Outgoing VPN connections only allow 1 x user to connect



  • First, I apologize for not having more details - I have asked and am waiting on information.  After I have the details on the VPN configuration, I'll ask that the thread be moved to the more specific forum.  I'm told it's "Microsoft PPTP VPN".  Can someone please move this to the appropriate forum?

    I have a site that I just installed an SG-2440 at.  They were previously using the Comcast supplied "Business Gateway".  Using only the Comcast gateway, multiple people were able to connect to a VPN at a remote office.  They are using the Windows client, and I don't know the VPN type or details yet (the client is configured to Automatically detect).

    I changed the Comcast box to bridge mode, and put the SG-2440 in place.  I requested the users test - they claimed everything was working Ok.

    Today I receive a call that only 1 x person can connect to the remote VPN.  If they disconnect, another user can connect, but only one user at a time.  Error message screenshot attached.

    I've searched for what I thought would be appropriate terms, and haven't found an obvious solution.  I tried disabling automatic NAT and disabling the outbound NAT rules for port 500 (just taking a shot in the dark).

    I'm asking for pointers to appropriate threads or solutions.

    Also, maybe someone can tell me why the Comcast Business Gateway (Comcast supplied modem/FW/AP/router) "just worked".

    Thanks in advance for any and all replies!

    Thanks,
    Frank





  • dotdash - Thanks.  I've removed the rules mentioned in that post a bit ago, with no change.

    I'm waiting on the vendor on the other end to give me details regarding exactly what type of VPN connection it is.

    Thanks,
    Frank



  • @pfSense.org:

    Limitations: PPTP / GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. PPTP is insecure and should no longer be used.

    Could be this? Sounds like the likely option for Windows + (automatic) VPN.

    On a side note, nobody should be using PPTP at this point, it's old and insecure.



  • @ fragged-
    The screenshot looks like it's L2TP/L2TP-IPSec



  • @dotdash:

    @ fragged-
    The screenshot looks like it's L2TP/L2TP-IPSec

    Doh. I was originally on mobile and didn't see that at all :P



  • @fragged:

    @dotdash:

    @ fragged-
    The screenshot looks like it's L2TP/L2TP-IPSec

    Doh. I was originally on mobile and didn't see that at all :P

    Though if set to 'auto detect', doesn't Windows try PPTP first, then L2TP, and then fail?  Hence if auto detect is set you only see the failure on the last attempt (L2TP), so it could still be PPTP, just that that fails first and Windows moves on to try the next option…



  • Thanks to all for the replies.

    I'm told the VPN service is "Microsoft PPTP VPN".  Not good…

    However, I'd like to understand why it works for multiple users with the Comcast Business Gateway in place (FW/Routing enabled), instead of the SG-2440.

    Anyone have any ideas?



  • Also, maybe someone can tell me why the Comcast Business Gateway (Comcast supplied modem/FW/AP/router)
    "just worked".

    If you were setting up the Comcast device (router) in the so-called "bridged mode", it acts as an ordinary modem,
    but if this was not really the case and it was a Comcast router, your clients are behind a so-called
    double NAT or router cascade! Could this be?

    However, I'd like to understand why it works for multiple users with the Comcast Business Gateway
    in place (FW/Routing enabled), instead of the SG-2440.

    One question of mine about this scenario. Why did you not set up only one IPSec or whatever VPN connection
    from your SG unit to the unknown box on the other side? Then all people would be able to use this one VPN
    line instead of opening more than one.

    The real-life problem is called "multiple VPN clients behind NAT" or plainly the NAT traversal
    (NAT-T) problem. These problems occur really often and fill forums and boards,
    but due to my bad English language skills it would be better to read this article about the problem;
    it might be better for everyone's understanding. NAT-T problem

    So it is not possible to have multiple L2TP clients connecting from the same static IP to a VPN device
    on the other side, because they are using the same port!!!!

    In real life I would suggest setting up one IPSec or L2TP/IPSec connection, and then all
    employees are able to use this instead of opening their own many VPN connections!



  • This is more of a NAT question than a PPTP one, I'll just leave it in general questions.

    Some NAT implementations can handle multiple GRE sessions to a single remote server with a single local public IP, and some can't. pf can't. Often modems can't either, but you apparently have one that doesn't have such limitations.

    Where you have multiple clients connecting to the same site, you're best off with a proper site to site VPN. Or if using mobile clients, use any type of VPN that wasn't deprecated a decade ago. PPTP is broken on a lot of networks for the same reason, plus the fact it's insecure. Any other type of VPN won't have that issue.

    If you have multiple public IPs, and are able to NAT each client out its own public IP, that's the only option to make that circumstance work while using PPTP with multiple simultaneous clients.



  • @nicholfd:

    Thanks to all for the replies.

    I'm told the VPN service is "Microsoft PPTP VPN".  Not good…

    However, I'd like to understand why it works for multiple users with the Comcast Business Gateway in place (FW/Routing enabled), instead of the SG-2440.

    It has a NAT-T setting like your brand new SG-xx box, but you were not setting it up?

    Anyone have any ideas?

    Setting up NAT-T on your pfSense box would handle this problem properly, but for a professional
    VPN setup I really urgently suggest setting up only one VPN connection, either IPSec or L2TP/IPSec,
    that all users can use.

    And one tip at least: please don't use a PPTP VPN any more in business cases; this is something
    only WISPs would do today, but no one else.



  • Thanks for the replies.

    I am pushing them to set up an IPSec tunnel to the other site - I know that's the "right" thing to do.  They're not sure they want to spend the money on a static IP (only $20 per month, but they are a small office - 3 x people).

    I was just surprised that the Comcast Business Gateway "just worked" and I could find no way to get pfSense to work.



  • Regarding PPTP, I know it shouldn't be used.

    This is an "established" service for this customer.  I can push them to change it, but it involves multiple locations and "incumbent" support/consultants.  I have to work at convincing the business PPTP is "bad".

    Thanks,
    Frank



  • You don't need a static IP to use a site to site VPN. Both IPsec and OpenVPN will work fine in that circumstance with dynamic IPs on one or both sides. Granted, that may depend on what the other side is willing to do. They may have a standard of requiring a static IP, or have equipment where it isn't possible to configure it without one.

    @BlueKobold:

    Setting up NAT-T on your pfSense box would handle this problem properly

    NAT-T is a concept that's specific to IPsec. Rather than sending ESP protocol packets, where NAT-T is in use, the data will be encapsulated in UDP port 4500 traffic. No more ESP protocol, which eliminates the NAT complications.

    The case with PPTP is similar in functionality to IPsec without NAT-T support. PPTP uses TCP 1723 and GRE (IPsec no NAT-T, UDP 500 and ESP). If it supported NAT-T like IPsec does, and would switch from GRE to, say, UDP 1723, this problem with tons of NAT implementations would go away. It was never updated to accommodate that because it was an antiquated protocol already. By the time that was a problem, superior VPN alternatives with no such issues were available.
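    The GRE state-tracking limit described in cmb's posts above, and the contrast with IPsec NAT-T, can be seen in a toy NAT state table. This is an added illustration, not pf's code or anything from this thread; the client, server and WAN addresses are constructed sample values, and it models only the GRE data channel (not the TCP 1723 control connection), since GRE is where the collision happens.

```python
# Toy model of a NAT state table (constructed for illustration; not pf's code).
# A NAT that keys GRE states only on (public IP, remote server) can admit one
# PPTP client per server per public IP, while UDP-encapsulated traffic (IPsec
# NAT-T on UDP 4500) can be told apart by a rewritten source port.

class NatStateTable:
    def __init__(self, public_ips):
        self.public_ips = list(public_ips)
        self.states = {}          # translated key -> internal source address
        self.next_port = 40000    # ephemeral pool used for port rewriting

    def open_state(self, internal_ip, server_ip, proto, dport=None, public_ip=None):
        """Return True if a state could be created, False on a collision."""
        public_ip = public_ip or self.public_ips[0]
        if proto == "gre":
            # GRE carries no port numbers, so the only key is (public IP, server).
            key = ("gre", public_ip, server_ip)
            owner = self.states.get(key)
            if owner is not None and owner != internal_ip:
                return False      # second client to the same server collides
            self.states[key] = internal_ip
            return True
        # UDP/TCP: pick a fresh source port so every client gets a distinct key.
        sport = self.next_port
        self.next_port += 1
        self.states[(proto, public_ip, sport, server_ip, dport)] = internal_ip
        return True


def simulate(public_ips, clients, server_ip, proto, dport=None, one_ip_per_client=False):
    """clients: list of internal IPs; returns each client's connect result in order."""
    nat = NatStateTable(public_ips)
    results = []
    for i, client in enumerate(clients):
        pub = public_ips[i % len(public_ips)] if one_ip_per_client else None
        results.append(nat.open_state(client, server_ip, proto, dport, pub))
    return results


LAN = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]   # constructed sample clients
SERVER = "198.51.100.5"                                  # constructed remote VPN server
WAN_ONE = ["203.0.113.1"]
WAN_THREE = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]

if __name__ == "__main__":
    print("PPTP/GRE, one WAN IP:        ", simulate(WAN_ONE, LAN, SERVER, "gre"))
    print("PPTP/GRE, one WAN IP each:   ", simulate(WAN_THREE, LAN, SERVER, "gre", one_ip_per_client=True))
    print("IPsec NAT-T (UDP 4500), one: ", simulate(WAN_ONE, LAN, SERVER, "udp", dport=4500))
```

The first run reproduces the symptom from the thread (only the first client succeeds); the second shows the one-public-IP-per-client workaround, and the third shows why UDP-encapsulated IPsec does not hit the limit.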



  • @cmb:

    They may have a standard of requiring a static IP, or have equipment where it isn't possible to configure it without one.

    Yep - one of the above is true.  They are insisting on a static IP before they'll set the tunnel up.

    Thanks,
    Frank