Linux Netfilter discussions
* IPSec masquerade with multiple clients
@ 2005-05-13 11:06 Leonid Zeitlin
  2005-05-13 11:37 ` Georgi Alexandrov
  0 siblings, 1 reply; 5+ messages in thread
From: Leonid Zeitlin @ 2005-05-13 11:06 UTC (permalink / raw)
  To: netfilter

Hi all,
I have the following problem. I have a local network behind a Linux router
that does IP masquerade. All hosts on the LAN have 192.168.*.* addresses,
and the Linux router has only one external IP address. I need IPSec VPN
clients from the LAN to connect to an outside server. The client VPN
software is Contivity VPN Client by Nortel Networks. If only one client
connects at a time, everything works fine. But once one client connects, no
other client can do so. For the second client the connection cannot be
established. Is there any way to have multiple clients connect to the
external VPN server simultaneously? Any help will be appreciated.

Thanks in advance,
   Leonid




* Re: IPSec masquerade with multiple clients
  2005-05-13 11:06 IPSec masquerade with multiple clients Leonid Zeitlin
@ 2005-05-13 11:37 ` Georgi Alexandrov
  2005-05-13 12:03   ` Leonid Zeitlin
  0 siblings, 1 reply; 5+ messages in thread
From: Georgi Alexandrov @ 2005-05-13 11:37 UTC (permalink / raw)
  To: netfilter

Leonid Zeitlin wrote:

>Hi all,
>I have the following problem. I have a local network behind a Linux router
>that does IP masquerade. All hosts on the LAN have 192.168.*.* addresses,
>and the Linux router has only one external IP address. I need IPSec VPN
>clients from the LAN to connect to an outside server. The client VPN
>software is Contivity VPN Client by Nortel Networks. If only one client
>connects at a time, everything works fine. But once one client connects, no
>other client can do so. For the second client the connection cannot be
>established. Is there any way to have multiple clients connect to the
>external VPN server simultaneously? Any help will be appreciated.
>
>Thanks in advance,
>   Leonid
>
>
>
>  
>

This question is asked at least once a week in this list, please take a 
look at the archives.

regards,
Georgi Alexandrov



* Re: IPSec masquerade with multiple clients
  2005-05-13 11:37 ` Georgi Alexandrov
@ 2005-05-13 12:03   ` Leonid Zeitlin
  2005-05-13 14:54     ` Daniel Lopes
  2005-05-14  1:33     ` dave beach
  0 siblings, 2 replies; 5+ messages in thread
From: Leonid Zeitlin @ 2005-05-13 12:03 UTC (permalink / raw)
  To: netfilter


----- Original Message ----- 
From: "Georgi Alexandrov" <tehlists@hotpop.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, May 13, 2005 2:37 PM
Subject: Re: IPSec masquerade with multiple clients


> Leonid Zeitlin wrote:
>
> >Hi all,
> >I have the following problem. I have a local network behind a Linux router
> >that does IP masquerade. All hosts on the LAN have 192.168.*.* addresses,
> >and the Linux router has only one external IP address. I need IPSec VPN
> >clients from the LAN to connect to an outside server. The client VPN
> >software is Contivity VPN Client by Nortel Networks. If only one client
> >connects at a time, everything works fine. But once one client connects, no
> >other client can do so. For the second client the connection cannot be
> >established. Is there any way to have multiple clients connect to the
> >external VPN server simultaneously? Any help will be appreciated.
> >
> >Thanks in advance,
> >   Leonid
> >
> >
> >
> >
> >
>
> This question is asked at least once a week in this list, please take a
> look at the archives.
>
> regards,
> Georgi Alexandrov
>

Yes, the answer is usually "enable NAT Traversal". My question then is, does
anyone know if NAT Traversal can be enabled in Contivity VPN Client. I
profess ignorance in this subject.

Thanks,
   Leonid
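
Why a masquerading router admits only one bare-ESP client per server while NAT Traversal allows several, as an added Python sketch that is not part of the original thread. It is a simplified model of a NAT that can key bare ESP only on protocol and remote address, not the Linux conntrack code; the addresses are constructed, and UDP port 4500 is the standard RFC 3948 encapsulation port, assumed here rather than confirmed for the Contivity client.

```python
from dataclasses import dataclass, field

ESP, UDP = 50, 17            # IP protocol numbers
SERVER = "203.0.113.10"      # constructed VPN server address (documentation range)

@dataclass
class Masquerade:
    """Toy one-address NAPT; a model for illustration, not the Linux conntrack code."""
    table: dict = field(default_factory=dict)   # reply key -> (inside ip, inside port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Record a mapping and return its reply key, or None if it cannot be unique."""
        if proto == ESP:
            # ESP has no port fields, so a reply can be matched only on
            # protocol and remote address.
            key, inside = (ESP, dst_ip), (src_ip, None)
        else:
            ext_port, inside = src_port, (src_ip, src_port)
            # Keep the source port when free, otherwise take the next one.
            while self.table.get((proto, dst_ip, dst_port, ext_port), inside) != inside:
                ext_port += 1
            key = (proto, dst_ip, dst_port, ext_port)
        if self.table.setdefault(key, inside) != inside:
            return None          # another inside host already owns this key
        return key

    def inbound(self, key):
        """Return the inside (ip, port) that a reply with this key is delivered to."""
        return self.table.get(key)

def connect_two_clients(nat_t):
    """Two LAN clients open an IPsec data channel to the same server."""
    nat = Masquerade()
    results = {}
    for client in ("192.168.0.11", "192.168.0.12"):
        if nat_t:   # ESP wrapped in UDP, port 4500 on both ends (RFC 3948)
            key = nat.outbound(UDP, client, 4500, SERVER, 4500)
        else:       # bare ESP, IP protocol 50
            key = nat.outbound(ESP, client, None, SERVER, None)
        results[client] = nat.inbound(key) if key else None
    return results

if __name__ == "__main__":
    print("bare ESP:", connect_two_clients(nat_t=False))
    print("NAT-T   :", connect_two_clients(nat_t=True))
```

With bare ESP the second client gets no mapping at all; with UDP encapsulation the router gives the second client a different external source port, so replies reach the right laptop.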




* Re: IPSec masquerade with multiple clients
  2005-05-13 12:03   ` Leonid Zeitlin
@ 2005-05-13 14:54     ` Daniel Lopes
  2005-05-14  1:33     ` dave beach
  1 sibling, 0 replies; 5+ messages in thread
From: Daniel Lopes @ 2005-05-13 14:54 UTC (permalink / raw)
  To: netfilter

Leonid Zeitlin wrote:
> ----- Original Message ----- 
> From: "Georgi Alexandrov" <tehlists@hotpop.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Friday, May 13, 2005 2:37 PM
> Subject: Re: IPSec masquerade with multiple clients
> 
> 
> 
>>Leonid Zeitlin wrote:
>>
>>
>>>Hi all,
>>>I have the following problem. I have a local network behind a Linux router
>>>that does IP masquerade. All hosts on the LAN have 192.168.*.* addresses,
>>>and the Linux router has only one external IP address. I need IPSec VPN
>>>clients from the LAN to connect to an outside server. The client VPN
>>>software is Contivity VPN Client by Nortel Networks. If only one client
>>>connects at a time, everything works fine. But once one client connects, no
>>>other client can do so. For the second client the connection cannot be
>>>established. Is there any way to have multiple clients connect to the
>>>external VPN server simultaneously? Any help will be appreciated.
>>>
>>>Thanks in advance,
>>>  Leonid
>>>
>>>
>>>
>>>
>>>
>>
>>This question is asked at least once a week in this list, please take a
>>look at the archives.
>>
>>regards,
>>Georgi Alexandrov
>>
> 
> 
> Yes, the answer is usually "enable NAT Traversal". My question then is, does
> anyone know if NAT Traversal can be enabled in Contivity VPN Client. I
> profess ignorance in this subject.
> 
> Thanks,
>    Leonid
> 
> 
> 
How about taking a look at the client's docs or asking Nortel
Support? I think they will help you ;), although I think the client
provides NAT-T because nearly all newer clients do it.



* RE: IPSec masquerade with multiple clients
  2005-05-13 12:03   ` Leonid Zeitlin
  2005-05-13 14:54     ` Daniel Lopes
@ 2005-05-14  1:33     ` dave beach
  1 sibling, 0 replies; 5+ messages in thread
From: dave beach @ 2005-05-14  1:33 UTC (permalink / raw)
  To: 'Leonid Zeitlin', netfilter

I had the same problem - class C private net behind both a hardware
broadband router and a dedicated IPTables firewall. My employer uses a
Nortel Contivity VPN remote access solution, which does not have NAT
traversal enabled on the Contivity box.

With my previous router (Linksys BEFSR41), there's a tech bulletin on the
Linksys site that states it only supports a single VPN passthrough
connection. So, I upgraded to a newer model that supports more than one
(because my wife and I both need to do VPN passthrough from our
respective at-home work laptops). I couldn't get multiple connections
working through the IPTables firewall, so I "solved" it by leaving my wife's
laptop connected through the IPTables firewall (and thence out via the
broadband router), and plugging my laptop directly into a spare jack on the
back of the broadband router.

Both laptops can now happily connect to the mothership Contivity VPN box,
and all is goodness. Not what I would have preferred (which would have been
both laptops connecting through the IPTables box), but I can live with it.

Other work users report that with various other broadband routers (SMC,
particularly) they can connect multiple concurrent VPN passthrough sessions
to the Contivity box, even with NAT traversal disabled - but they're just
wiring multiple computers directly into the back of the routers. Why I
couldn't get it to work through IPTables remains a mystery to me.

Your mileage may vary.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Leonid Zeitlin
Sent: May 13, 2005 8:04 AM
To: netfilter@lists.netfilter.org
Subject: Re: IPSec masquerade with multiple clients


----- Original Message -----
From: "Georgi Alexandrov" <tehlists@hotpop.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, May 13, 2005 2:37 PM
Subject: Re: IPSec masquerade with multiple clients


> Leonid Zeitlin wrote:
>
> >Hi all,
> >I have the following problem. I have a local network behind a Linux router
> >that does IP masquerade. All hosts on the LAN have 192.168.*.*
> >addresses, and the Linux router has only one external IP address. I
> >need IPSec VPN clients from the LAN to connect to an outside server.
> >The client VPN software is Contivity VPN Client by Nortel Networks.
> >If only one client connects at a time, everything works fine. But
> >once one client connects, no other client can do so. For the second
> >client the connection cannot be established. Is there any way to have
> >multiple clients connect to the external VPN server simultaneously?
> >Any help will be appreciated.
> >
> >Thanks in advance,
> >   Leonid
> >
> >
> >
> >
> >
>
> This question is asked at least once a week in this list, please take 
> a look at the archives.
>
> regards,
> Georgi Alexandrov
>

Yes, the answer is usually "enable NAT Traversal". My question then is, does
anyone know if NAT Traversal can be enabled in Contivity VPN Client. I
profess ignorance in this subject.

Thanks,
   Leonid



