Does pfSense/FreeBSD filter the "session id"?

  • Hello!

    I have a strange question here from a customer of ours, who has some of
    his employees working in our office for some time.
    From our office they want to connect to their Cisco VPN service,
    but it is only possible for one of them at the same time. The moment the
    second employee tries to connect, the server refuses to talk to him,
    because it can't distinguish between both connections, therefore
    treating them as the same (we have a fixed external IP as usual).

    Our customer told us that this problem is on our side, and it is
    happening because: "our firewall is not forwarding the session-id"
    and "this could have something to do with your NAT settings…"

    We have a typical configuration, doing NAT automatically
    and allowing "LAN -> any, any", so I can't figure out where I should
    have disallowed that. Also I am not sure at all what exactly
    he meant by "session-id"... the usual problem, I can't reach
    him until next week and the project is urgent... I suppose
    something inside the TCP header or VPN stuff that gets
    filtered, but is FreeBSD/pfSense doing that?

    Is there someone who could identify what the actual
    problem could be and whether I can fix it on our side with pfSense?
    Is it possible that NAT throws this "session id" away? And if so,
    can I fix this somehow?

    Many thanks

  • Not really your problem; there is only one IP, so probably only one person can connect,
    because it does not differentiate.

    Get more IPs on your WAN and send them out different ones????
    Make a tunnel between the two sites.

  • Thanks for replying.

    Well, they claim that it works in other offices where also only one
    fixed IP address for outside connections is available… so they tend to
    be sure that it is our problem.

    A site-to-site tunnel is not possible, since the policy of the customer
    does not allow that anymore (big company, you know...).

    Any other idea? Can it be NAT?

  • I've had 3-4 simultaneous client machines connected to the same Cisco VPN device before.

    I'm guessing they must not have NAT-T enabled on their end. It works fine with that.

  • Thanks for the answer.

    OK, but if their configuration works for other supporting companies,
    and since you can confirm that these kinds of connections do work at all,
    the problem must be on our side.

    What could it be? We only have some inbound NAT rules, but
    I don't think they have anything to do with it; as said, the
    firewall rules are just "LAN -> any", and we do automatic NAT
    from LAN to the Internet.

  • What pfSense version are you running?

  • pfSense 1.0.1 RELEASE

  • Well, shouldn't matter, one of the machines I go through to get to the Internet is a 1.0-RC version.

    Do you have advanced outbound NAT enabled?

  • No, "advanced outbound NAT" is disabled.
    I have "Enable IPSec passthru" activated.

  • Upgrade to a recent testing snapshot:

  • I seriously doubt if a snapshot is going to change anything, but I would try it.

    There are some IPsec passthrough changes, though I don't think it will matter because I'm running behind way older versions than what you are and don't have problems.

  • Something just hit me. Looking back at the subject, "session ID", that's not IPsec related (AFAIK). Is this by chance a PPTP or L2TP connection? We (or at least I) hear Cisco and assume IPsec.

  • I assume they use IPSec, yes, but I have forwarded the question to be sure.
    I will post the answer as soon as I get it.

  • OK, I got an answer:

    "…this is a common problem we do encounter with many routers that are not Cisco/AVM,
    the address translation of IPSec is not handled correctly, therefore our gateway can't
    differentiate between the incoming connections..."

    So it's IPSec. Any ideas?
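As an added illustration (not from any post in this thread): a toy model of a port-based NAT translation table showing why two IPsec clients behind one fixed public address look like a single flow to the remote VPN gateway when plain ESP is used, and why NAT-T (UDP/4500, as the earlier reply suggests) gives each client its own translated source port. All addresses are constructed, and the model deliberately ignores the SPI-based ESP tracking that some gateways implement.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.1"  # constructed example WAN address (RFC 5737 range)


@dataclass(frozen=True)
class Flow:
    """One direction of traffic as seen by the NAT gateway."""
    proto: str                       # "esp" or "udp"
    src: str
    dst: str
    src_port: Optional[int] = None   # None for ESP: the ESP header has no ports
    dst_port: Optional[int] = None


@dataclass
class NatGateway:
    """Port-based NAT: outbound flows are keyed on the 5-tuple only."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def translate(self, f: Flow) -> Flow:
        key = (f.proto, f.src, f.src_port, f.dst, f.dst_port)
        if key not in self.table:
            if f.src_port is None:
                # ESP has no port to rewrite, so every inside client maps to the
                # same outside tuple (esp, PUBLIC_IP, peer). The peer sees one flow.
                # (A gateway that tracked the ESP SPI could tell them apart; this
                # toy model does not.)
                self.table[key] = Flow(f.proto, PUBLIC_IP, f.dst)
            else:
                # UDP-encapsulated IPsec (NAT-T): each client gets its own port.
                self.table[key] = Flow(f.proto, PUBLIC_IP, f.dst, self.next_port, f.dst_port)
                self.next_port += 1
        return self.table[key]


def outside_flows(nat: NatGateway, flows) -> set:
    """Return the distinct flows the remote VPN gateway would observe."""
    return {nat.translate(f) for f in flows}


def distinct_peers_seen(use_nat_t: bool) -> int:
    """Two LAN clients (constructed addresses) dial the same Cisco VPN gateway."""
    nat = NatGateway()
    peer = "198.51.100.10"  # constructed address of the customer's VPN gateway
    if use_nat_t:
        flows = [Flow("udp", "192.168.1.10", peer, 4500, 4500),
                 Flow("udp", "192.168.1.11", peer, 4500, 4500)]
    else:
        flows = [Flow("esp", "192.168.1.10", peer), Flow("esp", "192.168.1.11", peer)]
    return len(outside_flows(nat, flows))
```

`distinct_peers_seen(False)` returns 1, reproducing the "only one of them at a time" symptom, while `distinct_peers_seen(True)` returns 2.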