multiple VPN tunnels through linux routers vs hardware routers

FoBoT (No Lifer, Apr 30, 2001)
my linux router boxen at home (www.coyotelinux.com) supports VPN from my Windows desktop PC (i have done it from both win98 and w2kpro)

tonight i am going to try to run two VPN tunnels from two different winders PCs simultaneously

will it work?

does anybody know which linux based router/NAT solutions/programs/distributions support multiple VPN connections?

how about the hardware routers? like the little linksys routers? the big/expensive Cisco routers can do this, right?

is it just a port/NAT issue?

thanks for any info on this matter and have a nice day! :)

FoBoT (No Lifer, Apr 30, 2001)
to clarify my real question, i found a hardware router that claims to do what i need (see the part down below the dashed line)

what i really want to know is if any PC based linux routers will do this too?

-------------------------

ok, after reading about that hardware router, the Nexland, i figured out what my REAL question is

do any/all linux routers do "Unlimited IPsec Tunnels Passing-Through", which is what that hardware box says it does?

the page describing that nexland says
"Multi-Session IPsec/PPTP 'Pass Through'
Unlimited Tunnels Through NAPT with No Performance Hit!
Exclusive to Nexland - Patent Pending"
and
"Note: The ISB Pro100 does not have the IPsec client in the router. It passes through IPsec tunnels from computer hardware/software based clients by tracking authentication and communication phases. This allows the IPsec data to remain encrypted from the application level and enhances internal VPN security."

can i do the same thing with a PC based linux router?

spidey07 (No Lifer, Aug 4, 2000)
Good luck.

From an IP standpoint it is virtually impossible to run VPN tunneling through NAT. I say virtually because it all depends on how the tunnel is set up. I have yet to see IPsec ESP work with NAT for more than one session. The information is just not there for the Network Address Translation to occur.

Keep in mind I didn't say it was impossible, just extremely tricky, and I haven't seen it yet. I'd be very interested in a technology that could make this work (then again I wouldn't. NAT just sucks donkey balls. Bad NAT, Bad evil NAT)

FoBoT (No Lifer, Apr 30, 2001)
nope, it didn't work
as soon as the second client established the connection to the vpn server, the first client was booted off, connection lost

anybody know if linux can be set up to support multiple vpn pass-through clients? (other than making the router box the vpn end point)

Garion (Platinum Member, Apr 23, 2001)
The only way I could think to make it work would be to get two REAL IPs on the Linux box, then send the two different tunnels out different source IPs. Clumsy, but might work. No idea how to do it, however.

- G

FoBoT (No Lifer, Apr 30, 2001)
"two different tunnels out different source IPs"

i thought that was the problem, based on the message, and since my box is using NAT it makes sense: it sees the second connection as a reconnect from the same IP?

hmmm, i wonder how that hardware thing (see links above) does it? guess that is probably why they are trying to patent it ;)

mobly99 (Senior member, Apr 27, 2001)
Some of the newer VPN gateways are supporting "IPsec over TCP (or UDP)", as Cisco calls it. Basically, the ESP packets are encapsulated within UDP (or possibly TCP with Cisco) packets, which allows the NAT/PAT to support multiple VPN tunnels. Both the client and the VPN gateway have to support this.

I believe Nortel refers to this as NAT Traversal, although I'm not sure if they ever released version 4.0 of the Contivity firmware that supported it. Shiva/Intel added support in ver 6.9 of their code. Not sure what versions of code support it on Cisco, but I believe that the 3000 and 5000 VPN concentrators will do it.

Here is a good draft: "IPsec over NAT Justification for UDP Encapsulation"
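
As an added illustration of mobly99's point (example code, not from anyone in this thread): a toy port-based NAPT that shows why a second raw ESP tunnel knocks the first off, as spidey07 and FoBoT describe above, and why wrapping ESP in UDP gives the NAT a port to translate. Assumed: the NAT keys only on addresses and ports, the gateway replies to whatever public address and port it learnt, and all addresses are constructed.

```python
# Added example, not from the thread: toy port-based NAPT, constructed addresses.
# Raw ESP has no port numbers, so the NAT's return path for a peer has one slot
# and a second tunnel displaces the first; UDP-wrapped ESP (NAT-T, 4500) does not.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str      # "ESP" (IP protocol 50, no ports) or "UDP"
    sport: int = 0
    dport: int = 0

class Napt:
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.udp_out = {}   # (src, sport, dst, dport) -> public port
        self.udp_back = {}  # (public port, peer, peer port) -> inside host
        self.esp_back = {}  # peer -> the single inside host ESP can go back to

    def outbound(self, p):
        if p.proto == "UDP":
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.udp_out:          # allocate a fresh public port
                self.udp_out[key], self.next_port = self.next_port, self.next_port + 1
            pub = self.udp_out[key]
            self.udp_back[(pub, p.dst, p.dport)] = p.src
            return Pkt(self.public_ip, p.dst, "UDP", pub, p.dport)
        # ESP: only the address is rewritten, and a later inside host
        # overwrites the earlier one's return path ("first client booted off").
        self.esp_back[p.dst] = p.src
        return Pkt(self.public_ip, p.dst, "ESP")

    def inbound(self, p):
        """Inside host a reply from the peer is delivered to, or None."""
        if p.proto == "UDP":
            return self.udp_back.get((p.dport, p.src, p.sport))
        return self.esp_back.get(p.src)

def tunnels_survive(encapsulate):
    """Bring up two tunnels to one gateway; report which hosts still get replies."""
    nat, gw = Napt("203.0.113.7"), "198.51.100.1"
    hosts = ["192.168.1.10", "192.168.1.11"]
    learnt = set()   # (protocol, public port) pairs the gateway sees from us
    for h in hosts:
        out = nat.outbound(Pkt(h, gw, "UDP", 4500, 4500) if encapsulate else Pkt(h, gw, "ESP"))
        learnt.add((out.proto, out.sport))
    # The gateway answers every public (protocol, port) it has learnt.
    reached = {nat.inbound(Pkt(gw, nat.public_ip, pr, 4500, port)) for pr, port in learnt}
    return {h: h in reached for h in hosts}
```

Calling `tunnels_survive(False)` reports the first inside host cut off, while `tunnels_survive(True)` reports both tunnels reachable.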

Abzstrak (Platinum Member, Mar 11, 2000)
Why can't you just use PAT and change the PPTP port for the second internal IP to another external port number? This should work.

-Danny

<edit>
I've done this before on a cisco for like 7 pptp sessions
</edit>

Santa (Golden Member, Oct 11, 1999)
It is possible via an Asante router. This is the only one I have tested so far as a consumer grade router, but we have also had PIX firewalls allow multiple users through without a problem. The VPN client that we are using is Checkpoint SecureRemote for the VPN1 solution.

If you are having problems with multiple connections, use UDP encapsulation like mobly99 mentioned.