 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "Ramírez Herrera, Jorge" <jorge dot ramirez at tecsidel dot es>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Multiple vpn connections Please
 Date:  Wed, 3 Nov 2004 09:32:26 -0500
only seen a Watchguard in one site where my client was a tenant (not
his firewall - landlord was ISP). Hopefully, someone on the list has
experience with Watchguard.

On the Proxy ARP, all you should have to do is enter the public IPs
you want respond to ARP requests on the WAN interface. But, again I
only have one IP I can't really test this config.

My intent was to show how MS PPTP does not play well with NAT. By
design, the MS PPTP server will accept only one connection from each
unique IP address. And by design, most simple NAT routers (including
the default settings on m0n0wall) will use the same IP as the source
for ALL outbound connections. If a firewall is able to map each
private IP to unique public IP - the PPTP will (should) work.
M0n0wall's Outbound NAT and Proxy ARP should allow this.

_________________________________
James W. McKeand


________________________________


Sent: Wednesday, November 03, 2004 4:56 AM
To: James W. McKeand
Subject: RE: [m0n0wall] Multiple vpn connections Please



It could be that Watchguard resolved arp proxy by its own. 
Do you (or anybody) know how to configure it in Mono ? 



------------------------------------ 


------------------------------------ 


tecsidel 

08023 Barcelona 
Tel:          (+34) 93 292 21 10 
Fax:         (+34) 93 292 28 28 
mailto:<mailto:jorge dot ramirez at tecsidel dot es> 
http://www.tecsidel.es/ 

-----Original Message----- 
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Tuesday, 02 November 2004 16:52 

CC: 'M0n0wall-Help (E-mail)' 
Subject: RE: [m0n0wall] Multiple vpn connections Please 

Could the Watchguard be assigning a different public IP to each of the outbound VPN connections? If this is the case, I am not sure of the process to do this. I only have one dynamically assigned address. I think Outbound NAT and ARP Proxy will be involved. 

This is just a guess, based on experience with Microsoft RRAS in the NT 4 days of PPTP. I was dealing with an early SMC Broadband router (i.e. simple NAT router) at a client's home. I had two users that were trying to connect to the same office via MS PPTP from the same house. The end result was a call to Microsoft. The Microsoft tech said that PPTP server would, by design, reject a second connection, if it already had a connection from an IP (i.e. a second user behind the same NAT - same public IP). The solution was to get a second public IP from ISP, remove the NAT router, directly connect the two users, and install software firewall. Both were able to connect, too bad the line at the office was slower than the line at their house ;-) 

I have not used the Cisco products, I cannot tell you. I have successfully used the SonicWall VPN Client and the Netgear VPN Client on different machines behind my m0n0wall to connect to the same SonicWall. In other words, different machines making IPSec connections to the same IPSEC VPN. This is accomplished without doing anything special. I have also made multiple connections to different IPSEC tunnels from one machine (SonicWalls and Netgears). 

FYI, both of these clients are the SafeNet SoftRemoteLT client. The 
SonicWall's version is more restrictive on the settings than the 
Netgear's (SonicWall only wants you to connect to SonicWalls). 

_________________________________ 
James W. McKeand 


-----Original Message----- 

Sent: Tuesday, November 02, 2004 10:05 AM 

Cc: 'M0n0wall-Help (E-mail)' 
Subject: RE: [m0n0wall] Multiple vpn connections Please 

Yes, but there is one thing Watchguard doesn't have: traffic shaping. 
I said Watchguard because it's based on linux. It has NAT too and pptp connections to the same server are allowed. 
With mono, IPsec connections with cisco vpn client are allowed to a Cisco VPN concentrator and not to a Pix Firewall. Why? I don't know. 
It seems to be a little bug in the mono software or watchguard is extremely well done (not sure of this). 
I'd like to replace Watchguard (it is very old) with one mono, but with these problems, it cannot be done. 
Is it going to be solved in future versions of mono? 


-----Original Message----- 
From: James W. McKeand [mailto:james at mckeand dot biz] 
Sent: Tuesday, 02 November 2004 14:20 

CC: 'M0n0wall-Help (E-mail)' 
Subject: RE: [m0n0wall] Multiple vpn connections Please 

AFAIK, *ANY* NAT will break MS PPTP, when two or more users behind the same NAT try to connect to the same server. This is a problem with the PPTP server end. I think L2TP (introduced with Windows 2000) was supposed to fix this, I have not tried it. I moved most of my clients to IPSEC before L2TP was introduced. IPSEC should not be affected by NAT. 

Why not stick with what works? If the Watchguard works use it... 

_________________________________ 
James W. McKeand 
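The rule James states in this message, and spells out again in his later reply at the top of the thread (the MS PPTP server accepts one session per client source address; a simple many-to-one NAT, m0n0wall's default Outbound NAT included, presents every LAN host with the same source address; mapping each private host to its own public IP, with Proxy ARP answering for the extra addresses on the WAN, is what makes it work), can be modelled in a few lines. What follows is an added example written for this archive page, not code from the thread or from m0n0wall. The NAT and the PPTP server are simplified models of the behaviour the messages describe, and all addresses are constructed. Proxy ARP itself is not modelled; the comment marks where it would be needed.

```python
from typing import Dict, List, Optional


class OutboundNat:
    """Source-NAT model (hypothetical, for illustration).

    `static` holds 1:1 mappings (private -> public) of the kind m0n0wall's
    advanced Outbound NAT can express. Any private address without a static
    entry is translated to `shared_public`, the many-to-one behaviour of a
    simple NAT router (and of m0n0wall's default settings).
    """

    def __init__(self, shared_public: str, static: Optional[Dict[str, str]] = None):
        self.shared_public = shared_public
        self.static = dict(static or {})

    def translate(self, private_ip: str) -> str:
        """Return the public source address the server will see."""
        return self.static.get(private_ip, self.shared_public)


class PptpServer:
    """Models the server-side rule described in the thread: one PPTP
    session per client source address. PPTP's data channel is GRE, which
    carries no port numbers, so the server (and the NAT) have little
    besides the source IP to tell two clients apart. A second attempt
    from an address that already holds a session is rejected."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # public source IP -> client label

    def connect(self, src_ip: str, client: str) -> bool:
        if src_ip in self.sessions:
            return False  # by design: already have a session from this IP
        self.sessions[src_ip] = client
        return True


def simulate(nat: OutboundNat, clients: List[str]) -> Dict[str, bool]:
    """Send each private client through the NAT to one PPTP server and
    report which clients were granted a session."""
    server = PptpServer()
    return {c: server.connect(nat.translate(c), c) for c in clients}


# Constructed LAN hosts behind the firewall.
CLIENTS = ["192.168.1.10", "192.168.1.11"]


def default_nat_result() -> Dict[str, bool]:
    """Default m0n0wall / simple router: every host leaves as 198.51.100.1
    (constructed WAN address), so the second PPTP client is refused."""
    return simulate(OutboundNat("198.51.100.1"), CLIENTS)


def one_to_one_nat_result() -> Dict[str, bool]:
    """Advanced Outbound NAT: the second host is mapped to its own public IP
    (198.51.100.2, constructed). On a real m0n0wall that extra address must
    also be announced on the WAN via Proxy ARP so replies reach the
    firewall; that step is outside this model."""
    nat = OutboundNat("198.51.100.1", {"192.168.1.11": "198.51.100.2"})
    return simulate(nat, CLIENTS)


if __name__ == "__main__":
    print("many-to-one NAT:  ", default_nat_result())
    print("1:1 outbound NAT: ", one_to_one_nat_result())
```

Run it and the first line shows the second host refused while the second line shows both accepted, which is exactly the difference between the default Outbound NAT and a per-host mapping. The model also makes the IPsec remark in this message plausible: an IPsec client is identified by more than its source address, so sharing one public IP does not trip the same per-IP rule.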


-----Original Message----- 

Sent: Tuesday, November 02, 2004 2:59 AM 

Subject: RE: [m0n0wall] Multiple vpn connections Please 

Please, is this a limitation of the software? 


-----Original Message----- 

Sent: Thursday, 28 October 2004 17:25 
To: M0n0wall-Help (E-mail) 
Subject: [m0n0wall] Multiple vpn connections 

Hello, 

I need to connect some vpn connections from my lan to other lans outside. Some people need Microsoft pptp, other cisco vpn client and it can be that two or more clients need to connect to the same server. 
The problem is that, with the same rules, some people can connect to pptp or vpn servers and some cannot. 
I don't know why, because I try the same configuration with a Watchguard firewall and it works ok. 
It seems to be a problem in NAT. 
Outbound nat is configured to only affect lan net, Opt1 is out of nat. 

Can anybody help me? 

Thank you. 
