multiple VPN tunnels through linux routers vs hardware routers

[FoBoT]

my linux router boxen at home ( www.coyotelinux.com ) supports VPN from my Windows desktop PC (i have done it from both win98 and w2kpro)

tonight i am going to try to run two VPN tunnels from two different winders PC's simultaneously

will it work?

does anybody know which linux based router/NAT solutions/programs/distributions support multiple VPN connections?

how about the hardware routers? like the little linksys routers? the big/expensive Cisco routers can do this, right?

is it just a port/NAT issue?

thanks for any info on this matter and have a nice day!

 

[FoBoT]

to clarify my real question, i found a hardware router that claims to do what i need (see the part down below the dashed line)

what i really want to know is if any PC based linux routers will do this too?

-------------------------

ok, after reading about that hardware router, the Nexland
i figured out what my REAL question is

do any/all linux routers do

Unlimited IPsec Tunnels Passing-Through

which is what that hardware box says it does ?

the page describing that nexland says

Multi-Session IPsec/PPTP ?Pass Through?
Unlimited Tunnels Through NAPT with No Performance Hit!
Exclusive to Nexland - Patent Pending

and

Note: The ISB Pro100 does not have the IPsec client in the router. It passes through
IPsec tunnels from computer hardware/software based clients by tracking
authentication and communication phases. This allows the IPsec data to remain
encrypted from the application level and enhances internal VPN security.

can i do the same thing with a PC based linux router?

 

[spidey07]

Good luck.

From an IP standpoint it is virtually impossible to run VPN tunneling through NAT. I say virtually because it all depends on how the tunnel is setup. I have yet to see IPsec ESP work with NAT for more than one session. The information is just not there for the Network Address Translation to occur.

Keep in mind I didn't say it was impossible, just extremely tricky and haven't seen it yet. I'd be very interested in a technology that could make this work (then again I wouldn't. NAT just sucks donkey balls. Bad NAT, Bad evil NAT)

 

[FoBoT]

nope, it didn't work
as soon as the second client established the connection to the vpn server, the first client is booted off, connection lost

anybody know if linux can be setup to support multiple vpn pass throught clients? (other than making the router box the vpn end point)

 

[Garion]

The only way I could think to make it work woudl be to get two REAL IP's on the Linux box, the send the two different tunnels out different source IP's. Clumsy, but might work. No idea how to do it, however.

- G

 

[FoBoT]

"two different tunnels out different source IP's"

i thought that was the problem, based on the message, and since my box is using NAT it makes sense, it sees the second connection as a reconnect from the same IP ?

hmmm, i wonder how that hardware thing (see links above) does it? guess that is probably why they are trying to patent it

 

[mobly99]

Some of the newer VPN gateways are supporting "IPSec over TCP (or UDP)" as Cisco calls it. Basicly, the ESP packets are encapsulated within UDP (or possibly TCP with Cisco) packets which allows the NAT/PAT to support multiple VPN tunnels. Both the client and the VPN gateway have to support this.

I beleive Nortel refers to this as Nat Transversal, althought I'm not sure if they ever released version 4.0 of the Contivity firmware that supported it. Shiva/Intel added support in ver 6.9 of their code. Not sure what versions of code support it on Cisco but I beleive that the 3000 and 5000 VPN concentrators will do it.

Here is a good draft on IPsec over NAT Justification for UDP Encapsulation

 

[Abzstrak]

Y cant you just use PAT and change the pptp port for the second internal IP to another external port # ? This should work.

-Danny

<edit>
I've done this before on a cisco for like 7 pptp sessions
</edit>

 

[Santa]

It is possible via an Asante router. This is the only one I have tested so far as a consumer grade router but we have also had PIX firewalls allow multiple user through without a problem. The VPN client that we are using is Checkpoint SecureRemote for VPN1 solution.

If you are having problems having multiple connection use UDP encapsulation like mobly99 mentioned.