Solved

For LRMOORE: More 2 VPN router issues

Posted on 2004-10-14
9
210 Views
Last Modified: 2011-09-20
I got the Linksys router, but I still can't do 2 concurrent VPN sessions.

Additional information. I called Linksys, and it took a while for them to realize I'm interested in running VPN into a corporate server, not being a web server myself. At that point, they immediately told me that the router only supports one concurrent IPsec session. If you try to start a second, the first will be dropped, which is exactly the behavior I'm seeing.

I asked why the specs say the router can run 25 or more concurrent VPN sessions. The explanation is that the router itself can be the VPN server, and that in that case I wouldn't have to run VPN software on each client, sort of like a corporate bureau setting going into a larger server farm.

The problem I have with this is that I have clients on the home network that I don't want to use the VPN at all. They have nothing to do with corporate, like my kids' machines, and I don't want their traffic going through the company. Also, there are times I want to use one of these clients for private browsing without having the corporate police see what's going on.

So, when I asked about running two VPN (UDP, IPsec) concurrent sessions, they said I had to find out the port number and open it on the router. I have no clue what this means, or what the implications of it are.

The good news is that it does file and printer sharing regardless of the VPN being on or off or switched in the middle.
0
Question by:joemz
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12315798
Which model did you buy?
What VPN client are you using?
0
 

Author Comment

by:joemz
ID: 12317660
Linksys wvr54g, and the firmware has been upgraded to the latest rev; Cisco VPN Client 4.0.2a.
0
 

Author Comment

by:joemz
ID: 12317882
Some more playing shows the following:

My corporation maintains two server sites, and a remote client (me) can choose to connect to either of them for the vpn.  The data is the same either way, but they operate the two sites and provide independent access probably for failover purposes.  So, when I start the vpn I can say connect to site 1, or connect to site 2.

At home, I cannot have my two clients both connected to either site 1 or site 2.

However, I just discovered that I can have one client connected to site 1, and the other client connected to site 2.

Therefore, the way I see it, I seem to be able to have two IPsec sessions running concurrently, as long as they're not going to the same corporate VPN server location.

????
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12318947
OK, well at least it does support more than one VPN - just not to the same remote endpoint..

On your Cisco VPN client, do you use "Enable Transparent Tunneling" over UDP?
Do you have IPSEC passthrough enabled on the Linksys?
0

 

Author Comment

by:joemz
ID: 12319440
IPsec, PPTP and L2TP are all ENABLED.

As far as Enable Transparent Tunneling over UDP, I haven't found any setting for that. Under Security/VPN there is a place to enter tunnel numbers, and then enable VPN tunnel and VPN gateway. Nothing is set for that. But I don't think that is the setting you're referencing.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12319582
On your VPN client, Options/Advanced Mode
Select the Connection Entry, Modify, Transport Tab...
Which of these are selected?
                             
Authentication  || Transport ||  Backup Servers   |  Dial-up
-------------------------------------------------------------------
[x] Enable Transparent Tunneling
     (*) IPSec over UDP (NAT/PAT)
     ( ) IPSec over TCP        TCP Port: [ 10000  ]


[x] Allow Local LAN Access

0
 

Author Comment

by:joemz
ID: 12319668
Yes, Enable Transparent Tunneling, IPsec over UDP and Allow Local LAN Access are set for the clients on both machines.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 12319853
Just checking...looks like the correct setup.

So, are you pleased with the results so far, just don't quite understand?

The issue is that no router/firewall can create multiple port maps from UDP 4500 on the inside (that's what the transparent tunneling over UDP sets it to) to the same external IP port 4500.
  PC1 192.168.1.100  UDP 4500  -------- UDP 4500 Server1
  PC2 192.168.1.101  UDP 4500 /

But there is no problem with having multiple remote servers
If you Disable Allow IPSEC passthrough on the Linksys, and enable IPSEC over TCP, (must also be allowed on the remote end),
then you have more ability to map multiple TCP ports. These are configurations that must be specifically supported at the server end... Try playing around with those settings and see what you can get away with..
Uncheck Enable Transparent Tunneling completely  - what happens
Check Enable Transparent Tunneling, IPSec over TCP  - what happens
Back to the existing if those fail.

I might expect on one or the other that you will get one-way communication only (packets out, no packets in in the counters)


0
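To make the port-mapping argument in the accepted solution concrete, here is a small NAT model. This is an added example, not code from the thread or anything Linksys ships. The addresses are constructed, and the two translation policies are assumptions: a port-preserving NAT that keeps a single binding per WAN port and destination (which reproduces the "second session replaces the first" symptom and the observation that two different corporate sites work fine, because the destination is part of the binding key), and a full NAPT that rewrites the source port, included to show what a mapping would have to look like for both PCs to reach the same server on UDP 4500.

```python
"""Toy model of NAT bindings for two inside hosts doing IPsec NAT-T (UDP 4500).

Added illustration for this thread; addresses and policies are constructed
assumptions, not the behaviour of any specific router firmware.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (assumptions, not from the thread).
PC1, PC2 = "192.168.1.100", "192.168.1.101"
SERVER1, SERVER2 = "198.51.100.1", "198.51.100.2"
NAT_T = 4500  # UDP port the Cisco client uses for "IPSec over UDP (NAT/PAT)"

# Binding key as seen from the outside: (WAN source port, dst ip, dst port).
OutsideKey = Tuple[int, str, int]
Inside = Tuple[str, int]  # (inside ip, inside port)


@dataclass
class Nat:
    # True: keep the inside source port on the WAN side (one binding per
    # WAN port + destination).  False: full NAPT, rewrite the port if taken.
    preserve_ports: bool
    table: Dict[OutsideKey, Inside] = field(default_factory=dict)
    evicted: List[Inside] = field(default_factory=list)
    next_ephemeral: int = 40000

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        """Translate an outbound packet and return the WAN source port used."""
        inside = (src_ip, src_port)
        # Existing binding for this inside host to this destination: reuse it.
        for key, who in self.table.items():
            if who == inside and key[1:] == (dst_ip, dst_port):
                return key[0]
        if self.preserve_ports:
            key = (src_port, dst_ip, dst_port)
            if key in self.table and self.table[key] != inside:
                # wan:4500 -> server:4500 already belongs to another inside
                # host; a port-preserving box can hold only one, so the
                # first session loses its binding ("the first will be dropped").
                self.evicted.append(self.table[key])
            self.table[key] = inside
            return src_port
        # Full NAPT: take the preferred port if free, else an ephemeral one.
        port = src_port
        while (port, dst_ip, dst_port) in self.table:
            port = self.next_ephemeral
            self.next_ephemeral += 1
        self.table[(port, dst_ip, dst_port)] = inside
        return port

    def inbound(self, src_ip: str, src_port: int, wan_dst_port: int) -> Optional[Inside]:
        """Reply arriving from a server: which inside host receives it?"""
        return self.table.get((wan_dst_port, src_ip, src_port))


def run(preserve_ports: bool, second_target: str) -> dict:
    """PC1 connects to SERVER1; PC2 connects to `second_target`."""
    nat = Nat(preserve_ports)
    p1 = nat.outbound(PC1, NAT_T, SERVER1, NAT_T)
    p2 = nat.outbound(PC2, NAT_T, second_target, NAT_T)
    return {
        "wan_ports": (p1, p2),
        "evicted": list(nat.evicted),
        "server1_reply": nat.inbound(SERVER1, NAT_T, p1),  # where site 1 replies land
        "pc2_reply": nat.inbound(second_target, NAT_T, p2),
    }


if __name__ == "__main__":
    print("port-preserving, same site :", run(True, SERVER1))
    print("port-preserving, two sites :", run(True, SERVER2))
    print("full NAPT, same site       :", run(False, SERVER1))
```

With the port-preserving policy, PC2 connecting to SERVER1 takes over the single wan:4500 to server:4500 binding, so SERVER1's replies now go to PC2 and PC1's tunnel stops receiving packets (the "packets out, no packets in" counters mentioned above). Point PC2 at SERVER2 instead and both bindings coexist, because the destination differs. Only a NAT that is willing to rewrite the source port can hold two inside hosts on the same outside server and port.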
 

Author Comment

by:joemz
ID: 12320248
If I were able to see the forest for the trees, I would have realized that even with the old Belkin router I was able to connect to two different VPNs at the same time. When my wife works at home, she goes to her company, I go to mine, and we've never had conflicts. It was only when I tried to connect both of my clients to the SAME VPN server that I got into trouble.

So, I wonder if I need the expensive Linksys at all? Its advantage at this time is that it supports WEP and WPA, something the real old Belkin didn't.

Thank you, another case solved.
0
