Thanks, that was very informative. But let me give you an update...
We decided to try another scenario:
We tried throwing a Win200 running Internet connection sharing into the mix:
Internet > router > Win2K ( workstation dual nic, one to router other to
hub)> hub > clients on hub.
This seems to somehow bypass any problems that we had with the router. I
guess Win2k is able to differentiate the sessions to the corresponding
client when multiple tunnels are initiated. We have tried this with 2
different routers and haven't had any problems.
<[EMAIL PROTECTED]> wrote in message
3A39CA99.6102.409A2@localhost">news:3A39CA99.6102.409A2@localhost...
> Let me guess, the clients are behind a Linksys router doing PAT
> (NAPT)?
>
> PATing devices typically cannot allow more than 1 IPSec session
> to pass-thru. The reason for this is that the inbound IPSec SA is
> only determined by 3 things: dst addr, protocol (ESP or AH) and
> the Security Parameter Index (SPI). The dst addr and protocol will
> be the same, only ESP will work, so that only leaves the SPI to
> differentiate inbound SA's.
>
> The SPI is chosen by the destination and given to the sender
> during the initial ISAKMP negotiation. The PATing device can't see
> this negotiation, so it would be very difficult to allow multiple IPSec
> stations to establish connections. i.e. how can the PATing device
> determine which internal station the traffic is being sent to?
>
> One way you could do this would be to make an assumption that
> any new inbound SA's belong to the last inside station to initiate a
> connection and just keep track of all IPSec initiations from internal
> stations and map it to inbound SPI's. This would work in some
> cases, but then there are potential problems if you have lots of
> internal clients making requests about the same time.
>
> Bottom line, don't expect anyone to implement this functionality
> any time soon, if ever. What is more likely is that vendors will
> implement proprietary schemes to allow their VPN clients to talk
> through a NAT/PAT gateway to their VPN gateway as Cisco has
> done with the VPN 3000. (ala wrapping the IPSec packets with a
> UDP header)
>
> An option would be to terminate the IPSec tunnels on a common
> perimeter device for all internal clients, or use an alternative VPN
> protocol, like SSL ala the Aventail product.
>
> HTH,
> Kent
>
> On 29 Mar 2001, at 13:22, The.Rock wrote:
>
> > Here's the problem:
> >
> > 2 clients,both sharing a DSL line. both use VPN client for 5001
> >
> > When one is connected it is fine and if you add another connection off
> > the same dsl while the other computer is connected, the VPN tunnel
> > keeps dropping. Any ideas ?
> >
> >
> > _________________________________
> > FAQ, list archives, and subscription info:
> > http://www.groupstudy.com/list/cisco.html Report misconduct and
> > Nondisclosure violations to [EMAIL PROTECTED]
>
>
> _________________________________
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
