Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Multiple VPN Clients from single Location

We have problem when mulitple clients try and establish a VPN tunnel to our PIX515e from the same location. Only one client can be connected to the PIX at a time. Is there a way that multiple users can be simultaneously connected from the same hotel?

2 REPLIES

Re: Multiple VPN Clients from single Location

Hi .. this is a limitation of some devices which don't allow multiple ESP sessions ( tunnells ) behind them. .. here is where transparent tunneling comes in to place but again some devices don't like it either. Please see the below comment from the VPN client admin guide.

Enabling Transparent Tunneling

Transparent tunneling allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translations (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can allow for both IKE (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices and/or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

The VPN Client also sends keepalives frequently, ensuring that the mappings on the devices are kept active.

Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with your device's vendor to verify whether this limitation exists. Some vendors support Protocol-50 (ESP) Port Address Translation (IPSec passthrough), which might let you operate without enabling transparent tunneling.

To use transparent tunneling, the central-site group in the Cisco VPN device must be configured to support it. For an example, refer to the VPN 3000 Concentrator Manager, Configuration | User Management | Groups | IPSec tab (refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration or Help in the VPN 3000 Concentrator Manager browser).

This parameter is enabled by default. To disable this parameter, uncheck the check box. We recommend that you always keep this parameter checked.

Then choose a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, then in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in this case, you should use TCP.

I hope it helps ... please rate it if it does !!!

New Member

Re: Multiple VPN Clients from single Location

I had a similar problem when setting up a PIX 515E where multiple clients would connect with the Cisco client from the same location. The solution was to add the command : isakmp nat-traversal to the pix and all was well.

It's worth looking at!! :)

127
Views
0
Helpful
2
Replies
CreatePlease login to create content