[nsp] VPN Clients through Border Manager

info at beprojects.com
Tue Jul 20 10:25:56 EDT 2004


Change the VPN3005 to use TCP connections and set the users to transparent
tunneling through TCP.  This will allow virtually any user to connect from
anywhere, and it doesn't matter if they are NAT'd or not.

In a typical IPSec VPN, the user initiates a connection on UDP port 500,
then the server initiates an ESP connection back to the user.  Most
firewalls are smart enough to figure out how to send this back to one
internal user, but when a second user tries to connect, they don't know what
to do.  There is no port info in an ESP packet, so typically it drops the
first user.  If you switch to TCP, you only use one TCP connection per user,
so there are no ESP issues.  It is a much better solution.


----- Original Message ----- 
From: "Voll, Scott" <Scott.Voll at wesd.org>
To: <cisco-nsp at puck.nether.net>
Sent: Tuesday, July 20, 2004 8:51 AM
Subject: [nsp] VPN Clients through Border Manager


> OK, I'm stumped.
>
> I have a client that needs to get around a Border Manager / filter
> server / firewall via a VPN connection to us, to use our web application
> over Citrix.  When the first person uses their Cisco VPN client and
> connects to our VPN (3005) they make the connection, and can use the web
> application.  But when the second person tries to connect to the same
> VPN the Connection gets dropped.
>
> I initially thought it was maybe a NAT issue.  But both users have
> publicly addressed computers that just go through.  I also thought that
> maybe it was that the Border Manager was only allowing one VPN
> connection but the second user can connect to a second VPN (3005 also).
>
> It looks like the only problem is when multiple users try to connect to
> one VPN at the same time.  Both users can connect to this one VPN, just
> not at the same time.  Any ideas?  I do not have access to this
> Border Manager, but if I have something for the Admin at this site to
> try, I believe he is willing.
>
> Thanks for any comments, suggestions, or thoughts.
>
> Scott
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
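The flow-tracking problem the reply above describes, as an added example that is not part of the original thread and not code from Cisco or Novell: a toy stateful firewall/PAT box that, like the "smart" firewall in the reply, pre-opens an ESP pinhole for a client when it sees that client's IKE (UDP/500) go out. Because ESP has no port field, the only reply key the box has is (ESP, peer address), so a second client to the same concentrator overwrites the first client's pinhole; with IPsec over TCP each client has its own TCP connection and the reply port disambiguates them. Everything here is constructed: the addresses, the firewall logic (a deliberate simplification, not Border Manager's real behaviour) and the assumption that the concentrator listens on 10000/tcp (the VPN 3000 series default for IPsec over TCP).

```python
"""Toy model of why two IPsec clients behind one firewall collide on ESP but not
on TCP-encapsulated IPsec. Constructed example; the firewall logic is a
deliberate simplification (assumption), not any vendor's real implementation."""
from dataclasses import dataclass
from typing import Optional

ESP, TCP, UDP = 50, 6, 17
IKE_PORT = 500
IPSEC_TCP_PORT = 10000       # assumption: VPN 3000 default for IPsec over TCP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: the header carries an SPI, not ports
    dport: Optional[int] = None
    spi: Optional[int] = None


class Firewall:
    """Stateful firewall/PAT box with one public address.

    TCP/UDP flows are keyed on the translated public port, so any number of
    inside hosts can share the address.  ESP has no port field, so the only
    reply key available is (ESP, peer): the box opens that pinhole when it
    sees IKE go out, and a second client to the same peer overwrites it."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.flows = {}        # reply key -> inside host address

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            self.flows[(ESP, pkt.dst)] = pkt.src
            return Packet(ESP, self.public_ip, pkt.dst, spi=pkt.spi)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(pkt.proto, pkt.dst, pkt.dport, pub_port)] = pkt.src
        if pkt.proto == UDP and pkt.dport == IKE_PORT:
            # "smart" firewall: expect ESP back from the IKE peer for this client
            self.flows[(ESP, pkt.dst)] = pkt.src
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host the packet is forwarded to, or None when it is dropped."""
        if pkt.proto == ESP:
            key = (ESP, pkt.src)
        else:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        return self.flows.get(key)


SERVER = "198.51.100.1"                  # the VPN 3005 (constructed address)
CLIENTS = ["10.0.0.11", "10.0.0.12"]     # two users behind the same box


def native_ipsec() -> dict:
    """Both clients run IKE, then the concentrator sends each one ESP.
    Returns {client: inside host the firewall delivered that client's ESP to}."""
    fw = Firewall("203.0.113.5")
    for c in CLIENTS:                    # second client connects after the first
        fw.outbound(Packet(UDP, c, SERVER, IKE_PORT, IKE_PORT))
    # ESP reply per SA: the header carries only an SPI, no port to match on
    return {c: fw.inbound(Packet(ESP, SERVER, fw.public_ip, spi=0x1000 + i))
            for i, c in enumerate(CLIENTS)}


def ipsec_over_tcp() -> dict:
    """Same two clients with transparent tunneling over TCP: one TCP connection
    per client, so the reply's destination port identifies the client."""
    fw = Firewall("203.0.113.5")
    translated = {c: fw.outbound(Packet(TCP, c, SERVER, 50000 + i, IPSEC_TCP_PORT))
                  for i, c in enumerate(CLIENTS)}
    return {c: fw.inbound(Packet(TCP, SERVER, fw.public_ip, IPSEC_TCP_PORT, t.sport))
            for c, t in translated.items()}


if __name__ == "__main__":
    print("native IPsec:  ", native_ipsec())
    print("IPsec over TCP:", ipsec_over_tcp())
```

In the native case both ESP replies land on the second client, so the first user's tunnel is effectively dropped the moment the second user's IKE exchange goes out; in the TCP case each reply carries the port the firewall allocated for that client and both tunnels survive.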
