
Multiple VPN Connections on Shared Internet Connection


deintinis

IS-IT--Management
Nov 14, 2001
174
US
We have VPN set up through a Win2K terminal server. One of our satellite offices has three users that connect to the Internet via a cable modem that is shared through a wireless connection. The problem is that it will only allow one person at a time to VPN into our server. If one of them is online and the other one tries to log in, it will knock off the first person who had the VPN connection.
Is there a way to allow multiple users to use a VPN connection through a shared Internet connection?

Thanks in advance
 
As I understand it, Windows 2000 server does not support NAT-T in its Routing and Remote Access (this feature was only added in W2003 server), so I think you're out of luck. Although you can upgrade the client machines to support NAT-T (from this link: ), as the 2k server doesn't have NAT-T support, it's not going to work.

If you're not clear on what NAT-t is, and why you would need it, have a read of this thread, I posted an explanation recently:


In your scenario your cable modem is the NAT device that's causing your problem.



CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Thanks for the helpful articles. Are you absolutely sure that there is not a patch for Win2K server? Are there any other alternatives for setting this up...software?...hardware? I need to find some sort of workaround.

Thanks
 
There is no patch because Microsoft want you to upgrade to 2003 :)

From Technet - "Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access." (about halfway down this page - )

You do have hardware alternatives: a PIX firewall sitting in front of the server could terminate IPsec tunnels and supports NAT-T. It can pass authentication on to Microsoft's IAS server (a free optional component with Windows 2000) so users are prompted for Windows usernames and passwords.

Basically you need a vpn endpoint that supports Nat-T.


CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Chico, I am not so sure of that. I was tinkering with IPSec tunneling (gateway to gateway) in Windows 2000 Professional and at first it wouldn't work. I later found out that it was because I was also running a NAT firewall (WinRoute Firewall 5) on the Win2K Pro gateway (even though KWF supports IPSec pass-thru). I got it to work with one of MS's updates (can't remember which one) but I believe it had to do with updated IPSec NAT traversal support, after which the IPSec tunnel worked flawlessly, straight thru the NAT firewall and on to the other gateway (Draytek Vigor 2600). I know this isn't really a solution for multiple client-to-gateway tunnels, but I just thought I'd let you know about my experience with this issue.
 
pmf71,

I think you've misunderstood what I was saying. There is an update for Win2000 Pro clients (I've posted a link to it) so that they support NAT-T. The problem is that there is no update for Routing and Remote Access in Windows 2000 server, so if you terminate the VPN on a Windows 2000 server, you can't pass through a NAT device. (2k Server can't terminate a NAT-T IPsec tunnel - it CAN pass NAT-T traffic through it though, if it's a multihomed server, it just can't terminate the tunnel)

In your example you terminate the vpn on the Draytek vigor 2600 (which I presume supports NAT-t). You don't terminate it on a W2k server, which is where the problem lies.

So really we're both saying the same thing :)

Any NAT device will pass NAT-t traffic, as it's just ordinary UDP port 4500 traffic. The problem is whether the two endpoint devices recognise that UDP port 4500 should be unbundled and treated as ESP traffic or not.

2k server doesn't know how to do this.

Chico

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
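
An added example, not part of the original thread: a minimal Python sketch of the "unbundling" a NAT-T-aware endpoint performs on UDP port 4500 payloads, following the RFC 3948 framing (single 0xFF keepalive, four zero bytes before IKE, otherwise ESP), and of how translated source ports let two clients behind one public IP be told apart. The addresses, ports, SPIs and helper names are constructed for illustration.

```python
import struct
from collections import defaultdict

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes precede IKE on UDP 4500
IKE_HEADER_LEN = 28                   # two 8-byte SPIs, four 1-byte fields, message ID, length

def classify(payload: bytes):
    """Classify the UDP payload of one port-4500 datagram as (kind, info)."""
    if payload == b"\xff":
        return ("keepalive", None)            # NAT-keepalive is a single 0xFF octet
    if len(payload) < 8:
        return ("invalid", None)              # too short for ESP or marker + IKE
    if payload[:4] == NON_ESP_MARKER:
        ike_msg = payload[4:]
        if len(ike_msg) < IKE_HEADER_LEN:
            return ("invalid", None)          # truncated IKE header
        return ("ike", ike_msg[18])           # byte 18 of the IKE header is the exchange type
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", (spi, seq))                # the whole payload is an ordinary ESP packet

def demux(datagrams):
    """Group ESP SPIs by the (source IP, source port) seen after NAT."""
    tunnels = defaultdict(set)
    for src_ip, src_port, payload in datagrams:
        kind, info = classify(payload)
        if kind == "esp":
            tunnels[(src_ip, src_port)].add(info[0])
    return dict(tunnels)

# Constructed sample traffic: two clients behind one NAT address (documentation range).
def esp(spi, seq):
    return struct.pack("!II", spi, seq) + bytes(16)   # header plus dummy ciphertext

def ike(exchange_type):
    header = bytes(16) + bytes([0, 0x10, exchange_type, 0]) + bytes(4)
    return NON_ESP_MARKER + header + struct.pack("!I", IKE_HEADER_LEN)

SAMPLE = [
    ("203.0.113.10", 1027, ike(2)),
    ("203.0.113.10", 1027, esp(0xC0FFEE01, 1)),
    ("203.0.113.10", 1031, esp(0xC0FFEE02, 1)),
    ("203.0.113.10", 1027, b"\xff"),
]

if __name__ == "__main__":
    for (ip, port), spis in demux(SAMPLE).items():
        print(ip, port, [hex(s) for s in sorted(spis)])
```

Raw ESP (IP protocol 50) carries no port numbers, so a NAT device has nothing comparable to the source port used here to separate two clients talking to the same server.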
 
I was able to fix the problem simply by hooking up the cable modem and wireless access point to a linksys router. It has solved the problem.
 
Which Linksys router did you purchase? I have the same problem. I purchased the SMC7000FVR, which claims on the advertisement to handle multiple VPN tunnels, but didn't. When I talked to SMC they said it would only support one client tunnel but that it would support multiple server tunnels (which is what I am trying to avoid).

thanks
Ed

 
Ran across this thread doing a Google on multiple VPN pass-thrus. I have the same problem on my home network as both my wife and I work for the same company.

You mentioned that you solved this by getting the linksys switch but could you please elaborate on the complete configuration?
I currently have a linksys 4 port (wired) switch model BEFSR41 which does not support multiple sessions. I want to upgrade to wireless anyway and need to know what I would have to have to make this work.
In other words - do I hook the cable modem to the wireless router and add the switch you found or is there some wireless router/switch that will support multiple vpn sessions. Linksys tech support has not been much help. Thanks for any suggestions.
 
I also was using the BEFSR41 thus only one tunnel. I've ordered the switch that deintinis mentioned. Should have it Wednesday, I'll post the outcome. Keeping my fingers crossed. . .
 
The setup configuration for the switch is as follows:

Linksys switch is hooked from desktop NIC to the 5th port on the switch.

Wireless Access Point is hooked to 4th port on the switch.

Cable Modem is hooked to the 1st (Uplink) port on the switch.

2 and 3 were left open for additional machines.

The first time I set it up, it did not work because I did not have the cable modem hooked into the "Uplink" port on the switch. Make sure this is hooked into the appropriate port. Also, if you have any problems, be sure to do a reboot of your machines as well as the cable modem (power cycle down) after everything is all hooked up.

Hope this helps!
 
It depends on the client software you are using.
I have an SMC2404 router and 2 computers with VPN Checkpoint clients installed, and I have a laptop on wireless with the Checkpoint client.

I can establish VPN connections from all 3 computers at the same time.
 
I've got the Linksys BEFSR41 (11b w/4prt switch) and it supports multiple VPN sessions. Also on the BEFSR41, check and make sure you have the latest firmware. Some of their earlier codes didn't do too well with IPSEC.

Forester, Go ahead and change your SSID and disable broadcast on your linksys once you get it.[wink]
 
deintinis,

I like your idea about using the switch, however, my DSL connection is static so how do I configure a static address in the switch?

By the way, I have 4 client machines behind a Linksys cable / DSL router where only 1 client can connect at a time using IPsec.

Thanks,

dieselBREATH
 
I purchased the Linksys switch and now am capable of using two VPN tunnels via Cisco 4.02 clients. But, as I launch a third pc's client, it will terminate the first. This is what I had to do:
1. From the cable modem CAT5 to the switch (not one of the uplink ports)
2. From the switch CAT5 to an SMC Barricade router LAN connection (worked with the Netgear FVS318 as well).
3. Then from the router to the various pc's and my wireless AP. The router will supply the individual ip's
4. I can run either two wireless pc's with VPN or a combination of hardwired pc and one wireless, but two has been the limit.
5. I do have one site where I have a Nexland Pro400 and four users running simultaneously. Nexland was the only router that I have found that allowed multiple VPN client-initiated tunnels. Problem is they were purchased by Symantec. Symantec is supposed to have a 300 series router out at the end of the month that might solve our issues.
 
Follow-up to 1911man's post regarding multiple vpn sessions with the Linksys BEFSR41 router :

Were you able to have multiple VPN sessions to the SAME VPN host simultaneously ? In my situation my wife and I both need to connect to the same VPN host.

thanks
 
Yes,

Also, I just purchased a Symantec Pro100 VPN appliance (router) and it allows multiple VPN tunnels via software Cisco Client 4.02 on individual PCs. It uses the Nexland technology to allow this. It's running fine at one of our satellite offices on Bell DSL with two users.
 