XPost: comp.security.firewalls   
   From: mike-newsgroup@-DELETETHISPART-.upcraft.com   
      
   Leythos wrote:   
   > In article , jcring@switch.com says...   
   >   
   >>In article , Leythos wrote:
   >>   
   >>>In article <1104960769.560560.54360@f14g2000cwb.googlegroups.com>,   
   >>>srp336@getcoactive.com says...   
   >>>   
   >>>>I've got two users trying to hit our VPN concentrator (Cisco 3005) from   
   >>>>behind some sort of firewall. I'm not sure yet of the details of the   
   >>>>firewall, but I'm trying to find that out.   
   >>>>   
   >>>>These two users cannot be connected at the same time.   
   >>>>   
   >>>>They're both making PPTP connections to us with the built-in W2K   
   >>>>client. [...]   
   >>>>   
   >>>>What's the simplest way to allow both these users to connect at the   
   >>>>same time?   
   >>>   
   >>>It would be about impossible for two users behind a router using the   
   >>>same public IP address to make a PPTP connection to the same server at   
   >>>the same time.   
   >>   
   >>Or stop using PPTP and change to IPsec and enable NAT-T.   
   >   
   >   
   > I bet that won't help when the same two users are behind the same   
   > router. Most of the SOHO units have an IPSec & PPTP pass-through option,   
   > but it can't handle more than one session at a time. Some of the newer   
   > (higher end) units can handle two sessions.   
      
   I believe that when he said NAT-T he is implying NAT Traversal mode. If   
   the VPN server supports NAT Traversal then each connection gets assigned   
   a different port number so that NAT routers can easily do the address   
   translation for multiple users. This means that the NAT router does not   
   need an application level gateway for IPSEC to function with multiple   
   users. This mode is not part of standard IPSec so to use it you must   
   have a VPN server and client that can interoperate in this mode.   
      
   And it's not a function of only higher end units to handle two sessions.   
    There are cheap routers that can handle multiple PPTP sessions to the   
   same endpoint. I have a Netopia R3386-ENT that can handle multiple   
   sessions to the same endpoint. It cost only $100, and has its own   
   built in IPSEC and PPTP VPN server capability built in. Hardly a high   
   end device but it works well. It all depends on the firmware and   
   support from the manufacturer. I bet there are high end devices that   
   won't pass multiple PPTP sessions to the same endpoint.   
      
      
   --   
   WARNING! Email address has been altered for spam resistance.   
   Please remove the -deletethispart-. section before replying directly.   
   Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)   
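
Added example (not part of the original post, and not any vendor's code): a toy Python model of the NAT behaviour discussed in this thread, showing why port-less ESP or GRE traffic from two inside hosts to one server collapses onto a single mapping, while NAT-T's UDP encapsulation gives each client its own translated port. It assumes a NAT with no IPsec/PPTP helper; the class and function names, addresses and port pool are hypothetical.

```python
from dataclasses import dataclass, field

ESP, GRE, UDP = 50, 47, 17   # IP protocol numbers
NAT_T_PORT = 4500            # UDP port carrying NAT-T encapsulated ESP

@dataclass
class ToyNat:
    """Minimal NAPT model (assumption: no PPTP/IPsec application helper)."""
    next_port: int = 40000                      # constructed port pool start
    table: dict = field(default_factory=dict)   # reply key -> inside flow

    def outbound(self, inside_ip, proto, server_ip, sport=None, dport=None):
        """Record a mapping for an outbound packet and return its reply key."""
        if proto == UDP:
            flow = (inside_ip, sport, server_ip, dport)
            for key, owner in self.table.items():
                if owner == flow:
                    return key                  # existing flow keeps its port
            key = (UDP, server_ip, dport, self.next_port)
            self.next_port += 1
            self.table[key] = flow
        else:
            # ESP and GRE have no TCP/UDP ports: all this NAT can key on is
            # the protocol number and the remote address, so the first
            # inside host to connect owns the only possible mapping.
            key = (proto, server_ip)
            self.table.setdefault(key, (inside_ip, None, server_ip, None))
        return key

    def inbound(self, key):
        """Return the inside host a reply with this key is delivered to."""
        owner = self.table.get(key)
        return owner[0] if owner else None

def reachable_clients(proto, clients, server_ip="203.0.113.10"):
    """Every client opens a tunnel to one server; return who gets replies."""
    nat = ToyNat()
    port = NAT_T_PORT if proto == UDP else None
    keys = [nat.outbound(c, proto, server_ip, port, port) for c in clients]
    return sorted({nat.inbound(k) for k in keys})

if __name__ == "__main__":
    lan = ["192.168.1.10", "192.168.1.11"]      # constructed inside hosts
    for name, proto in (("ESP", ESP), ("GRE", GRE), ("NAT-T/UDP", UDP)):
        print(name, reachable_clients(proto, lan))
```

A router that does pass multiple PPTP sessions to one endpoint has to key on more than protocol and address, which this model deliberately leaves out.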
      