Koozali.org: home of the SME Server

PPTP access

Dave

PPTP access
« on: May 10, 2002, 02:17:26 PM »
Hi guys,

I have set up an E-Smith server with PPTP access and, using the Microsoft 128 enc pack client, I have a number of remote users accessing the server. We seem to be having a problem with more than one user accessing the server from the same ISP connection (i.e. connection sharing over the same DSL pipe in a remote office). When they tunnel into the server, the first user can log in fine and has full network access but any following users do not. They can all log in but only the first has access to the network. Is there anything I can do to troubleshoot/fix this? I am not an experienced Linux user but I am an experienced server/network admin, so with a few pointers it shouldn't be too hard. Also, when I try to replicate this in the office it all works OK for me. Thanks in advance

Bill Talcott

Re: PPTP access
« Reply #1 on: May 10, 2002, 06:25:31 PM »
When you replicate it, are you also trying from behind a NAT connection outside the e-smith? I'm guessing it has something to do with sharing a single public IP for several computers...

Dave

Re: PPTP access
« Reply #2 on: May 10, 2002, 06:30:54 PM »
Basically each of the remote offices also has an e-smith box currently acting as an internet gateway for each office (will be introduced into a VPN with the release of 5.5 s/ware as I have requirements that are not available till then), so each office is basically a DSL connection into an e-smith which acts as an internet sharing point for the office, who use the desktop VPN client to connect into my box onsite. I have replicated it the same way by putting a second e-smith box onto our ISP router (as close as I can get to being offsite through an ISP) and then tunnelling back in from behind my second e-smith. Hope this makes sense.......

Gordon Rowell

Re: PPTP access
« Reply #4 on: May 13, 2002, 07:37:43 AM »
Multiple masqueraded PPTP connections to the same remote IP address will
not work. PPTP does not have the concept of source/destination ports found
in TCP and UDP, so you can't really tell the connections apart.

A workaround would be to use an ip alias on the remote server and have each
client connect to a different remote IP address. Naturally, you need to be able
to assign multiple addresses to the remote server for this to work, and not everyone
can do that.

Note: You can masquerade multiple PPTP connections concurrently, just not
to the same destination IP address.

Gordon

Lazo

Re: PPTP access
« Reply #5 on: May 13, 2002, 08:09:56 PM »
So, if I have an e-smith server (Server 1), with VPN enabled, and for example two remote offices with e-smith servers too (Server 2 and Server 3), and two PCs in each office, you mean I can VPN over Server 1 from Server 2 and Server 3 only if I have two different IPs for Server 1 (does it work with Server1a.dyndns.com and Server1b.dyndns.com), so each PC (two from each remote office) logs to each IP domain.

Is this what you were saying??

Bill Talcott

Re: PPTP access
« Reply #6 on: May 15, 2002, 02:13:09 AM »
Lazo wrote:
>
> So, if I have an e-smith server (Server 1), with VPN enabled,
> and for example two remote offices with e-smith servers too
> (Server 2 and Server 3), and two PCs in each office, you mean
> I can VPN over Server 1 from Server 2 and Server 3 only if I
> have two different IPs for Server 1 (does it work with
> Server1a.dyndns.com and Server1b.dyndns.com), so each PC (two
> from each remote office) logs to each IP domain.
>
> Is this what you were saying??

That's how I interpreted it. If both NAT-ed PCs try to PPTP to one IP, it's unable to determine which is which. If the two PCs are using different IPs though, it isn't a problem. So you'd need the same number of IPs on the server as NAT-ed PCs that you wanted to PPTP at the same time. In your case, (2 NATs with 2 PCs each), you'd need two IPs on the server. The server would see each remote location as a separate connection, so you could have a connection to each of the server's IPs from each remote location. 2 server IPs * 2 remote IPs == 4 PPTP connections (max of 2 at each location). Correct me if I'm wrong...

Lazo

Re: PPTP access
« Reply #7 on: May 15, 2002, 03:18:43 AM »
Well, I cannot correct you!! :) because I don't know for sure, I have never tried this before!! But do you know if I can get the same effect with dyndns.org??

I just have one IP (dynamic by the ADSL), but I have two DNS services with two different domain names, one.dyndns.org and two.dyndns.org; both are pointing to the same IP, to the same server, so if I VPN over my other offices using domain names, I think this could work the same way?? Right?? I hope so! :)

Mark

Re: PPTP access
« Reply #8 on: May 20, 2002, 03:44:22 PM »
Hi Guys

I have the same problem trying to get concurrent users to VPN (via Win2kPro client) to an SME5.0 server, via an SME5.1.2 gateway/server from the satellite office.

One client at a time works a treat, but the second and consecutive clients will not connect.

Initially, I was using Win2k Server, with RRAS enabled, as the gateway. After failing on all attempts to run concurrent VPN clients through the Win2k gateway I installed an SME5.1.2 as a gateway/server with the same issue.

Not much help, but just thought I'd add numbers to the people experiencing the problem.

Lazo

Re: PPTP access
« Reply #9 on: May 20, 2002, 06:48:20 PM »
Did you try using different IP addresses, for instance, with different dynamic domain names like dyndns.org??

Mark

Re: PPTP access
« Reply #10 on: May 20, 2002, 07:24:50 PM »
I would have to do this via host file entries, as I don't have control of the DNS server. Either way, with all due respect, I cannot see how this would get around the issue (as the canonical name DNS resolution would point to the same sole IP address of the destination server).
I believe that VPN is operating at lower layers in the OSI model (layer 3 or 4, whilst DNS would most likely be operating at 6-7), so fundamentally the packets being sent, with source and destination addresses, would be the same regardless of the different DNS names.
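
The behaviour Gordon describes in Reply #4, and the reason Mark gives in Reply #10 for why extra DNS names do not help, can be reproduced with a toy model of a masquerading gateway. This is an added example, not code from any poster or from e-smith/SME Server; the class, function names, hostnames and addresses are constructed, and the gateway is assumed to track GRE by address pair only, as the thread describes.

```python
GRE, TCP = 47, 6  # IP protocol numbers: PPTP data channel and control channel


class MasqGateway:
    """Toy masquerading gateway sharing one public IP (hypothetical model)."""

    def __init__(self):
        self.replies = {}       # reply-side key -> internal client that owns it
        self.next_port = 61000  # next rewritten TCP source port

    def outbound(self, proto, client_ip, server_ip, dport=None):
        """Track an outbound flow and return the key its replies will match."""
        if proto == TCP:
            # TCP has ports, so every flow gets its own rewritten source port.
            key = (TCP, server_ip, dport, self.next_port)
            self.next_port += 1
        else:
            # Assumption from the thread: GRE offers only the address pair.
            key = (GRE, server_ip)
        # The first client to create an entry keeps it.
        self.replies.setdefault(key, client_ip)
        return key

    def deliver(self, key):
        """Internal client that a reply matching this key is forwarded to."""
        return self.replies.get(key)


# Constructed sample data: two names on one address, plus an IP alias.
DNS = {"one.example": "203.0.113.10",
       "two.example": "203.0.113.10",
       "alias.example": "203.0.113.11"}


def scenario(dials, dns=DNS):
    """Dial PPTP for each (client_ip, server_name) through one shared gateway."""
    gw, result = MasqGateway(), {}
    for client_ip, name in dials:
        server_ip = dns[name]  # the gateway only ever sees the address
        ctrl = gw.outbound(TCP, client_ip, server_ip, dport=1723)
        data = gw.outbound(GRE, client_ip, server_ip)
        result[client_ip] = {"login": gw.deliver(ctrl) == client_ip,
                             "tunnel": gw.deliver(data) == client_ip}
    return result


if __name__ == "__main__":
    a, b = "192.168.1.10", "192.168.1.11"
    print(scenario([(a, "one.example"), (b, "one.example")]))    # same name
    print(scenario([(a, "one.example"), (b, "two.example")]))    # two names, one IP
    print(scenario([(a, "one.example"), (b, "alias.example")]))  # IP alias
```

In the first two scenarios the second client logs in over TCP 1723 but its GRE replies go to the first client, which matches the symptom in the opening post; only the IP alias case gives both clients a working tunnel.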