
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,202 of 2,348   
   Walter Roberson to Anubis   
   Re: multiple vpn connections from same I   
   16 Sep 04 21:53:42   
   
   XPost: comp.security.firewalls, comp.dcom.sys.cisco,
   microsoft.public.windowsxp.work_remotely
   From: roberson@ibd.nrc-cnrc.gc.ca   
      
   In article <1b58b4f1.0409161317.21eb40b2@posting.google.com>,   
   Anubis  wrote:   
   :I got a rather specific question:   
   :Me and my colleague are connecting to a Cisco VPN server with our   
   :Cisco VPN clients from different computers in our office network. The   
   :VPN server, which resides in another country, "receives" our   
   :connections from the same IP (our xDSL internet connection dynamic IP   
   :address).   
   :This seems to work, but only for a few minutes (10 or so). After   
   :working for a few minutes our connection is "reset by peer".   
   :Of course this delays our work and we would like to stay connected   
   :until we disconnect ourselves (like it does when we use different   
   :internet connections).   
      
   :Anyone has any idea how we can solve this?   
   :Maybe I didn't mention this clearly enough, but we're residing in the   
   :same network and connecting through a router to the xDSL modem.   
      
   Do the disconnects coincide with other people starting up sessions?   
   If so then your problem is that the protocols used for VPNs (AH, ESP, and   
   sometimes GRE) do not have 'ports' so it is not possible for your xDSL   
   router to figure out -which- internal client to send an incoming AH, ESP,   
   or GRE packet to.   
      
   If this is what is happening to you then the solution is to use VPN client   
   3.5 or later; use software on the VPN server that is no older than roughly   
   the beginning of 2003; configure any filters or firewalls on your xDSL   
   router to allow UDP port 4500 in both directions, and to configure the   
   VPN server to have "NAT Traversal" enabled. With that all done, the   
   VPN client and VPN server will negotiate UDP ports to communicate   
   over, and will encapsulate the IPSec packets within UDP. Note that   
   as the UDP is dynamically allocated, your filters or firewall must allow   
   the dynamic port range through. If your firewall happens to be a   
   Cisco PIX then you could have it do that automatically by using   
   6.3(2) or later and configuring  isakmp nat-traversal 20  -- that will   
   tell the PIX to monitor the nat traversal negotiations and automatically   
   open the proper ports.   
      
   --   
      Warhol's Law: every Usenet user is entitled to his or her very own   
      fifteen minutes of flame                  -- The Squoire   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
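
The port problem described in the reply above, as an added example that is not part of the original post: a toy many-to-one NAT table showing why two LAN clients sending raw ESP to the same server collide, while ESP encapsulated in UDP port 4500 stays separable. The ToyNat class, the addresses and the port pool are constructed for illustration, and the model assumes a router that keeps one passthrough entry per protocol and remote address.

```python
# Added illustration: a toy NAPT (port-overloading NAT) table, not real router code.
ESP, UDP = 50, 17          # IP protocol numbers (AH is 51, GRE is 47)
NAT_T_PORT = 4500          # UDP port used for IPsec NAT traversal


class ToyNat:
    """Minimal model of an xDSL router doing many-to-one address translation."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000    # constructed start of the dynamic port pool
        self.by_key = {}          # inbound lookup key -> internal host
        self.out_port = {}        # (inside_ip, sport, remote_ip, dport) -> public port

    def outbound(self, inside_ip, remote_ip, proto, sport=None, dport=None):
        """Record state for a packet leaving the LAN; return the inbound lookup key."""
        if proto == UDP:
            flow = (inside_ip, sport, remote_ip, dport)
            if flow not in self.out_port:
                self.out_port[flow] = self.next_port   # unique public source port
                self.next_port += 1
            key = (UDP, remote_ip, dport, self.out_port[flow])
        else:
            # ESP/AH/GRE carry no ports: only protocol and remote address remain.
            key = (proto, remote_ip)
        self.by_key[key] = inside_ip   # newest sender silently replaces the old one
        return key

    def inbound(self, key):
        """Return the internal host a reply matching `key` is delivered to."""
        return self.by_key.get(key)


def simulate(proto):
    """Two LAN clients talk to one VPN server; return who receives each reply."""
    nat = ToyNat("203.0.113.7")                  # constructed documentation addresses
    server = "198.51.100.10"
    clients = ["192.168.1.10", "192.168.1.11"]
    keys = [nat.outbound(c, server, proto, NAT_T_PORT, NAT_T_PORT) for c in clients]
    return [nat.inbound(k) for k in keys]


if __name__ == "__main__":
    print("raw ESP      :", simulate(ESP))   # both replies land on the second client
    print("UDP/4500 ESP :", simulate(UDP))   # each client receives its own replies
```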
