07-06-2006 09:08 AM - edited 02-21-2020 01:02 AM
Hi, hope you can help me out here.
We have home workers that connect via BT IP Stream (ADSL) to our IT department. On power-up of the DrayTek router (at the house) they are authenticated by our RADIUS server and are given a 10.180.*.* address; this works fine. Then we open a Cisco client on the PC, put in the passwords, and are given a pool address from our 255 range from our Cisco PIX 525; the address is 192.168.168.14. This works fine and the user can use our network. The problem is when we connect 2 users at the same site (house), connecting to the same 4-port router. On the second PC I open the VPN Client, which cuts off the first user and gives the second user the same address as the first PC, 192.168.168.14. I don't understand, because we have a pool of 255 addresses to give out! Any ideas?
Thanks, Jim.
07-06-2006 10:27 AM
Jim
Could you please post your ip local pool range from your PIX.
It should be something like:
ip local pool
Jay
07-06-2006 10:45 AM
Problem sounds like the issue is with the IP on the outside interface of your user's router. More than likely they are being PAT translated out to the net. By default the VPN is going to use UDP 500 or UDP 4500 for IPSEC over NAT. As soon as your second user connects, this is causing the problem. You cannot have two sessions with the same IP and port. The internal IP address piece of the equation is irrelevant if you are dropping the first tunnel. So that is the first thing you need to check.
To fix this you need to use a non-standard port for your 2nd client. On the VPN 3000 you can specify multiple ports for VPN termination, and in the client software you specify the TCP port you would like to use. Check to see if the PIX has this option as well.
Please rate any helpful posts
Thanks
Fred
07-06-2006 10:59 AM
Here is the doc for PIX 7.1. This section is for configuring IPSEC over TCP. Set up a handful of TCP ports that you can use for situations like this.
Example:
client 1 connects to PIX IP on TCP port 14500
client 2 connects to PIX IP on TCP port 14501
You would then have two unique flows.
Please rate any helpful posts
Thanks
Fred
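As an added model of Fred's explanation (my code, not from this thread or from Cisco): a toy PAT router plus a gateway tunnel table, showing that two raw ESP tunnels from one translated address share a single key on the PIX side, so the second cuts off the first, while NAT-T's UDP 4500 encapsulation gives each PC its own translated port. All addresses and PC names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses, not from the thread: the home router's WAN side and the PIX.
ROUTER_WAN, PIX = "10.180.7.21", "198.51.100.1"

@dataclass(frozen=True)
class Flow:
    proto: str  # "udp" or "esp" (ESP, IP protocol 50, has no port numbers)
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

class PatRouter:
    """Toy PAT: rewrites the source to the WAN address and gives each inside (ip, port)
    pair its own WAN port. ESP has no port field, so every ESP flow looks identical outside."""
    def __init__(self, wan_ip: str):
        self.wan_ip, self.ports, self.next_port = wan_ip, {}, 1024
    def translate(self, f: Flow) -> Flow:
        if f.proto == "esp":
            return Flow("esp", self.wan_ip, None, f.dst, None)
        key = (f.src, f.sport)
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.next_port += 1
        return Flow(f.proto, self.wan_ip, self.ports[key], f.dst, f.dport)

class VpnGateway:
    """Tunnels are keyed by what the gateway sees on the wire; a new tunnel with
    the same key replaces the old one (the 'second PC cuts off the first')."""
    def __init__(self):
        self.tunnels = {}
    def connect(self, client: str, f: Flow) -> Optional[str]:
        key = (f.proto, f.src, f.sport)
        evicted = self.tunnels.get(key)
        self.tunnels[key] = client
        return evicted

def simulate(nat_traversal: bool) -> list:
    """Connect two PCs behind one PAT router; return the clients that got cut off."""
    pat, gw, cut_off = PatRouter(ROUTER_WAN), VpnGateway(), []
    for client, inside in (("pc1", "192.168.1.10"), ("pc2", "192.168.1.11")):
        if nat_traversal:  # NAT-T: ESP wrapped in UDP 4500, so PAT can assign a port
            f = Flow("udp", inside, 4500, PIX, 4500)
        else:              # raw ESP, IP protocol 50: nothing for PAT to multiplex on
            f = Flow("esp", inside, None, PIX, None)
        old = gw.connect(client, pat.translate(f))
        if old is not None:
            cut_off.append(old)
    return cut_off
```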
07-06-2006 12:40 PM
Thanks for the advice, guys.
I'm in work in the morning; I'll take another look and let you know how I go on. Watch this space.
Jim
07-06-2006 01:51 PM
Jim,
I just thought of one more thing. I'm not sure if, when you enable IPSEC over TCP, it uses the same port for source and destination like default UDP 500 does. I'm assuming it will, but if it doesn't then you might be able to get away with the single port, though a unique one. It won't hurt to set up multiple ports, but you might not have to manually change the VPN Client settings on the 2nd PC to be the second port. If you get around to implementing this, let me know if the 2nd port was required.
Thanks
Fred
07-07-2006 01:44 AM
Hi Fred
You've been spot on all the way. Our PIX is software 6.3, so I put in the command isakmp-net-traversal.
All works great now with no change to the client at all. Are there any problems doing this rather than IPSEC over TCP?
Cheers Jim
07-07-2006 06:35 AM
Nope, if that works for you then run with it. I mainly would use IPSEC over TCP to pass through firewalls where administrators block UDP 500 and UDP 4500. The advantage is you can use a well-known port so you can still get your tunnel through.
Glad that your issue is resolved.
Thanks
Fred
07-26-2006 02:31 AM
Just a quick follow-up question, please. When one of the above people connects via the VPN Client we have no problem. When the second person connects we also have no problem with either connection. But when the first person disconnects and tries to reconnect, they cannot without rebooting the DrayTek router. Any ideas?
Jim