10-23-2002 06:52 AM - edited 03-09-2019 12:47 AM
Scenario: Husband/Wife work for same company. Company has a VPN 3030 box. They each have their own laptop with VPN Client code 3.6.1 for Windows (using Win2K). Each also have their own id.
Problem:
Husband connects first, using his laptop, successfully to 3030...wife tries next, connecting using her laptop to the same 3030. When she does, husband's connection drops and she can get on. This seems to occur most likely because the Linksys is doing NATing and the VPN 3030 sees the same Linksys address come on and drops the first one.
Question: How can I fix this? We have many 'happily' married couples in our company! What does work is if one points their client to one VPN 3030 and the other points their client to a backup 3030; then they both get on successfully.
10-23-2002 09:02 AM
Just got this working last night on a Linksys BEFW11S4 -- the wireless equivalent to your router.
You need to enable Transparent Tunneling, but over TCP, not UDP:
http://www.cisco.com/warp/public/471/vpn3k_ipsec_tcp.html#second
This solved our problem not only with the Linksys, but with Belkin and SMC router/firewalls as well.
--Darryl
10-23-2002 09:27 AM
Thanks for your response...things look good now.
10-23-2002 10:57 AM
I attempted this, and ran into something interesting. The PC trying to connect used to kick the 1st one right off its VPN connection. Now, the 1st stays connected, but the second PC, the user cannot authenticate. It keeps asking for the user password.
Scott
10-23-2002 01:17 PM
Scott,
1) Linksys has a problem/limitation of allowing only 1 tunnel on UDP port 500 (straight IPsec). Here is Linksys's link describing this:
http://kb.linksys.com/cgi-bin/om_isapi.dll?clientID=268504&QuestionText=can%20we%20support%20multiple%20IPsec%20connections&SelectName1=&advquery=%5bs%5d%5bRank%2c%2050%3a%5bSum%3a%20can%20we%20support%20multiple%20IPsec%20connections%5d%5bMerge%3a%2...={311}&softpage=IKW_ENU_JDocView
This is the case if on the VPN client under Properties|General tab Enable Transparent Tunneling is not checked.
If you want multiple clients behind the Linksys, check on Enable Transparent Tunneling and also check either UDP or TCP.
With NAT-T over UDP the Linksys will use source port 4500 for the 1st client, then choose another source port for the 2nd client and so on....
You can verify which source ports the Linksys used by checking the connection detail on the VPN 3000 Administration Sessions and drilling down on the tunnel, for the IPSec session.
For NAT over TCP it's basically the same thing. The client generates a random source port; the Linksys will use this port or generate a new source port to connect to the VPN 3000 destination port (i.e. 1000 by default).
In either case, firewalls in between will need to allow UDP=4500, TCP=1000 (or any other port you defined).
Summary:
It's the NAT device that has to generate a new source port (UDP/TCP) for multiple connections to be identifiable by the headend VPN 3000.
Hope this helps.
Nelson
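The mechanism Nelson describes above, modelled as an added example that is not part of this thread and not Cisco or Linksys code: a tiny NAT translation table plus a headend session table keyed by (public IP, source port). Without Transparent Tunneling both laptops reach the 3000 from the same address and port 500, so the second login displaces the first; with NAT-T the router hands the first client port 4500 and the second a fresh source port, and both sessions stay up. The inside/outside addresses, usernames and the ephemeral port pool are constructed; the TCP port 1000 default and UDP 4500 come from the thread, and the firewall check assumes NAT-T starts IKE on UDP 500 while IPsec over TCP carries everything on the single TCP port.

```python
"""Model of why two IPsec clients behind one NAT router collide at the headend
unless Transparent Tunneling (NAT-T over UDP 4500, or IPsec over TCP) is enabled.

Constructed illustration for this thread; not Cisco VPN 3000 or Linksys code.
"""
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Minimal model of the home router's outbound translation table."""
    public_ip: str
    port_translation: bool            # True: router may pick a fresh source port per inside flow
    table: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> outside_port
    next_free: int = 40000            # constructed ephemeral pool for the 2nd, 3rd... client

    def translate(self, inside_ip: str, inside_port: int):
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.public_ip, self.table[key]
        in_use = set(self.table.values())
        if self.port_translation and inside_port in in_use:
            # Another inside host already owns this outside port: allocate a new one
            # (per the thread: 4500 for the first client, another port for the second).
            while self.next_free in in_use:
                self.next_free += 1
            outside_port = self.next_free
            self.next_free += 1
        else:
            # Pass-through: source port preserved, so every client looks identical outside.
            outside_port = inside_port
        self.table[key] = outside_port
        return self.public_ip, outside_port


class Headend:
    """Session table keyed by the peer as the VPN 3000 sees it: (public IP, source port)."""

    def __init__(self):
        self.sessions = {}   # (peer_ip, peer_port) -> username

    def connect(self, peer, username):
        """Register a session; return the username displaced if the peer tuple was in use."""
        displaced = self.sessions.get(peer)
        self.sessions[peer] = username
        return displaced

    def active_users(self):
        return sorted(self.sessions.values())


CLIENTS = [("192.168.1.100", "husband"), ("192.168.1.101", "wife")]   # constructed


def simulate(transparent_tunneling: bool):
    """Bring the two clients up in order; return (active users, per-connect events)."""
    nat = NatRouter("203.0.113.10", port_translation=transparent_tunneling)   # constructed IP
    head = Headend()
    client_port = 4500 if transparent_tunneling else 500   # NAT-T vs. straight IKE/IPsec
    events = []
    for inside_ip, user in CLIENTS:
        peer = nat.translate(inside_ip, client_port)
        displaced = head.connect(peer, user)
        events.append((user, peer, displaced))
    return head.active_users(), events


def missing_firewall_rules(allowed, mode: str, tcp_port: int = 1000):
    """(proto, port) pairs an in-path firewall still lacks for the chosen tunneling mode.

    Assumption: NAT-T over UDP needs UDP 500 (IKE) plus UDP 4500; IPsec over TCP
    needs only the configured TCP port (1000 is the value quoted in the thread).
    """
    needed = {("udp", 500), ("udp", 4500)} if mode == "udp" else {("tcp", tcp_port)}
    return needed - set(allowed)


if __name__ == "__main__":
    for mode in (False, True):
        users, events = simulate(mode)
        print(f"transparent tunneling={mode}: active={users}")
        for user, peer, displaced in events:
            note = f" (displaced {displaced})" if displaced else ""
            print(f"  {user} -> {peer}{note}")
    print("missing rules for NAT-T:", missing_firewall_rules({("udp", 500)}, "udp"))
```

Running it shows the symptom from the first post (only "wife" active once she connects) followed by the fixed behaviour (both active on distinct source ports), which is also what you would expect to see when drilling into the IPSec session detail under Administration | Sessions on the 3000.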