[vpn-help] Only one concurrent session possible / VPN with Netscreen

Andy LaFontaine Andy.LaFontaine at ehc-global.com
Wed Nov 6 22:30:53 CST 2013


I have several SSG20s set up for user VPNs with Shrew, using preshared keys. Been many years since I did the setup, so really rusty, but here’s what I do.

I have a single IKE user defined in Netscreen, with a FQDN identity as vpndudes at mydomain.com. I reference this identity in the Shrew connection profile under the Authentication tab/Local Identity. This IKE user I share for all user logons, and since it's shared I have to make sure to set a high number for allowed multiple logons for the IKE user.

When users log on, they then supply a username and password, which is the individual authentication they each use. In my case I’m using a RADIUS server for external authentication, but I suppose it could be local authentication users on Netscreen too.

I’m not sure if you are creating multiple IKE users to go with multiple authentication users, or just 1 like I did, but to my knowledge the only time Netscreen cares if you log on multiple times with the same user is if you are sharing the IKE user in your VPN setup (like I am), and not setting the allowed logons for that IKE user greater than 1.


Andy

From: vpn-help-bounces at lists.shrew.net [mailto:vpn-help-bounces at lists.shrew.net] On Behalf Of J. Schröder
Sent: Friday, November 01, 2013 12:06 PM
To: ppluciennik at yahoo.com; vpn-help at lists.shrew.net
Subject: Re: [vpn-help] Only one concurrent session possible / VPN with Netscreen

Hi there,

I tried to assign IP addresses manually to the different VPN users, but that didn't solve the problem. In the Netscreen logs I can see that established VPN connections are terminated because the respective user is already connected:

2013-10-31 21:40:35   system   info  00536  IKE<xx.xx.xx.xx>: XAuth login was terminated because the user logged in again. Previous gateway: <xx.xx.xx.xx>. Username: <user1> at <192.168.1.11/255.255.255.255>.

2013-10-31 21:38:53   system   info  00536  IKE<xx.xx.xx.xx>: XAuth login was terminated because the user logged in again. Previous gateway: <xx.xx.xx.xx>. Username: <user2> at <192.168.1.10/255.255.255.255>.

Really strange. So I assume that only using certificates (instead of preshared keys) would solve the problem.

Any other idea?

Regards
Johan

------ Original message ------
From: "Piotr Pluciennik" <ppluciennik at yahoo.com>
To: "ponymann at gmail.com" <ponymann at gmail.com>
Sent: 30.10.2013 17:05:32
Subject: Re: Re[2]: [vpn-help] Only one concurrent session possible / VPN with Netscreen


I had a similar problem with Cisco. The solution was manually changing the IP assigned to the client. I'm not sure which tab it is, as I remember it is in General; I'm away from the computer now, using only a tablet, so I cannot check it for you. Check what IP is assigned to each client. It should be different. Manually setting different IPs solved my problem.

Let me know if it helped you.
Regards
Piotr


________________________________
From: J. Schröder <ponymann at gmail.com>;
To: <ppluciennik at yahoo.com>;
Subject: Re[2]: [vpn-help] Only one concurrent session possible / VPN with Netscreen
Sent: Wed, Oct 30, 2013 3:58:13 PM

Hi,

which setting do you mean exactly? The client IP is assigned automatically using the IP pool configured in the Netscreen.

Regards
Johnny

------ Original message ------
From: "Piotr Pluciennik" <ppluciennik at yahoo.com>
To: "ponymann at gmail.com" <ponymann at gmail.com>
Sent: 30.10.2013 16:46:28
Subject: Re: [vpn-help] Only one concurrent session possible / VPN with Netscreen

Hi,

Probably it is an IP conflict. How is it set in your Shrewsoft? If manually, change each client to have a different IP.

Hope that helps.

Regards
Piotr


________________________________
From: J. Schröder <ponymann at gmail.com>;
To: <vpn-help at lists.shrew.net>;
Subject: [vpn-help] Only one concurrent session possible / VPN with Netscreen
Sent: Wed, Oct 30, 2013 3:32:12 PM

Hi there,

I set up my Netscreen and Shrewsoft client using the manual at https://www.shrew.net/support/Howto_Juniper_SSG.
I created multiple user accounts. Everything works fine, but it's only possible to connect one user to the Netscreen: when user A is connected and then user B connects to the Netscreen, user A is disconnected.
So, how can I use more than one concurrent session for different users? All users are in the same VPN user group.

Any idea? Thank you!

Regards
Johnny
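
The following is an added example, not part of any message in this thread: a small Python triage script that parses the `00536` XAuth termination events quoted above and lists cases where different XAuth users were displaced shortly after one another, the symptom the thread attributes to the logon limit on a shared IKE user. The line layout is taken from the two log lines as posted; the function names and the 300-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the two log lines quoted in the thread, masked as posted.
SAMPLE_LOG = """\
2013-10-31 21:40:35   system   info  00536  IKE<xx.xx.xx.xx>: XAuth login was terminated because the user logged in again. Previous gateway: <xx.xx.xx.xx>. Username: <user1> at <192.168.1.11/255.255.255.255>.
2013-10-31 21:38:53   system   info  00536  IKE<xx.xx.xx.xx>: XAuth login was terminated because the user logged in again. Previous gateway: <xx.xx.xx.xx>. Username: <user2> at <192.168.1.10/255.255.255.255>.
"""

# Matches only event 00536 "terminated because the user logged in again".
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+00536\s+"
    r"IKE<(?P<peer>[^>]*)>: XAuth login was terminated because the user "
    r"logged in again\..*?Username: <(?P<user>[^>]*)> at <(?P<ip>[^/>]+)/"
)

def parse_events(text):
    """Return the termination events in chronological order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "peer": m["peer"],   # gateway field, masked in the sample
                "user": m["user"],   # XAuth username that was logged off
                "ip": m["ip"],       # address assigned to that session
            })
    return sorted(events, key=lambda e: e["ts"])

def cross_user_displacements(events, window_s=300):
    """Consecutive terminations that hit *different* XAuth users within
    window_s seconds. Assumption: a genuine second login by the same person
    would show the same username repeatedly, not alternating usernames."""
    pairs = []
    for prev, cur in zip(events, events[1:]):
        gap = int((cur["ts"] - prev["ts"]).total_seconds())
        if cur["user"] != prev["user"] and gap <= window_s:
            pairs.append((prev["user"], cur["user"], gap))
    return pairs

if __name__ == "__main__":
    for first, second, gap in cross_user_displacements(parse_events(SAMPLE_LOG)):
        print(f"{first} and {second} were both logged off within {gap}s")
```
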


