Multiple ipsec vpn connection from same IP
Accepted Solution
-
valerio_vanni said:
zyman2008 said:
Hi @valerio_vanni,
You can try to set up a different local ID for each client,
so that the VPN gateway can identify the IKE negotiation from different clients even if they come from the same IP.
Here is the example of the Zyxel IPSec VPN client,

But in this way I would have to set remote id=any in the firewall. Now I keep an explicit remote-id. Does this configuration work in your environment?

For an IPSec server rule on your firewall,
it's one VPN rule for all clients. I set up the remote-id to "any" in the VPN server rule.
All Replies
-
I take it you have different user names when connecting?
Testing here with a USG40 with a WAN IP and having two VMs running, connecting out over a 4G connection under the same IP to the USG, it's fine.
It's likely a NAT problem, most likely an ISP router that can't offset the source port to allow two VPN clients by NAT-T, so putting the ISP router in modem/bridge mode with a better router should work.
-
Yes, I forgot to say, but the user names are different. On my side there is no NAT; both WANs have public IPs.
-
Are the users using a NAT router, as in they have IPs 192.168.0.x when connecting to your USG-Flex 200?
-
Yes, they are NATted. In the scenario I described, clients are connected to a LAN of a remote office (or house). But they are NATted even when they use a 4G connection through a SIM. Here in Italy, in general, mobile providers don't give public IPs. And it works: the issue arises when they are NATted behind the same IP.
-
O2, my 4G by NAT, works fine on the same IP for two users to my USG with Virgin Media, so the limitation is with your 4G and their router or the dongle they are using.
The 4G dongle I'm using is a HUAWEI E3372.
-
I said that 4G is usually behind NAT just to say that a single client behind NAT works. But so far such a case didn't happen on 4G, when users roam with their notebooks. Providers leave users behind NAT, but it's unlikely that 2 casual users with their SIMs get under the same IP. Instead, it would be difficult to create such a test. Leave 4G and dongles alone... The scenario is users connected to a LAN of an office. Tests have been done on ADSL/VDSL lines.
-
valerio_vanni said: Tests have been done on ADSL/VDSL lines.
Then it's to do with their router, and that is likely doing NAT which doesn't allow two VPN connections.
-
PeterUK said:
valerio_vanni said: Tests have been done on ADSL/VDSL lines.
Then it's to do with their router, and that is likely doing NAT which doesn't allow two VPN connections.

What could the issue be? It happens also from my home; here I can test.
-
Here is my test, looking at it with Wireshark when two users connect by the NAT-T protocol under the same IP.
User 1 has a source port of 515 (this would normally be 500) to 500, then it builds the connection to 4500 from source port 21167 (this would normally be 4500). Then User 2 connects with a source port of 670 (this would normally be 500 again, but if the NAT sees it in use it should offset it) to 500, then builds the connection to 4500 from source port 21168 (this would normally be 4500 again, but if the NAT sees it in use it should offset it).
It's likely your NAT is not offsetting the source port, and this causes two connections with the same source port for IPsec VPN connections, kicking the other one offline.
-
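The port-offset behaviour described in the Wireshark observation above can be checked without eyeballing a capture. The following is an added example, not code from the thread or from Zyxel: it keys each IKE datagram by its UDP source tuple and by the initiator SPI taken from the ISAKMP header (on UDP 4500 the header is preceded by the 4-byte non-ESP marker), and reports any source tuple that carries more than one SPI, which is exactly the collision a non-offsetting NAT produces. The datagrams and SPI values are constructed for the example.

```python
"""Spot IKE source-port collisions behind a NAT that does not offset ports.

Each IKE datagram is keyed by its UDP (src_ip, src_port, dst_port) tuple and
by the initiator SPI read from the ISAKMP header. On UDP 4500 the payload
starts with a 4-byte non-ESP marker (all zero) before the ISAKMP header.
"""
from collections import defaultdict

NON_ESP_MARKER = b"\x00\x00\x00\x00"


def initiator_spi(dst_port: int, payload: bytes) -> str:
    """Return the 8-byte IKE initiator SPI (hex) from a UDP 500/4500 payload."""
    if dst_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            raise ValueError("UDP 4500 payload without non-ESP marker (ESP-in-UDP?)")
        payload = payload[4:]
    if len(payload) < 8:
        raise ValueError("payload too short for an ISAKMP header")
    return payload[:8].hex()


def find_collisions(packets):
    """packets: iterable of (src_ip, src_port, dst_port, payload).
    Returns {(src_ip, src_port, dst_port): [spi, ...]} for every source tuple
    carrying more than one distinct initiator SPI, i.e. two IKE peers whose
    traffic the NAT mapped onto the same public source port."""
    spis = defaultdict(set)
    for src_ip, src_port, dst_port, payload in packets:
        spis[(src_ip, src_port, dst_port)].add(initiator_spi(dst_port, payload))
    return {k: sorted(v) for k, v in spis.items() if len(v) > 1}


# Constructed sample datagrams (not a real capture); the ISAKMP header is
# padded after the SPI because only the SPI matters for this check.
SPI_A = bytes.fromhex("0a0a0a0a0a0a0a0a")
SPI_B = bytes.fromhex("0b0b0b0b0b0b0b0b")
PAD = b"\x00" * 20

# NAT offsets ports as in the Wireshark observation: no collision.
GOOD = [
    ("203.0.113.5", 515, 500, SPI_A + PAD),
    ("203.0.113.5", 21167, 4500, NON_ESP_MARKER + SPI_A + PAD),
    ("203.0.113.5", 670, 500, SPI_B + PAD),
    ("203.0.113.5", 21168, 4500, NON_ESP_MARKER + SPI_B + PAD),
]
# NAT keeps 500/4500 for both clients: same source tuple, two SPIs.
BAD = [
    ("203.0.113.5", 500, 500, SPI_A + PAD),
    ("203.0.113.5", 4500, 4500, NON_ESP_MARKER + SPI_A + PAD),
    ("203.0.113.5", 500, 500, SPI_B + PAD),
    ("203.0.113.5", 4500, 4500, NON_ESP_MARKER + SPI_B + PAD),
]
```

Feeding the tuples exported from a real capture (for example Wireshark's udp.srcport/udp.dstport columns plus the ISAKMP initiator SPI) into find_collisions gives an empty result when the NAT offsets correctly and lists the shared ports otherwise.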
Hi @valerio_vanni,
You can try to set up a different local ID for each client,
so that the VPN gateway can identify the IKE negotiation from different clients even if they come from the same IP.
Here is the example of the Zyxel IPSec VPN client,