Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Connecting 2 users to a 3030 via a Linksys BEFSR41

Scenario: Husband/Wife work for same company. Company has a VPN 3030 box. They each have their own laptop with VPN Client code 3.6.1 for Windows (using Win2K). Each also have their own id.

Problem:

Husband connects first, using his laptop, successfully to 3030...wife tries next, connecting using her laptop to the same 3030. When she does, husband's connection drops and she can get on. This seems to occur most likely because linksys is doing NAT'ing and VPN 3030 see's same Linksys address come on and drops first one.

Question: How can I fix this ?? We have many 'happily' married couples in our company! What does work is if one points their client to one VPN 3030 and the other points their client to a backup 3030, then they both get on successfully.

4 REPLIES
New Member

Re: Connecting 2 users to a 3030 via a Linksys BEFSR41

Just got this working last night on a Linksys BEFW11S4 -- the wireless equivalent to your router.

You need to enable Transparent Tunneling, but over TCP, not UDP:

http://www.cisco.com/warp/public/471/vpn3k_ipsec_tcp.html#second

This solved our problem not only with the Linksys, Belkin and SMC router/firewalls as well.

--Darryl

New Member

Re: Connecting 2 users to a 3030 via a Linksys BEFSR41

Thanks for your response...things look good now.

New Member

Re: Connecting 2 users to a 3030 via a Linksys BEFSR41

I attempted this, and ran into something interesting. The PC trying to connect used to kick the 1st one right off its VPN connection. Now, the 1st stays connected, but the second PC, the user cannot authenticate. It keeps asking for the user password.

Scott

Cisco Employee

Re: Connecting 2 users to a 3030 via a Linksys BEFSR41

Scott,

1) Linksys has a problem/limitation of allowing only 1 tunnel on UDP port

500 (straight-IPSec). Here is Linksys's link describing this:

http://kb.linksys.com/cgi-bin/om_isapi.dll?clientID=268504&QuestionText=can%20we%20support%20multiple%20IPsec%20connections&SelectName1=&advquery=%5bs%5d%5bRank%2c%2050%3a%5bSum%3a%20can%20we%20support%20multiple%20IPsec%20connections%5d%5bMerge%3a%2...={311}&softpage=IKW_ENU_JDocView

This is the case if on the VPN client under Properties|General tab Enable Transparent Tunneling is not checked.

If you want multiple clients behind the Linksys check on Enable Transparent

Tunneling and also either check UDP or TCP.

With NAT-T over UDP the Linksys will use source port 4500 for the 1st client,

then choose another source port for the 2nd client and so on....

You can verify which source ports the Linksys used by checking the connection detail on the VPN 3000 Administration Sessions and drilling down on the tunnel, for the IPSec session.

Fot NAT over TCP it's basically the same thing. The clients generates a random source port, the Linksys will use this port or genrates a new source port to connenct to the VPN 3000 destinatination(ie. 1000 by defautl).

In either case, firewalls in between will need to allow UDP=4500, TCP=1000 (or any other port you defined).

Summary:

It's the NAT device that has to generate a new source port (UDP/TCP) for

multiple connections to be identifiable by the headend VPN 3000.

Hope this helps.

Nelson

182
Views
0
Helpful
4
Replies
CreatePlease login to create content