[vpn-help] Shutting down one tunnel disconnects all

Matthew Grooms mgrooms at shrew.net
Mon Aug 23 23:30:18 CDT 2010


On 8/20/2010 12:56 PM, Tim Burns wrote:
> I have 2 machines that often are on a public wireless network at a local
> building. My office had a Netgear FVS-338 firewall, and we are
> establishing our tunnels to that box using the shrew client.
>
> When we are both on at the same time, I have seen two things.
>
> First, sometimes when the person on the second machine logs in on a
> remote desktop connection, the first person's connection to remote
> desktop (on a different machine) disconnects.
>
> Second, if either person disconnects the tunnel from their machine, all
> access is lost for the other machine, even though shrew's status says
> that the tunnel still exists.
>
> I have tried setting these up on different rules within the firewall and
> with different address ranges so there is not a conflict, that didn't
> change anything.
>
> Is this just part of the vpn, or am I missing something that allows us
> to independently control our tunnels?

Quite likely, this is a problem with the VPN gateway firmware. The 
client has no knowledge of other clients connected to the gateway. If 
communication errors occur when another user disconnects, the gateway is 
removing SAs it shouldn't be.

The other possibility is that you have two IPsec client connections 
being routed through a single firewall that has "IPsec pass-through" 
features enabled. This is an evil option that firmware authors added to 
SOHO firewalls which allows non-NAT-T-enabled clients to work (kind of) 
through a NAT. The problem is that it inevitably screws up VPN client 
communications when more than one client connects simultaneously from 
behind the same "IPsec pass-through" enabled firewall. If there is such 
a device, try looking at the management interface and see if it has this 
feature enabled. If so, try disabling it.

-Matthew
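The pass-through failure mode described in the reply above, as an added example that is not code from the Shrew Soft client, the Netgear firmware, or anyone on this thread. It hand-builds a few IPv4 packets (constructed sample data, documentation addresses), classifies each as raw ESP (IP protocol 50, no ports) or NAT-T (ESP carried in UDP 4500), and runs them through a deliberately simplified NAT model. The pass-through rule modelled here, "inbound ESP from gateway X is delivered to whichever inside host last sent ESP to X", is an assumption chosen to show why a second client collides with the first; real firmware varies, but the root cause is the same: raw ESP has no port numbers for a NAT to key on, and the inbound SPI is not something the NAT can learn from the outbound packets.

```python
import struct

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def esp(spi, seq=1):
    """Raw ESP header (SPI, sequence number) followed by dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def udp_esp(sport, dport, spi, seq=1):
    """NAT-T: the same ESP header wrapped in a UDP header (RFC 3948)."""
    body = esp(spi, seq)
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def classify(pkt):
    """Describe the flow: raw ESP has no ports, NAT-T ESP does."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        return {"kind": "esp", "src": src, "dst": dst,
                "spi": struct.unpack("!I", body[:4])[0]}
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        # UDP 4500 carries ESP unless the payload starts with the four-zero
        # "non-ESP marker", which means it is IKE instead.
        if NAT_T_PORT in (sport, dport) and data[:4] != b"\x00" * 4:
            return {"kind": "esp-natt", "src": src, "dst": dst, "sport": sport,
                    "dport": dport, "spi": struct.unpack("!I", data[:4])[0]}
    return {"kind": "other", "src": src, "dst": dst}


class SohoNat:
    """Simplified SOHO NAT.  UDP flows get a per-port table like any NAT.
    Raw ESP has no ports, so the modelled "pass-through" can only remember
    one inside host per gateway (assumed behaviour, not a specific product)."""

    def __init__(self):
        self.ports = {}      # (inside host, inside port, gateway) -> public port
        self.udp_table = {}  # (public port, gateway) -> inside host
        self.esp_table = {}  # gateway -> inside host
        self.next_port = 40000

    def outbound(self, pkt):
        """Record the flow; return the public port used (None for raw ESP)."""
        f = classify(pkt)
        if f["kind"] == "esp":
            self.esp_table[f["dst"]] = f["src"]   # silently replaces earlier host
            return None
        if f["kind"] == "esp-natt":
            key = (f["src"], f["sport"], f["dst"])
            if key not in self.ports:
                self.ports[key] = self.next_port
                self.next_port += 1
                self.udp_table[(self.ports[key], f["dst"])] = f["src"]
            return self.ports[key]
        return None

    def inbound(self, pkt):
        """Which inside host receives a packet arriving from the gateway?"""
        f = classify(pkt)
        if f["kind"] == "esp":
            return self.esp_table.get(f["src"])
        if f["kind"] == "esp-natt":
            return self.udp_table.get((f["dport"], f["src"]))
        return None


def demo(use_natt):
    """Two inside hosts tunnel to one gateway; return (who receives A's reply,
    who receives B's reply).  All addresses are constructed sample data."""
    gw, pub = "203.0.113.10", "198.51.100.7"
    host_a, host_b = "192.168.1.10", "192.168.1.11"
    nat = SohoNat()
    if use_natt:
        pa = nat.outbound(ipv4(host_a, gw, UDP_PROTO, udp_esp(4500, 4500, 0x1111)))
        pb = nat.outbound(ipv4(host_b, gw, UDP_PROTO, udp_esp(4500, 4500, 0x2222)))
        reply_a = ipv4(gw, pub, UDP_PROTO, udp_esp(4500, pa, 0xAAAA))
        reply_b = ipv4(gw, pub, UDP_PROTO, udp_esp(4500, pb, 0xBBBB))
    else:
        nat.outbound(ipv4(host_a, gw, ESP_PROTO, esp(0x1111)))
        nat.outbound(ipv4(host_b, gw, ESP_PROTO, esp(0x2222)))
        # The gateway's inbound SPIs differ from the outbound ones and the
        # NAT never learned them, so it has nothing but the peer address.
        reply_a = ipv4(gw, pub, ESP_PROTO, esp(0xAAAA))
        reply_b = ipv4(gw, pub, ESP_PROTO, esp(0xBBBB))
    return nat.inbound(reply_a), nat.inbound(reply_b)


if __name__ == "__main__":
    print("NAT-T (UDP 4500):", demo(True))
    print("raw ESP pass-through:", demo(False))
```

With NAT-T both replies reach the right host because each client owns its own public UDP port. With raw ESP and the modelled pass-through, the second client's first packet replaces the first client's mapping, so every inbound ESP packet from that gateway lands on the second client and the first one goes dead, even though its own SA is still perfectly valid on both ends. A quick check on a real network: a capture on the outside of the firewall should show UDP port 4500 traffic between the clients and the gateway; if it shows IP protocol 50 instead, NAT-T is not in use and a pass-through feature is what is carrying the tunnels.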


