Let me guess, the clients are behind a Linksys router doing PAT (NAPT)?

PATing devices typically cannot allow more than 1 IPSec session to pass through. The reason for this is that the inbound IPSec SA is only determined by 3 things: dst addr, protocol (ESP or AH) and the Security Parameter Index (SPI). The dst addr and protocol will be the same, only ESP will work, so that only leaves the SPI to differentiate inbound SAs.

The SPI is chosen by the destination and given to the sender during the initial ISAKMP negotiation. The PATing device can't see this negotiation, so it would be very difficult to allow multiple IPSec stations to establish connections, i.e. how can the PATing device determine which internal station the traffic is being sent to?

One way you could do this would be to make an assumption that any new inbound SAs belong to the last inside station to initiate a connection and just keep track of all IPSec initiations from internal stations and map them to inbound SPIs. This would work in some cases, but then there are potential problems if you have lots of internal clients making requests at about the same time.

Bottom line, don't expect anyone to implement this functionality any time soon, if ever. What is more likely is that vendors will implement proprietary schemes to allow their VPN clients to talk through a NAT/PAT gateway to their VPN gateway, as Cisco has done with the VPN 3000 (à la wrapping the IPSec packets with a UDP header).

An option would be to terminate the IPSec tunnels on a common perimeter device for all internal clients, or use an alternative VPN protocol, like SSL à la the Aventail product.

HTH,
Kent
On 29 Mar 2001, at 13:22, The.Rock wrote:
> Here's the problem:
>
> 2 clients, both sharing a DSL line. Both use the VPN client for 5001.
>
> When one is connected it is fine and if you add another connection off
> the same dsl while the other computer is connected, the VPN tunnel
> keeps dropping. Any ideas?
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
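Kent's explanation above, as a constructed Python simulation added here (not code from the thread or from any vendor): a toy PAT gateway that sees only (dst, proto, SPI) on inbound ESP and applies the "last initiator owns the new SPI" heuristic, beside the same two-client race with ESP carried in UDP, where the translated port identifies the inside host. All addresses, SPIs and ports are made up.

```python
# Constructed simulation (not from the thread): why a PAT gateway cannot tell
# apart several inbound ESP sessions, and why wrapping ESP in UDP (as NAT-T
# does) lets it.  Addresses, SPIs and ports are made up.
PUBLIC, VPN = "203.0.113.1", "198.51.100.5"

class PatGateway:
    def __init__(self):
        self.last_initiator = None  # all the NAT can learn from plain ESP
        self.spi_owner = {}         # inbound SPI -> inside host (heuristic)
        self.port_owner = {}        # public UDP port -> inside host
        self.public_ports = {}      # (inside host, inside port) -> public port

    # Plain ESP: inbound, only (dst, proto=ESP, SPI) is visible, and the SPI
    # was chosen by the peer inside IKE, which the NAT cannot read.
    def esp_out(self, host, spi):
        self.last_initiator = host
        return (PUBLIC, VPN, spi)            # src rewritten, SPI untouched

    def esp_in(self, spi):
        # Heuristic from the thread: a never-seen SPI belongs to the inside
        # host that initiated most recently.
        return self.spi_owner.setdefault(spi, self.last_initiator)

    # ESP in UDP: the UDP port tuple is translated like any other UDP flow.
    def udp_out(self, host, sport):
        pub = self.public_ports.get((host, sport))
        if pub is None:
            pub = 40000 + len(self.public_ports)
            self.public_ports[(host, sport)] = pub
            self.port_owner[pub] = host
        return (PUBLIC, pub, VPN, 4500)     # 4500 is the NAT-T UDP port

    def udp_in(self, dport):
        return self.port_owner[dport]       # dst port is unambiguous

def race_plain_esp():
    """A and B initiate back to back; the VPN gateway's first reply is A's
    SA (SPI 0x1111).  Returns the inside host the NAT delivers it to."""
    g = PatGateway()
    g.esp_out("A", 0xAAAA)
    g.esp_out("B", 0xBBBB)                  # B is now "last initiator"
    return g.esp_in(0x1111)                 # -> "B": A's tunnel breaks

def race_udp_encap():
    """Same race with ESP wrapped in UDP: both replies reach the right host."""
    g = PatGateway()
    _, a_port, _, _ = g.udp_out("A", 4500)
    _, b_port, _, _ = g.udp_out("B", 4500)
    return g.udp_in(a_port), g.udp_in(b_port)   # -> ("A", "B")
```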