Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: bud on November 19, 2002, 07:57:08 PM
-
We replaced an IBM Whistlejet with SME5. Now, we are only able to connect a single Checkpoint VPN-1 Secure Remote connection at a time.
If someone is already connected, nobody else in the office can connect.
The Whistlejet allowed multiple connections AND it did NAT. What's up?
-
All a bit new to me, this stuff, but I take it you have correctly set up the remote access options in the server-manager to allow multiple connections? If the Checkpoint box is passing PPTP connections, you'd need to tell the SME server to allow for x number of PPTP clients. Not familiar with the Checkpoint box; I use a Gnatbox GB1000 myself.
-
Bob,
Thanks for the reply. Let me clarify my question...
I am not talking about using the PPTP services on the server. I am talking about allowing passthru:
CP VPN-1 Client --> "thru Mitel server" --> to Internet --> to CP Firewall
It only allows a single client to connect. If another client tries to connect from behind the server, it rejects them. The Mitel server is using NAT.
-
Is this maybe a setting on the CP firewall that's the problem then? Is it rejecting multiple connections from a single IP, remembering that if you're using NAT then all connections from your network behind the SME box appear to come from the one "external" IP?
-
That's a good point; however, the old Whistlejet was using NAT as well. Maybe I need to open additional ports?
-
Take a look here:
http://forums.contribs.org/index.php?topic=15598.msg60006#msg60006
-
Do a search for IPSEC vpn in this forum. This issue has been discussed several times.
Ryan
-
It still doesn't answer my first question:
How can I get more than one person to connect to the VPN at once? Can the IPSEC module support multiple connections?
-
I had the same problem with the Nortel Extranet Client. The simple commands shown in the link in my last message will allow multiple connections for Extranet Clients. This command adds IPSEC through NAT for the kernel (or something like that). I also had to check 'disable keep alives' for each client or the connection fails within a few minutes.
Ryan
-
Just stumbled across this...
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html (from http://ipmasq.cjb.net/)
"If you are using a Checkpoint SecuRemote VPN with FWZ-encapsulated tunnels, you will not be able to masquerade the traffic. Configure your VPN to use pure IPsec protocols and permit NAT, and avoid the CheckPoint proprietary FWZ protocols. See the VPN Masquerade HOWTO for more details."
Might help you out...
-
Thanks Ryan,
We will try your suggestions. If anyone is searching this thread in the future, I have included a copy of help text from checkpoint. I think this might have something to do with my problem:
--------------
5. Symptom : "Two users behind the same NAT device can not have access to the corporate network"
Scenario : Two SecuRemote users behind the same NAT device.
Explanation : Some NAT devices do not translate the Source port and therefore cannot support the following scenario: IKE is UDP/500 and UDP Encapsulation is UDP/2746 over static Source/Destination port. It is not a Check Point limitation, but a NAT device limitation.
Workaround : Use a NAT device that supports port address translation.
Solution:
- SecureClient NG FP3 addresses this issue, by binding in two different UDP ports for IKE and UDP Encapsulation. In order to support it, you need to force UDP Encapsulation on the Client and add the option ChangeUDPsport to “true” in the userc.C .
- With previous SecureClient builds: some NAT devices handle ESP packets better than UDP. Therefore, you may want to force ESP. In order to do it, you need to disable “force UDP Encapsulation” on the Client. On the Mgmt, you need to change the property udp_encapsulation_by_qm_id from “true” to “false”.
----------------
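The Check Point note above is really about the NAT device's mapping table rather than about IPsec itself: when every client sends IKE from UDP source port 500 and UDP encapsulation from source port 2746, a NAT that keeps the source port unchanged ends up with two inside hosts claiming the same outside 5-tuple and cannot route the gateway's replies back. The following Python model is an added illustration, not code from this thread, from SME Server or from Check Point; the IP addresses, the 1024+ PAT port range and the 40000+ "rebound" client ports are made up, and treating the FP3 ChangeUDPsport option simply as "the client picks a distinct source port" is an assumption used only for the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IKE_PORT = 500             # IKE/ISAKMP, UDP/500 (from the Check Point note)
CP_UDP_ENCAP_PORT = 2746   # Check Point UDP encapsulation, UDP/2746 (same note)

# Constructed documentation-range addresses; not from the thread.
EXTERNAL_IP = "203.0.113.5"   # the NAT box's single public address
GATEWAY_IP = "198.51.100.1"   # the corporate VPN-1 gateway
CLIENT_A = "192.168.1.10"
CLIENT_B = "192.168.1.11"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Many-to-one UDP NAT whose reply table is keyed on (ext_port, peer_ip, peer_port).

    translate_source_port=False models the NAT devices the note describes: the
    inside source port is reused unchanged on the outside.
    translate_source_port=True models port address translation (PAT).
    """

    def __init__(self, external_ip: str, translate_source_port: bool) -> None:
        self.external_ip = external_ip
        self.translate_source_port = translate_source_port
        self._next_port = 1024  # next free outside port when doing PAT (assumed range)
        self._reply: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self._forward: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means it cannot be masqueraded."""
        fkey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if fkey in self._forward:
            ext_port = self._forward[fkey]
        elif self.translate_source_port:
            ext_port = self._next_port
            self._next_port += 1
        else:
            ext_port = pkt.src_port
            owner = self._reply.get((ext_port, pkt.dst_ip, pkt.dst_port))
            if owner is not None and owner != (pkt.src_ip, pkt.src_port):
                # A second inside host wants the same outside 5-tuple: replies from
                # the gateway could no longer be routed back unambiguously, so drop.
                return None
        self._forward[fkey] = ext_port
        self._reply[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a gateway->NAT reply back to the inside host owning the mapping."""
        if pkt.dst_ip != self.external_ip:
            return None
        owner = self._reply.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, owner[0], owner[1])


def start_two_clients(translate_source_port: bool, rebind_source_port: bool = False
                      ) -> Tuple[Nat, List[Tuple[Optional[Packet], Optional[Packet]]]]:
    """Two SecuRemote clients behind one NAT each open IKE and UDP encapsulation to
    the same gateway. Returns the NAT and, per client, the translated (IKE, encap)
    packets; None in either slot means that flow was dropped."""
    nat = Nat(EXTERNAL_IP, translate_source_port)
    results = []
    for i, client in enumerate((CLIENT_A, CLIENT_B)):
        # Default behaviour per the note: static source port equal to the destination
        # port. rebind_source_port models a client choosing its own distinct source
        # port instead (assumed approximation of the FP3 ChangeUDPsport workaround).
        ike_sport = 40000 + i if rebind_source_port else IKE_PORT
        enc_sport = 41000 + i if rebind_source_port else CP_UDP_ENCAP_PORT
        ike = nat.outbound(Packet(client, ike_sport, GATEWAY_IP, IKE_PORT))
        enc = nat.outbound(Packet(client, enc_sport, GATEWAY_IP, CP_UDP_ENCAP_PORT))
        results.append((ike, enc))
    return nat, results


if __name__ == "__main__":
    cases = (("no PAT, static ports", False, False),
             ("PAT, static ports", True, False),
             ("no PAT, client rebinds ports", False, True))
    for label, pat, rebind in cases:
        _, res = start_two_clients(pat, rebind)
        print(label, [("ok" if ike and enc else "dropped") for ike, enc in res])
```

Run as is, the first case lets only the first client through, which is the symptom in this thread; the second case shows why the note's workaround is "use a NAT device that supports port address translation", and the third shows why a client that stops sending from a fixed port 500/2746 also works behind a NAT that never rewrites source ports.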
-
Does SME support port address translation? I'm pretty sure that it does... These are the modules that I have loaded:
Module                  Size  Used by
appletalk-fixed        20960  12 (autoclean)
rtl8139                12416   2 (autoclean)
ip_masq_vdolive         1376   0 (unused)
ip_masq_raudio          3008   0 (unused)
ip_masq_quake           1392   0 (unused)
ip_masq_pptp            4560   0 (unused)
ip_masq_irc             1632   0 (unused)
ip_masq_ipsec           7728   0 (unused)
ip_masq_icq            10144   0 (unused)
ip_masq_h323            3600   0 (unused)
ip_masq_ftp             4256   0 (unused)
ip_masq_cuseeme         1120   0 (unused)
ip_masq_portfw          2608   0 (autoclean) (unused)
agpgart                18608   0 (unused)
usb-uhci               19056   0 (unused)
usbcore                42096   1 [usb-uhci]
It looks like ip_masq_ipsec and ip_masq_pptp are both loaded and ready to go...