Aleksandar

join:2010-12-08
Beach Haven, NJ

L2TP connection problem

Hi, I have Zywall 110, and it is configured as server side VPN. There are some remote clients that have Zyxel USG 100, and one static IP. If one of them connects over L2TP or IPsec (Windows client) everything works OK. The problem begins when two or more clients from the same location try to connect. The first one that is connected will stay connected, and the others will just bounce off and they won't be successful. Is there anything else that needs to be configured so that several remote users can connect (from the same static IP address)?
This is the network; I would like not to configure site to site connection.

Remote LAN ----110----------USG 100 ---------Clients


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:12
Seems like an issue with the FW. Contact ZyXel USA. ...please keep us updated.

Aleksandar

join:2010-12-08
Beach Haven, NJ
Hi, I was just told that it is not possible to have multiple L2TP clients connecting from the same static IP to Zywall 110. It is because they use the same port. They said that it is possible with an IPsec client, but I tried with the Shrew client and it didn't work. Any thoughts? What to do?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:12
That doesn't sound right. Who did you talk to? Try again and ask them to switch you to next level of support.

Aleksandar

join:2010-12-08
Beach Haven, NJ
Hi, I know that it doesn't sound right ..... I called twice and they claim the same, although this second one said that it is also not possible with an IPsec client .... did anyone try the same?
They are saying that the only solution is to buy another router and configure site to site .....
Thanks


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:12
A quick internet search reveals that many have this problem. However, reading through several articles, it is mostly due to poor implementation of the VPN server or NAT device on the source side.
Here's one example of many: support.microsoft.com/kb/2028625/en-us
...ZyXel needs to accept the fact that this is nothing unheard of and fix the firmware instead of trying to (as many times before) sell you another box.

That said, if you have VPN router on both ends, yes, you could create site-to-site VPN in this case.

JPedroT

join:2005-02-18
kudos:2
reply to Aleksandar
In the older ZyNOS based devices, there was a CI command to jiggy a bit to get the clients to use different source ports for IKE.

ip nat incike

It was used to get Cisco clients to connect to Cisco VPN concentrators, because it did not like that multiple clients connect from port 520 for IKE.

Maybe something like this exists for ZLD devices also?
--
"Perl is executable line noise, Python is executable pseudo-code."

Aleksandar

join:2010-12-08
Beach Haven, NJ
reply to Aleksandar
I tried yesterday from home to connect 2 clients remotely at the same time. I used two laptops and I was able to connect without any problem via IPsec client at the same time and use resources on the remote subnet. So it is possible to use several IPsec clients at the same time. I forgot to try the same with L2TP. I can try that today ..... Either way the branch office with the problem has a static IP, I at home have dynamic, and they have a Zyxel USG 100 that maybe is doing something with the packets (NAT).
@Brano; yap I tried similar with editing the registry so that L2TP knows that it is behind NAT, but then there is the problem that when the remote user goes somewhere else he needs to edit the registry once again, ..... this is really a pain in the .....,
@JPedroT; thanks for the tip, I was hoping to find something like that. I was searching the internet but wasn't able to find anything similar for Zywall 110.

Aleksandar

join:2010-12-08
Beach Haven, NJ
reply to Aleksandar
Hi, I managed to configure it with IPsec. The problem was that in the Zyxel or Greenbow VPN client there is a field "VPN Client Address" and it is usually 0.0.0.0. So I thought that they would automatically receive some address, but no, they will all use the same address and that is 10.10.10.10. After I changed that to, for example, 192.168.155.5 (not overlapping with any local nor remote network range) I was able to ping and use resources on the remote network. I also configured Shrew Free VPN, it is a bit complicated but still doable.
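
The fix reported in the last post depends on every IPsec client having its own virtual address outside the LAN ranges at both ends. The Python check below is an added example, not part of the thread or of any Zyxel tool: it audits a list of planned "VPN Client Address" values for the three failure cases the post describes. The client names and both LAN ranges are constructed assumptions; only 0.0.0.0, 10.10.10.10 and 192.168.155.5 come from the thread.

```python
import ipaddress
from collections import Counter

# Constructed sample plan: client names and LAN ranges are assumptions.
SAMPLE_CLIENTS = {
    "laptop-a": "0.0.0.0",        # field left at its default
    "laptop-b": "10.10.10.10",
    "laptop-c": "10.10.10.10",    # same virtual address as laptop-b
    "laptop-d": "192.168.1.50",   # falls inside the assumed remote LAN
    "laptop-e": "192.168.155.5",  # the value that worked in the thread
}
SAMPLE_NETWORKS = {
    "branch LAN": "192.168.10.0/24",  # assumed range behind the USG 100
    "remote LAN": "192.168.1.0/24",   # assumed range behind the Zywall 110
}

def audit_client_addresses(clients, networks):
    """Return {client: [problems]} for each unsafe virtual address."""
    nets = {n: ipaddress.ip_network(c) for n, c in networks.items()}
    addrs = {n: ipaddress.ip_address(a) for n, a in clients.items()}
    counts = Counter(addrs.values())
    findings = {}
    for name, addr in addrs.items():
        problems = []
        if addr.is_unspecified:
            # Per the thread, an unset field does not mean "assign me one".
            problems.append("unset (0.0.0.0)")
        elif counts[addr] > 1:
            others = sorted(n for n, a in addrs.items()
                            if a == addr and n != name)
            problems.append("duplicate of " + ", ".join(others))
        for net_name, net in nets.items():
            if addr in net:
                problems.append(f"overlaps {net_name} {net}")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    report = audit_client_addresses(SAMPLE_CLIENTS, SAMPLE_NETWORKS)
    for client, problems in report.items():
        print(f"{client}: " + "; ".join(problems))
```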