Multiple ipsec vpn connection from same IP

valerio_vanni
valerio_vanni Posts: 64  Ally Member
Device is USG-Flex 200.

We have an IPsec dynamic VPN policy on the firewall. Clients connect from their machines with the Zyxel VPN client, Shrew Soft, etc.
The tunnel works, and there is no issue with multiple concurrent connections.

But if two connections come from the same IP, it doesn't work.
Let's say we have 2 employees with their notebooks in a remote office, connected to the office LAN. It is not a managed office (at least not by us); there is no site-to-site VPN with the main site, just a simple internet connection. The two use their VPN connection as they would anywhere else, but in this case they come out NATed behind the same IP.

The first connects, nothing strange about this.
As soon as the second connects, the first is kicked out. The tunnel seems active on the client for a bit, but traffic (e.g. a continuous ping launched before) stops immediately.

Is it expected? Or should it work?

Accepted Solution

  • zyman2008
    zyman2008 Posts: 209  Master Member

    zyman2008 said:
    Hi @valerio_vanni,
    You can try to set up a different local ID for each client,
    so that the VPN gateway can identify the IKE negotiations from different clients even when they come from the same IP.

    Here is an example from the Zyxel IPSec VPN client:

    valerio_vanni said:
    But in this way I would have to set remote id=any on the firewall.
    Now I keep an explicit remote ID.

    Does this configuration work in your environment?

    Yes. That works fine in my environment (ZyWALL 110 as VPN server with multiple Windows Zyxel IPSec VPN clients, no matter whether the clients are behind the same NAT router or not).

    For the IPSec server rule on your firewall:
    it's one VPN rule for all clients. I set the remote ID to "any" in the VPN server rule.


All Replies

  • PeterUK
    PeterUK Posts: 3,020 ✭✭✭✭✭

    I take it you have different user names when connecting?

    Testing here with a USG40 with a WAN IP, and two VMs connecting out over a 4G connection under the same IP to the USG, it's fine.

    It's likely a NAT problem, most likely an ISP router that can't offset the source port to allow two VPN clients by NAT-T, so putting the ISP router in modem/bridge mode with a better router behind it should work.


  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    Yes, I forgot to say, but the user names are different.

    On my side there is no NAT; both WANs have public IPs.

  • PeterUK
    PeterUK Posts: 3,020 ✭✭✭✭✭

    Are the users using a NAT router, as in they have IPs like 192.168.0.x when connecting to your USG-Flex 200?


  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    edited February 2022
    Yes, they are NATed. In the scenario I described, the clients are connected to the LAN of a remote office (or house).

    But they are NATed even when they use a 4G connection through a SIM. Here in Italy, in general, mobile providers don't give public IPs.

    And it works: the issue arises when they are NATed behind the same IP.
  • PeterUK
    PeterUK Posts: 3,020 ✭✭✭✭✭
    edited February 2022

    O2 4G by NAT works fine on the same IP for two users to my USG on Virgin Media, so the limitation is with your 4G and their router or the dongle they are using.

    The 4G dongle I'm using is a HUAWEI E3372.


  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    I said that 4G is usually behind NAT just to say that a single client behind NAT works.
    But so far such a case hasn't happened on 4G, when users roam with their notebooks. Providers leave users behind NAT, but it's unlikely that 2 casual users with their SIMs end up under the same IP.

    Instead, it would be difficult to create such a test.
    Leave 4G and dongles alone...

    The scenario is users connected to the LAN of an office.
    Tests have been done on ADSL/VDSL lines.

  • PeterUK
    PeterUK Posts: 3,020 ✭✭✭✭✭
    valerio_vanni said:
    Tests have been done on ADSL/VDSL lines.

    Then it's to do with their router, which is likely doing NAT in a way that doesn't allow two VPN connections.

  • valerio_vanni
    valerio_vanni Posts: 64  Ally Member
    PeterUK said:
    Tests have been done on ADSL/VDSL lines.

    Then it's to do with their router, which is likely doing NAT in a way that doesn't allow two VPN connections.

    What could the issue be?
    It happens also from my home, where I can test.

  • PeterUK
    PeterUK Posts: 3,020 ✭✭✭✭✭
    edited February 2022

    Here is my test, looking at it in Wireshark when two users connect via NAT-T under the same IP.

    User 1 has a source port of 515 (this would normally be 500) to port 500, then it builds the connection to 4500 from source port 21167 (this would normally be 4500). Then User 2 connects with a source port of 670 (this would normally be 500 again, but if the NAT sees it in use it should offset it) to port 500, then builds the connection to 4500 from source port 21168 (this would normally be 4500 again, but if the NAT sees it in use it should offset it).

    It's likely your NAT is not offsetting the source port, and this causes two connections with the same source port for IPsec VPN, kicking the other one offline.



  • zyman2008
    zyman2008 Posts: 209  Master Member
    Hi @valerio_vanni,
    You can try to set up a different local ID for each client,
    so that the VPN gateway can identify the IKE negotiations from different clients even when they come from the same IP.

    Here is an example from the Zyxel IPSec VPN client:
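The two explanations in this thread, PeterUK's (the NAT reuses the same public source port for both clients, so the second negotiation displaces the first) and zyman2008's (give each client a distinct IKE local ID so the gateway can tell the peers apart), can be reproduced with a small model. The script below is an added illustration, not code from the thread, from Zyxel or from either poster; the flow records are constructed to match the port numbers PeterUK read off Wireshark, the public IP and identities are placeholders, and the gateway peer table is a simplification of how a VPN server keys its NAT-T sessions, not the firmware's actual behaviour.

```python
# Added example (not from the thread): model a NAT-T client pair behind one
# public IP as seen by (a) the analyst reading a capture and (b) a VPN gateway
# that keys its peers either by (public IP, source port) or by IKE identity.
from collections import defaultdict

IKE_PORT = 500      # IKE main/aggressive mode, UDP
NAT_T_PORT = 4500   # NAT traversal: IKE + UDP-encapsulated ESP

# Constructed flow records, shaped like a Wireshark UDP conversation list:
# (client label, IKE local ID, public source IP, source port, destination port).
# GOOD_NAT follows PeterUK's trace: the NAT offsets each client to a fresh port.
GOOD_NAT = [
    ("user1", "user1@vpn.example", "203.0.113.10", 515, IKE_PORT),
    ("user1", "user1@vpn.example", "203.0.113.10", 21167, NAT_T_PORT),
    ("user2", "user2@vpn.example", "203.0.113.10", 670, IKE_PORT),
    ("user2", "user2@vpn.example", "203.0.113.10", 21168, NAT_T_PORT),
]
# BAD_NAT is the suspected behaviour: the NAT keeps 500/4500 for both clients.
BAD_NAT = [
    ("user1", "user1@vpn.example", "203.0.113.10", 500, IKE_PORT),
    ("user1", "user1@vpn.example", "203.0.113.10", 4500, NAT_T_PORT),
    ("user2", "user2@vpn.example", "203.0.113.10", 500, IKE_PORT),
    ("user2", "user2@vpn.example", "203.0.113.10", 4500, NAT_T_PORT),
]
# SAME_ID: the bad NAT *and* both clients configured with one shared local ID.
SAME_ID = [(c, "vpn-client", ip, sp, dp) for c, _i, ip, sp, dp in BAD_NAT]


def find_port_collisions(flows):
    """Return every (public IP, src port, dst port) tuple shared by more than
    one client. A non-empty list is the symptom PeterUK describes: the NAT is
    not offsetting source ports, so two peers look identical on the wire."""
    clients_by_tuple = defaultdict(set)
    for client, _ident, ip, sport, dport in flows:
        clients_by_tuple[(ip, sport, dport)].add(client)
    return sorted(k for k, users in clients_by_tuple.items() if len(users) > 1)


def simulate_gateway(flows, key_by_identity):
    """Replay the NAT-T flows against a simplified peer table.

    key_by_identity=False: peers are distinguished only by (IP, source port),
    the situation with remote-id=any and no per-client local ID.
    key_by_identity=True:  peers are distinguished by their IKE local ID, as in
    zyman2008's suggestion. A new negotiation that lands on an existing key
    replaces that peer, which is the 'first client kicked out' effect.
    Returns (clients still active, clients that were displaced)."""
    table = {}
    kicked = []
    for client, ident, ip, sport, dport in flows:
        if dport != NAT_T_PORT:
            continue  # only the 4500 flow carries the tunnel traffic
        key = ident if key_by_identity else (ip, sport)
        previous = table.get(key)
        if previous is not None and previous != client:
            kicked.append(previous)
        table[key] = client
    return sorted(set(table.values())), kicked


if __name__ == "__main__":
    for name, flows in (("GOOD_NAT", GOOD_NAT), ("BAD_NAT", BAD_NAT), ("SAME_ID", SAME_ID)):
        print(name, "collisions:", find_port_collisions(flows))
        for by_id in (False, True):
            active, kicked = simulate_gateway(flows, key_by_identity=by_id)
            print(f"  key_by_identity={by_id}: active={active} kicked={kicked}")
```

Running it shows the three cases side by side: with the good NAT both clients survive whichever key the gateway uses; with the bad NAT the (IP, port) key displaces user1 while the identity key keeps both; and with the bad NAT plus a shared local ID the identity key no longer helps, which is why the local IDs must actually differ per client for zyman2008's fix to work.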


