Som (Guest)
Posted: Thu Apr 20, 2006 12:32 am
Post subject: 2 vpn clients on Home LAN

I have two employees (a married couple) that recently started working from
home. The problem is that only one PC can run the vpn client from home at
a time.
I'm running a pix 515 v.6.1
they are running ADSL with one dynamic public IP.
internally they have a 2WIRE 1800HG modem/router. Both are using win xp
sp2.
Can someone give me some tips on how I can allow both systems to connect to
the home office at the same time?
THANKS!

Mark Williams (Guest)
Posted: Thu Apr 20, 2006 1:10 am
Post subject: Re: 2 vpn clients on Home LAN

This is an issue with NAT. Since your employee's home router has one
public IP address, two traditional IPSec (ESP & AH) VPN sessions can't
occur at the same time. You will have to implement IPSec NAT Traversal
(IPSec over UDP) on the PIX, and in the client your employees are
using.
In the PIX, use the global command
isakmp nat-traversal

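The collision Mark describes, as an added illustration that is not from the thread: a minimal model of a many-to-one NAT (PAT) shows why two plain ESP sessions from separate hosts behind one public address cannot be told apart on the outside, while UDP-encapsulated (NAT-T) sessions each receive their own outside port. The addresses, port numbers, class and function names, and the NAT model itself are constructed for this example; it deliberately ignores the SPI-tracking "IPsec passthrough" that some consumer routers implement.

```python
"""Constructed model of a port-address translator (PAT) handling two inside
VPN clients.  Not any vendor's implementation: it exists to show why plain
ESP (no port field) collides while ESP-in-UDP (RFC 3948, port 4500) does not."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.7"      # constructed home public address (TEST-NET-3)
OFFICE_PIX = "198.51.100.1"    # constructed VPN concentrator address (TEST-NET-2)
NAT_T_PORT = 4500              # UDP port used by IPsec NAT-T (RFC 3948)


@dataclass
class Packet:
    proto: str                     # "ESP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ESP: the header carries no port
    dst_port: Optional[int] = None


class PortAddressTranslator:
    """Many-to-one NAT.  Every inside flow must map to a distinct
    (proto, outside port) so that replies can be demultiplexed."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # (proto, inside ip, inside port) -> outside port
        self.bindings: Dict[Tuple[str, str, Optional[int]], Optional[int]] = {}
        # (proto, outside port) -> inside flow, consulted for return traffic
        self.reverse: Dict[Tuple[str, Optional[int]], Tuple[str, Optional[int]]] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key in self.bindings:
            outside_port = self.bindings[key]
        elif pkt.proto == "UDP":
            outside_port = self.next_port      # a fresh port per inside flow
            self.next_port += 1
        else:
            # ESP has no port, so the only outside identifier is the protocol.
            # A second inside host's ESP flow has nothing to distinguish it.
            outside_port = None
            if (pkt.proto, None) in self.reverse:
                return None                    # dropped: binding already taken
        self.bindings[key] = outside_port
        self.reverse[(pkt.proto, outside_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, outside_port, pkt.dst_port)


def concurrent_sessions(use_nat_t: bool,
                        clients: Tuple[str, ...] = ("192.168.1.10", "192.168.1.11")) -> int:
    """Return how many of the inside clients get a usable outside binding."""
    nat = PortAddressTranslator(PUBLIC_IP)
    established = 0
    for ip in clients:
        if use_nat_t:
            pkt = Packet("UDP", ip, OFFICE_PIX, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet("ESP", ip, OFFICE_PIX)
        if nat.translate_outbound(pkt) is not None:
            established += 1
    return established


if __name__ == "__main__":
    print("plain ESP sessions that survive PAT:", concurrent_sessions(False))
    print("NAT-T (ESP-in-UDP) sessions that survive PAT:", concurrent_sessions(True))
```

With two clients the plain-ESP run binds only the first host; the NAT-T run binds both, because the UDP source port gives the translator something to rewrite.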
Som (Guest)
Posted: Thu Apr 20, 2006 2:40 am
Post subject: Re: 2 vpn clients on Home LAN

"Mark Williams" <webmaster@sdps-idpa.org> wrote in
news:1145481028.029142.30890@i39g2000cwa.googlegroups.com:

> This is an issue with NAT. Since your employee's home router has one
> public IP address, two traditional IPSec (ESP & AH) VPN sessions can't
> occur at the same. You will have to implement IPSec NAT Traversal
> (IPSec over UDP) on the PIX, and in the client your employees are
> using.
> In the PIX, use the global command
> isakmp nat-traversal

Excuse my ignorance, but will this change the connection settings for all
of the other existing clients or will it only affect the 2 in
question/anyone else with this problem?
Thanks for your patience.

Mark Williams (Guest)
Posted: Thu Apr 20, 2006 2:58 am
Post subject: Re: 2 vpn clients on Home LAN

NAT traversal is negotiated for clients that support it. If a client
and the PIX both support NAT traversal (IPSec over UDP), it will be
chosen as the preferred method for the connection. If a client does not
support it, you can still use traditional IPSec.
In other words, using the isakmp nat-traversal command *allows* the PIX
to use IPSec NAT traversal, but doesn't force all connections to use
it. I think!
Keep in mind that the maximum number of traditional IPSec connections
your PIX can support is set by the number of globally routable
addresses available at the outside interface. If you have a pool of say
13 routable addresses assigned at the outside interface, you can
support a max of 13 traditional IPSec sessions. If you enable nat
traversal, you would be able to support many more connections.

Walter Roberson (Guest)
Posted: Thu Apr 20, 2006 4:25 am
Post subject: Re: 2 vpn clients on Home LAN

In article <1145487523.019941.198720@i40g2000cwc.googlegroups.com>,
Mark Williams <webmaster@sdps-idpa.org> wrote:

> NAT traversal in negotiated for clients that support it. If a client
> and the PIX both support NAT traversal (IPSec over UDP), it will be
> chosen as the preferred method for the connection. If a client does not
> support it, you can still use traditional IPSec.

Not quite -- if both ends support (and have enabled) NAT-T, then
the protocol will probe to determine which directions are NAT'd,
and only encapsulates into UDP where necessary. For example, it
is in theory capable of encapsulating AH packets (which cannot
survive any form of NAT) but having ESP packets (which can survive
1-to-1 NAT but not PAT) go unencapsulated for the same tunnel.

> In other words, using the isakmp nat-traversal command *allows* to PIX
> to use IPSec NAT traversal, but doesn't force all connections to use
> it. I think!

Encapsulation is not used unless it is necessary, because the
encapsulation process lowers the effective MTU and is thus less
efficient.

> Keep in mind that the maximum number of traditional IPSec connections
> your PIX can support is set by the number of globally routable
> addresses available at the outside interface.

Not as phrased.

> If you have a pool of say
> 13 routable addresses assigned at the outside interface, you can
> support a max of 13 traditional IPSec sessions. If you enable nat
> traversal, you would be able to support many more connections.

The PIX does not know how to play games with SPI (System Parameter
Index) to "identify" an ESP session [as some manufacturers have
implemented apparently], so Yes, each ESP session which *passes
through* the PIX requires a unique outside IP. {Global routability is
not a strict criterion, by the way, since the other end of the link is
not necessarily reached through public IP space.}
My "Not as phrased" comment was because your phrasing did not
make clear that the limit was on pass-through traffic. If the
IPSec connections terminate -at- the PIX, then the number of
outside addresses available does not matter: the PIX uses its own
IP address for all tunnels that terminate -at- the PIX.

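The probing step Walter describes ("probe to determine which directions are NAT'd, and only encapsulate into UDP where necessary"), as an added example that is not part of his post or any vendor's code: in IKEv1 NAT-T (RFC 3947) each peer sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the addresses it sees, and the receiver recomputes the hash over the addresses it actually observes on the wire; a mismatch in one direction means that side sits behind a NAT. The cookies, addresses, ports, the SHA-1 choice and all function names are constructed for this example, and the MTU figure only accounts for the 8-byte UDP header that ESP-in-UDP (RFC 3948) adds.

```python
"""Constructed walk-through of IKEv1 NAT-D detection (RFC 3947) and the
encapsulation decision it drives.  Example code, not a real IKE implementation."""
import hashlib
import ipaddress
import struct
from typing import Tuple

UDP_ENCAP_OVERHEAD = 8   # bytes added by the UDP header in ESP-in-UDP (RFC 3948)

# Constructed IKE cookies for the example exchange.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")

Endpoint = Tuple[str, int]   # (ip, port)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for whatever hash algorithm the IKE SA negotiated."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detect(cky_i: bytes, cky_r: bytes,
               initiator_local: Endpoint, initiator_seen: Endpoint,
               responder_local: Endpoint, responder_seen: Endpoint) -> Tuple[bool, bool]:
    """Return (initiator_behind_nat, responder_behind_nat).

    initiator_local : the initiator's own address as it knows it
    initiator_seen  : the source address the responder observes on the packet
    responder_local : the responder's own address as it knows it
    responder_seen  : the destination address the initiator sent to
    """
    # Payloads the initiator puts on the wire: the responder as it sees it,
    # then itself as it knows itself.
    sent_hash_of_responder = nat_d_hash(cky_i, cky_r, *responder_seen)
    sent_hash_of_initiator = nat_d_hash(cky_i, cky_r, *initiator_local)
    # The responder recomputes both hashes from what it actually observes.
    responder_natted = sent_hash_of_responder != nat_d_hash(cky_i, cky_r, *responder_local)
    initiator_natted = sent_hash_of_initiator != nat_d_hash(cky_i, cky_r, *initiator_seen)
    return initiator_natted, responder_natted


def encapsulation_plan(detection: Tuple[bool, bool], path_mtu: int = 1500) -> Tuple[str, int]:
    """Encapsulate only when a NAT was found somewhere on the path, and report
    the effective MTU left for the inner packet after the UDP header."""
    initiator_natted, responder_natted = detection
    if initiator_natted or responder_natted:
        return "udp", path_mtu - UDP_ENCAP_OVERHEAD   # IKE also moves to port 4500
    return "native", path_mtu


def home_client_behind_pat() -> Tuple[bool, bool]:
    """The thread's scenario: a client on a private LAN reaches the office
    concentrator through a home router doing PAT.  Addresses are constructed."""
    return nat_detect(CKY_I, CKY_R,
                      initiator_local=("192.168.1.10", 500),
                      initiator_seen=("203.0.113.7", 40123),   # rewritten by the home router
                      responder_local=("198.51.100.1", 500),
                      responder_seen=("198.51.100.1", 500))


def no_nat_on_path() -> Tuple[bool, bool]:
    """Both peers on public addresses: hashes agree, no encapsulation needed."""
    return nat_detect(CKY_I, CKY_R,
                      initiator_local=("203.0.113.9", 500),
                      initiator_seen=("203.0.113.9", 500),
                      responder_local=("198.51.100.1", 500),
                      responder_seen=("198.51.100.1", 500))


if __name__ == "__main__":
    for name, result in (("home client behind PAT", home_client_behind_pat()),
                         ("no NAT on path", no_nat_on_path())):
        print(f"{name}: initiator NAT={result[0]}, responder NAT={result[1]},"
              f" plan={encapsulation_plan(result)}")
```

Running it shows the asymmetry Walter points at: only the initiator side reports a NAT in the home scenario, the responder (the PIX) does not, and the decision to encapsulate, with its reduced inner MTU, is made only in that case.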
Mark Williams (Guest)
Posted: Thu Apr 20, 2006 5:29 am
Post subject: Re: 2 vpn clients on Home LAN

> My "Not as phrased" comment was because your phrasing did not
> make clear that the limit was on pass-through traffic. If the
> IPSec connections terminate -at- the PIX, then the number of
> outside addresses available does not matter: the PIX uses its own
> IP address for all tunnels that terminate -at- the PIX.

For IPSec tunnel mode I believe, but does the same hold true for
transport mode?
I've seen non-NATed transport mode connections to a PIX fail because
the outside address pool was exhausted.

Walter Roberson (Guest)
Posted: Thu Apr 20, 2006 7:55 pm
Post subject: Re: 2 vpn clients on Home LAN

In article <1145496580.370499.193260@i39g2000cwa.googlegroups.com>,
Mark Williams <webmaster@sdps-idpa.org> wrote:

> > My "Not as phrased" comment was because your phrasing did not
> > make clear that the limit was on pass-through traffic. If the
> > IPSec connections terminate -at- the PIX, then the number of
> > outside addresses available does not matter: the PIX uses its own
> > IP address for all tunnels that terminate -at- the PIX.
>
> For IPSec tunnel mode I believe, but does the same hold true for
> transport mode?
> I've seen non-NATed transport mode connections to a PIX fail because
> the outside address pool was exhausted.

Good question. I have never used transport mode (never really seen the
point), but thinking about the documentation of it, you might be
correct.

Martin Bilgrav (Guest)
Posted: Mon Apr 24, 2006 12:54 am
Post subject: Re: 2 vpn clients on Home LAN

"Som" <kreeseis@yahoo.com> wrote in message
news:Xns97AA89C14C470kreeseish@207.115.17.102...

> I have two employees (a married couple) that recently started working from
> home. The problem is that only one PC can run the vpn client from home at
> a time.
> I'm running a pix 515 v.6.1

upgrade to 6.3 at once!

> they are running ADSL with one dynamic public IP.
> internally they have a 2WIRE 1800HG modem/router. Both are using win xp
> sp2.
> Can someone give me some tips on how I can allow both systems to connect
> to the home office at the same time?

upgrade to 6.3 at once!
and issue the cmd isakmp nat-t
Use the Cisco VPN client for IPSEC ver 4.x
np
MARTIN
8)