 From:  David Cook <david dot cook at jpcompserv dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Back to Back PPTP Across M0n0Wall(s) Cancel Each Other Out
 Date:  Tue, 26 Sep 2006 13:05:33 +0100
Michael Brown wrote:

> Basically, we have (2) sites that have m0n0wall.  Each is using the 
> built in PPTP which works great. Both use m0n0wall as a NAT/Firewall/VPN 
> setup. The odd thing is, should one person from Company A do a VPN into 
> Company B, it works.  But, if Company B does a VPN into Company A while 
> Company A is still VPN into Company B, they both cancel each other out 
> and you have to restart m0n0wall at both locations to fix the problem. 

This is a problem caused by PPTP VPN NAT sessions originating and 
terminating at the same IP addresses.

You could confirm this next time you get the situation of multiple VPN 
connections 'blocking' each other. Rather than restarting each firewall, 
use the 'Reset State' option under the 'Diagnostics' menu and see if 
that allows one person to reinitiate their PPTP VPN.

A possible workaround would be assigning 1:1 NAT IP addresses to each 
of the clients initiating the PPTP VPN, but for this to work your ISP 
would need to assign multiple IP addresses to your internet connection. 
This would mean that each VPN session would originate from unique IP 
addresses and the sessions would not clash.

> Just to clarify, I'm not going VPN from m0n0wall to m0n0wall, but it's a 
> computer behind the NAT doing a VPN across to each other that causes 
> this to happen.  

It seems that you are dismissing the obvious solution which is a 
m0n0wall to m0n0wall IPSEC VPN. Is there a technical reason for this, or 
is this to retain control over who has inter-site access?

Best regards.
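The clash described in the reply above, modelled as an added example (not m0n0wall's code): a NAT state table keys TCP on the full 5-tuple, but GRE, which carries the PPTP tunnel, has no port numbers, so without a PPTP helper its entries are keyed only on (protocol, source, destination) and two sessions between the same pair of public addresses share a key. The public addresses and source ports are constructed; the 1:1 NAT case maps the initiating client to a second public address, as the workaround suggests.

```python
from dataclasses import dataclass

TCP, GRE = 6, 47


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: int = 0   # unused for GRE, which has no port numbers
    dport: int = 0


class NatTable:
    """State table of a NAT with no PPTP helper: TCP keyed on the 5-tuple,
    GRE keyed only on (proto, src, dst)."""

    def __init__(self):
        self.entries = {}

    def key(self, f: Flow):
        if f.proto == GRE:
            return (GRE, f.src, f.dst)
        return (f.proto, f.src, f.dst, f.sport, f.dport)

    def add(self, f: Flow, owner: str) -> bool:
        k = self.key(f)
        if k in self.entries and self.entries[k] != owner:
            return False     # another session already holds this key
        self.entries[k] = owner
        return True


def open_pptp(table: NatTable, owner: str, src: str, dst: str, sport: int) -> bool:
    """A PPTP session is a TCP/1723 control connection plus GRE in both directions."""
    ok = table.add(Flow(TCP, src, dst, sport, 1723), owner)
    ok &= table.add(Flow(GRE, src, dst), owner)
    ok &= table.add(Flow(GRE, dst, src), owner)
    return ok


def both_directions(a_client_pub: str, a_server_pub: str, b_pub: str):
    """Site A's client connects to site B, then site B's client connects to
    site A's PPTP server, both seen by site A's state table.
    Returns (first_session_ok, second_session_ok)."""
    t = NatTable()
    first = open_pptp(t, "A-client", a_client_pub, b_pub, 40000)   # constructed ports
    second = open_pptp(t, "B-client", b_pub, a_server_pub, 50000)
    return first, second


if __name__ == "__main__":
    # Single public IP at site A: the second session clashes on the GRE keys.
    print(both_directions("203.0.113.1", "203.0.113.1", "198.51.100.1"))
    # 1:1 NAT gives the initiating client its own public IP: no clash.
    print(both_directions("203.0.113.2", "203.0.113.1", "198.51.100.1"))
```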