[vpn-help] multiple connections

Matthew Grooms mgrooms at shrew.net
Mon Sep 20 16:42:45 CDT 2010


On 9/17/2010 8:32 AM, Scott Zech wrote:
> Hello to all and thanks in advance for your help.
> Relative newbie to Shrew and VPNs in general.
>
> Here's the issue I'm facing.
>
> I have a pfSense firewall running IPsec - pre-shared key setup
>
> I have 4 remote users using shrew client release 2.1.6 on windows xp
> workstations.
>
> 2 of the users are at individual remote sites. Client is configured with
> ufqdn and IP address is set using virtual adapter and specify the
> settings (i.e. 192.168.200.1 nm 255.255.255.0). They use a soft phone
> device and use a phone at home. Works GREAT. Figured out how to
> autostart the client on startup and they are thrilled. (donation coming
> for the Shrew client BTW :))
>
> Here's the issue. The other 2 users are at a remote location that they
> share. They are both behind a junker Linksys NATing router sharing a
> single public IP address. I configured both users' Shrew client as I did
> the others with unique identifiers, key, etc.
> When I connect the first user, works great, pings successful.
> When I connect the second user, works great, pings successful, but it
> causes some type of packet loss on the first user, until I
> disconnect/reconnect. Then the first user works again, but the second is
> disconnected. Rinse/repeat.
>
> After looking at the logs, it appears that racoon on the pfSense side is
> getting confused because it sees the remote public IP address of that
> Linksys router and doesn't see that there are multiple tunnels trying to
> be established.
>
>

Hi Scott,

You may be in for a rough time with this. I assume you use pfsense 1.2 
which uses a FreeBSD 7 kernel. I don't think ipsec-tools works well with 
FreeBSD 7.2 and multiple clients behind a NAT. From what I recall, one 
client works fine but multiple clients ( using NAT-T ) will cause 
problems if they are behind the same firewall. This has supposedly been 
resolved in FreeBSD 8.x ( native support for NAT-T without patching ), 
but you must use the head version of ipsec-tools on that platform. You 
may want to bring this up on the ipsec-tools developers list. I believe 
Yvan from NetASQ was driving the FreeBSD NAT-T effort.

As an alternative, you may want to try out the pfSense 2.0 beta which I 
believe is now based on FreeBSD 8.x and ipsec-tools head. It also has a 
completely re-written ipsec interface which Shrew Soft Inc contributed 
to the pfSense project.

Good luck,

-Matthew
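To make the failure mode in this thread concrete, here is a small Python model added to this page (not racoon's, ipsec-tools' or pfSense's code, and not a claim about how racoon actually indexes its SAs). It contrasts a peer table keyed on the remote public IP alone with one keyed on (IP, UDP port), which is the distinction NAT-T's UDP encapsulation makes possible. The addresses, ports and identities are constructed for the example.

```python
"""
Toy model of two IKE/IPsec clients behind one NAT device sharing a
public address. Keying the peer table on source IP alone lets the
second client's SA displace the first's (the "works, then packet loss
on user 1" symptom from the thread); keying on (IP, UDP port) keeps
both SAs apart. Constructed example; assumes 203.0.113.10 is the NAT
router's public address and 4500/4501 are its translated source ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    ip: str        # public address as seen by the VPN gateway
    port: int      # NAT-translated UDP source port (NAT-T)
    identity: str  # client's IKE identifier (the ufqdn in the thread)


class PeerTable:
    def __init__(self, key_on_port: bool):
        # key_on_port=False models "gateway only looks at the remote IP"
        self.key_on_port = key_on_port
        self._sas = {}

    def _key(self, ip, port):
        return (ip, port) if self.key_on_port else ip

    def establish(self, peer):
        """Install an SA for peer. Returns the identity it displaced, if any."""
        k = self._key(peer.ip, peer.port)
        displaced = self._sas.get(k)
        self._sas[k] = peer
        return displaced.identity if displaced else None

    def lookup(self, ip, port):
        """Which SA would an inbound encapsulated packet from ip:port hit?"""
        p = self._sas.get(self._key(ip, port))
        return p.identity if p else None

    def active(self):
        return sorted(p.identity for p in self._sas.values())


def simulate(key_on_port):
    # Two clients behind the same Linksys: same public IP, distinct NAT'd ports.
    user1 = Peer("203.0.113.10", 4500, "user1@example.com")
    user2 = Peer("203.0.113.10", 4501, "user2@example.com")
    table = PeerTable(key_on_port)
    table.establish(user1)
    displaced = table.establish(user2)
    return {
        "displaced": displaced,
        "active": table.active(),
        # where user1's packets land after user2 connects
        "user1_traffic_maps_to": table.lookup(user1.ip, user1.port),
    }


if __name__ == "__main__":
    print("keyed on IP only:     ", simulate(key_on_port=False))
    print("keyed on IP and port: ", simulate(key_on_port=True))
```

With the IP-only table, user2's connection silently replaces user1's SA and user1's traffic is matched against the wrong SA, which is the rinse/repeat behaviour Scott describes. Whether a given gateway and kernel actually key on the port (and agree with each other) is exactly the NAT-T support question Matthew raises, so this model explains why the port matters, not what any particular release does.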