Netgate Discussion Forum

Does pfsense/freebsd filter the "session id"?

Firewalling
avel:

Hello!

I have a strange question here from a customer of ours, who has some of
his employees working in our office for some time.
From our office they want to connect to their Cisco VPN service,
but it is only possible for one of them at the same time. The moment the
second employee tries to connect, the server refuses to talk to him,
because it can't distinguish between both connections, therefore
treating them as the same (we have a fixed external IP as usual).

Our customer told us that this problem is on our side, and it is
happening because: "our firewall is not forwarding the session-id"
and "this could have something to do with your NAT settings…"

We have a typical configuration, doing NAT automatically
with "LAN -> any, any", so I can't figure out where I should
have disallowed that. Also I am not sure at all what exactly
he meant by "session-id"... the usual problem, I can't reach
him until next week and the project is urgent... I suppose
something inside the TCP header or VPN stuff that gets
filtered, but is FreeBSD/pfSense doing that?

Is someone there who could identify what the actual
problem could be and if I can fix it on our side with pfSense?
Is it possible that NAT throws this "session id" away? And if so,
can I fix this somehow?

Many thanks
Avel
aldo:

Not really your problem. There is only one IP, so probably only one person can connect,
because it does not differentiate.

Get more IPs on your WAN and send them out different ones????
Make a tunnel between the two sites.
avel:

Thanks for replying.

Well, they claim that it would work in other offices where also only one
fixed IP address for outside connections is available… so they tend to
be sure that it is our problem.

A site-to-site is not possible, since the policy of the customer
does not allow that anymore (big company, you know...).

Any other idea? Can it be NAT?
cmb:

I've had 3-4 simultaneous client machines connected to the same Cisco VPN device before.

I'm guessing they must not have NAT-T enabled on their end. It works fine with that.
avel:

Thanks for the answer.

Ok, but if their configuration works for other supporting companies,
and since you can confirm that this kind of connection does work at all,
the problem must be on our side.

What could it be? We only have some inbound NAT rules, but
I don't think they have anything to do with it; as said, the
firewall rules are just "LAN -> any", and we do automatic NAT
from LAN to the internet.
cmb:

What pfSense version are you running?
avel:

pfSense 1.0.1 RELEASE
cmb:

Well, shouldn't matter, one of the machines I go through to get to the Internet is a 1.0-RC version.

Do you have advanced outbound NAT enabled?
avel:

No, "advanced outbound NAT" is disabled.
I have "Enable IPSec passthru" activated.
sullrich:

Upgrade to a recent testing snapshot: http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/
cmb:

I seriously doubt if a snapshot is going to change anything, but I would try it.

There are some IPsec passthrough changes, though I don't think it will matter because I'm running behind way older versions than what you are and don't have problems.
cmb:

Something just hit me. Looking back at the subject, "session ID", that's not IPsec related (AFAIK). Is this by chance a PPTP or L2TP connection? We (or at least I) hear Cisco and assume IPsec.
avel:

I assume they use IPsec, yes, but I have forwarded the question to be sure.
I will post the answer as soon as I get it.
avel:

Ok, I got an answer:

"…this is a common problem we do encounter with many routers that are not Cisco/AVM,
the address translation of IPsec is not handled correctly, therefore our gateway can't
differentiate between the incoming connections..."

So it's IPsec. Any ideas?
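The thread's two technical claims (cmb's "they must not have NAT-T enabled" and the customer's "our gateway can't differentiate between the incoming connections") are the same point seen from both sides of the NAT. The following is an added illustration, not code from the thread or from pfSense: a toy port-based NAT (the model is mine, and it assumes a NAT that keys state on addresses plus ports and, like pf, does not track ESP SPIs) with two inside hosts talking to one VPN gateway. The addresses are constructed. Plain ESP (IP protocol 50) carries no ports, so both hosts collapse onto one outside mapping and the gateway's replies can only reach one of them; with NAT-T (UDP/4500) the NAT allocates a distinct outside port per host and the replies are demultiplexed correctly.

```python
"""Toy NAPT model: why several IPsec clients behind one NAT need NAT-T.

Added example (not from the thread or pfSense). Models a PAT-style NAT
keyed on (proto, outside port, remote ip, remote port) without ESP SPI
tracking; this is an assumption chosen to mirror pf's ESP handling.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50          # IP protocol number for ESP
UDP = 17          # IP protocol number for UDP
NAT_T_PORT = 4500  # UDP port used by IPsec NAT traversal


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None


class Napt:
    """Port-based NAT: one public address, per-flow outside ports for UDP."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (proto, outside port, remote ip, remote port) -> (inside ip, inside port)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Translate an inside->outside packet and record state for replies."""
        if p.proto == UDP:
            port = self.next_port
            self.next_port += 1
            self.table[(UDP, port, p.dst, p.dport)] = (p.src, p.sport)
            return Packet(self.wan_ip, p.dst, UDP, port, p.dport)
        # ESP has no port to rewrite: only the source address changes, so a
        # second inside host to the same peer overwrites the first mapping.
        self.table[(ESP, None, p.dst, None)] = (p.src, None)
        return Packet(self.wan_ip, p.dst, ESP)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply from the remote peer back to an inside host, or drop it."""
        if p.dst != self.wan_ip:
            return None
        key = (UDP, p.dport, p.src, p.sport) if p.proto == UDP else (ESP, None, p.src, None)
        inside = self.table.get(key)
        if inside is None:
            return None  # no state for this reply: dropped
        in_ip, in_port = inside
        return Packet(p.src, in_ip, p.proto, p.sport, in_port)


def simulate(nat_t: bool) -> Dict[str, Optional[str]]:
    """Two inside hosts reach one VPN gateway; return where each host's reply lands.

    The result maps 'host the gateway meant to answer' -> 'host that received it'.
    """
    nat = Napt("203.0.113.10")           # constructed WAN address
    gateway = "198.51.100.1"             # constructed VPN gateway address
    hosts = ["192.168.1.10", "192.168.1.11"]  # constructed LAN clients

    outside: Dict[str, Packet] = {}
    for h in hosts:
        pkt = (Packet(h, gateway, UDP, NAT_T_PORT, NAT_T_PORT) if nat_t
               else Packet(h, gateway, ESP))
        outside[h] = nat.outbound(pkt)

    delivered: Dict[str, Optional[str]] = {}
    for h in hosts:
        o = outside[h]
        # The gateway answers exactly what it saw on the wire.
        reply = Packet(o.dst, o.src, o.proto, o.dport, o.sport)
        back = nat.inbound(reply)
        delivered[h] = back.dst if back else None
    return delivered


if __name__ == "__main__":
    print("NAT-T (UDP/4500):", simulate(nat_t=True))
    print("plain ESP:       ", simulate(nat_t=False))
```

With NAT-T each reply reaches the host it was meant for; with plain ESP the gateway's replies for both clients land on whichever host negotiated last, which is the behaviour the customer's gateway reports as "can't differentiate between the incoming connections". The fix in the thread's terms is therefore on the gateway side (enable NAT-T) rather than in pfSense's outbound NAT rules.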