Multiple outbound VPN connections to the same IP



  • I've seen this topic twice covered ( see below) with no resolution or work around.  Maybe because its truly not possible…

    http://forum.pfsense.org/index.php/topic,13973.0.html
    http://forum.pfsense.org/index.php/topic,8214.msg46261.html

    Background:  I've been playing around with Pfsense for a little while now.  I tried to implement it in my business but it failed multiple outbound vpn connections to the same IP address so I went back to IPcop for the time being.  I have upwards of 10 people connecting to our clients site at any given time, so this is an essential function for me.  Ipcop worked out of the box in this regard, but I need the expanded feature set up pfsense, dual wan blah blah blah such is life.

    I was hoping with the release of 1.2.3 this would have been ironed out or incorporated.  I'm not even sure this is on 98% of peoples radar ...

    The setup is a straight HD install, ip set for LAN and WAN everything else is default. I have Multiple outbound IPSEC connections.  The first one connects fine, the rest fail until the first one is closed.  After the first one connection closes it takes about 2 to 5 minutes for the next attempt to work.

    Does anyone have any fresh ideas on a work around or even a direction I can sniff in, as I am not that well versed on PFsense yet.

    Thank you for your time!

    Luke



  • What type of VPN? If PPTP, not going to work. If anything other than PPTP, that will work fine.



  • Its not PPTP, its a Checkpoint Client using Ipsec.  I thought maybe it was PPTP after I read the limitations statement for Pfsense, but I double checked and its Ipsec for sure

    These are the ports used for the Client

    TCP/264 (Topology Download)
    TCP/256
    UDP 259
    IKE
    IPSEC and IKE (UDP on port 500)
    IPSEC ESP (IP type 50)
    IPSEC AH (IP type 51)
    TCP/500 (IKE over TCP)
    UDP 2746
    FW1_pslogon_NG (TCP port 18231)

    The 2nd concurrent VPN to connect gets to the Radius authentication then times out. Its as if the authentication traffic coming back is getting dropped or doesn't know where to go.  I've looked at a detailed packet capture and I didn't see anything.  Is there anything else  I should be monitoring or capturing?  I will run some tests today and post a packet capture.  I'm open to any other suggestions for tracing or capturing.

    Again Thank you for your time!

    Luke



  • That's because of the static port on 500, enable advanced outbound NAT and do not enable static port and see what happens. That will rewrite the source port on the UDP 500 traffic so it can be tracked from multiple internal hosts, though depending on the server that may break things. Usually with IPsec you use NAT-T, which has no such difficulties with rewriting source ports.



  • Success!  Everything is working thus far with nothing else broken as a result.  Thanks for pointing what turned out to be obvious and right under my nose…

    ~Luke~


Log in to reply