[vpn-help] Shutting down one tunnel disconnects all
Matthew Grooms
mgrooms at shrew.net
Mon Aug 23 23:30:18 CDT 2010
On 8/20/2010 12:56 PM, Tim Burns wrote:
> I have 2 machines that often are on a public wireless network at a local
> building. My office had a Netgear FVS-338 firewall, and we are
> establishing our tunnels to that box using the shrew client.
>
> When we are both on at the same time, I have seen two things.
>
> First, sometimes when the person on the second machine logs in on a
> remote desktop connection, the first person's connection to remote
> desktop (on a different machine) disconnects.
>
> Second, if either person disconnects the tunnel from their machine, all
> access is lost for the other machine, even though shrew's status says
> that the tunnel still exists.
>
> I have tried setting these up on different rules within the firewall and
> with different address ranges so there is not a conflict, that didn't
> change anything.
>
> Is this just part of the vpn, or am I missing something that allows us
> to independently control our tunnels?
Quite likely, this is a problem with the VPN gateway firmware. The
client has no knowledge of other clients connected to the gateway. If
communication errors occur when another user disconnects, the gateway is
removing SAs it shouldn't be.
The other possibility is that you have two IPsec client connections
being routed through a single firewall that has "IPsec pass-through"
features enabled. This is an evil option that firmware authors added to
SOHO firewalls which allows non-NAT-T-enabled clients to work (kind of)
through a NAT. The problem is that it inevitably screws up VPN client
communications when more than one client connects simultaneously from
behind the same "IPsec pass-through" enabled firewall. If there is such
a device, try looking at the management interface and see if it has this
feature enabled. If so, try disabling it.
-Matthew
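The second scenario in the reply above (several clients behind one NAT, relying on "IPsec pass-through" instead of NAT-T) is something an operator can check for from a flow or connection-tracking summary on the edge device. The script below is an added example, not code from the thread or from the Shrew Soft client: it assumes the operator has exported flows as (protocol, source IP, source port, destination IP, destination port) tuples, and the sample flows and addresses are constructed. It classifies each flow as IKE (UDP/500), NAT-T (UDP/4500) or raw ESP (IP protocol 50, which has no port numbers), and reports any gateway that more than one inside host reaches with raw ESP, which is exactly the situation where a pass-through helper has to disambiguate ESP peers without ports and commonly fails.

```python
"""Spot clients behind one NAT that depend on 'IPsec pass-through' rather than NAT-T."""
from collections import defaultdict

# Constructed sample flow export (not taken from the original thread):
# (protocol, src_ip, src_port, dst_ip, dst_port). ESP has no ports, so None.
SAMPLE_FLOWS = [
    ("udp", "192.168.1.10", 500, "203.0.113.5", 500),    # client A: IKE
    ("esp", "192.168.1.10", None, "203.0.113.5", None),  # client A: raw ESP (no NAT-T)
    ("udp", "192.168.1.11", 500, "203.0.113.5", 500),    # client B: IKE
    ("esp", "192.168.1.11", None, "203.0.113.5", None),  # client B: raw ESP (no NAT-T)
    ("udp", "192.168.1.12", 4500, "203.0.113.5", 4500),  # client C: NAT-T (IKE + ESP in UDP)
]


def classify_flow(flow):
    """Label a flow by the IPsec transport it represents."""
    proto, _src, _sport, _dst, dport = flow
    if proto == "esp":
        return "raw-esp"        # IP protocol 50, no ports for a NAT to track
    if proto == "udp" and dport == 4500:
        return "nat-t"          # RFC 3948 UDP encapsulation, NAT-friendly
    if proto == "udp" and dport == 500:
        return "ike"            # IKE negotiation; harmless on its own
    return "other"


def pass_through_conflicts(flows):
    """Return {gateway: [inside hosts]} for gateways reached by raw ESP from
    more than one inside host. Two raw-ESP clients behind the same NAT are
    the case a SOHO pass-through helper tends to mishandle; the fix is to
    let those clients use NAT-T (or disable the pass-through feature)."""
    esp_sources = defaultdict(set)
    for flow in flows:
        if classify_flow(flow) == "raw-esp":
            esp_sources[flow[3]].add(flow[1])
    return {gw: sorted(hosts) for gw, hosts in esp_sources.items() if len(hosts) > 1}


if __name__ == "__main__":
    for gw, hosts in pass_through_conflicts(SAMPLE_FLOWS).items():
        print(f"gateway {gw}: raw ESP from {', '.join(hosts)} behind the same NAT")
```

With the constructed flows above, clients A and B are reported for the gateway 203.0.113.5, while client C is ignored because its traffic is already UDP-encapsulated and needs no pass-through help.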