[ previous ] [ next ] [ threads ]
 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Back to Back PPTP Across M0n0Wall(s) Cancel Each Other Out
 Date:  Tue, 26 Sep 2006 12:14:33 -0500
Thanks for the detailed response. Basically, I use VPN from Site A to 
Site B for VNC reasons to do tech support for the company.  I had Site B 
doing a VPN back in Site A as a test to make sure I could VNC back the 
other way to those machines. That's when I ran into the issue.  
Basically, as long as I remember to shutdown the VPN from one end to 
making another connection from the other I'm ok, so it's not a big show 
stopper for me.  Just a strange thing that happened and I know better 
not to do that in the future.  It just struck me odd that you can't do 
this though the technical reason you outlined is probably a better 
reason. I just though since you can VPN out of m0n0wall and have people 
VPN at the same time, it wouldn't be a big deal until you have two 
m0n0wall's cross paths and that seems to be a big no-no.


David Cook wrote:
> Michael Brown wrote:
>> Basically, we have (2) sites that have m0n0wall.  Each is using the 
>> built in PPTP which works great. Both use m0n0wall as a 
>> NAT/Firewall/VPN setup. The odd thing is, should one person from 
>> Company A do a VPN into Company B, it works.  But, if Company B does 
>> a VPN into Company A while Company A is still VPN into Company B, 
>> they both cancel each other out and you have to restart m0n0wall at 
>> both locations to fix the problem. 
> This is a problem caused by PPTP VPN NAT sessions originating and 
> terminating at the same IP addresses.
> You could confirm this next time you get the situation of multiple VPN 
> connections 'blocking' each other. Rather than restarting each 
> firewall, use the 'Reset State' option under the 'Diagnostics' menu 
> and see if that allows one person to reinitiate their PPTP VPN.
> A possible work around would be assigning 1:1 NAT IP addresses to each 
> of the clients intiating the PPTP VPN, but for this to work your ISP 
> would need to assign multiple IP addresses to your internet 
> connection. This would mean that each VPN session would originate from 
> unique IP addresses and the sessions would not clash.
>> Just to clarify, I'm not going VPN from m0n0wall to m0n0wall, but 
>> it's a computer behind the NAT doing a VPN across to each other that 
>> causes this to happen.  
> It seems that you are dismissing the obvious solution which is a 
> m0n0wall to m0n0wall IPSEC VPN. Is there a technical reason for this, 
> or is this to retain control over whom has inter-site access?
> Best regards.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch