtual Network Adapter to PacketiX
VPN Server 2.0's Virtual HUB. Now connect to the two Virtual Network Adapters with a
Windows bridge connection. You will also need to set the connection mode for PacketiX
VPN Client 2.0 to bridge/routing mode.

In this state, when the SoftEther 1.0 Virtual Network Adapter is connected to the
SoftEther 1.0 Virtual HUB, Virtual Ethernet frames going through that VPN connection
will automatically be sent to the PacketiX VPN Server 2.0 Virtual HUB as well, allowing
both versions of the software to operate together seamlessly.

Please note that SoftEther 1.0's Virtual HUB service and PacketiX VPN Server 2.0 both
use port 443 by default, so you will need to configure them so that they do not cause a
conflict with each other.


11.2.10 Performing Administration Via TELNET as Supported in SoftEther 1.0

With SoftEther 1.0, you could perform Virtual HUB administration over TELNET. You can
administer PacketiX VPN Server 2.0 over TELNET or SSH as well, but this requires a
separate TELNET or SSH server. (Operating systems such as UNIX or Windows 2000 and
higher usually come with a TELNET or SSH server already.) From your administrative
console, connect to the server you want to administer, then run vpncmd in that console
session to perform the administrative tasks. Because TELNET carries your login and the
whole session in plain text, prefer SSH wherever it is available. Please see section
「Chapter 6 Command Line Management Utility Manual」 for more information on how
to use vpncmd.

11.2.11 Increasing Cluster Controller Redundancy

As described in section 「3.9 Clustering」 , VPN Server's clustering capabilities will
automatically introduce fault-tolerance between the cluster member servers. However,
the standard capabilities of VPN Server do not implement any fault-tolerance for the
cluster controller itself. Therefore, if the cluster controller has a power failure, hardware
failure (such as a memory error), or some other failure, the cluster controller's job can
not automatically be transferred to another computer. We strongly recommend that you
use Registered ECC memory, RAID, UPS, and other such features to increase the
stability of your cluster controller server if you are setting up a large scale cluster.

You can implement the following ideas in a shell script or other program, or seek a
commercial solution to increase redundancy for your cluster controller.

1. Set aside two machines for your cluster controller computer: one as your main
machine, and one as a backup.
2. Ensure that both computers have the same operating system, hardware
configuration (network adapter, etc.), and VPN server type installed.
3. While your main server is running, periodically back up the contents of the VPN
Server configuration file (vpn_server.config) to a backup device.
4. If your main server fails due to a power failure, hardware failure (such as a
memory error), or some other failure, you can detect this and begin operation of
your backup server. Set the backup server's global IP address to that of your main
server and use the latest backup of your VPN Server configuration file to start the
VPN Server service. You will need to be careful here to avoid conflicting with the
main server's IP address. With this method you can set up a temporary cluster
controller as a backup with the same configuration data as your main cluster
controller that can take over in the case of a hardware failure.
5. When you have finished repairing your main server you can copy the latest
configuration file back to it and put it back into operation as your main cluster
controller.
6. Implement the ideas written above in a shell script or other program, or use a
commercial solution to increase redundancy and test your system thoroughly.
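The backup and takeover steps above, as an added example script that is not part of PacketiX VPN: it keeps hash-verified copies of vpn_server.config, refuses to declare a takeover while the main controller's listener (assumed to be TCP port 443, the default) still answers, and leaves the actual address change to the operator. The backup directory, port and host names are assumptions.

```python
"""Backup and takeover helper for the cluster controller procedure in 11.2.11.

Added example, not part of PacketiX VPN.  Assumptions: the configuration file
is the vpn_server.config named in the manual, backups go to a directory you
choose, and the main controller's listener is reachable on TCP port 443 (the
default).  The script never changes an IP address itself; it only reports
whether the standby may safely take over, so the address conflict the manual
warns about is left to an explicit operator step.
"""
import hashlib
import shutil
import socket
import sys
import time
from pathlib import Path
from typing import Optional, Tuple

CONFIG_NAME = "vpn_server.config"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, used to verify every copy."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def latest_backup(backup_dir: Path) -> Optional[Path]:
    """Newest backup by name; names carry a fixed-width nanosecond timestamp."""
    found = sorted(backup_dir.glob(f"{CONFIG_NAME}.*")) if backup_dir.is_dir() else []
    return found[-1] if found else None


def backup_config(config: Path, backup_dir: Path, keep: int = 10) -> Optional[Path]:
    """Step 3: copy the running configuration file to backup_dir.

    Returns the new copy, or None when the newest backup already holds the
    same content.  The copy is hash-verified before older copies (beyond
    `keep`) are pruned, so a failed write never displaces a good backup.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(config)
    newest = latest_backup(backup_dir)
    if newest is not None and sha256_of(newest) == digest:
        return None
    stamp = time.time_ns()
    target = backup_dir / f"{CONFIG_NAME}.{stamp}"
    while target.exists():  # guard against two calls in the same clock tick
        stamp += 1
        target = backup_dir / f"{CONFIG_NAME}.{stamp}"
    shutil.copy2(config, target)
    if sha256_of(target) != digest:
        target.unlink()
        raise IOError(f"backup copy {target} does not match {config}")
    for old in sorted(backup_dir.glob(f"{CONFIG_NAME}.*"), reverse=True)[keep:]:
        old.unlink()
    return target


def main_is_alive(host: str, port: int = 443, attempts: int = 3,
                  timeout: float = 2.0) -> bool:
    """Step 4, detection: does the main controller's listener still accept TCP?

    Several attempts are made so that one lost packet does not trigger a
    takeover; any OSError (refused, timeout, unreachable) counts as a miss.
    """
    for attempt in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            if attempt + 1 < attempts:
                time.sleep(timeout)
    return False


def takeover_decision(main_host: str, backup_dir: Path, port: int = 443,
                      attempts: int = 3, timeout: float = 2.0) -> Tuple[bool, str]:
    """Step 4, decision: may the standby assume the main controller's role?

    Refuses while the main still answers (assigning its address now would
    create the IP conflict the manual warns about) and when no verified
    backup exists to start the standby from.
    """
    if main_is_alive(main_host, port, attempts, timeout):
        return False, "main controller still answers; taking its IP now would conflict"
    cfg = latest_backup(backup_dir)
    if cfg is None:
        return False, "no configuration backup available; cannot start standby"
    return True, (f"main controller down: start VPN Server on the standby from "
                  f"{cfg.name} and assign {main_host}")


if __name__ == "__main__":
    # On the main controller: <script> backup <vpn_server.config> <backup dir>
    # On the standby:         <script> check <backup dir> <main host>
    if sys.argv[1] == "backup":
        copied = backup_config(Path(sys.argv[2]), Path(sys.argv[3]))
        print("backup:", copied.name if copied else "unchanged")
    else:
        print(takeover_decision(sys.argv[3], Path(sys.argv[2])))
```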

11.2.18 Connecting to Multiple VPN Servers or Virtual HUBs at Once

You can create multiple Virtual Network Adapters and connection configurations with
VPN Client and designate each connection configuration to use a separate Virtual
Network Adapter. This allows a single VPN client computer to easily connect to multiple
VPN Servers or Virtual HUBs at the same time. This is the same concept as if you
installed multiple physical network adapters to your computer and connected each one
to a different LAN. Please refer to section 「Chapter 4 PacketiX VPN Client 2.0 Manual」
for more information.

11.2.19 Using SecureNAT to Provide Remote Access to an Otherwise Inaccessible Network

By using SecureNAT you can easily provide remote access to a network which normally
cannot be connected to from the Internet. You can even do so without having
administrator rights on the computers on that network. However, you will still need
permission from that network's administrator beforehand. Please refer to section
「10.11 Using SecureNAT to Set Up a Remote Access VPN With No Administrator
Rights」 for more information.

11.3 General Supplementary Information

This section will give you some general supplementary information we think you should
know when using the PacketiX VPN software.

Also, SoftEther's web site ( http://www.softether.com/ ) may contain more up-to-date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.3.1 Using This Software Together With Anti-Virus Software or a Personal Firewall

You need to be aware of the following things when using PacketiX VPN alongside third
party anti-virus software or a personal firewall.

Many personal firewalls will block any incoming TCP/IP connections to the computer
once it is installed. In this state you will not be able to install VPN Server. When you
install VPN Server make sure you configure your personal firewall to allow access to
the listener port used by VPN Server.

In some cases you will be unable to make a TCP/IP connection to localhost (your own
computer) after installing some personal firewalls. Therefore, you may be unable to
make a connection to VPN Client with VPN Client Manager. If this is the case, try
disabling your personal firewall.

If you ever feel that PacketiX VPN is not operating properly, try temporarily disabling
any third party anti-virus software or personal firewall or uninstalling them
completely to see if that fixes the problem. If that does solve your problem, your
third party anti-virus software or personal firewall is not compatible with PacketiX
VPN.

If this is the case, you may have to disable the third party software or uninstall it
completely in order to use PacketiX VPN.

11.3.2 About the 1/1000th of a Second Delay Encountered When Communicating Over a VPN

When using PacketiX VPN to perform VPN communication, you may experience a
1/1000th of a second delay when compared to communicating directly over a physical
line. This delay is due to the time it takes to encrypt and encapsulate data (Virtual
Ethernet frame) sent over the VPN, and is processing time that is absolutely necessary
for the VPN system. However, it will not cause any problems during standard use.

11.3.3 NTLM Authentication Support for Connections Via Proxy Server

At this time PacketiX VPN does not support NTLM authentication when routing through an
HTTP proxy server. Therefore, if your setup requires NTLM authentication on an old
version of Microsoft Proxy Server, you will need to change that setting so that the proxy
server can be accessed with basic authentication or no authentication at all.

11.3.4 How Far Away Can You Establish a VPN Session Connection From?

PacketiX VPN encapsulates Ethernet frames whenever it communicates over a VPN.
Normal Ethernet standards do state a maximum distance for a single Ethernet segment
due to the electrical characteristics of the physical line. However, as PacketiX VPN
encapsulates all Ethernet frames and sends them over existing IP networks, there is
technically no limit on the distance between LANs over which you can establish a VPN
connection, as long as both sides have access to the Internet. Be aware, though, that if
you plan on sending data to the other side of the earth there will be a delay of
approximately 140 milliseconds or more due to the physical limitation of the speed of
light when making this type of extremely distant connection.

11.3.5 I measured the throughput of traffic through my VPN with my usual
measurement utilities, and they are showing very low transfer speeds. What's wrong?

If you are receiving low speed results from your current speed measurement software or
throughput measurement service, try the Communication Throughput Measurement Tool
that comes with PacketiX VPN or vpncmd's TrafficClient/TrafficServer functions to try
and obtain the correct throughput of your VPN. Please refer to section 「4.8 Measuring
Effective Throughput」 for more information. Be aware that older throughput
measurement software can especially give varying results based on the type of line it is
testing.

11.3.6 The Difference Between VPN Bridge's SecureNAT and VPN Server's SecureNAT

The SecureNAT program in PacketiX VPN Bridge and the SecureNAT program in PacketiX
VPN Server are exactly the same. They have the same capabilities and are logically no
different at all.

11.3.7 Can a single user open multiple VPN sessions?

A single user account can open multiple VPN sessions at the same time.

11.3.8 According to the Windows end user license agreement, is it OK to use a client
based operating system such as Windows XP as a VPN server?

If you are planning to use Windows XP, Windows Vista, Windows 2000 Professional, or
other such operating system designed for clients to run PacketiX VPN Server as a VPN
server machine, the issue of whether or not the Windows EULA allows this is between
the consumer involved and the manufacturer, Microsoft. This issue does not involve
SoftEther in any way. For your reference, please refer to the following passage from the
Windows XP Professional SP1 EULA under "1.3 Device Connections": "You may permit a
maximum of ten (10) computers or other electronic devices (each a "Device") to connect
to the Workstation Computer to utilize one or more of the following services of the
Software: File Services, Print Services, Internet Information Services, Internet
Connection Sharing and telephony services. ... This ten connection maximum does not
apply to other uses of the Software, such as synchronizing data between a Device and
the Workstation Computer, provided only one user uses, accesses, displays or runs the
Software at any one time". This means that if you are using functionality other than that
provided by Windows XP (such as by installing and using PacketiX VPN Server) you may
allow more than 10 computers to connect without violating the terms of the EULA.

11.3.9 Things to Consider When Using Windows 98, 98 SE, or ME as a VPN Server

PacketiX VPN Server will run on any Win 9x system higher than Windows 98. However,
due to the instability of these operating systems we do not recommend them for use as
a VPN server computer. If you want to run a VPN server, we recommend using an
operating system with a newer kernel such as Windows NT/Windows 2000 and higher or
Linux.

11.3.10 I have more connections to my VPN than I have licenses for. What happened?

In some cases PacketiX VPN Server will allow more simultaneous connections than you
have registered simultaneous connection licenses for. This is especially true in a
clustered environment. The number of clients connected to the entire cluster is only
calculated every few seconds. Therefore, when the cluster controller must decide if it will
accept a new connection, it may be using a number (the total number of client
connections and bridge connections) that is a few seconds old and thus allow a
connection it would otherwise deny.

11.3.11 About MAC Addresses Starting With "00:AE"

All Virtual HUBs have a MAC address that begins with "00:AE". This MAC address is used
as the origin of the ARP polling packets sent by Virtual HUBs as described in section
「3.4.8 Confirming the Existence of IP Addresses with Poll Packets」 .

11.3.12 How MAC Addresses Are Assigned to Virtual HUBs

The MAC address assigned to a Virtual HUB is determined by hashing some information
of the computer running VPN Server (such as the computer's hostname or physical IP
address) and attaching "00:AE" to the beginning of that value. Therefore, even if you
restart VPN Server the Virtual HUB's MAC address should stay the same.

11.3.13 Naming Computers Running VPN Server

When you set up a clustered VPN you must choose a different computer name or
hostname for each computer running VPN Server.

11.3.14 Differences Between the Academic Edition and the Standard Production Edition

The Academic Edition of PacketiX VPN Server 2.0 does not differ from the Enterprise
Edition in terms of its ability to provide VPN services, nor does it have any speed or
connection limitations imposed upon it. However, the Academic Edition does differ from
the Enterprise Edition in the following ways:

Under the Academic Edition, client connection licenses and bridge connection licenses
are always counted as unlimited.

11.3.15 VPN Server Computer Specifications and the Number of Possible Simultaneous
Connections

The theoretical maximum number of simultaneous connections that can be handled by
VPN Server is 4,096. However, the problem is not limitations with the software, but
limitations with the hardware (such as CPU speed limitations or memory limitations).
Therefore, we always recommend limiting the number of simultaneous connections to
less than this theoretical maximum. If you expect a large number of simultaneous
connections, you should think about using clustering to handle the load.

SoftEther does not provide an exact number of simultaneous connections possible for
different hardware configurations. However, you can estimate that a computer with a
2.8 GHz Pentium 4 processor and 1 GB of RAM could handle anywhere from 200 to 1000
simultaneous sessions. However, the amount of load on the VPN Server can vary greatly
depending on the type of data and volume of traffic on the VPN, so these numbers are
only an estimation.

11.3.16 Determining When to Use Clustering and Load Balancing

VPN Server's clustering functionality is always capable of adding a new node (cluster
member server) to the cluster without having to shut down the cluster. Therefore, if you
are unsure as to how many VPN Servers to put in place when you are designing your
network, start with just two. If you find that the load on one or both of the servers is too
high, you can simply add another VPN Server to the cluster to lower the load. You can
continue this process until you find out exactly how many VPN Server machines you
need.

11.3.17 When Using a Special PPPoE Connection Tool to Connect to the Internet

If the VPN client computer you installed VPN Client to uses a special PPPoE connection
tool (the most common are those distributed by ISPs, but they are not the only kind) to
connect to the Internet, the routing table controlled by that software and the routing
table controlled by VPN Client may conflict with each other. In this case processes like
the one described in section 「4.4.18 Routing Table Rewrite Process」 may not function
properly. If this applies to you, try using a broadband router that supports PPPoE to
connect to the Internet instead of the PPPoE connection tool.

11.3.18 Things to Consider When Using Your Operating System to Make a Bridged
Connection Between a Virtual Network Adapter and a Physical Network Adapter

As explained in section 「3.6 Local Bridges」, using PacketiX VPN to make a local bridge
connection between a Virtual Network and a physical network is the quickest and easiest
way to set up a VPN. However, you can also use the bridging functionality built into
Windows or Linux to connect a Virtual Network and a physical network together into a
single segment. To do so, you will need to be using an operating system that supports
bridged connections. For Windows, this would be Windows XP Professional or higher,
editions of Windows Vista that support bridged connections, or Windows Server 2003 or
higher. Even if you use this method you should still set aside a new network adapter for
the sole purpose of this bridged connection.

11.3.19 What if the Virtual Network Adapter and the physical network adapter both have
the same network address?

Try to avoid a network configuration where the Virtual Network Adapter on your VPN
Client computer is on the same IP network as the physical network adapter, or on a
partially overlapping one. This is the same mistake as installing two physical network
adapters in a computer, assigning both to the same IP network, and then connecting
each one to a different layer 2 network segment.

11.3.20 How is the Virtual Network Adapter's MAC address generated?

The default MAC address for a Virtual Network Adapter will automatically be determined
when it is created. The user can change a Virtual Network Adapter's MAC address to
anything they want at any time. Please refer to section 「3.4.2 Online & Offline Status」
for more information on how to change the necessary settings to do so.

11.3.21 Are Virtual Network Adapters' MAC addresses unique?

MAC addresses for Virtual Network Adapters begin with "00:AC". The address after this
consists of a random string created by hashing a combination of the time that the
adapter was created and unique parameters obtained from the other computer.
Therefore, the chance that two Virtual Network Adapters on the same layer 2 segment
will hold the same MAC address is without a doubt extremely low.

11.3.22 Things to be aware of when using SSH port forwarding software to connect to a
VPN server

Are you trying to use third party SSH port forwarding software to connect to a remote
VPN Server via an SSH server? Are you trying to connect to localhost via VPN Client and
then forward ports from localhost to the remote VPN Server? If you are attempting these
types of special connections, you should first create a static route, via the physical
network's default gateway, to the remote computer your computer will actually connect
to directly (for SSH port forwarding this is the SSH server). Otherwise, the Virtual
Network Adapter would become the default gateway, and once VPN Client establishes a
connection, the connection to the SSH server would also attempt to pass through the
Virtual Network Adapter. This, of course, will not allow you to communicate with the SSH
server and thus will not allow VPN communication either.

11.3.23 Concerning the priority of default gateways when one exists on both the Virtual
Network Adapter network and on the physical network

When using Windows 2000 or higher and default gateways are set up on both the VPN
Client side and the physical network, the network adapter with the lower interface
metric value will generally have the higher priority. Because only one default gateway
can be active at once, any other routing table entries pointing to 0.0.0.0/0 will
temporarily be deleted. (They are automatically restored when that VPN connection is
disconnected.) The default interface metric for Virtual Network Adapters is 1. This gives
them higher priority than normal network adapters, which usually have interface metrics
of 10, 20, or 30.
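The route selection that 11.3.22 and 11.3.23 describe, as an added model that is not PacketiX VPN code: with the manual's default metrics (Virtual Network Adapter 1, physical adapter 20), it shows the SSH server becoming unreachable through the Virtual Network Adapter until a host route via the physical gateway is added. Interface names and all addresses are constructed.

```python
"""Route selection model for the two cases in 11.3.22 and 11.3.23.

Added example, not PacketiX VPN code.  It models the rule the manual
describes for Windows: the OS keeps only the default gateway with the lowest
interface metric, then chooses a route by longest prefix match, with the
lowest metric breaking ties.  Interface names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

PHYSICAL = "Local Area Connection"      # constructed physical adapter name, metric 20
VIRTUAL = "VPN Client Adapter - VPN"    # constructed Virtual Network Adapter name, metric 1
PHYSICAL_GW = "192.168.0.1"             # constructed physical default gateway
REMOTE_GW = "10.0.0.1"                  # constructed default gateway learnt over the VPN
SSH_SERVER = "203.0.113.10"             # constructed SSH server the tunnel rides on


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str        # next hop address, or "on-link"
    interface: str
    metric: int


def base_table(with_host_route: bool) -> List[Route]:
    """Routing table after VPN Client connects and the remote side hands out a
    default gateway.  The optional /32 entry is the static route the manual
    tells you to create beforehand (11.3.22); on Windows that is
    `route add 203.0.113.10 mask 255.255.255.255 192.168.0.1`."""
    table = [
        Route(IPv4Network("0.0.0.0/0"), PHYSICAL_GW, PHYSICAL, 20),
        Route(IPv4Network("192.168.0.0/24"), "on-link", PHYSICAL, 20),
        Route(IPv4Network("0.0.0.0/0"), REMOTE_GW, VIRTUAL, 1),
        Route(IPv4Network("10.0.0.0/24"), "on-link", VIRTUAL, 1),
    ]
    if with_host_route:
        table.append(Route(IPv4Network(f"{SSH_SERVER}/32"), PHYSICAL_GW, PHYSICAL, 20))
    return table


def effective_table(table: List[Route]) -> List[Route]:
    """11.3.23: only one default gateway stays active; the others are removed
    until the VPN disconnects.  The survivor is the one with the lowest metric."""
    defaults = [r for r in table if r.network.prefixlen == 0]
    if len(defaults) <= 1:
        return list(table)
    winner = min(defaults, key=lambda r: r.metric)
    return [r for r in table if r.network.prefixlen != 0 or r is winner]


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match over the effective table, lowest metric on a tie."""
    addr = IPv4Address(destination)
    matches = [r for r in effective_table(table) if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def tunnel_endpoint_is_reachable(table: List[Route], endpoint: str) -> bool:
    """11.3.22 check: the computer the VPN session actually rides on (the SSH
    server) must be reached over the physical adapter.  If its route points at
    the Virtual Network Adapter, the session would try to carry itself."""
    route = select_route(table, endpoint)
    return route is not None and route.interface == PHYSICAL


if __name__ == "__main__":
    for with_host_route in (False, True):
        table = base_table(with_host_route)
        route = select_route(table, SSH_SERVER)
        print(f"host route {'present' if with_host_route else 'absent'}: "
              f"{SSH_SERVER} -> {route.interface} via {route.gateway}; "
              f"endpoint reachable: {tunnel_endpoint_is_reachable(table, SSH_SERVER)}")
```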

11.3.25 If you are unable to create a Virtual HUB with VPN Bridge...

VPN Bridge has a single Virtual HUB with the name of "BRIDGE" by default. This Virtual
HUB is for defining local bridge connections, configuring cascade connections to VPN
Servers, and other VPN bridge software functionality. Therefore, VPN Bridge does not
allow the creation of new Virtual HUBs. Please refer to section 「5.3.2 Virtual HUB on
VPN Bridge」 for more information.

11.3.26 If you are unable to use local bridging in FreeBSD, Solaris, or Mac OS X...

Due to internal differences between FreeBSD, Solaris, and Mac OS X on the one hand and
Windows and Linux on the other, local bridging is not supported on those three platforms
at the time of the writing of this manual. Local bridging may become available for these
operating systems in the future.

11.3.27 Connecting to a VPN Bridge Listener Port From VPN Client

As explained in section 「Chapter 5 PacketiX VPN Bridge 2.0 Manual」, VPN Bridge cannot
accept connections from VPN Client as VPN Server can. If you do attempt this type of
connection you will receive the message "Not supported".

11.4 Additional Security Information

This section contains additional information regarding security when using PacketiX VPN.

Also, SoftEther's web site ( http://www.softether.com/ ) may contain more up-to-date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.4.1 Dealing With Viruses or Worms on Your VPN

Refer to section 「11.2.8 Recreating a Switch's Port VLAN Functionality」 if you want to
monitor packets on your VPN for viruses, worms, or other attacks when using PacketiX
VPN.

Viruses or worms could also possibly enter the system through the Virtual Network
Adapter on the VPN Client side. To prevent this you can use your normal third party
anti-virus or firewall software. However, please note that some of these software
packages do not work well with PacketiX VPN.

11.4.3 Is there any danger of my VPN Client service being controlled remotely
immediately after installing VPN Client before I have configured it?

As explained in section 「4.7.1 Remote Management of VPN Client」 , the VPN Client
service program can be controlled remotely from another computer via VPN Client
Manager or vpncmd, but this feature is disabled by default. Therefore, there is no danger
of the VPN Client service being controlled remotely immediately after installation unless
you specifically enable this feature.

11.5 Additional Information Regarding Communication Protocols

This section contains additional information regarding communication protocols when
using PacketiX VPN.

Also, SoftEther's web site ( http://www.softether.com/ ) may contain more up-to-date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.5.1 Usable Protocols Other than TCP/IP

PacketiX VPN is a protocol to create a VPN by encapsulating all Ethernet frames into
TCP/IP. Therefore, it is possible to use many different protocols as long as they are
Ethernet frames that can be handled by PacketiX VPN. For example, it is possible to use
certain home electronics or video conferencing systems that utilize special protocols
other than TCP/IP over a VPN with PacketiX VPN.

11.5.2 Using NetBEUI, IPX/SPX, AppleTalk, etc.

You can use protocols such as NetBEUI, IPX/SPX, and AppleTalk on a virtual layer 2
network created with PacketiX VPN.

11.5.3 Sending Multicast Packets Within the VPN

PacketiX VPN Server's Virtual HUB has the same Ethernet frame conversion capabilities
as a physical layer 2 switching hub. Therefore, it is possible to send multicast IP packets
over a VPN.

11.5.4 Using IP Phone Protocols

PacketiX VPN Server's Virtual HUB has the same Ethernet frame conversion capabilities
as a physical layer 2 switching hub. Therefore, it is possible to use any IP phone
protocols that can normally be used over Ethernet. However, if you are using PacketiX
VPN to connect remote computers together, the throughput and latency of the network
is dependent on the throughput and latency of all the remote physical networks.
Depending on the IP phone and protocol being used, this may lead to a reduction in
sound quality, or the inability to use the service at all.

11.5.5 Using NetMeeting or Other Video Conferencing Protocols

PacketiX VPN Server's Virtual HUB has the same Ethernet frame conversion capabilities
as a physical layer 2 switching hub. Therefore, it is possible to use NetMeeting or other
such video conferencing protocols that can normally be used over Ethernet. SoftEther is
currently investigating whether or not NetMeeting's video chat feature can be used over
a VPN. While chances are high that you can use other video conferencing protocols that
you would normally use over Ethernet over a VPN, the throughput and latency of the
network is dependent on the throughput and latency of all the remote physical networks.
Depending on the bandwidth and transfer speeds required by the protocol, this may lead
to a reduction in sound quality, or the inability to use the service at all.

11.5.6 Using PacketiX VPN to Communicate on an Existing VPN Tunnel

As explained in section 「2.1 VPN Communications Protocol」 , PacketiX VPN sends all
data within a normal TCP/IP connection as streams. Therefore, PacketiX VPN protocol's
IP packets can be sent within another VPN tunneling protocol (L2TP/IPSec, PPTP, etc.). It
is also possible for other VPN tunneling protocols (L2TP/IPSec, PPTP, etc.) to send
packets within a PacketiX VPN session.

11.6 Additional Compatibility Information

This section contains additional information regarding compatibility issues when using
PacketiX VPN.

Also, SoftEther's web site ( http://www.softether.com/ ) may contain more up-to-date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.6.1 Coexistence With SoftEther 1.0

PacketiX VPN Server 2.0 can coexist with SoftEther 1.0 Virtual HUBs. However, both
programs use port 443 as their listener port so you will need to configure one of them to
use a port other than port 443.

11.6.2 Relationship With Mitsubishi Materials Corporation's SoftEther CA

PacketiX VPN 2.0 was developed from a completely different source tree than that of
SoftEther CA 1.x, which is an old version of SoftEther 1.0 that is sold by Mitsubishi
Materials Corporation. SoftEther CA 1.x is a completely separate piece of software and
as such is not compatible with PacketiX VPN 2.0 in any way.

SoftEther does not offer any support for SoftEther CA 1.x.

11.6.3 Compatibility With SoftEther 1.0 Protocols

Refer to section 「11.2.10 Performing Administration Via TELNET as Supported in
SoftEther 1.0」 for instructions on how to set up PacketiX VPN 2.0 to be able to receive
connection requests from both types of SoftEther 1.0's VPN client software.

11.6.4 Compatibility With Other VPN Products

PacketiX VPN 2.0 has been designed so that it can be compatible with other VPN
products (software or hardware) using the PacketiX VPN protocol that may appear in the
future. Therefore, it is likely that if this type of VPN software or hardware does appear in
the future it will be able to operate together with PacketiX VPN 2.0.

11.7 Future Plans for PacketiX VPN

This section will discuss the development plans and objectives for PacketiX VPN at the
time of the writing of this manual.

Also, SoftEther's web site ( http://www.softether.com/ ) may contain more up-to-date
support information than that found in this manual. When you are troubleshooting a
problem, always remember to check there as well.

11.7.1 Localization Plans

Unicode is supported throughout the PacketiX VPN software suite. Furthermore, the user
interface strings and the internal data structures are designed so that they may easily
be localized into other languages (see section 「1.8.1 Unicode Support」). Only the user
interface string table and the manual need to be translated in order for the software to
be localized. Starting with the English and Chinese language versions of the software, we
plan to provide localized versions for more languages as quickly as possible after the
development and release of the Japanese version is completed.

11.7.3 About VPN Client for Windows CE

Due to the large number of users that have requested a Windows CE version of the VPN
Client, we are currently planning the development of a version of PacketiX VPN for the
Windows CE platform.

11.7.4 About VPN Client for Platforms Other than Windows or Linux

Currently VPN Client has only been released for Windows and Linux. We have succeeded
at getting VPN Client running on Mac OS X, but it is not ready for a public release at this
stage. At this time we have not received many requests for VPN Client to be released for
any other operating system besides Windows, and now that the Linux version can
connect to tap devices and provide local bridging functionality, we at SoftEther feel that
the software meets the needs for the majority of our users. However, we are always
ready to think about porting VPN Client's Virtual Network Adapter to other operating
systems should we receive enough requests to do so.

Chapter 12 PacketiX VPN Software Specification

This chapter contains the software specification for PacketiX VPN 2.0. Refer to this
chapter for information regarding PacketiX VPN 2.0's operating environment,
capabilities, etc.

12.1 PacketiX VPN Server 2.0 Specs
12.1.1 Supported Operating Systems (Recommended)
12.1.2 Supported Operating Systems (All)
12.1.3 Hardware Requirements
12.1.4 Software Specs
12.1.5 Program File Structure
12.2 PacketiX VPN Client 2.0 Specs
12.2.1 Supported Operating Systems (Recommended)
12.2.2 Supported Operating Systems (All)
12.2.3 Hardware Requirements
12.2.4 Software Specs
12.2.5 Program File Structure
12.2.6 List of Supported Smart Cards and Hardware Security Devices
12.3 PacketiX VPN Bridge 2.0 Specs
12.3.1 Supported Operating Systems (Recommended)
12.3.2 Supported Operating Systems (All)
12.3.3 Hardware Requirements
12.3.4 Software Specs
12.3.5 Program File Structure
12.4 PacketiX VPN Protocol Specification
12.4.1 Protocol Specs
12.4.2 Packets Sendable Over a VPN
12.4.3 How to Detect the PacketiX VPN Protocol
12.5 Error Codes

12.1 PacketiX VPN Server 2.0 Specs

This section contains specifications for the PacketiX VPN Server 2.0 software.

12.1.1 Supported Operating Systems (Recommended)

The operating systems and/or architectures recommended by SoftEther to run PacketiX
VPN Server 2.0 are listed below. If you purchased a product license that includes
technical support, only problems encountered when running PacketiX VPN Server 2.0 on
these operating systems and/or architectures will qualify for support.

Type: Windows *1 *3
  Supported operating systems:
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows XP Professional
    Windows XP Professional x64 Edition
    Windows XP Home Edition *2
    Windows XP Tablet PC Edition
    Windows XP Tablet PC Edition 2005
    Windows XP Media Center Edition 2004
    Windows XP Media Center Edition 2005
    Windows Server 2003 Standard Edition
    Windows Server 2003 Standard x64 Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Enterprise x64 Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Standard x64 Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Enterprise x64 Edition
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Business
    Windows Vista Enterprise
    Windows Vista Ultimate
  Supported architectures: x86, x64 (EM64T / AMD64)

Type: Linux *4 *5
  Supported operating systems:
    Red Hat Enterprise Linux AS 4 *6
    Red Hat Enterprise Linux ES 4 *6
    Turbolinux 10 Server *7
    Fedora Core 4 *8
    Fedora Core 5 *8
    CentOS 4 *8
  Supported architectures: x86, x64 (EM64T / AMD64)

*1 Requires the latest Service Pack and Internet Explorer.
*2 Windows XP Home Edition is officially supported from Build 5280.
*3 Not supported if any third party firewall, anti-virus, or VPN software is being used.
*4 Not supported if any firewall, anti-virus, or VPN software, including that which is included with the OS, is
being used. Also not supported if the system has been vastly modified from that of a clean install of the
distribution.
*5 We recommend selecting all packages when installing the distribution. We only support systems with
the development libraries zlib, OpenSSL, readline, and ncurses and development tools such as gcc and
binutils installed.
*6 Only supported if the kernel has been updated to version 2.6.9-22 or higher from the Red Hat Network.
*7 Only supported if the kernel has been updated to version 2.6.8-5 or higher via the update service.
*8 If you have purchased a product license for PacketiX VPN Server we do not support its use on Fedora
Core or CentOS. We will provide support as if it was being used on Red Hat Enterprise Linux AS/ES.

12.1.2 Supported Operating Systems (All)

In addition to the recommended operating systems above, PacketiX VPN Server 2.0 may
also be run on the operating systems and/or architectures listed below. Using
PacketiX VPN Server 2.0 on operating systems and/or architectures not in the list of
recommendations above requires expert knowledge of computer networking and VPNs.
Furthermore, you may experience some limitations if you attempt to use PacketiX
VPN Server 2.0 on these systems.

Type: Windows
Supported operating systems:
    Windows 98
    Windows 98 Second Edition
    Windows Millennium Edition
    Windows NT 4.0 Workstation
    Windows NT 4.0 Server
    Windows NT 4.0 Server, Enterprise Edition
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows XP Professional
    Windows XP Professional x64 Edition
    Windows XP Home Edition
    Windows XP Tablet PC Edition
    Windows XP Tablet PC Edition 2005
    Windows XP Media Center Edition 2004
    Windows XP Media Center Edition 2005
    Windows Server 2003 Standard Edition
    Windows Server 2003 Standard x64 Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Enterprise x64 Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Standard x64 Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Enterprise x64 Edition
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Business
    Windows Vista Enterprise
    Windows Vista Ultimate
Supported architectures: x86, x64 (EM64T / AMD64)

Type: Linux
Supported operating systems: Systems containing version 2.4 or higher of the Linux
kernel with the development libraries zlib, OpenSSL, readline, and ncurses and
development tools such as gcc installed. The kernel must support Packet Socket in
order to use local bridging. The universal TUN/TAP device driver must be installed on
the system to use the tap functionality.
Supported architectures: x86, x64 (EM64T / AMD64), PowerPC, SH4 32 bit, MIPS 32 bit

Type: FreeBSD
Supported operating systems: FreeBSD 5.x or higher with the development libraries
zlib, OpenSSL, readline, and ncurses and development tools such as gcc installed.
Supported architectures: x86, x64 (EM64T / AMD64)

Type: Solaris
Supported operating systems: Solaris 8 or higher with the development libraries
zlib, OpenSSL, readline, and ncurses and development tools such as gcc installed.
Supported architectures: x86, x64 (EM64T / AMD64), SPARC 32 bit, SPARC 64 bit

Type: Mac OS X
Supported operating systems: Darwin 7.9.0 or higher with the development libraries
zlib, OpenSSL, readline, and ncurses and development tools such as gcc installed.
Supported architectures: PowerPC

12.1.3 Hardware Requirements

The following hardware is required in order to install and run PacketiX VPN Server 2.0
properly. We have listed both the minimum and recommended hardware requirements.

If you purchased a product license that includes technical support, only problems
encountered when running PacketiX VPN Server 2.0 on a system that meets the
recommended hardware requirements will be supported. Systems that fall below these
recommended requirements are not supported.

For standard editions of PacketiX VPN Server 2.0

Monitor: Monitors capable of displaying a window resolution of 800 x 600 with 16 bit
color or higher (for Windows)
RAM (Minimum): At least 32 MB + (0.5 MB * maximum simultaneous connections) of
available RAM is required.
RAM (Recommended): At least 128 MB + (0.5 MB * maximum simultaneous connections) of
available RAM.
Hard Disk Space (Minimum): At least 100 MB of available hard disk space is required.
Hard Disk Space (Recommended): At least 20 GB of available hard disk space should be
allocated for the software and log files.

For PacketiX VPN Server 2.0 Carrier Edition

Monitor: Monitors capable of displaying a window resolution of 800 x 600 with 16 bit
color or higher (for Windows)
RAM (Recommended, for a stand-alone server or cluster controller): At least (128 MB +
0.5 MB * (total number of VPN sessions across the cluster / number of VPN servers in
the cluster) + 1.0 MB * number of Virtual HUBs in use across the cluster) of available
RAM.
RAM (Recommended, for cluster member servers): At least (128 MB + 0.5 MB * (total
number of VPN sessions across the cluster / number of VPN servers in the cluster) +
1.0 MB * number of Virtual HUBs in use across the cluster) of available RAM.
Hard Disk Space (Recommended, for a stand-alone server or cluster controller): At
least 200 GB of available hard disk space should be allocated for the software and log
files. We recommend using RAID for redundancy. The actual amount of space required
depends heavily on the type of online services you use with Carrier Edition, how often
you use them, and your own log file settings.
Hard Disk Space (Recommended, for a stand-alone server or cluster controller): At
least 80 GB of available hard disk space should be allocated for the software and log
files. The actual amount of space required depends heavily on the type of online
services you use with Carrier Edition, how often you use them, and your own log file
settings.

The software may still operate on systems that do not meet the above requirements, but
it may then rely on swap file usage, which can drastically reduce overall performance.
If swap space cannot be allocated, PacketiX VPN Server 2.0 will stop functioning.

Depending on how you configure it, PacketiX VPN Server 2.0 may save enormous log
files. Low amounts of free disk space lead to fragmentation and other problems, which
can cause drastic drops in performance. Furthermore, log files may not be able to be
written to the disk if there is not enough available space.

12.1.4 Software Specs

About the VPN Server Software

PacketiX VPN Server 2.0 has all the features, and limitations, that are written in this
manual. The following items are particularly important to look over.

The minimum and recommended system requirements shown here are merely an
estimate, and no guarantee is made that the software will always operate under that
environment.

Remember that there are certain logical and physical limitations in computing, and
those limitations can not be broken even if your system meets the above
requirements. For example, for most systems the user space for each process is 2 or
3 GB. If more than this amount is required, the software will not function properly.
Furthermore, the system capacity required can change depending on how you use the
software and the amount of traffic on your network.

The chart above does not list a recommended CPU speed. The amount of CPU speed
required depends on the throughput you need and the environment you will actually
perform VPN communication in. Of course, for the best performance we recommend
using the fastest CPU possible.

Some limitations may be encountered with PacketiX VPN 2.0 due to the
library/system calls it uses and/or other software/hardware on your system.

In some cases, you may encounter problems with special networking devices on the
existing network between the VPN server and the VPN client (VPN Client or VPN
Bridge) when using PacketiX VPN 2.0. If you are dealing with network devices that
perform some special operation other than basic networking tasks such as IP routing
or NAT, you may need to configure those devices or replace them entirely to get them
to work with PacketiX VPN 2.0.

VPN Server Functionality

PacketiX VPN Server 2.0 can handle many objects (data items). The maximum numbers
for each of these are listed below.

VPN Server Basic Specs

Maximum number of simultaneous VPN sessions (Standard Editions): 4,096 sessions
(does not include local bridge sessions, SecureNAT sessions, Virtual Layer 3 Switch
sessions, server-side cascade connection sessions, etc.). Clustering theoretically
allows for a maximum of (4,096 * total number of servers) simultaneous connections.
Maximum number of simultaneous VPN sessions (Carrier Edition): 100,000 sessions
(does not include local bridge sessions, SecureNAT sessions, Virtual Layer 3 Switch
sessions, server-side cascade connection sessions, etc.). Clustering theoretically
allows for a maximum of (100,000 * total number of servers) simultaneous connections.
Maximum number of Virtual HUBs that can be created (Standard Editions): 4,096. When
using clustering, only 4,096 Virtual HUBs may be defined across the entire cluster.
Maximum number of Virtual HUBs that can be created (Carrier Edition): 100,000. When
using clustering, only 100,000 Virtual HUBs may be defined across the entire cluster.

VPN Operation Mode

Layer 2 (Ethernet frame switching) Mode: Yes
Layer 3 (IP packet routing) Mode: Yes

Traffic Management

VoIP / QoS Support: Yes (with Option Pack)
Bandwidth limitations for each VPN user: Yes

Virtual HUB Specs

Number of registered users: 10,000 users
Number of registered groups: 10,000 groups
Number of access list entries: 4,096 entries
Number of MAC address table entries: 65,536 entries
Number of IP address table entries: 65,536 entries
Number of trusted certificate authorities (CA): 4,096
Number of disabled certificates: 4,096 entries
Number of registered cascade connections: 128

Virtual HUBs' SecureNAT Capability Specs

Virtual NAT Functionality: Yes
Number of Virtual NAT mapping table entries: 4,096 entries
Virtual DHCP Server Functionality: Yes
Safe NAT operation in user mode: Yes

Virtual Layer 3 Switch Specs

Number of Virtual Interfaces: 4,096
Number of routing table entries: 4,096 entries

Highly Available (HA) System/Clustering Specs

Number of VPN servers available to join the cluster: Maximum of approximately 64
Load Balancing: Yes
Load given to each node via load balancing: Yes
Dynamic mode Virtual HUB support: Yes
Static mode Virtual HUB support: Yes
Automatic recovery from fatal errors: Yes

Security Specs

External User Authentication: RADIUS / NT Domain authentication / Active Directory
authentication
Advanced security policies for all users: Yes
Separate security logs for all Virtual HUBs: Yes
Full packet logs of all VPN traffic: Yes
Separate logs for each packet type: TCP / UDP / ICMP / ARP / IP / Ethernet
Operation under system privileges: Yes
Operation under user privileges: Yes
DoS attack (SYN flood) detection and protection: Yes

Manageability Specs

Management via Windows based server management software: Yes
Management via CUI: Yes
Send logs with syslog: Yes
Automatic configuration of the VPN listener port: Yes

12.1.5 Program File Structure

Program File Structure - Windows Version

The absolute minimum executable and data files required to run PacketiX VPN
Server 2.0 in Windows are listed below.

File name       Details
vpnserver.exe   PacketiX VPN Server 2.0's executable file. For the x64 version, the
                filename is vpnserver_x64.exe.
vpnsmgr.exe     PacketiX VPN Server Manager 2.0's executable file. For the x64 version,
                the filename is vpnsmgr_x64.exe.
vpncmd.exe      PacketiX VPN Command Line Management Utility 2.0's executable file. For
                the x64 version, the filename is vpncmd_x64.exe.
hamcore.se2     Shared data files used by all PacketiX VPN 2.0 programs.

Program File Structure - UNIX Version (Including Linux)

The absolute minimum executable and data files required to run PacketiX VPN
Server 2.0 on UNIX (including Linux) are listed below.

File name       Details
vpnserver       PacketiX VPN Server 2.0's executable file.
vpncmd          PacketiX VPN Command Line Management Utility 2.0's executable file.
hamcore.se2     Shared data files used by all PacketiX VPN 2.0 programs.

12.2 PacketiX VPN Client 2.0 Specs

This section contains specifications for the PacketiX VPN Client 2.0 software.

12.2.1 Supported Operating Systems (Recommended)

Type: Windows *1 *2
Supported operating systems:
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows XP Professional
    Windows XP Professional x64 Edition
    Windows XP Home Edition
    Windows XP Tablet PC Edition
    Windows XP Tablet PC Edition 2005
    Windows XP Media Center Edition 2004
    Windows XP Media Center Edition 2005
    Windows Server 2003 Standard Edition
    Windows Server 2003 Standard x64 Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Enterprise x64 Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Standard x64 Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Enterprise x64 Edition
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Business
    Windows Vista Enterprise
    Windows Vista Ultimate
Supported architectures: x86, x64 (EM64T / AMD64)

*1 Requires the latest Service Pack and Internet Explorer.
*2 Not supported if any third party firewall, anti-virus, or VPN software is being used.

12.2.2 Supported Operating Systems (All)

In addition to the recommended operating systems above, PacketiX VPN Client 2.0 may
also be run on the operating systems and/or architectures listed below. Using
PacketiX VPN Client 2.0 on operating systems and/or architectures not in the list of
recommendations above requires expert knowledge of computer networking and VPNs.
Furthermore, you may experience some limitations if you attempt to use PacketiX VPN
Client 2.0 on these systems.

Type: Windows
Supported operating systems:
    Windows 98 Second Edition
    Windows Millennium Edition
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows XP Professional
    Windows XP Professional x64 Edition
    Windows XP Home Edition
    Windows XP Tablet PC Edition
    Windows XP Tablet PC Edition 2005
    Windows XP Media Center Edition 2004
    Windows XP Media Center Edition 2005
    Windows Server 2003 Standard Edition
    Windows Server 2003 Standard x64 Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Enterprise x64 Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Standard x64 Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Enterprise x64 Edition
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Business
    Windows Vista Enterprise
    Windows Vista Ultimate
Supported architectures: x86, x64 (EM64T / AMD64)

Type: Linux
Supported operating systems: Systems containing version 2.4 or higher of the Linux
kernel with the development libraries zlib, OpenSSL, readline, and ncurses and
development tools such as gcc installed. The kernel must support Packet Socket in
order to use local bridging. The universal TUN/TAP device driver must be installed on
the system to use the tap functionality.
Supported architectures: x86, x64 (EM64T / AMD64), PowerPC, SH4 32 bit, MIPS 32 bit

12.2.3 Hardware Requirements

Monitor: Monitors capable of displaying a window resolution of 800 x 600 with 16 bit
color or higher (for Windows)
RAM (Minimum): 16 MB RAM or higher
RAM (Recommended): 32 MB RAM or higher
Hard Disk Space (Minimum): At least 30 MB of available hard disk space is required.
Hard Disk Space (Recommended): The amount required depends on the amount and size of
the log files saved by VPN Client 2.0, but at least 300 MB of available hard disk
space is recommended.

The software may still operate on systems that do not meet the above requirements, but
it may then rely on swap file usage, which can drastically reduce overall performance.
If swap space cannot be allocated, PacketiX VPN Client 2.0 will stop functioning.

12.2.4 Software Specs

PacketiX VPN Client 2.0 has all the features, and limitations, that are written in this
manual. The following items are particularly important to look over.

The minimum and recommended system requirements shown here are merely an
estimate, and no guarantee is made that the software will always operate under that
environment.

Remember that there are certain logical and physical limitations in computing, and
those limitations can not be broken even if your system meets the above
requirements. For example, for most systems the user space for each process is 2 or
3 GB. If more than this amount is required, the software will not function properly.
Furthermore, the system capacity required can change depending on how you use the
software and the amount of traffic on your network.

The chart above does not list a recommended CPU speed. The amount of CPU speed
required depends on the throughput you need and the environment you will actually
perform VPN communication in. Of course, for the best performance we recommend
using the fastest CPU possible.

Some limitations may be encountered with PacketiX VPN 2.0 due to the
library/system calls it uses and/or other software/hardware on your system.

In some cases, you may encounter problems with special networking devices on the
existing network between the VPN server and the VPN client (VPN Client or VPN
Bridge) when using PacketiX VPN 2.0. If you are dealing with network devices that
perform some special operation other than basic networking tasks such as IP routing
or NAT, you may need to configure those devices or replace them entirely to get them
to work with PacketiX VPN 2.0.

12.2.5 Program File Structure

Program File Structure - Windows Version

File name       Details
vpnclient.exe   PacketiX VPN Client 2.0's executable file. For the x64 version, the
                filename is vpnclient_x64.exe.
vpncmgr.exe     PacketiX VPN Client Manager 2.0's executable file. For the x64 version,
                the filename is vpncmgr_x64.exe.
vpncmd.exe      PacketiX VPN Command Line Management Utility 2.0's executable file. For
                the x64 version, the filename is vpncmd_x64.exe.
hamcore.se2     Shared data files used by all PacketiX VPN 2.0 programs.

Program File Structure - UNIX Version (Including Linux)

File name       Details
vpnclient       PacketiX VPN Client 2.0's executable file.
vpncmd          PacketiX VPN Command Line Management Utility 2.0's executable file.
hamcore.se2     Shared data files used by all PacketiX VPN 2.0 programs.

12.2.6 List of Supported Smart Cards and Hardware Security Devices

The Windows version of PacketiX VPN 2.0 is compatible with the following list of smart
cards and hardware security token devices. If your device is not listed here but has
PKCS #11 device drivers, you may still be able to use it. (However, we do not guarantee
that it will certainly work with PacketiX VPN 2.0.) Furthermore, if your device is not
currently listed here but you can provide SoftEther with sample hardware, we will
develop support for the device and add it to this list. Please contact us through
www.softether.com.

Vendor                         Product Name         Type
Dai Nippon Printing Co., Ltd   Standard-9 IC Card   IC Card
Dai Nippon Printing Co., Ltd   DNP Felica           IC Card
FUJITSU LIMITED                Standard-9 IC Card   IC Card
Athena smart card solution     ASECard              IC Card
Gemplus Japan Co.,Ltd.         Gemplus IC Card      IC Card
Maxim Integrated Products      1-Wire & iButton     IC Card
Feitian Japan Co., Ltd.        ePass 1000           USB Token
Feitian Japan Co., Ltd.        ePass 2000           USB Token
Aladdin Knowledge Systems      eToken               USB Token
Rainbow Technologies           iKey 1000            USB Token
Pentio                         PKI USB token        USB Token
Logicaltech                    LOCK STAR-PKI        USB Token

12.3 PacketiX VPN Bridge 2.0 Specs

This section contains specifications for the PacketiX VPN Bridge 2.0 software.

12.3.1 Supported Operating Systems (Recommended)

Type: Windows *1 *3
Supported operating systems:
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows XP Professional
    Windows XP Professional x64 Edition
    Windows XP Home Edition *2
    Windows XP Tablet PC Edition
    Windows XP Tablet PC Edition 2005
    Windows XP Media Center Edition 2004
    Windows XP Media Center Edition 2005
    Windows Server 2003 Standard Edition
    Windows Server 2003 Standard x64 Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Enterprise x64 Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Standard x64 Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Enterprise x64 Edition
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Business
    Windows Vista Enterprise
    Windows Vista Ultimate
Supported architectures: x86, x64 (EM64T / AMD64)

Type: Linux *4 *5
Supported operating systems:
    Red Hat Enterprise Linux AS 4 *6
    Red Hat Enterprise Linux ES 4 *6
    Turbolinux 10 Server *7
    Fedora Core 4 *8
    Fedora Core 5 *8
    CentOS 4 *8
Supported architectures: x86, x64 (EM64T / AMD64)

*1 Requires the latest Service Pack and Internet Explorer.
*2 Windows XP Home Edition is officially supported from Build 5280.
*3 Not supported if any third party firewall, anti-virus, or VPN software is being used.
*4 Not supported if any firewall, anti-virus, or VPN software, including that which is included with the OS, is
being used. Also not supported if the system has been vastly modified from that of a clean install of the
distribution.
*5 We recommend selecting all packages when installing the distribution. We only support systems with
the development libraries zlib, OpenSSL, readline, and ncurses and development tools such as gcc and
binutils installed.
*6 Only supported if the kernel has been updated to version 2.6.9-22 or higher from the Red Hat Network.
*7 Only supported if the kernel has been updated to version 2.6.8-5 or higher via the update service.
*8 If you have purchased a product license for PacketiX VPN Server, we do not support its use on Fedora
Core or CentOS. We will provide support as if it were being used on Red Hat Enterprise Linux AS/ES.

12.3.2 Supported Operating Systems (All)

In addition to the recommended operating systems above, PacketiX VPN Bridge 2.0 may
also be run on the operating systems and/or architectures listed below. Using
PacketiX VPN Bridge 2.0 on operating systems and/or architectures not in the list of
recommendations above requires expert knowledge of computer networking and VPNs.
Furthermore, you may experience some limitations if you attempt to use PacketiX
VPN Bridge 2.0 on these systems.

Type: Windows
Supported operating systems:
    Windows 98
    Windows 98 Second Edition
    Windows Millennium Edition
    Windows NT 4.0 Workstation
    Windows NT 4.0 Server
    Windows NT 4.0 Server, Enterprise Edition
    Windows 2000 Professional
    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows XP Professional
    Windows XP Professional x64 Edition
    Windows XP Home Edition
    Windows XP Tablet PC Edition
    Windows XP Tablet PC Edition 2005
    Windows XP Media Center Edition 2004
    Windows XP Media Center Edition 2005
    Windows Server 2003 Standard Edition
    Windows Server 2003 Standard x64 Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Enterprise x64 Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Standard x64 Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Enterprise x64 Edition
    Windows Vista Home Basic
    Windows Vista Home Premium
    Windows Vista Business
    Windows Vista Enterprise
    Windows Vista Ultimate
Supported architectures: x86, x64 (EM64T / AMD64)

Type: Linux
Supported operating systems: Systems containing version 2.4 or higher of the Linux
kernel with the development libraries zlib, OpenSSL, readline, and ncurses and
development tools such as gcc installed. The kernel must support Packet Socket in
order to use local bridging. The universal TUN/TAP device driver must be installed on
the system to use the tap functionality.
Supported architectures: x86, x64 (EM64T / AMD64), PowerPC, SH4 32 bit, MIPS 32 bit

Type: FreeBSD
Supported operating systems: FreeBSD 5.x or higher with the development libraries
zlib, OpenSSL, readline, and ncurses and development tools such as gcc installed.
Supported architectures: x86, x64 (EM64T / AMD64)

Type: Solaris
Supported operating systems: Solaris 8 or higher with the development libraries
zlib, OpenSSL, readline, and ncurses and development tools such as gcc installed.
Supported architectures: x86, x64 (EM64T / AMD64), SPARC 32 bit, SPARC 64 bit

Type: Mac OS X
Supported operating systems: Darwin 7.9.0 or higher with the development libraries
zlib, OpenSSL, readline, and ncurses and development tools such as gcc installed.
Supported architectures: PowerPC

12.3.3 Hardware Requirements

The following hardware is required in order to install and run PacketiX VPN Bridge 2.0
properly. We have listed both the minimum and recommended hardware requirements.

If you purchased a product license that includes technical support, only problems
encountered when running PacketiX VPN Bridge 2.0 on a system that meets the
recommended hardware requirements will be supported. Systems that fall below these
recommended requirements are not supported.

Monitor: Monitors capable of displaying a window resolution of 800 x 600 with 16 bit
color or higher (for Windows)
RAM (Minimum): 32 MB RAM or higher
RAM (Recommended): 128 MB RAM or higher
Hard Disk Space (Minimum): At least 100 MB of available hard disk space is required.
Hard Disk Space (Recommended): At least 20 GB of available hard disk space should be
allocated for the software and log files.

12.3.4 Software Specs

PacketiX VPN Bridge 2.0 has all the features, and limitations, that are written in this
manual. The following items are particularly important to look over.

The minimum and recommended system requirements shown here are merely an
estimate, and no guarantee is made that the software will always operate under that
environment.

Remember that there are certain logical and physical limitations in computing, and
those limitations can not be broken even if your system meets the above
requirements. For example, for most systems the user space for each process is 2 or
3 GB. If more than this amount is required, the software will not function properly.
Furthermore, the system capacity required can change depending on how you use the
software and the amount of traffic on your network.

The chart above does not list a recommended CPU speed. The amount of CPU speed
required depends on the throughput you need and the environment you will actually
perform VPN communication in. Of course, for the best performance we recommend
using the fastest CPU possible.

Some limitations may be encountered with PacketiX VPN 2.0 due to the
library/system calls it uses and/or other software/hardware on your system.

In some cases, you may encounter problems with special networking devices on the
existing network between the VPN server and the VPN client (VPN Client or VPN
Bridge) when using PacketiX VPN 2.0. If you are dealing with network devices that
perform some special operation other than basic networking tasks such as IP routing
or NAT, you may need to configure those devices or replace them entirely to get them
to work with PacketiX VPN 2.0.

12.3.5 Program File Structure

Program File Structure - Windows Version

File name       Details
vpnbridge.exe   PacketiX VPN Bridge 2.0's executable file. For the x64 version, the
                filename is vpnClient_x64.exe.
vpnsmgr.exe     PacketiX VPN Server Manager 2.0's executable file. For the x64 version,
                the filename is vpnsmgr_x64.exe.
vpncmd.exe      PacketiX VPN Command Line Management Utility 2.0's executable file. For
                the x64 version, the filename is vpncmd_x64.exe.
hamcore.se2     Shared data files used by all PacketiX VPN 2.0 programs.

Program File Structure - UNIX Version (Including Linux)

File name       Details
vpnbridge       PacketiX VPN Bridge 2.0's executable file.
vpncmd          PacketiX VPN Command Line Management Utility 2.0's executable file.
hamcore.se2     Shared data files used by all PacketiX VPN 2.0 programs.

12.4 PacketiX VPN Protocol Specification

This section contains information about the VPN communication protocol used by all
PacketiX VPN 2.0 software, the PacketiX VPN Protocol.

12.4.1 Protocol Specs

The specs for the PacketiX VPN Protocol are given below.

Communication Protocol (Upper Layer): SSL version 3.0 (Secure Socket Layer)
Communication Protocol (Lower Layer): TCP/IP
Port: TCP/IP Default port: 443, 992 and 8888 (The user can change this freely.)
Supported encryption and digital signature algorithms:
    RC4-MD5
    RC4-SHA
    AES128-SHA
    AES256-SHA
    DES-CBC-SHA
    DES-CBC3-SHA
Data Compression: Streamed data compression
Session Key Length: 128 bits
Base Protocol: SSL/HTTP over SSL (HTTPS) Extension
High Speed Communication: Between 1 and 32 TCP/IP connections can be established for
efficient load balancing and/or timing control
Automatic Reconnection: Specified number of attempts or infinite retries
Connection Methods:
    1. Direct TCP/IP Connection
    2. Connect Via HTTP Proxy Server
    3. Connect Via SOCKS Proxy Server
User Authentication (Client Authentication) Methods:
    1. Anonymous Authentication
    2. Standard Password Authentication
    3. Radius Server Authentication
    4. NT Domain Controller or Active Directory Authentication
    5. X.509 Certificate/RSA Private Key File Authentication
    6. Smart Card (With Certificate) Authentication
Server Authentication Methods: X.509 Certificate/RSA Private Key File Authentication
(SSL Server Certificate Authentication)
Protocols for encapsulation and packet classifications: Ethernet (IEEE802.3) Frames

12.4.2 Packets Sendable Over a VPN

The packets that can be encapsulated and tunneled by the PacketiX VPN protocol are
standard Ethernet (IEEE802.3) frames with a MAC header and payload. The MAC header
and payload together must not exceed 1,514 bytes in length.

12.4.3 How to Detect the PacketiX VPN Protocol

Detecting the PacketiX VPN Protocol

At SoftEther we have taken the network administrators of large corporate networks
into consideration and have designed our software so that when PacketiX VPN Client
makes a connection to PacketiX VPN Server, it sends a TCP/IP packet to that server
containing the string "PX-VPN2-PROTOCOL". This makes it easy for network
administrators to quickly detect any usage of the PacketiX VPN protocol.

If you want to detect if employees on your corporate network are using the PacketiX VPN
software to connect to a PacketiX VPN Server on the Internet, or block this activity
entirely, you can check for this PacketiX VPN Protocol connection packet.

By detecting the ASCII string "PX-VPN2-PROTOCOL" (16 bytes) within a TCP/IP
protocol data stream, you can detect any usage of the PacketiX VPN Protocol.

If you are using snort, you could make the following type of signature:

# Snort expects a rule to carry a sid; 1000001 is a placeholder from the local range.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PacketiX VPN 2.0 Connection"; content:"PX-VPN2-PROTOCOL"; sid:1000001; rev:1;)

Important Points

1. We do not guarantee that the signature given above will always function properly.
2. We do not guarantee that the "PX-VPN2-PROTOCOL" packet will always be sent for
all network environments.
3. It is possible to mistakenly detect usage of the PacketiX VPN Protocol by using the
method given above. For example, if a document or e-mail sent across the
network contains the phrase "PX-VPN2-PROTOCOL" it would mistakenly be picked
up as the PacketiX VPN Protocol connection packet.
4. The above information is only relative to the PacketiX VPN 2.0 build
number/version referred to in this manual. This information may not apply to other
versions of the software.
5. The snort signature given above can successfully detect PacketiX VPN 2.0
communication but cannot block (filter) it. After you have used the above method
to detect packets containing the string "PX-VPN2-PROTOCOL" you can take the
packet's source IP address, destination IP address, and destination TCP port and
filter packets to the Internet to successfully block (filter) VPN communication. This
type of filtering is generally not possible with intrusion detection systems (IDS)
such as snort. You may have to take the results given by snort (or some other
IDS) and write a script to automatically add that data into your firewall's packet
filtering rules. (Because each IDS and/or firewall system is different, please
consult with the administrators in charge of these systems, or contact the vendor
for details on how to perform these operations.)
6. If the VPN client must go through a proxy server to perform a VPN connection (for
example, within a company that requires all traffic to the Internet be routed
through a proxy server), you should add the filtering rule as described above
between the client and the proxy server.
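The detection and blocking steps described above, as an added Python example that is not part of the manual: it reassembles each TCP flow so the 16-byte marker is matched even when it straddles two segments (a detector that only looks at single packets misses that case), reports the source/destination/port needed for the firewall rule in point 5, and shows the point 3 false positive on an e-mail that merely quotes the string. The Segment record, the sample traffic and the iptables rule form are all constructed here and are not something the manual specifies.

```python
"""Flow-aware detector for the PacketiX VPN 2.0 connection marker.

Added example, not part of the original manual. It scans constructed TCP
segments, reassembling each flow's payload so that the 16-byte marker is
found even when it is split across two segments, and turns each hit into
the source/destination/port block rule that Important Point 5 describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The 16-byte ASCII string documented in section 12.4.3.
MARKER = b"PX-VPN2-PROTOCOL"


@dataclass
class Segment:
    """One TCP segment, as a sensor or pcap reader would hand it to us (assumed shape)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


FlowKey = Tuple[str, int, str, int]


@dataclass
class FlowState:
    # The last len(MARKER)-1 payload bytes of the flow, kept so that a marker
    # split across two segments is still matched.
    tail: bytes = b""
    hit: bool = False


def scan_segments(segments: List[Segment]) -> List[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) once per flow whose stream carries MARKER."""
    flows: Dict[FlowKey, FlowState] = {}
    hits: List[Tuple[str, str, int]] = []
    for seg in segments:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        state = flows.setdefault(key, FlowState())
        if state.hit:
            continue  # report each flow only once
        window = state.tail + seg.payload
        if MARKER in window:
            state.hit = True
            hits.append((seg.src_ip, seg.dst_ip, seg.dst_port))
        state.tail = window[-(len(MARKER) - 1):]
    return hits


def block_rule(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Firewall rule for one hit, in iptables syntax (adapt to your own firewall)."""
    return (f"iptables -I FORWARD -p tcp -s {src_ip} -d {dst_ip} "
            f"--dport {dst_port} -j REJECT")


# Constructed sample traffic; addresses come from documentation ranges, not real hosts.
SAMPLE_SEGMENTS = [
    # Flow 1: a VPN Client whose marker is split across two segments.
    Segment("10.0.0.5", 51234, "203.0.113.10", 443, b"\x00\x10PX-VP"),
    Segment("10.0.0.5", 51234, "203.0.113.10", 443, b"N2-PROTOCOL\x00\x01"),
    # Flow 2: ordinary traffic with no marker.
    Segment("10.0.0.7", 49152, "198.51.100.20", 443, b"\x16\x03\x01\x00\xc8\x01"),
    # Flow 3: an e-mail that merely quotes the string. It is flagged too, which is
    # exactly the false positive Important Point 3 warns about; blocking it would
    # cut off a mail server, so hits need review before rules are pushed.
    Segment("10.0.0.9", 40000, "192.0.2.25", 25,
            b"Subject: IDS rule\r\n\r\nMatch on PX-VPN2-PROTOCOL please.\r\n"),
]


def main() -> None:
    for src, dst, port in scan_segments(SAMPLE_SEGMENTS):
        print(f"marker seen {src} -> {dst}:{port}")
        print("  " + block_rule(src, dst, port))


if __name__ == "__main__":
    main()
```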

Other VPN Protocol Detection Methods

Using the above method you can easily detect any usage of the PacketiX VPN Protocol.
However, if you want to prevent employees on your corporate network from making any
type of VPN connection, not just with PacketiX VPN, you will need to detect and/or
intercept all types of VPN protocol connections.

Internal users can still connect to an external VPN server and send/receive information
through other VPN protocols such as PPTP, IPSec, SSH, SOCKS, SSL-VPN, and many
more. SSL-VPN products have notably been gaining popularity in recent years. Most of
these products use packets that are indistinguishable from HTTPS packets, so you have
to be very careful in order to detect them.


12.5 Error Codes

While you are using the PacketiX VPN 2.0 software you may see an error message, an
error code, or both at the same time. This section provides a list so that you can
easily look up the error message for a given error code, and discusses the main causes
of these errors.

Error 1: Connection to server failed. Check network connection, and
address and port number of destination server.

This error occurs when a connection attempt to the hostname/IP address and port
entered by the user fails. When this error occurs you should check to make sure your
computer is connected to the network and that the hostname/IP address and port
number you entered is correct.

Error 2: Protocol error occurred. Error was returned from destination
server.

This error is displayed when a VPN client computer attempts to establish a connection to
a VPN server, but the VPN server returns an error. When this error occurs you should
check to make sure that the VPN server software is functioning properly and that the
hostname/IP address and port number is correct. Also, you should update the VPN
server software and the VPN client software to the latest versions if they are out of date.

Error 3: Connection was disconnected.

This error occurs when you are making an administrative connection to the VPN server
software or to the VPN client software via VPN Client Manager and the network suddenly
fails, the remote software abnormally shuts down, the connection is dropped by the user
or the system, or the service is restarted. If you encounter this error, try reconnecting to
the server.

Error 4: Protocol error occurred.

This error occurs when a VPN client computer attempts to establish a connection to a
VPN server and an error occurs during the SSL initialization stage. When this error
occurs you should check to make sure that the VPN server software is functioning
properly and that the hostname/IP address and port number is correct. This error often
occurs when port 443 on the VPN server computer is being used by some other software
and you are attempting to connect to PacketiX VPN Server on that port. This error can
also be caused by a proxy server or transparent firewall.

Error 5: A client that is not PacketiX VPN software has connected to the
port.

This error occurs when software other than the VPN client software connects to an open
listener port on the VPN server computer. If this error is being reported constantly in
your log files then the listener port provided by the VPN server could be getting port
scanned.

Error 6: A user issued the cancel command.

This error occurs when a user (including the system administrator) cancels a process
while it is still running. This error is almost always caused by the user and is normally
nothing to worry about.

Error 7: The server denied the specified authentication method.

This error occurs when a VPN client computer requests an authentication method that is
not available on the VPN server computer.

Error 8: The specified Virtual HUB does not exist on the server.

This error occurs when a VPN client computer connects to a VPN server computer and
the specified Virtual HUB name does not exist on that VPN server.

Error 9: User authentication failed.

This error occurs when a VPN client computer attempts to connect to a VPN server
computer's Virtual HUB, but the user could not be authenticated. This is commonly due
to a user error such as specifying the wrong authentication method, inputting the wrong
username or password, providing the wrong certificate and private key, etc. Check over
all of your authentication information and try the connection again.

Error 10: The specified Virtual HUB is currently stopped. Wait for a while
and then reconnect.

This error means that the specified Virtual HUB was set to "Offline" status at the time
when the connection was made. If the Virtual HUB is not online then it can not receive
incoming connection requests from VPN client computers.

Error 11: The VPN session was deleted. It is possible that either the
administrator disconnected the session or the connection from the client
to the VPN Server was disconnected.

This can occur if an administrator forcibly closes the VPN session while a VPN connection
is established between a VPN client and VPN server, or the VPN server computer and/or
Virtual HUB were restarted and the session times out. In most cases this problem can be
solved by re-establishing the VPN session.

Error 12: Access was denied.

This error occurs when a VPN client makes some request to a VPN server, or a command
is given to the VPN server from an administration tool such as VPN Server Manager or
vpncmd that is not allowed under the client's access privileges. This error could also be
displayed when a user attempts to connect to a VPN but their account is disabled.

Error 13: Time-out occurred during VPN session communication. It is
possible the connection from the client to the VPN Server was
disconnected.

This error occurs if network conditions become unstable while a VPN session is
established between a VPN client and VPN server. In most cases this problem can be
solved by re-establishing the VPN session.

Error 14: Protocol number is invalid.

This error is generally never displayed.

Error 15: There are too many TCP/IP connections.

This error is generally never displayed.

Error 16: There are too many sessions connected to either the
destination server or Virtual HUB.

This error occurs when a VPN client attempts to connect to a VPN server's Virtual HUB,
but the maximum number of simultaneous sessions allowed by that server or Virtual
HUB has already been reached, so a new session cannot be created.

Error 17: Connection to proxy server failed.

This error occurs when a VPN client attempts to connect to a VPN server via an HTTP or
SOCKS proxy server, but a connection to the specified proxy server could not be
established. If you encounter this error, check your proxy server settings and try again.

Error 18: An error occurred on the proxy server.

This error occurs when a VPN client attempts to connect to a VPN server via an HTTP or
SOCKS proxy server, but some error is encountered after the connection to the
designated proxy server is established. In most cases this error occurs when attempting
to make a VPN connection through a proxy server that cannot be used in such a way. If
you encounter this error, check your proxy server settings and try again. Also, check
with your proxy server's administrator to find out exactly what type of error is occurring
on the proxy server.

Error 19: User authentication failed on the proxy server.

This error occurs when a VPN client attempts to connect to a VPN server via an HTTP or
SOCKS proxy server, but the specified username and password were rejected by the
proxy server.

Error 20: There are too many sessions by the same user.

This error is generally never displayed.

Error 21: A license error occurred on the VPN Server. Contact the VPN
Server's administrator.

This error occurs when the VPN server software running on the remote VPN server
computer is a trial version, an expired version, or a beta version. Contact your VPN
Server administrator.

Error 22: Cannot access the Virtual Network Adapter device driver.
Check the Virtual Network Adapter is installed and make sure it isn't
disabled.

This error can occur if the Virtual Network Adapter's device driver is disabled by the
operating system or the device driver file(s) are corrupted, regardless of whether or not
the Virtual Network Adapter needs to be used.

Error 23: An internal error occurred.

This error does not occur very often, but when it does it is usually because an invalid
value was entered for some parameter by the user during the configuration process.

Error 24: Access to either the smart card or USB hardware token device
failed.

This error occurs when an attempt is made to use a smart card, but it can not be
accessed. If you encounter this error make sure that you have selected the proper smart
card type, the card is connected to the card reader, and that the card's drivers are
installed and recognized by the computer. Also, if the card reader needs to be initialized,
ensure that the initialization process has been completed.

Error 25: The PIN code is incorrect.

This error occurs when the PIN code you entered to use your smart card is incorrect. Be
careful, because if the PIN code is incorrectly entered too many times you will be unable
to use the card anymore for security reasons.

Error 26: The specified certificate is not stored on either the smart card
or the USB hardware token device.

This error occurs when the certificate object specified by the user does not exist on the
smart card.

Error 27: The specified private key is not stored on either the smart card
or the USB hardware token device.

This error occurs when the private key object specified by the user does not exist on the
smart card.

Error 28: Write operation targeting either the smart card or USB
hardware token device failed.

This error occurs when an object is to be written to a smart card, but the action fails.
Ensure that the smart card has enough available free space and has write access.

Error 29: Cannot find specified object.

This error occurs in many places. In most cases it is encountered when an object name
specified by the user is not registered on the system.

Error 30: A Virtual Network Adapter with the specified name already
exists. Specify a different name.

This error occurs when the name of the Virtual Network Adapter attempting to be
registered already exists.

Error 31: Installation of the Virtual Network Adapter device driver
failed.

This error occurs when the device drivers fail to install when creating a new Virtual
Network Adapter. If you encounter this error, try running the VPN client software
process (vpnclient) in service mode or with Administrator/root privileges.

Error 32: You cannot use the specified name for a Virtual Network
Adapter device name.

This error occurs when the name specified by the user contains characters that cannot
be used when naming a Virtual Network Adapter. You may only use alphanumeric
characters and a few specific symbols when naming Virtual Network Adapters.

Error 33: Not supported.

This error occurs when the function specified by the user is not supported by the system.
For example, this error would occur if a command is made to create a Virtual Layer 3
Switch to PacketiX VPN Bridge 2.0.

Error 34: A connection setting with the specified name already exists.

This error occurs when the name specified when creating a new connection configuration
is the same as an already existing one.

Error 35: The specified connection setting is currently connected.

This error occurs when the user attempts to connect a connection configuration that is
already in the process of connecting or has already successfully made a connection.

Error 36: The specified connection setting does not exist.

This error occurs when the specified connection configuration name does not match any
existing connection configurations.

Error 37: The specified connection setting is not connected.

This error occurs when the user attempts to close a VPN connection, but the connection
configuration is not connecting/connected.

Error 38: Invalid parameter.

This error can occur for many different reasons. In most cases it occurs because an
invalid value was entered for some parameter by the user during the configuration
process.

Error 39: Error occurred on smart card or USB hardware token.

This error occurs when an attempt is made to access the smart card, but the hardware
returns an error.

Error 40: Authentication of smart card or USB hardware token was
selected but the device to be used has not been selected. Select this
from the [Smart Card] menu of Connection Manager.

This error occurs when the smart card device to use for authentication has not been
selected.

Error 41: The specified Virtual Network Adapter is being used by at least
one connection setting. Either delete the connection setting that is using
this Virtual Network Adapter or change Virtual Network Adapter that
this connection setting is using.

This error occurs when an attempt is made to delete a Virtual Network Adapter, but it is
being used by a connection configuration. When deleting Virtual Network Adapters,
delete any connection configurations that use them first.

Error 42: Cannot find the Virtual Network Adapter that the specified
connection setting is using. Make sure this Virtual Network Adapter
exists. Also make sure the Virtual Network Adapter device has not been
disabled. If you cannot resolve the problem, either change the Virtual
Network Adapter being used by this connection setting or create a new
Virtual Network Adapter with the same name.

This error can occur if the Virtual Network Adapter's device driver is disabled by the
operating system or the device driver file(s) are corrupted, regardless of whether or not
the Virtual Network Adapter needs to be used.

Error 43: The Virtual Network Adapter used by the specified connection
setting is already being used by a different connection setting. If there
is a different connection setting that is using the same Virtual Network
Adapter, disconnect that connection setting.

This error occurs when a Virtual Network Adapter is assigned to two or more connection
configurations and a second connection configuration tries to use it while it is already
in use by another.

Error 44: The Virtual Network Adapter being used by the specified
connection setting has been disabled. Before using this connection
setting, enable the Virtual Network Adapter and change its status so
that use is possible.

This error can occur if the Virtual Network Adapter's device driver is disabled by the
operating system or the device driver file(s) are corrupted, regardless of whether or not
the Virtual Network Adapter needs to be used.

Error 45: The specified value is invalid.

This error can occur for many different reasons. In most cases it occurs because an
invalid value was entered for some parameter by the user during the configuration
process.

Error 46: The connection destination is not a cluster controller.

This error occurs when a command normally given to a cluster controller is given to
some other type of VPN server software.

Error 47: Making connection attempt.

This error means that a connection to the cluster controller is still being attempted and
has not yet been established.

Error 48: Connection to cluster controller failed.

This error occurs when a cluster member server can not connect to the cluster
controller.

Error 49: The cluster controller was unable to assign a new session on a
cluster.

This error occurs when a cluster controller fails to assign a VPN session to a VPN Server
on the cluster.

Error 50: Unable to manage the Virtual HUB of the cluster member
server.

This error occurs when trying to configure the options on a cluster member server's
Virtual HUB. In a clustered environment all Virtual HUB administration and/or
configuration must be done via the cluster controller.

Error 51: The user password used to connect was blank and this
prevented connection from remote. If a blank password is used, it is
only possible to connect from the VPN Server's local computer localhost
(127.0.0.1).

This error occurs when no password is set on the server for the user attempting to make
a remote connection, so the user cannot be authorized for remote access. If you
encounter this error, first connect to localhost on the computer running the server
software and set a password.

Error 52: Authorization is insufficient.

This error occurs when a user attempts to execute a command when they do not have
the required privileges to do so.

Error 53: Cannot find specified listener.

This error occurs when the specified listener port does not exist.

Error 54: The listener of the specified port number already exists.

This error occurs when the user attempts to create a listener port that already exists.

Error 55: This is not a cluster member server.

This error occurs when a user attempts an operation intended for a cluster member
server on a machine other than a cluster member server.

Error 56: The specified encryption algorithm name is not supported.

This error occurs when the user specifies an SSL encryption algorithm not supported by
the VPN server.

Error 57: The Virtual HUB with the specified name already exists on the
server.

This error occurs when the user attempts to register a new Virtual HUB with the same
name as a Virtual HUB already existing on the server.

Error 58: There are too many registered Virtual HUBs. No more can be
registered. Delete the old Virtual HUBs.

This error occurs when the user attempts to register a new Virtual HUB on a VPN server
which already contains the maximum number of Virtual HUBs that it can handle.

Error 59: The cascade connection with the specified name already
exists.

This error occurs when the user attempts to register a new cascade connection with the
same name as a cascade connection already existing on the server.

Error 60: A cascade connection cannot be created on a server on a
cluster.

This error occurs when the user attempts to create a cascade connection on a VPN
server in a clustered environment.

Error 61: The specified cascade connection is offline.

This error occurs when the user specifies an offline cascade connection where an online
cascade connection is required.

Error 62: There are too many registered access lists.

This error occurs when there are a large number of access lists registered to a Virtual
HUB and no more can be created.

Error 63: There are too many registered users.

This error occurs when there are a large number of users registered on a Virtual HUB
and no more can be created.

Error 64: There are too many registered groups.

This error occurs when there are a large number of groups registered on a Virtual HUB
and no more can be created.

Error 65: The specified group does not exist.

This error occurs when the specified group name does not exist on the Virtual HUB.

Error 66: The user with the specified name already exists on the Virtual
HUB.

This error occurs when the user tries to create a user with the same name as one that
already exists on the Virtual HUB.

Error 67: The group with the specified name already exists on the
Virtual HUB.

This error occurs when the user tries to create a group with the same name as one that
already exists on the Virtual HUB.

Error 68: A user with the specified name exists on the server but the
type of authentication is not password authentication. Unable to change
password.

This error occurs when attempting to use the VPN client software to change the
password for a user on the VPN server that is not authenticated via standard password
authentication.

Error 69: The user name or old password you entered is incorrect. The
password is case-sensitive.

This error occurs when attempting to use the VPN client software to change the
password for a user on the VPN server but the specified username or password is
incorrect.

Error 73: Unable to disconnect the cascade connection's session. To
delete the session, stop the cascade connection.

This error occurs when the user mistakenly tries to disconnect a cascade connection
session.

Error 74: The connection setting for connection with the VPN Server is
incomplete. First complete the connection setting for connection with
the VPN Server.

This error occurs when a process is invoked that requires a connection configuration but
there are none registered yet.

Error 75: Connection to the VPN Server has already started.

This error occurs when the connection process to a VPN server computer has already
been started.

Error 76: Not connected to the VPN Server.

This error occurs when the connection process to a VPN server computer has not been
started.

Error 77: The specified X509 certificate file does not hold a RSA 1024 bit
or 2048 bit public key. PacketiX VPN software supports RSA 1024 bit or
2048 bit certificates.

This error occurs when the user specifies an X.509 certificate whose RSA public key is
not 1024 or 2048 bits long.

Error 78: Unable to disconnect the SecureNAT's session. To delete the
session, stop the SecureNAT function.

This error occurs when the user mistakenly tries to disconnect a SecureNAT session.

Error 79: Cannot enable the SecureNAT function in a clustering
environment.

This error occurs when the user attempts to enable SecureNAT on a VPN server in a
clustered environment.

Error 80: The SecureNAT function is not operating.

This error occurs when a process that requires SecureNAT is invoked when SecureNAT is
not active.

Error 81: This connection session to the VPN Server was disconnected
by the firewall device installed by the network administrator. Contact
the network administrator.

This error occurs when a VPN client attempts to connect to a VPN server, but the
connection is intercepted and blocked by a device installed on the network. If you
encounter this error, please consult with your network administrator.

Error 82: Unable to disconnect the local bridge session. To delete the
session, stop the local bridge function.

This error occurs when the user mistakenly tries to disconnect a local bridge session.

Error 83: The local bridge function is not operating.

This error occurs when a process that requires local bridging is invoked when the local
bridging functionality is not active.

Error 84: Local bridge cannot be used on the destination VPN Server.
Refer to online help or other documentation for the setting method
when using local bridge on the VPN Server you are using.

This error occurs when trying to use local bridging with the VPN server software on an
operating system that does not support local bridging.

Error 85: Unable to trust the certificate provided by the destination
server. The setting to always verify the server certificate is enabled in
the connection settings. Either register a root certificate that can be
trusted or register an individual certificate.

This error occurs when the X.509 certificate from the remote VPN server computer can
not be verified.

Error 86: The product code of the destination server is incorrect. It is
not possible to connect from this client.

This error generally never occurs.

Error 87: The client and server versions do not match. Update the
software.

This error occurs when there is a considerable version difference between the VPN server
software and the VPN client software resulting in protocol incompatibility. You should
update the VPN server software and the VPN client software to the latest versions if they
are out of date.

Error 88: Failed to add capture device. It is possible that the same
capture device is already registered.

This error generally never occurs.

Error 89: Unable to connect to the destination server from this client.
Special client software is required.

This error generally never occurs.

Error 90: The specified capture device is not registered.

This error generally never occurs.

Error 91: Unable to disconnect the virtual Layer 3 switch session. To
delete the session, stop the virtual Layer 3 switch.

This error occurs when the user mistakenly tries to disconnect a Virtual Layer 3 Switch
session.

Error 92: A virtual Layer 3 switch with the specified name already
exists. Specify a different name.

This error occurs when the name of the Virtual Layer 3 Switch attempting to be
registered already exists.

Error 93: Cannot find a virtual Layer 3 switch with the specified name.

This error occurs when the specified Virtual Layer 3 Switch has not been registered.

Error 94: The specified name is invalid. Check if the name contains
characters that cannot be used.

This error occurs when the specified name contains characters that cannot be used.

Error 95: Failed to add the virtual Layer 3 interface.

This error occurs when a Virtual Layer 3 Switch could not be added to a VPN server
computer.

Error 96: Failed to delete the virtual Layer 3 interface.

This error occurs when a Virtual Layer 3 Switch could not be deleted from a VPN server
computer.

Error 97: The virtual Layer 3 interface that is connecting to the
destination Virtual HUB of the specified virtual Layer 3 interface already
exists inside the virtual Layer 3 switch. No more than one virtual Layer
3 interface that connects to the same Virtual HUB can be defined in a
single virtual Layer 3 switch.

This error occurs when the specified Virtual Layer 3 Interface's remote Virtual HUB
already has a Virtual Layer 3 Interface pointing to it within the Virtual Layer 3 Switch.

Error 98: Failed to add routing table.

This error occurs when a new routing table fails to be added to a layer 3 switch.

Error 99: Failed to delete routing table.

This error occurs when the specified routing table fails to be deleted from a layer 3
switch.

Error 100: The specified routing table already exists.

This error occurs when the user attempts to add a new routing table to a layer 3 switch
which already contains the same exact routing table.

Error 101: The client clock and the server clock are not synchronized
with each other. Check the time settings.

This error occurs when the clocks on the VPN client computer and VPN server computer
are drastically different from each other.

Error 102: Unable to start this virtual Layer 3 switch. To start the virtual
Layer 3 switch, at least 1 virtual interface must be defined in the virtual
Layer 3 switch.

This error occurs when there are no Virtual Interfaces registered to a Virtual Layer 3
Switch.

Error 103: Not enough client connection licenses for the destination VPN
Server. Contact the server administrator.

This error occurs when the number of VPN sessions equals or exceeds the number of
client connection licenses registered to the VPN server computer and thus no more VPN
sessions (client mode connections) can be established.

Error 104: Not enough bridge connection licenses for the destination
VPN Server. Contact the server administrator.

This error occurs when the number of VPN sessions equals or exceeds the number of
bridge connection licenses registered to the VPN server computer and thus no more VPN
sessions (bridge or router mode connections) can be established.

Error 105: Due to current technical difficulties, the destination VPN
Server is not receiving the connection. Either wait a while, or contact
the VPN Server administrator requesting that the server log file be
checked.

This error generally never occurs. If you do happen to encounter this error, contact your
VPN server administrator.

Error 106: The destination VPN Server's certificate has expired. Contact
the VPN Server's administrator.

This error occurs when the X.509 certificate from the VPN server computer (server
certificate) has expired.

Error 107: A connection was requested in monitoring mode. The security
policy for the user who is using the connection does not include
permission for monitoring mode.

This error occurs when the user attempts to connect to a VPN server's Virtual HUB from
a VPN client in monitoring mode, but the user's security policy does not allow them to
make monitoring mode connections.

Error 108: A connection was requested in bridge / router mode. The
security policy for the user who is using the connection forbids both
bridge mode and router mode.

This error occurs when the user attempts to connect to a VPN server's Virtual HUB from
a VPN client in bridge/router mode, but the user's security policy does not allow them to
make bridge/router mode connections.

Error 109: A connection from a client IP address was denied as a result
of the access control list setting of the VPN Server's Virtual HUB.

This error occurs when the user attempts to connect to a VPN server's Virtual HUB from
a VPN client but their IP address is refused by the Virtual HUB's access control list.

Error 110: There are too many items.

This error can occur in many different situations. Generally it occurs when the user tries
to add an object to a list that is already full and cannot hold any more of that object.

Error 111: Memory is insufficient.

This error occurs when the computer does not have enough memory and the required
amount cannot be allocated.

Error 112: The specified object already exists.

This error can occur in many different situations. Generally it occurs when the user
attempts to add a new object to a list that already contains the same exact object.

Error 113: A fatal error occurred. It is possible that the program
operation is unable to continue.

This error generally never occurs. If you do happen to encounter this error, contact your
VPN server administrator.

Error 114: The destination VPN Server has detected a software license
violation. Connection is refused. Contact the VPN Server's administrator.

This error occurs when trying to connect to a VPN server that is using a single VPN
server software product license key on multiple computers, which is a violation of the
licensing contract.

Error 116: A software license violation was detected on the client side.
Connection is refused.

This error generally never occurs. If you do happen to encounter this error, contact your
system administrator.

Error 117: The command or file name is incorrect.

This error occurs when the user specifies an invalid command in vpncmd.

Error 118: The license key is incorrect.

This error occurs when the user attempts to register an invalid license key to the VPN
server software. If you encounter this error, contact your system administrator.

Error 119: A valid product license is not registered on the VPN Server.
Contact the VPN Server's administrator.

This error occurs when the VPN server computer cannot function as a VPN server
because it does not have a single valid product license registered. If you encounter this
error, contact your system administrator.

Error 120: The product license required for the VPN Server to operate as
a cluster is not registered. Contact the VPN Server's administrator.

This error occurs when the VPN server computer cannot function as a VPN server with
clustering capabilities because it does not have a single valid product license registered
that allows clustering. If you encounter this error, contact your system administrator.


Chapter 13 Support

This chapter provides you with support information about PacketiX VPN 2.0.

13.1 About Support
13.1.1 Support Bundled with Commercial Software Licenses
13.2 Technical Information and Updates From softether.com
13.2.1 Technical Information/Manual
13.2.2 Downloading the Latest Version Updates


13.1 About Support

This section contains information regarding the support for PacketiX VPN 2.0.

13.1.1 Support Bundled with Commercial Software Licenses

When you purchase a PacketiX VPN 2.0 license (product or connection license) you may
also receive a support (maintenance) contract with one of our partners that deals with
PacketiX VPN bundled with it.

Only customers with this contract can receive support for PacketiX VPN 2.0. The types
and coverage of these support contracts vary with each of our partners. For detailed
information please inquire directly when you purchase your PacketiX VPN 2.0 license.

For support requests or questions under the support contract, please contact the
PacketiX VPN partner from your contract.


13.2 Technical Information and Updates From softether.com

SoftEther Corporation always provides our customers with the latest information about
PacketiX VPN on our website at softether.com.

13.2.1 Technical Information/Manual

You can always get the latest technical information about PacketiX VPN and the latest
version of this manual from softether.com.

Access SoftEther Corporation's website at "www.softether.com".

13.2.2 Downloading the Latest Version Updates

The latest version updates for all PacketiX VPN 2.0 software (PacketiX VPN Server 2.0,
PacketiX VPN Client 2.0, and PacketiX VPN Bridge 2.0) can be downloaded and installed
for free provided you have a valid license.

Users with a support contract with one of our PacketiX VPN partners will receive update
modules directly from that partner. Before installing an update module available on the
website, please contact the person in charge of your support.


Change Log

This manual's change log appears below.

Version       Release Date  Changes From Previous Version
2.20.5280     2006/09/05    Changed information to be compatible with Build 5280. Fixed some mistakes and missing text.
2.20.5220.01  2006/09/05    Changed information to be compatible with Build 5220. Fixed some mistakes and missing text.
2.20.5210.01  2006/08/07    PacketiX VPN 2.0 Option Pack. Added information regarding new features found in PacketiX VPN Server 2.0 Carrier Edition, etc.
2.10.5080.02  2006/01/16    Fixed some inconsistencies in the text. Corrected some mistakes/missing text and problems.
2.10.5080.01  2005/12/25    Changed some information to be compatible with PacketiX VPN 2.0 Version 2.10.5080 (Build 5080). Uploaded the manual to SoftEther.com's website.
2.10.5070.02  2005/12/17    Corrected the sub-section numbers in section "1.8 Multiple Language Support". Created the Windows HTML Help version.
2.10.5070.01  2005/12/16    First release.


PacketiX VPN 2.0 Online Manual 2.20.5320


Copyright © 2004-2007 SoftEther Corporation. All Rights Reserved.