Multiple Cisco VPN Clients 2

Status
Not open for further replies.

Andy12345

IS-IT--Management
Feb 7, 2005
Hi all,

I have a problem getting two computers to connect to a Cisco PIX server via the Cisco VPN client. It's the age-old problem of being able to connect the one computer, and then connecting the other computer, which forces the first connection to stop working.

My setup is that there is a Westell 2200 modem/router connected to a Netgear EN524 Ethernet hub. These two devices are in another office (shared internet usage), and so there is a link that comes from the hub into a local Ethernet switch. From this switch I run into a DLink DI-624 router. My two computers are connected to this router. The internet connection is a Verizon DSL business connection with 1.5down/0.5up.

To confuse matters (well, mainly confuse me), I took the computers home to the following setup. Cable modem (new installation, can't remember the model number) through Optimum Online. This is connected to the same DLink router. The computers again run from this router. Originally in this setup I couldn't get multiple computers to connect until I turned off IPsec passthrough in the router settings. This made them both work at the same time.

So my question is: how do I get multiple Cisco clients working in my office setup?

Any help is greatly appreciated; I've been tearing my hair out for weeks over this issue.

Cheers,

Andy.
 
The headend device (PIX, router, VPN3000) has to enable NAT Traversal (NAT-T). With NAT-T enabled you will not face this problem. The issue is that some PAT devices are not able to handle the ESP protocol properly, hence the problem you are experiencing. NAT-T encapsulates the ESP protocol in a UDP packet, thus solving this problem. Hope this helps!
 
Hi themut,

I was assuming that as I could get it all to work using my home setup, then it couldn't be a problem with the headend device (which is a PIX).
Am I not correct with this assumption?

Cheers,
Andy.
 
Correct. You'll need to modify the Pix configuration.

isakmp nat-traversal <policy no.>
 
Sorry lgarner, I've confused myself with the double negatives.
Do you mean that my assumption was wrong in my previous post, and that the problem I am having is that the PIX server doesn't have NAT traversal enabled?

Cheers,
Andy.
 
Obviously IPSec passthrough was preventing the simultaneous IPSec sessions. You need to make sure NAT-T is enabled on the headend device. A simple test is to establish a VPN connection, go to VPN Client Status, click on Statistics, and under Transport make sure Transparent Tunneling is active on UDP port 4500. If not, then you need to configure the command provided by lgarner in the previous post on the headend PIX.
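
The same check (tunnel data carried on UDP port 4500 rather than as raw ESP) can be made from a packet capture taken on the client side of the router. This is an added example, not part of the original thread: it classifies raw IPv4 packets using the standard NAT-T framing from RFC 3948, and the function names, addresses and sample packets are constructed for illustration.

```python
import struct

NATT_PORT, IKE_PORT = 4500, 500   # NAT-T (RFC 3947/3948) and plain IKE
PROTO_UDP, PROTO_ESP = 17, 50

def classify(pkt: bytes):
    """Return (kind, udp_source_port); the port is None for native ESP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not-ipv4", None)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == PROTO_ESP:
        # No ports here, so a PAT router has nothing to tell two clients apart.
        return ("esp-native", None)
    if proto != PROTO_UDP or len(pkt) < ihl + 8:
        return ("other", None)
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    data = pkt[ihl + 8:ihl + ulen]
    if NATT_PORT in (sport, dport):
        if data == b"\xff":                      # one-byte NAT keepalive
            return ("natt-keepalive", sport)
        if data[:4] == b"\x00\x00\x00\x00":      # non-ESP marker => IKE
            return ("ike-over-natt", sport)
        if len(data) >= 8:                       # SPI + sequence number
            return ("esp-in-udp", sport)
    if IKE_PORT in (sport, dport):
        return ("ike", sport)
    return ("other", sport)

def tunnel_uses_natt(packets):
    """True only if data traffic is UDP-encapsulated and none is native ESP."""
    kinds = {classify(p)[0] for p in packets}
    return "esp-in-udp" in kinds and "esp-native" not in kinds

def ipv4(proto, payload, src=b"\xc0\xa8\x00\x65", dst=b"\xc6\x33\x64\x01"):
    """Build a constructed IPv4 packet (checksum left zero) for the samples."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + src + dst + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples: SPI 0x11223344, sequence number 1, 16 filler bytes.
ESP = struct.pack("!II", 0x11223344, 1) + bytes(16)
WITHOUT_NATT = [ipv4(17, udp(500, 500, bytes(28))), ipv4(50, ESP)]
WITH_NATT = [ipv4(17, udp(500, 500, bytes(28))),
             ipv4(17, udp(4500, 4500, bytes(4) + bytes(28))),
             ipv4(17, udp(4500, 4500, ESP)),
             ipv4(17, udp(4500, 4500, b"\xff"))]
```

A capture that classifies as `esp-native` after the IKE exchange corresponds to Transparent Tunneling showing inactive in the client statistics.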



 
Thank you themut. I have wondered about that in the past; indeed on the statistics tab it shows that the tunneling is inactive.
This definitely sounds like the problem, so I want to thank both of you very much for helping me out.

Cheers,

Andy.
 