A virtual private network (VPN) is a way to use a public telecommunication infrastructure,
such as the Internet, to provide remote offices or individual users with secure access to
their organization's network. In the past, companies would have rented expensive systems of leased lines to build
a private network that only they could use. A VPN provides the same capabilities at a much lower cost.
A VPN works by using the Internet while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP) or IPSec. In effect, private data, being encrypted at the sending end and decrypted at the receiving end, is sent through a "tunnel" that cannot be "entered" by any other data.
Definition: IPSec (Internet Protocol Security) provides security services at the IP layer
by enabling a system to select required security protocols, determine the algorithm(s)
to use for the service(s), and put in place any cryptographic keys required to provide
the requested services. The IPsec architecture is described in the RFC-2401 (www.ietf.org RFC-2401).
IPSec has been selected to be embedded in IPv6. IPSec is strong because it was designed to be
strong and replace some older methods like PPTP.
Today IPSec is the most secure way to access the corporate network from the Internet. Here are some reasons why:
Definition: Network Address Translation (NAT) is designed to relieve IT managers' frustration over
scarce public IP addresses. A NAT device takes a packet's originating private IP address and
translates that address into a public IP address before sending the packet across the Internet
to its destination. NAT devices use an internal table to keep track of translated addresses but
unfortunately manipulate the packet's original IP header, which impairs IPSec's ability to function.
An IETF (Internet Engineering Task Force) group worked out a solution called NAT Traversal
(NAT-T RFC-3193). NAT Traversal is now widely implemented in routers and appliances.
TheGreenBow VPN Client supports NAT-T drafts 1, 2 and 3 (including UDP encapsulation).
The differences between Transport mode and Tunnel mode can be defined (www.ietf.org RFC-2401) through the following network configurations:
TheGreenBow VPN Client supports both modes.
Computer authentication by IPSec is performed by using preshared keys or computer certificates.
A pre-shared key identifies one party during Authentication Phase. Per definition, "Pre-shared"
means you have to share it with another party before you can establish a secure VPN tunnel.
The strongest method of authentication is the use of a PKI and certificates. However, smaller organizations cannot afford the implementation of a PKI system and a well managed preshared key method can be easier and just as powerful.
TheGreenBow VPN Client supports both modes.
Please see our IPSec versus SSL page where we compare both technologies.
DPD or "Dead Peer Detection" is an Internet Key Exchange (IKE) extension (i.e. RFC3706)
for detecting a dead IKE peer. This mechanism is used by the Redundant Gateway feature.
Yes. A new checkbox appeared in VPN Client release 5.0 to disable DPD easily. Go to the
"Configuration Panel" > "Global Parameters" > then uncheck the 'Dead Peer Detection (DPD)' checkbox.
Releases which support old Windows versions:
|Windows XP /Server 2003||VPN Client 5.55|
|Windows 2000 Server||VPN Client 4.51|
|Windows 98||VPN Client 3.11|
Also have a look at the VPN Client for Android.
TheGreenBow VPN Client is now available in many languages (e.g. English, French, German, Portuguese, Spanish, ...). Check our supported languages list, increasing daily, to find your language.
The language can be selected during software installation of the VPN Client.
Do you want to have TheGreenBow VPN Client in your own language? Go to VPN Client localization,
download the VPN Client strings file and translate it into your own language.
The localization process is very simple and the translation in your language will be available on our next release.
TheGreenBow VPN Client is compatible with all IPSec routers compliant with the existing standards (IKE & IPsec).
Check our Certified VPN Products list, increasing daily, to find your VPN gateway.
If the equipment you are looking for is not in this list, please contact our tech support and we will work with you to certify it. We will need the configuration file, the log file from the "Console" window and a screenshot of the router configuration page.
We've made available for download VPN Configuration Guides for most of the gateways we support on our web site
support section, and there are some on Linksys. VPN Configuration Guides are either written by our partners
or by our engineering team.
We do support Linksys RV082 and Linksys BEFVP41. You might want to look at our answer about Linksys WRV54G.
We've made available for download VPN Configuration Guides for most of the
gateways we support on our web site, and there are some on Cisco. VPN Configuration Guides are either written
by our partners or by our engineering team.
We do support Cisco gateways like Cisco PIX501, Cisco ASA 5510, Cisco PIX 506-E, Cisco 871, Cisco 1721.
Yes. We do support NAT Traversal Draft 1 (enhanced), Draft 2 and 3 (full implementation). IP address emulation.
Yes, the VPN Client does support "Mode-Config". "Mode-Config" is an Internet Key Exchange
(IKE) extension that enables the IPSec VPN gateway to provide LAN configuration such as DNS/WINS
server addresses to the remote user's machine (i.e. VPN Client). If "Mode-Config" is
not supported by the remote gateway, the DNS and WINS server IP addresses of the remote LAN can be defined
in the VPN Client, to help users resolve intranet addresses.
TheGreenBow VPN Client is fully compatible and qualified with Linksys WRV54G firmware 2.37 and later.
Please download Linksys WRV54G VPN Configuration Guide.
The Linksys WRV54G firmware 2.25.2 does not accept IPSec connections from any VPN Clients with dynamic IP addresses. However, there is a workaround. You need to set up the VPN Client's IP address in the Linksys configuration. Linksys has released a newer firmware since then. You might want to test it: click here
TheGreenBow VPN Client is fully compatible and qualified with Linksys RV082 and Linksys BEFVP41 (see also Compatible VPN Products list or download VPN Configuration Guides).
UDP port 500 and UDP port 4500 must be open and ESP protocol (protocol number 50) must be allowed.
According to Microsoft support, in most cases, IPSec VPN traffic does not pass through ISA Server 2000.
For more details about ISA server 2004, read Q838379 in Microsoft Knowledge Base
This field is the virtual IP address that the VPN Client will have inside the remote subnet. With most VPN gateways,
this address must not belong to the remote network subnet.
For example, if you use a VPN gateway with a subnet 192.168.0.0/255.255.255.0, you should use in "VPN Client address" a value like 192.168.100.1 or 10.10.10.1.
Take the case where you choose an unused IP address inside the subnet, such as 192.168.0.200. When the VPN Client sends a TCP or a UDP packet to a target remote computer 192.168.0.x, this target will send an ARP request inside its subnet in order to get the VPN Client's MAC address and reply directly to it. But this request cannot receive any answer because the client is not physically present inside the subnet. So, initial packets from the client will not be answered.
If your VPN gateway can answer this ARP request for the VPN Client, you can fill "VPN Client address" field with an IP address belonging to remote subnet.
You might want to download our VPN Client User Guide.
It is possible to run the standard VPN Client setup in "silent" mode. You need to download
the whole procedure described in this document: VPN Deployment Guide
Yes, TheGreenBow VPN Client is fully compatible and qualified with Cisco Linksys WRVS4400N, Cisco Linksys WRV200 as well as Cisco Linksys RV082 and BEFVP41.
(see also Certified VPN Gateway list or download VPN Configuration Guides).
Yes. It is possible to define a Redundant Gateway in the VPN Client. Redundant Gateway can offer
to remote users a highly reliable secure connection to the corporate network. The Redundant Gateway
feature allows TheGreenBow VPN Client to open an IPSec tunnel with an alternate gateway in case
the primary gateway is down or not responding. Remote gateway failure is detected by "Dead Peer
Yes. A specific IKE Port can be set. To do so, go to global 'Parameters' in the Configuration Panel and enter
the right port into the 'IKE Port' field and 'NAT-T port' fields.
TgbStarter.exe and TgbIke.exe are components of TheGreenBow VPN Client.
When I try to activate the software, it doesn't succeed (I got an error message).
You can find a complete help guide about the activation on our Online Software Activation Help Guide.
You can also get your software activated at anytime, by following the procedure described on our Manual Software activation.
A test (or demo) VPN Configuration is a VPN configuration designed by TheGreenBow Techsupport team to connect
to our online IPSec VPN gateways and servers. Those are always live and you can use them to test your
network environment at any time. The test VPN Configuration is embedded into the VPN Client.
Check out online help or download the test VPN Configuration file below.
Yes, license can last several weeks. For further details, contact our sales team.
It is possible. Go to Configuration Panel>Phase2 and click on scripts. In the Script window,
you can select the application you want to start before or after a tunnel opens or closes.
Yes. TheGreenBow supports several two-factor and two-way authentication Tokens to store users' personal credentials,
such as private keys, passwords and digital certificates. Please see the Certified Token List.
To make it work, please proceed through the following steps:
For more information on the negotiation of NAT Traversal in IKE see IETF RFC 3948 (UDP Encapsulation of IPsec Packets),
IETF RFC 3947 (Negotiation of NAT-Traversal in the IKE) or draft "draft-ietf-ipsec-nat-t-ike-08".
Also see the TCP and UDP ports list.
Here are the negotiation Phases in VPN connection and their default VPN Ports when TheGreenBow VPN Client software is behind any router:
|Phase||Default Port||Where to modify the ports?|
|Phase1 negotiation||UDP Port 500||Go to 'Config Panel' > 'IKE Port'|
|Phase2 negotiation||UDP Port 4500||Go to 'Config Panel' > 'NAT-T Port'|
|Traffic after IPSec/IKE negotiation||Stays on last port defined|
In some hotels, hotspots or airports, the UDP port 500 and 4500 for outgoing traffic might be prohibited, preventing any outgoing VPN
Connections to your corporate network. So it is necessary to configure IKE and NAT-T ports accordingly.
Here is an example of alternative VPN Port in Configuration Panel (i.e. remember this only affects UDP protocol):
|IKE Port||NAT-T Port|
If you decide to use non-default VPN ports (i.e. other than UDP 500 & UDP 4500), the destination router (i.e. at the edge of your corporate network)
must be configured to reroute the incoming traffic associated with the newly selected VPN ports onto the default UDP 500 & UDP 4500 so that it is
properly routed to the IPSec service. Here is the diagram for the example above, knowing that some router models do not provide the capability
to reroute ports within themselves and two routers might be needed:
Here is a Linux Firewall configuration file when your VPN router does not provide the capability to reroute ports within itself and you want to add a front-end firewall:
Yes. When setting up a new VPN Tunnel,
You might want to download our VPN Client software User Guide.
Yes. SHA-1 and SHA-2 256-bit are supported. MD5 is also supported. See full list in the datasheet.
It is possible to force all Internet traffic into the VPN tunnel. When this is done, all Internet traffic is routed through the remote gateway instead of the remote user's network, so the remote user's network IP address is virtually hidden from visited websites, which see the remote gateway IP address instead. The corporate network may apply additional traffic scanning to increase security.
The VPN Configuration is simple and requires 3 steps:
Note: Some VPN Gateway/Routers may not support this feature (i.e. hub&spoke: '0.0.0.0/0'). If supported, you'll need to create a rule to authorize wan to wan traffic.
Yes. WWAN stands for Wireless Wide Area Network or Wireless WAN, and is now supported by several 3G/4G wireless modem/board manufacturers.
It uses mobile telecommunication cellular network technologies such as WIMAX, UMTS, GPRS, CDMA2000, GSM, HSDPA or 3G/4G to transfer data.
WWAN connectivity allows a user with a laptop and a WWAN card to surf the web, check email, or connect to a virtual private network (VPN)
from anywhere within the regional boundaries of cellular service.
Microsoft has introduced the WWAN miniport adapter to support it. The WWAN miniport adapter is used to manage establishment, configuration, packet transmission, packet reception and disconnection of NDIS-based data connections.
All manufacturers must support "Mobile Broadband Driver Model Specification" for Windows 7 based on NDIS6.20 miniport driver model. See our list of 3G modem/adapters.
In Windows Vista or Windows 7, the VPN Client might become unstable when restarting from Sleep or Hibernate mode. If you meet this problem, disabling "Gina mode" will fix this issue.
Yes. You can add multiple IPsec VPN tunnels (IKEv1 or IKEv2) and multiple SSL VPN tunnels starting with the VPN Client 6.1 release.
Yes. A test (or demo) VPN Configuration is a VPN configuration designed by TheGreenBow Techsupport team to connect
to our online IPsec VPN gateways and servers.
Those are always live and you can use them to test your network environment at any time. This test VPN Configuration is specific to our IPv6 ready IPsec VPN Client 6.0 and further.
The VPN Client 6.0 and further doesn't support Windows XP.
Yes. This makes the life of IT managers easier by managing a single IP address for each remote user on multiple networks simultaneously.
You just need to create multiple VPN tunnels within the same Phase1 and multiple Phase2. Add also the following settings:
If the home network (user home) and corporate network have the same subnet, and the user at home wants to print on a local printer,
the VPN Client has to be configured to avoid sending traffic to corporate network when destination is local.
The feature to use is the restriction of traffic based on range of IP addresses.
In the use case above assuming LAN1 (192.168.133.x), LAN2 (192.168.133.y), we are going to limit the following ranges LAN1 (x->1-20), LAN2 (y->30-50). Doing so, all traffic outside the range defined is routed on local network (LAN1).
Here is the configuration of the VPN Client and the VPN Gateway:
1) VPN Client configuration:
2) VPN gateway configuration:
Note: Please contact our support if you want to configure your VPN Client this way.
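The range-based split described above, worked through as an added example (not TheGreenBow's code or configuration). It uses the addresses from the use case; the conversion of the tunneled range to CIDR blocks goes beyond the text and assumes a gateway that only accepts subnet selectors, and all function names are hypothetical.

```python
import ipaddress

# Values from the use case above: home and corporate LANs share 192.168.133.0/24.
SHARED_SUBNET = ipaddress.ip_network("192.168.133.0/24")
LOCAL_RANGE = ("192.168.133.1", "192.168.133.20")    # LAN1 hosts (x -> 1-20)
TUNNEL_RANGE = ("192.168.133.30", "192.168.133.50")  # LAN2 hosts (y -> 30-50)


def _bounds(rng):
    """Parse a (first, last) pair and reject reversed or mixed-family ranges."""
    first, last = (ipaddress.ip_address(a) for a in rng)
    if first.version != last.version or first > last:
        raise ValueError(f"invalid range: {rng}")
    return first, last


def ranges_overlap(a, b):
    """True when two inclusive address ranges share at least one address."""
    a_first, a_last = _bounds(a)
    b_first, b_last = _bounds(b)
    return a_first <= b_last and b_first <= a_last


def route_for(dst, tunnel_range=TUNNEL_RANGE):
    """Return 'tunnel' if dst falls inside the restricted range, else 'local'."""
    first, last = _bounds(tunnel_range)
    return "tunnel" if first <= ipaddress.ip_address(dst) <= last else "local"


def range_to_cidrs(rng):
    """Smallest list of CIDR blocks covering exactly the inclusive range."""
    first, last = _bounds(rng)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def check_plan(subnet, local_range, tunnel_range):
    """Collect configuration problems; an empty list means the plan is consistent."""
    problems = []
    for name, rng in (("local", local_range), ("tunnel", tunnel_range)):
        if not all(a in subnet for a in _bounds(rng)):
            problems.append(f"{name} range leaves {subnet}")
    if ranges_overlap(local_range, tunnel_range):
        problems.append("local and tunnel ranges overlap: destination is ambiguous")
    return problems


if __name__ == "__main__":
    print(check_plan(SHARED_SUBNET, LOCAL_RANGE, TUNNEL_RANGE) or "plan is consistent")
    print(range_to_cidrs(TUNNEL_RANGE))
    # Constructed destinations: a home printer, a corporate host, an unlisted address.
    for dst in ("192.168.133.10", "192.168.133.35", "192.168.133.60"):
        print(dst, "->", route_for(dst))
```

An address outside both ranges, such as 192.168.133.60, stays on the local network, so corporate hosts must be numbered inside the tunneled range to be reachable.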
To force all traffic in VPN tunnel except traffic to local network, the VPN Client has to be configured to force
sending traffic to corporate network when destination is not local.
The feature to use is the restriction of traffic based on range of IP addresses. Here is the configuration of the VPN Client:
1) VPN Client configuration:
2) VPN Client configuration:
Note: Please contact our support if you want to configure your VPN Client this way.
Yes. This feature allows managing a secure network with sensitive application within the corporate network.
Users need to open a VPN tunnel to the corporate network and then open another VPN tunnel to access the second network. They are also called 'nested' VPN tunnels.
In the use case above assuming LAN1 (192.168.133.x) is the corporate network with a Gateway1, and LAN2 (192.168.10.y) is the other secure network within the corporate network, with a Gateway2 (WAN:192.168.133.1, LAN: 192.168.10.1).
Here is the configuration of the VPN Client:
1) VPN tunnel#1:
2) VPN tunnel#2:
TheGreenBow VPN Client supports heterogeneous IPv4 and IPv6 networks on the LAN and WAN sides, either on corporate or user home networks.
The feature 'Auto' (for IPv4/IPv6) enables you to support those complex environments.
Depending on the mix of IPv4 and IPv6 networks you might use one of the following VPN configuration guide lines:
VPN Phase 1
VPN Phase 2
We do make available for download a complete guide of messages from TheGreenBow VPN Client console
with explanations and resolving hints. If this document does not help you, send us all the exchanges with RECV and SEND lines.
Keep log levels to "0" and click on "Save file".
Log file can be found in C:\Program Files\TheGreenBow\TheGreenBow VPN.
If you have the following logs, that means the remote VPN server does not answer the client's IKE requests.
Take a look at remote VPN server logs and check if requests from the client are received.
If you find no trace, IKE requests must have been dropped somewhere. Check any firewall (including computer Personal Firewall)
that can be found between the VPN Client and the VPN server.
When logs look like the ones below, the IPSec VPN tunnel is established. Now you should be able to ping any device
on your VPN server LAN. TheGreenBow VPN Client configuration is correct.
If you still cannot ping the remote LAN, here are a few guidelines:
For full trace with explanations and resolving hints, please see our Troubleshooting document.
TheGreenBow recommends customers using a Broadcom chipset integrated with some Dell or HP laptops to
update driver bcmwl5.sys to the most recent release. This driver causes blue screen intermittently even
if our VPN Client is not installed.
Intel Adapter Switching Utility causes blue screen when TheGreenBow VPN Client is installed.
If you have an Intel Pro/Wireless 2100 or 2200, follow these steps in the given order.
Upon reboot the laptop will re-detect the wireless card and install the drivers for it. It will not
install the Intel PROset drivers. The wireless card should still function, but the added functionality
of the adapter switching will not be available. Windows will then manage the wireless profiles instead
of the Intel PROset utilities.
For more details, see the Intel technical advisory
Problem: I cannot uninstall VPN Client software, it always asks to first uninstall the previous version.
Solution: You can use our tool to clean the remaining components of VPN Client software.
We strongly recommend users on Windows Vista to upgrade their network adapter drivers with Windows Update. This action can prevent
driver crashes in some network configurations. Also, Windows Vista bug fix pack KB938194 should be installed. More details and
download are available on http://support.microsoft.com/?kbid=938194.
Once TheGreenBow VPN Client is installed on Vista, it might be impossible to open a VPN tunnel. The opening of the VPN tunnel remains
blocked with the following IPSec messages (use the VPN Client console):
This can happen on Windows Vista because the Vista Firewall can forbid IPSec communications.
TheGreenBow VPN IPSec 4.2 (and further): The software automatically creates new rules into the Windows Vista Firewall during software installation so that IPSec VPN traffic is enabled (see "windows firewall" in the User Guide).
Note: In Windows Seven (Wind 7), your profile 'Private' and 'Domain' in existing Windows Firewall rules for TheGreenBow VPN Client is not set accordingly. Please check in Windows Firewall rules and make sure your profile 'Private' and 'Domain' are selected (see step 6 below).
Restriction lifted in TheGreenBow VPN IPSec 4.7 (and further).
TheGreenBow VPN IPSec 4.1: To allow IPSec communications (or verify that they are authorized or restricted), please proceed as follows:
(VPN Client 4.* and 5.0)
In some cases, TheGreenBow NDIS driver may not be updated with a new software installation. To update it, follow the next steps:
The driver should be entirely removed.
(VPN Client 4.* and 5.0)
Microsoft Windows driver installation module might not install 3rd party drivers properly (e.g. TheGreenBow VPN Client ndistgb.inf drivers), especially when Windows is loaded with multiple tasks. Sometimes, registry settings are not performed properly, sometimes, not at all.
There is a simple manual procedure to get you up and running. The required drivers are still in the system, so no additional download should be necessary. Here are the steps:
VPN tunnel might fail to open after upgrade to Windows 10. Check if VPN Client console log shows the following message:
If so, the Windows service IKEEXT should be disabled.
Solution #1: Please proceed through the following steps:
Solution #2: Re-install the VPN Client software (same release number if you don't have 'Update Option', any release number otherwise).
This issue is also known as the "Windows 10 secureboot" issue: some Windows 10 computers are configured with the BIOS secureboot function enabled. This function may cause the VPN drivers of release 6.41 to malfunction. We will soon provide a full setup fixing this issue. Meanwhile, we provide a VPN Driver upgrade, available for download below, which fixes this issue.
1/ What are the symptoms of the issue ?
2/ How to check whether the secureboot function is enabled or not on my computer ?
3/ How to fix the issue ?