
routes. They use connection servers to establish communication. Clients receive information about other hosts, their access parameters, and their status from their IP address servers (see IP address server on page 382). By default, the IP address server and connection server roles are performed by one coordinator. If necessary, you can assign another coordinator as the IP address server for your client. Clients detect connection parameters automatically by using connection servers.

Each coordinator receives information about other hosts from the other coordinators it is linked with. Coordinators may connect to an external network in one of the following ways:

• Connecting to an external network directly (see Connecting without a Firewall on page 89). In this case, you need to disable the firewall.

• Connecting through another coordinator (see About Connecting via a Coordinator on page 91).

• Connecting via a firewall with dynamic NAT (see About Connecting via a Firewall with Dynamic Address Translation on page 93).

• Connecting via a firewall with static NAT (see About Connecting via a Firewall with Static NAT on page 96).

Tip: We recommend specifying connection parameters for coordinators centrally in the ViPNet Administrator Network Control Center or ViPNet Network Manager program.

Client-to-client connections are established in the following way:

• Before a client initiates a connection to another host, it must have a working channel to its connection server. If the client communicates through a NAT device, it keeps this channel open by periodically sending IP packets to the connection server; by default, every 25 seconds. With most NAT devices this interval is sufficient to keep the mapping to the connection server alive. If necessary, you can change the interval.

• Once the channel to its connection server is established, the client initiates the connection to the remote host. It sends test IP packets to the remote host via its own connection server and, at the same time, via the remote host's connection server and directly to the remote host.

• If the test IP packets reach the remote host, the remote host registers the connection and starts sending its response IP traffic directly. Having received the response traffic from the remote host, the client also starts sending its IP traffic to the remote host directly.

If the test IP packets reach only the remote host's connection server, that connection server registers the connection and forwards the remote host's response IP packets directly to the client. In other words, the client establishes either a direct connection with the remote host or a connection via the remote host's connection server. If the client receives no response IP packets from either the remote host or its connection server, communication continues through the client's own connection server.

Figure 33. Communication between ViPNet hosts

Thus, the ability to communicate over the shortest route without involving coordinators increases the throughput of encrypted IP traffic and reduces the load on coordinators.

Note: The described workflow applies only if ViPNet software version 4.2.x or later is installed on all hosts communicating with each other.

In addition, ViPNet connections have the following specifics:

• If routes are configured on the hosts, the connection between clients is established according to those routes, through the gateways rather than through coordinators.

• If the remote host is not behind a NAT device, the client's connection server remembers that the connection can be established directly. Next time, if the remote host's location has not changed, no test IP packets are sent and IP traffic is exchanged directly at once.

• Clients located behind devices with dynamic NAT can still communicate directly. This is possible because connection servers tell clients the IP addresses and ports at which other hosts can be reached through their NAT devices; the servers learn this data from the source addresses of the IP packets they receive from clients.

Using this information, clients send test IP packets to each other at the registered IP addresses and ports. If at least one side receives the test IP packets, the clients begin to exchange all their traffic directly. In other words, a direct connection is established if at least one of the NAT devices keeps the same external port for a host each time that host sends IP packets to different IP addresses. Direct communication between clients is impossible if both NAT devices allocate a new port each time IP packets are sent to a new IP address; this is how so-called symmetric NAT works. In this case, the connection between such clients will be established through one of their

• A direct connection to a remote client behind a dynamic NAT device remains possible for 75 seconds (three keep-alive intervals, the period of sending IP packets to the connection server) after the previous connection was broken.

• If a client is behind a static NAT device, you need to fix the UDP encapsulation port in the program settings. Otherwise, the port may change and the client will not be able to connect to other hosts.
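The following simulation is an added example, not ViPNet code: it models the client-to-client test-packet exchange described above (registration with the connection server, test packets to the peer's registered address, direct reply to the real source address) together with the rule about NAT types from the list above. It assumes two simplified NAT behaviours: "cone" keeps one external port per internal socket and accepts inbound packets from any IP the socket has already sent to; "symmetric" allocates a new external port for every (socket, destination) pair and accepts packets only from that exact destination. The addresses and the UDP port 55777 are constructed for the example, and the relay paths through the two connection servers are reduced to a single "via connection server" outcome.

```python
"""Simulation of direct vs relayed client-to-client connectivity through NAT.

Added example, not ViPNet code. Two simplified NAT behaviours are modelled:
  cone      - one external port per internal socket; inbound packets are
              accepted from any IP the socket has already sent to
  symmetric - a new external port for every (socket, destination) pair;
              inbound packets are accepted only from that exact destination
Addresses and the UDP port 55777 are constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]


class Nat:
    def __init__(self, public_ip: str, kind: str, first_port: int = 40000):
        assert kind in ("cone", "symmetric")
        self.public_ip = public_ip
        self.kind = kind
        self._ports = count(first_port)
        self.mappings: Dict[object, int] = {}   # mapping key -> external port
        self.allowed: Dict[int, set] = {}       # external port -> permitted sources

    def _key(self, internal: Addr, dst: Addr):
        return internal if self.kind == "cone" else (internal, dst)

    def outbound(self, internal: Addr, dst: Addr) -> Addr:
        """Translate an outgoing packet and return its external source address."""
        port = self.mappings.setdefault(self._key(internal, dst), next(self._ports))
        # cone filters on the peer IP only, symmetric on IP and port
        self.allowed.setdefault(port, set()).add(dst[0] if self.kind == "cone" else dst)
        return (self.public_ip, port)

    def inbound(self, ext_port: int, src: Addr) -> Optional[Addr]:
        """Return the internal socket an incoming packet reaches, or None if dropped."""
        probe = src[0] if self.kind == "cone" else src
        if probe not in self.allowed.get(ext_port, set()):
            return None
        for key, port in self.mappings.items():
            if port == ext_port:
                return key if self.kind == "cone" else key[0]
        return None


@dataclass
class Host:
    name: str
    addr: Addr                  # the address the host itself binds
    nat: Optional[Nat] = None   # None: public address, no NAT in front
    received_from: List[Addr] = field(default_factory=list)


def send(sender: Host, dst: Addr, hosts: List[Host]) -> bool:
    """Deliver one UDP packet through the NATs. True if it reached a host."""
    src = sender.nat.outbound(sender.addr, dst) if sender.nat else sender.addr
    for h in hosts:
        if h.nat is None and h.addr == dst:
            h.received_from.append(src)
            return True
        if h.nat is not None and h.nat.public_ip == dst[0] and h.nat.inbound(dst[1], src) == h.addr:
            h.received_from.append(src)
            return True
    return False


def connect(a: Host, b: Host, server: Host, hosts: List[Host], rounds: int = 3) -> str:
    """Run the test-packet exchange and report which path the traffic takes."""
    # 1. Each client keeps a channel to its connection server; the server records
    #    the external address:port the client's NAT allocated for that channel.
    registry = {}
    for c in (a, b):
        send(c, server.addr, hosts)
        registry[c.name] = server.received_from[-1]
    # 2. Both sides send test packets to the peer's registered address. The first
    #    packet may be dropped but opens the sender's NAT for the peer, so the
    #    exchange is repeated a few times (the periodic sending in the text).
    a_reached_b = b_reached_a = False
    for _ in range(rounds):
        a_reached_b = send(a, registry[b.name], hosts)
        b_reached_a = send(b, registry[a.name], hosts)
        if a_reached_b or b_reached_a:
            break
    # 3. A side that received a test packet answers to the packet's real source
    #    address; if that reply gets through, all traffic goes direct.
    if a_reached_b:
        direct = send(b, b.received_from[-1], hosts)
    elif b_reached_a:
        direct = send(a, a.received_from[-1], hosts)
    else:
        direct = False
    return "direct" if direct else "via connection server"


def scenario(kind_a: Optional[str], kind_b: Optional[str]) -> str:
    """Two clients (NAT kind, or None for a public address) and a public connection server."""
    server = Host("server", ("203.0.113.1", 55777))
    a = Host("A", ("192.168.1.10" if kind_a else "198.51.100.10", 55777),
             Nat("198.51.100.1", kind_a) if kind_a else None)
    b = Host("B", ("10.0.0.20" if kind_b else "192.0.2.20", 55777),
             Nat("192.0.2.1", kind_b, first_port=50000) if kind_b else None)
    return connect(a, b, server, [server, a, b])


if __name__ == "__main__":
    for ka, kb in [("cone", "cone"), ("cone", "symmetric"), ("symmetric", None),
                   ("symmetric", "symmetric")]:
        print(f"A={ka or 'public':9} B={kb or 'public':9} -> {scenario(ka, kb)}")
```

Running the script shows the rule from the list above: any pairing in which at least one side is public or behind a cone-type NAT ends up direct, because that side accepts the peer's test packet and its reply travels back through the mapping the peer's own NAT just created; two symmetric NATs never exchange a test packet, so the traffic stays on the connection server.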

Connecting without a Firewall
