Netgate Discussion Forum
    Windows Client to WinServer - Windows Built in VPN (GRE) - Only first connection works

    • bingo600

      I have a strange issue (might be known); I think I see the issue described in the pfSense manual (GRE issue).

      I have a hosted setup, where the implementor uses the Windows Server built-in VPN as the connection method.

      This means I have used the Win10 client built-in VPN to access the service on the server. Aka: start the Win VPN, then start the client program, and make tests. This is done for 3 clients at the same time.

      This is a VoIP service, and I need at least 3 clients to be able to test our functionality.

      2 clients in a call, and when the 3rd dials one of the others, you should hear a "knock/incoming-call" in the headset.

      This has worked without issues when the client VLAN used had its def-gw on our Cisco ASA.

      Now I have migrated that VLAN to our pfSense firewall, and I was just informed that: "IT DOESN'T WORK" .....

      Well, the error report is "correct" ....
      The first Win10 client VPN always succeeds in connecting to the Win10-Server VPN. The next client doesn't.

      All 3 clients can connect provided they are "the first & only".

      On the server I see a message "from memory" ....
      Windows sees a connection, but "blah...blah" .... This is usually if the remote end doesn't permit GRE ... "Blah..Blah".

      If I take one of the PCs and move it to my Test-pfSense, I can again connect the first PC, and now I can make a call between the client on the Prod-pfSense and the one on the Test-pfSense, indicating that the server and app work.

      I dug a little into the pfSense doc, and I'm quite sure I saw something about pf having issues with NAT & GRE for more than 1 connection. This seems to be consistent with my experience.
      Solution: use one public IP per connection 🤕

      1:
      Can anyone confirm that the above pf limit is correct?

      2:
      Does anyone have a "better workaround" than multiple public IPs?
      Or do I have to put my Cisco ASA in production again, and make a "Win-VPN VLAN" that has its def-gw via the ASA, as the ASA handles multiple clients without problems??

      PS: Changing the server VPN away from the M$ C..p is unfortunately not an option.

      Tips/Hints are welcome.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      • stephenw10 (Netgate Administrator)

        Yeah, sounds like you're hitting a state limit in pf.
        GRE has no concept of ports, so the state on WAN is simply the WAN IP to the destination IP for protocol GRE. That's a problem if more than one client behind the firewall wants to access the same remote server.

        But that is almost never an issue since PPTP is thankfully almost never used anymore.
        https://docs.netgate.com/pfsense/en/latest/nat/compatibility.html#pptp-gre

        Are they really still using that in Win10? In 2020?

        Steve

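The state-key collision Steve describes, as an added example that is not part of the original thread or of pfSense's own code: a small Python model of outbound NAT state keys, in which TCP states carry both ports while GRE states carry only the address pair. All hosts, addresses and the address pool are constructed sample values, and the key layout follows the page's description rather than pf's internal structures.

```python
"""Why one NAT state is all pf can build for GRE to a given server.

Added example, not pfSense or pf code. It models the state keys the thread
describes: TCP states carry both addresses and both ports, GRE (IP protocol 47)
states carry only the two addresses, so every LAN host behind one WAN address
collapses onto the same key. All addresses below are constructed sample values.
"""
from dataclasses import dataclass, field

TCP, GRE = 6, 47          # IP protocol numbers
PPTP_CONTROL_PORT = 1723  # PPTP's TCP control channel; the tunnel itself is GRE


@dataclass
class OutboundNat:
    wan_ip: str
    states: dict = field(default_factory=dict)  # state key -> LAN host owning it
    next_port: int = 50000                       # next translated source port

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port, ext_ip=None):
        """Return True if an outbound state for this flow can exist on ext_ip."""
        ext_ip = ext_ip or self.wan_ip
        if proto == GRE:
            key = (GRE, ext_ip, dst_ip)              # port-less: no per-host field
        else:
            self.next_port += 1                       # a fresh port disambiguates hosts
            key = (proto, ext_ip, self.next_port, dst_ip, dst_port)
        owner = self.states.setdefault(key, src_ip)
        # Reply packets carry only the key fields, so a second LAN host would be
        # indistinguishable from the first: the attempt collides unless it is the owner.
        return owner == src_ip


def demo(server="203.0.113.10", clients=("10.0.0.11", "10.0.0.12", "10.0.0.13")):
    """Three LAN hosts dial the same PPTP server through one WAN address."""
    nat = OutboundNat("198.51.100.1")
    control = [nat.translate(TCP, c, 40000 + i, server, PPTP_CONTROL_PORT)
               for i, c in enumerate(clients)]
    tunnel = [nat.translate(GRE, c, None, server, None) for c in clients]
    # The workaround the thread settles on: one public IP per client.
    pool = ("198.51.100.1", "198.51.100.2", "198.51.100.3")
    per_ip = OutboundNat(pool[0])
    tunnel_pool = [per_ip.translate(GRE, c, None, server, None, ext_ip=p)
                   for c, p in zip(clients, pool)]
    return control, tunnel, tunnel_pool


if __name__ == "__main__":
    print(demo())  # ([True, True, True], [True, False, False], [True, True, True])
```

The TCP 1723 control channels all translate, only the first GRE tunnel per WAN address does, and giving each host its own public IP restores all three.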
        • bingo600

          Thanx Steve

          I guess it's back to putting the ASA in production again.

          /Bingo


          • stephenw10 (Netgate Administrator)

            Maybe no choice if they are really using PPTP still.

            If they are using GRE over IPsec, which I would expect to find more commonly, it implies they might not be encrypting it correctly.

            Steve

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.