Multiple ipsec vpn connection from same IP


All Replies

  • valerio_vanni

    zyman2008 said:
    Hi @valerio_vanni,
    You can try to set up a different local ID for each client, so that the VPN gateway can identify the IKE negotiations from different clients even when they come from the same IP.

    Here is the example from the Zyxel IPSec VPN client,

    But in this way I would have to set remote-id=any in the firewall.
    Now I keep an explicit remote-id.

    Does this configuration work in your environment?
  • valerio_vanni
    PeterUK said:

    Here is my test, looking at it in Wireshark when two users connect by the NAT-T protocol from the same IP.

    User 1 has a source port of 515 (this would normally be 500) to 500, then it builds the connection to 4500 from source port 21167 (this would normally be 4500). Then User 2 connects with a source port of 670 (this would normally be 500 again, but if the NAT sees it in use it should offset it) to 500, then builds the connection to 4500 from source port 21168 (this would normally be 4500 again, but if the NAT sees it in use it should offset it).

    It's likely your NAT is not offsetting the source port, and this causes two IPsec VPN connections with the same source port, kicking the other one offline.


    You looked with Wireshark on the WAN segment, right? I can't do this now; I can only look at the firewall log, filtering all IKE-LOG entries for the remote IP.

    When the first client connects:
    The first entries show client:63353 -> server:500, then they keep on (they talk every 30 seconds [1]) with client:4500 -> server:4500. In the VPN monitor, under "remote gateway", I see 63346.

    When the second connects:
    Some entries show client:63359 -> server:500, then they keep on with 4500 -> 4500. In the VPN monitor, I see that the remote port has been changed to 1025.



  • zyman2008
    Answer ✓

    valerio_vanni said:
    But in this way I would have to set remote-id=any in the firewall.
    Now I keep an explicit remote-id.

    Does this configuration work in your environment?
    Yes. That works fine in my environment (ZyWALL110 as VPN server with multiple Windows Zyxel IPSec VPN clients, no matter whether the clients are behind the same NAT router or not).

    For the IPSec server rule on your firewall:
    It's one VPN rule for all clients. I set the remote-id to "any" in the VPN server rule.

  • PeterUK
    valerio_vanni said:
    You looked with Wireshark on the WAN segment, right? I can't do this now; I can only look at the firewall log, filtering all IKE-LOG entries for the remote IP.

    Yes, the WAN of the server USG side, but it's the client-side router NAT that must offset the source port to handle two VPN connections.


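A small defender-side check built from the diagnosis in this thread (an added example, not code from the thread or from Zyxel): it walks constructed IKE-log lines, keys each NAT-T session by remote IP and port, and flags when a second client reuses a port pair that another client still holds, which is the symptom PeterUK describes when the client-side NAT does not offset the source port. The log line format, addresses and local IDs below are all constructed for illustration.

```python
"""Spot NAT-T source-port collisions from a shared NAT address in IKE logs.

Added example. The log format is constructed and does not mirror any
specific Zyxel log layout; adapt LINE_RE to the real one.
"""
import re
from collections import defaultdict

# Constructed sample: three clients behind one NAT (203.0.113.10).
# laptop-a negotiates from an ephemeral port to 500, then floats to 4500 -> 4500.
# laptop-b does the same, but its NAT offsets the NAT-T port to 1025 (the good case).
# laptop-c's NAT does not offset the port, so it lands on 4500 again (the bad case).
SAMPLE_LOG = """\
IKE-LOG: 203.0.113.10:63353 -> 198.51.100.1:500 id=laptop-a phase1 start
IKE-LOG: 203.0.113.10:4500 -> 198.51.100.1:4500 id=laptop-a nat-t established
IKE-LOG: 203.0.113.10:63359 -> 198.51.100.1:500 id=laptop-b phase1 start
IKE-LOG: 203.0.113.10:1025 -> 198.51.100.1:4500 id=laptop-b nat-t established
IKE-LOG: 203.0.113.10:63370 -> 198.51.100.1:500 id=laptop-c phase1 start
IKE-LOG: 203.0.113.10:4500 -> 198.51.100.1:4500 id=laptop-c nat-t established
"""

# Only NAT-T (port 4500) sessions matter; the phase 1 lines to port 500 are skipped.
LINE_RE = re.compile(
    r"IKE-LOG: ([\d.]+):(\d+) -> [\d.]+:4500 id=(\S+) nat-t established"
)


def find_nat_t_collisions(log_text):
    """Return (sessions, collisions).

    sessions maps (remote_ip, remote_port) -> local ID currently holding it.
    collisions lists (ip, port, displaced_id, new_id) whenever a different
    local ID shows up on a port pair another peer already holds.
    """
    sessions = {}
    collisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, port, local_id = m.group(1), int(m.group(2)), m.group(3)
        key = (ip, port)
        if key in sessions and sessions[key] != local_id:
            collisions.append((ip, port, sessions[key], local_id))
        sessions[key] = local_id  # the newcomer displaces the earlier peer
    return sessions, collisions


def peers_behind_nat(sessions):
    """Count distinct local IDs the gateway can still tell apart per remote IP."""
    ids_by_ip = defaultdict(set)
    for (ip, _port), local_id in sessions.items():
        ids_by_ip[ip].add(local_id)
    return {ip: len(ids) for ip, ids in ids_by_ip.items()}
```

On the sample, laptop-c displaces laptop-a on 203.0.113.10:4500 while laptop-b survives on its offset port 1025, so only two of the three peers remain distinguishable.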
  • Zyxel_Kevin
    edited March 2022
    Hi @valerio_vanni,
    As you mentioned in PM, does the issue still occur after the firmware upgrade to 5.21?
    Have you double-checked the local ID in the TGB client?
    Kevin
  • valerio_vanni
    With different local ids it works.
