Multiple ipsec vpn connection from same IP
All Replies
zyman2008 said: Hi @valerio_vanni,
You can try to set up a different local ID for each client,
so that the VPN gateway can identify the IKE negotiations from different clients even when they come from the same IP.
Here is the example of the Zyxel IPSec VPN client,
But in this way I would have to set remote id=any in the firewall. Now I keep an explicit remote-id. Does this configuration work in your environment?
PeterUK said:
Here is my test looking at it in Wireshark when two users connect via the NAT-T protocol from under the same IP.
User 1 has a source port of 515 (this would normally be 500) to 500, then it builds the connection to 4500 from source port 21167 (this would normally be 4500). Then User 2 connects with a source port of 670 (this would normally be 500 again, but if the NAT sees it in use it should offset it) to 500, then builds the connection to 4500 from source port 21168 (this would normally be 4500 again, but if the NAT sees it in use it should offset it).
It's likely your NAT is not offsetting the source port, and this causes two connections with the same source port for the IPsec VPN connections, kicking the other offline.
valerio_vanni said:
You look with Wireshark on the WAN segment, right? Now I can't do this, I can only look at the firewall log filtering all IKE-LOG for the remote IP.
When the first client connects: the first entries show client:63353 -> server:500, then they keep on (they talk every 30 seconds [1]) with client:4500 -> server:4500. In VPN monitor, under "remote gateway" I see 63346.
When the second connects: some entries show client:63359 -> server:500, then they keep on with 4500 -> 4500. In VPN monitor, I see that the remote port has been changed to 1025.
valerio_vanni said: zyman2008 said: Hi @valerio_vanni,
You can try to set up a different local ID for each client,
so that the VPN gateway can identify the IKE negotiations from different clients even when they come from the same IP.
Here is the example of the Zyxel IPSec VPN client,
But in this way I would have to set remote id=any in the firewall. Now I keep an explicit remote-id. Does this configuration work in your environment?
For an IPSec server rule on your firewall, it's one VPN rule for all clients. I set up the remote-id to "any" in the VPN server rule.
valerio_vanni said: You look with Wireshark on the WAN segment, right? Now I can't do this, I can only look at the firewall log filtering all IKE-LOG for the remote IP.
Yes, the WAN of the server USG side, but it's the client-side router NAT that must offset the source port to handle two VPN connections.
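As an added example (not code from this thread, from Zyxel, or from any poster), here is a small Python check over firewall IKE log entries for the failure PeterUK describes in his two replies above: two separate handshakes from the same public IP whose NAT-T traffic lands on the same source port because the client-side NAT did not offset it. The log line layout, the IP addresses and the sequence numbers are constructed for this example; the ports in the healthy case are the ones from PeterUK's capture, and the ports in the colliding case follow valerio_vanni's log.

```python
import re
from collections import defaultdict

# Constructed log layout for this example (not the USG's real IKE-LOG syntax):
#   "<seq> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <exchange>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+(\S+)$")

# Constructed sample: 192.0.2.20 is a NAT that offsets ports (PeterUK's numbers),
# 203.0.113.10 is a NAT that sends both clients' NAT-T traffic from port 4500.
SAMPLE_LOG = """
1 192.0.2.20:515 -> 198.51.100.1:500 IKE_SA_INIT
2 192.0.2.20:21167 -> 198.51.100.1:4500 IKE_AUTH
3 203.0.113.10:63353 -> 198.51.100.1:500 IKE_SA_INIT
4 203.0.113.10:4500 -> 198.51.100.1:4500 IKE_AUTH
5 192.0.2.20:670 -> 198.51.100.1:500 IKE_SA_INIT
6 192.0.2.20:21168 -> 198.51.100.1:4500 IKE_AUTH
7 203.0.113.10:63359 -> 198.51.100.1:500 IKE_SA_INIT
8 203.0.113.10:4500 -> 198.51.100.1:4500 IKE_AUTH
""".strip().splitlines()

def parse_ike_log(lines):
    """Yield (src_ip, src_port, dst_port) for each well-formed line, in log order."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            _seq, sip, sport, _dip, dport, _exch = m.groups()
            yield sip, int(sport), int(dport)

def natt_port_collisions(lines):
    """Return {src_ip: {natt_port: [handshake_ports]}} for every public IP where two or
    more handshakes (distinct ports towards 500) share one NAT-T source port towards 4500."""
    sessions = defaultdict(list)  # src_ip -> [[handshake_port, natt_port or None], ...]
    for sip, sport, dport in parse_ike_log(lines):
        if dport == 500:          # a new handshake from behind this public IP
            sessions[sip].append([sport, None])
        elif dport == 4500:       # NAT-T traffic: bind to the newest session still without a port
            pending = [s for s in sessions[sip] if s[1] is None]
            if pending:
                pending[-1][1] = sport
    collisions = {}
    for sip, sess in sessions.items():
        by_port = defaultdict(list)
        for hs_port, natt_port in sess:
            if natt_port is not None:
                by_port[natt_port].append(hs_port)
        dup = {p: hs for p, hs in by_port.items() if len(hs) > 1}
        if dup:
            collisions[sip] = dup
    return collisions

if __name__ == "__main__":
    for ip, ports in natt_port_collisions(SAMPLE_LOG).items():
        for natt_port, handshakes in ports.items():
            print(f"{ip}: handshakes from ports {handshakes} all use NAT-T source port {natt_port}")
```

A public IP reported here is one where a second client's NAT-T session reuses the first client's source port, which is the condition under which the newer tunnel displaces the older one.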
Hi @valerio_vanni,
As you mentioned in PM, does the issue still occur after the firmware upgrade to 5.21?
Have you double-checked the local ID in the TGB Client?
Kevin
With different local IDs it works.