Multiple users behind one IP address...

IanGlinka

IS-IT--Management
Feb 28, 2002
215
US
I have a situation where multiple users on a local LAN, all behind one router with a single public IP, are trying to connect into a certain hospital's VPN server simultaneously. The Cisco VPN clients will connect, but once I've been authenticated, I can't ping anything on their network unless I am the first one to have connected.

Even after all computers disconnect, it seems you must wait a few minutes in order to be able to log on from another machine...

Is there any hardware or software that allows for multiple VPN connections from the same IP address?

Thanks
Ian
 
Why not get something on your internal network that sets up the VPN to the hospital and have all your users route through that? So instead of multiple tunnels you only have one. Any decent Firewall with VPN capabilities should do.
 
This sounds interesting... could you please expand on your initial explanation? Are you referring to setting a computer up with some software on it... or were you more thinking along the lines of a piece of Cisco hardware?

Ian
 
I assume you are connecting to some piece of Cisco VPN kit? If so, you can get a reasonably low-level Cisco box (not sure of the right level) to create a VPN from your network to the hospital network. You can then set access-lists on the Cisco box to only allow the clients who need access through the Cisco-to-Cisco VPN tunnel.

We use Netscreen Firewalls here and have put in a 200 user, 50 user and 20 user VPN for about USD5000. If you are doing 1 site to another you should be able to get that down to under 1K.
 
I have exactly the same problem here, but haven't had time to investigate (or experience to figure it out!). Although I don't have Cisco routers, my symptoms are the same. Small LAN office behind a DSL router with 1 public IP. Users can VPN (PPTP) into our NT system and get authenticated but cannot do anything past that.

Now if just one user tries ... it works fine, but as soon as the 2nd user tries to VPN in they get hung up after authentication.

Other than purchasing special equipment can someone tell us WHY this won't work? At least if I understood why it would help me justify the purchase of additional equipment.

Thanks.

LEE
 
Lee,

Did you un-check the box on the workstation VPN connection, under TCP advanced settings to "use gateway on remote network"? Is the subnet you're on locally different than the remote network's?
 
mtphoenix,

I'll have to check. This is a remote location and I'm not located there. I'll have to have someone check for me and I'll get back to you.

Thanks for your response.

LEE
 
I think it's the same problem as the original. It looks like Microsoft's PPTP only allows for 1 tunnel from 1 IP address.

On a simpler note you could configure up a box in the remote office to act as a PPTP router to the head office. Then have a route on all users' PCs so that all traffic gets routed down the tunnel.

Any user's PC could be set up to do this.
 
LoopyLoo,

Yep, I think my problem IS the same as original post. I was just wondering 'why' this doesn't work. :>

Regarding setting up a PPTP box to do routing. That sounds perfect, but how do I do that? Any instructions or somewhere where I could get more detailed info on how to do this?

Thanks for your help.

LEE
 
Windows RRAS can do it for you. Have a look through MS Knowledgebase. Basically it's the same as having your computer connecting to the PPTP and then sharing it using Internet Connection Sharing. Not exactly but that's roughly it.
 
LoopyLoo,

Thanks. I'll give that a try! But ... just remember, the two users at my remote LAN are able to VPN and get authenticated, just that once they are authenticated they can't telnet to my local Unix server on our local LAN.

Individually they can, but together they can't. Do you still think ICS on the will help?

Thanks again for your input/help.

LEE
 
Have a look at the logs on your Unix box to see if they are being denied by Unix. Can they ping the Unix box? Do they both appear to be coming from the same IP to Unix? Is there a restriction of only one session per IP on Telnet for your Unix system (unlikely but you never know!)
 
LoopyLoo,

I'll have to check into this a little more for an exact answer. I know when I was trying to diagnose this a couple of weeks ago I noticed that the 1st VPN session was able to telnet to the Unix box, but the 2nd would get a SYN_REC (I think) message on the Unix box (I got this by doing a netstat). I can't confirm the IP address and the other stuff without trying again.

I will and let you know.

Thanks
 
I encourage the current thread to continue... but I wanted to continue my post from the top...

We decided to give up entirely and just buy multiple IP addresses from our ISP. We're setting up a wireless access point and we are going to create a small army of notebook computers that are all on the internet. These notebooks will not be on our local network, however, for security purposes.

Kind of a sloppy workaround, but it's really one of the only ones that I could think of that would actually allow multiple users to connect to these VPNs.

Ian
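
The symptom reported in this thread (every client authenticates, only the first one passes traffic, and another client works only after a few minutes' wait) is consistent with how a port-translating NAT router that has no IPsec or PPTP helper treats portless protocols such as ESP and GRE. The Python model below is an added example, not part of any poster's message; `SimpleNat`, the 300-second idle timeout and all addresses are constructed assumptions, not values from the thread.

```python
IDLE_TIMEOUT = 300  # seconds; constructed value, real routers differ

class SimpleNat:
    """Toy port-translating NAT with no IPsec/PPTP helper (an assumption)."""
    def __init__(self):
        self.port_map = {}   # (proto, public_port) -> inside_ip
        self.portless = {}   # (proto, remote_ip) -> [inside_ip, last_seen]
        self.next_port = 40000

    def outbound(self, now, proto, inside_ip, remote_ip, has_ports):
        if has_ports:                      # TCP/UDP: each flow gets its own public port
            self.next_port += 1
            self.port_map[(proto, self.next_port)] = inside_ip
            return self.next_port
        owner = self.portless.get((proto, remote_ip))
        if owner is None or now - owner[1] > IDLE_TIMEOUT:
            self.portless[(proto, remote_ip)] = [inside_ip, now]   # first host wins
        elif owner[0] == inside_ip:
            owner[1] = now                 # owner's traffic keeps the entry alive
        return None                        # nothing to rewrite in ESP/GRE

    def inbound(self, now, proto, remote_ip, public_port=None):
        """Return the inside host a reply is delivered to, or None if dropped."""
        if public_port is not None:
            return self.port_map.get((proto, public_port))
        owner = self.portless.get((proto, remote_ip))
        return owner[0] if owner and now - owner[1] <= IDLE_TIMEOUT else None

def scenario():
    nat, vpn = SimpleNat(), "198.51.100.1"          # constructed addresses
    a, b = "192.168.1.10", "192.168.1.11"
    out = {}
    pa = nat.outbound(0, "udp", a, vpn, True)       # IKE negotiation, client A
    pb = nat.outbound(1, "udp", b, vpn, True)       # IKE negotiation, client B
    out["ike"] = (nat.inbound(2, "udp", vpn, pa), nat.inbound(2, "udp", vpn, pb))
    nat.outbound(3, "esp", a, vpn, False)           # A sends tunnel traffic first
    nat.outbound(4, "esp", b, vpn, False)           # B sends tunnel traffic too
    out["esp_both"] = nat.inbound(5, "esp", vpn)    # every ESP reply goes to A
    nat.outbound(60, "esp", b, vpn, False)          # all disconnected; B retries early
    out["retry_after_1_min"] = nat.inbound(61, "esp", vpn)
    nat.outbound(400, "esp", b, vpn, False)         # B retries after the entry expired
    out["retry_after_timeout"] = nat.inbound(401, "esp", vpn)
    return out

if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, "->", value)
```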
 