Michael Brown wrote:
> Hi,
> Thanks for the detailed response. Basically, I use VPN from Site A to
> Site B for VNC reasons to do tech support for the company. I had Site B
> doing a VPN back in Site A as a test to make sure I could VNC back the
> other way to those machines. That's when I ran into the issue.
> Basically, as long as I remember to shutdown the VPN from one end to
> making another connection from the other I'm ok, so it's not a big show
> stopper for me. Just a strange thing that happened and I know better
> not to do that in the future. It just struck me odd that you can't do
> this though the technical reason you outlined is probably a better
> reason. I just thought since you can VPN out of m0n0wall and have people
> VPN at the same time, it wouldn't be a big deal until you have two
> m0n0walls cross paths and that seems to be a big no-no.
>
> Thanks,
> Michael
>
I can see now that a permanent VPN isn't a useful solution. Interesting
that you came across the problem from supporting customers as we came
across a related scenario in the same way.
Our problem came about from one technician already with a PPTP VPN up to
a customer's site requesting help from a colleague. Their colleague
would try to VPN in themselves and would get to the point where PC and
remote firewall (well ... server the connection was being passed through
to) were trying to establish the PPTP tunnel after authentication had
succeeded.
At this point we were using NAT and all outbound connections from users'
PCs were NATed from the IP address of the m0n0wall's WAN interface. The
resolution was to assign all the technical team their own IP address
from the blocks our ISP kindly route to us using 1:1 NAT and internal IP
addresses reserved to the PC via DHCP. Everything works ok now.
Best regards.
David
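The following is an added illustration, not code from the thread or from m0n0wall: a toy model of a NAT translation table showing why two PPTP clients behind one many-to-one (masquerading) WAN address collide, and why giving each technician their own public address via 1:1 NAT, as David describes, makes the collision go away. It assumes the well-known detail that PPTP uses a TCP/1723 control connection plus a GRE (IP protocol 47) data channel that carries no port numbers, so a NAT keyed on addresses, protocol and ports cannot tell two GRE flows to the same server apart once both clients share a public IP. All addresses are constructed documentation-range values.

```python
# Added example (not from the mailing-list thread): a minimal model of a NAT
# translation table to show the PPTP-behind-NAT collision and the 1:1 NAT fix.
# Assumption: PPTP = TCP/1723 control channel + GRE data channel without ports.
# Real PPTP-aware NATs track GRE call IDs to avoid this; this model does not,
# which is the behaviour the collision scenario depends on.

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # inside (private) source address
    dst: str          # remote server address
    proto: str        # "tcp", "udp" or "gre"
    sport: int = 0    # 0 for protocols that carry no ports
    dport: int = 0


class Nat:
    """Outbound NAT keyed on (public src, dst, proto[, sport, dport])."""

    def __init__(self, masquerade_ip=None, one_to_one=None):
        self.masq = masquerade_ip              # shared WAN address, or None
        self.one_to_one = one_to_one or {}     # inside addr -> dedicated public addr
        self.table = {}                        # outside key -> inside owner
        self.next_port = 40000                 # pool for rewriting source ports

    def public_for(self, inside):
        # 1:1 mappings win; everything else masquerades behind the WAN address.
        return self.one_to_one.get(inside, self.masq)

    def outbound(self, flow):
        """Install a translation; return True on success, False on collision."""
        public = self.public_for(flow.src)
        if flow.proto == "gre":
            # GRE has no ports: the only distinguishing fields are the addresses
            # and the protocol, so there is nothing left to rewrite on a clash.
            key = (public, flow.dst, "gre")
            owner = self.table.get(key)
            if owner is not None and owner != flow.src:
                return False
            self.table[key] = flow.src
            return True
        # TCP/UDP: on a clash the NAT simply rewrites the source port.
        sport = flow.sport
        while True:
            key = (public, flow.dst, flow.proto, sport, flow.dport)
            owner = self.table.get(key)
            if owner is None or owner == flow.src:
                self.table[key] = flow.src
                return True
            sport = self.next_port
            self.next_port += 1


def scenario(nat):
    """Two technicians each bring up a PPTP tunnel to the same customer server."""
    server = "203.0.113.5"                      # constructed remote address
    results = []
    for client in ("192.168.1.10", "192.168.1.11"):
        for flow in (Flow(client, server, "tcp", 50000, 1723),   # control channel
                     Flow(client, server, "gre")):               # data channel
            results.append((client, flow.proto, nat.outbound(flow)))
    return results


def masquerade_demo():
    # Everyone shares the single WAN address: the second GRE flow collides.
    return scenario(Nat(masquerade_ip="198.51.100.1"))


def one_to_one_demo():
    # Each technician's reserved inside address maps to its own public address.
    return scenario(Nat(one_to_one={"192.168.1.10": "198.51.100.10",
                                    "192.168.1.11": "198.51.100.11"}))


if __name__ == "__main__":
    for name, demo in (("masquerade", masquerade_demo), ("1:1 NAT", one_to_one_demo)):
        print(name)
        for client, proto, ok in demo():
            print(f"  {client} {proto:>3}: {'ok' if ok else 'COLLISION'}")
```

Running it prints both TCP control channels succeeding in either mode (the NAT just rewrites a source port), while the second technician's GRE flow fails under masquerading and succeeds once each inside address has its own 1:1 public address. The same reasoning explains why a DHCP reservation matters in David's setup: the 1:1 mapping is keyed on the inside address, so the technician's PC has to keep it.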