Thanks for the detailed response. Basically, I use VPN from Site A to
Site B for VNC reasons to do tech support for the company. I had Site B
doing a VPN back into Site A as a test to make sure I could VNC back the
other way to those machines. That's when I ran into the issue.
Basically, as long as I remember to shut down the VPN from one end before
making another connection from the other, I'm OK, so it's not a big show
stopper for me. Just a strange thing that happened, and I know better
than to do that in the future. It just struck me as odd that you can't do
this, though the technical reason you outlined is probably a better
reason. I just thought, since you can VPN out of m0n0wall and have people
VPN in at the same time, it wouldn't be a big deal until you have two
m0n0walls cross paths, and that seems to be a big no-no.
David Cook wrote:
> Michael Brown wrote:
>> Basically, we have (2) sites that have m0n0wall. Each is using the
>> built-in PPTP, which works great. Both use m0n0wall as a
>> NAT/Firewall/VPN setup. The odd thing is, should one person from
>> Company A do a VPN into Company B, it works. But if Company B does
>> a VPN into Company A while Company A is still VPN'd into Company B,
>> they both cancel each other out, and you have to restart m0n0wall at
>> both locations to fix the problem.
> This is a problem caused by PPTP VPN NAT sessions originating and
> terminating at the same IP addresses.
> You could confirm this next time you get the situation of multiple VPN
> connections 'blocking' each other. Rather than restarting each
> firewall, use the 'Reset State' option under the 'Diagnostics' menu
> and see if that allows one person to reinitiate their PPTP VPN.
> A possible workaround would be assigning 1:1 NAT IP addresses to each
> of the clients initiating the PPTP VPN, but for this to work your ISP
> would need to assign multiple IP addresses to your internet
> connection. This would mean that each VPN session would originate from
> unique IP addresses and the sessions would not clash.
>> Just to clarify, I'm not going VPN from m0n0wall to m0n0wall, but
>> it's a computer behind the NAT doing a VPN across to each other that
>> causes this to happen.
> It seems that you are dismissing the obvious solution, which is a
> m0n0wall to m0n0wall IPSEC VPN. Is there a technical reason for this,
> or is this to retain control over who has inter-site access?
> Best regards.
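The clash David describes, and the two remedies he suggests (Reset State, and 1:1 NAT so each dialling client gets its own public address), can be seen in a small model of a NAT state table. This is an added example, not m0n0wall code or anything from the thread: it assumes, as a simplification, that the firewall keys its GRE state on (protocol, local public IP, remote IP) only, since GRE (IP protocol 47, which carries the PPTP data) has no port numbers to tell two tunnels between the same pair of public addresses apart. The addresses, private hosts and class/function names are all constructed for the illustration.

```python
"""Toy model of a NAT state table showing why two PPTP tunnels between the
same pair of public addresses collide.  Constructed example, not m0n0wall
code: the key (protocol, local public IP, remote IP) is a simplification
chosen because GRE carries no port numbers."""

GRE = 47  # IP protocol number PPTP uses for the tunnelled data


class StateClash(Exception):
    """Raised when a new flow would reuse an existing state-table key."""


class NatStateTable:
    """State table of one NAT firewall.  Each entry maps a public-side flow
    key to (direction, private host) for the flow that owns it."""

    def __init__(self, name, public_ip):
        self.name = name
        self.public_ip = public_ip
        self.entries = {}

    def add_flow(self, proto, private_ip, remote_ip, direction, public_ip=None):
        """Record a flow.  public_ip overrides the shared WAN address when a
        client has its own 1:1 NAT mapping."""
        key = (proto, public_ip or self.public_ip, remote_ip)
        if key in self.entries:
            existing_dir, existing_host = self.entries[key]
            raise StateClash(
                f"{self.name}: {direction} flow {key} for {private_ip} collides "
                f"with {existing_dir} flow for {existing_host}")
        self.entries[key] = (direction, private_ip)
        return key

    def reset_state(self):
        """Equivalent of the 'Reset State' diagnostic: drop every entry."""
        self.entries.clear()


def run_scenario(one_to_one_nat=False, reset_on_clash=False):
    """A client behind Site A dials Site B's PPTP server, then a client
    behind Site B dials Site A's server.  Returns a dict describing the
    outcome.  Addresses are constructed (RFC 5737 documentation ranges)."""
    site_a = NatStateTable("Site A", "203.0.113.1")
    site_b = NatStateTable("Site B", "198.51.100.1")
    # With 1:1 NAT each dialling client is mapped to its own public address
    a_client_pub = "203.0.113.2" if one_to_one_nat else None
    b_client_pub = "198.51.100.2" if one_to_one_nat else None

    # Tunnel 1: 10.1.0.10 (behind A) -> PPTP server 10.2.0.5 (behind B)
    site_a.add_flow(GRE, "10.1.0.10", site_b.public_ip, "outbound", a_client_pub)
    site_b.add_flow(GRE, "10.2.0.5", a_client_pub or site_a.public_ip, "inbound")

    def open_tunnel_2():
        # Tunnel 2: 10.2.0.20 (behind B) -> PPTP server 10.1.0.5 (behind A)
        site_b.add_flow(GRE, "10.2.0.20", site_a.public_ip, "outbound", b_client_pub)
        site_a.add_flow(GRE, "10.1.0.5", b_client_pub or site_b.public_ip, "inbound")

    try:
        open_tunnel_2()
    except StateClash as exc:
        result = {"clash": True, "detail": str(exc), "recovered": False}
        if reset_on_clash:
            # Clearing state lets tunnel 2 come up, at the cost of tunnel 1
            site_a.reset_state()
            site_b.reset_state()
            open_tunnel_2()
            result["recovered"] = True
        return result
    return {"clash": False, "entries_a": len(site_a.entries),
            "entries_b": len(site_b.entries)}


if __name__ == "__main__":
    print("shared WAN address:", run_scenario())
    print("after Reset State:", run_scenario(reset_on_clash=True))
    print("with 1:1 NAT:", run_scenario(one_to_one_nat=True))
```

Without 1:1 NAT, the second tunnel's outbound key at Site B is identical to the inbound key already held for the first tunnel, so the model refuses it; a real firewall would instead mis-steer packets, which is the "cancel each other out" symptom. Giving each client its own public address changes the key and both tunnels coexist.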