One DSL router, three VPN clients? How to do this.

[Gepost]

I have three W2K clients in a small office, networked through a D-Link 704P router. They can all connect to the Internet and all have Cisco VPN client installed. All three have their own VPN account and can each connect to the main network through the router. The problem is, when one is connected with VPN, and another workstation tries to connect to VPN, it kicks the first computer off.

I don't know much about VPN and search some of the posts, but did not find an answer. I think it has to do with the router using only one external IP, even though the workstations have their own, dynamic IP. Therefore, when the main VPN server sees a second logon from the same IP (router) it kicks off the existing one.

Am I correct in this and if so, can I configure the 704 to allow multiple VPN connections, or will I need a different router. I don't want to spend much money. I saw a D-Link 804 that says it handles multiple VPN connections. If not the D-Link, what is an alternative.

Thanks in advance.

 

[Kremlar]

I could be wrong, but I don't believe there is a solution other than:

1 - install a VPN box in your small office that will tie into the main office, instead of individual clients installed on each station.

2 - somehow get each PC a public IP address.

 

[Garion]

IPSec and VPN's in general are difficult with NAT. The problem that is most commonly seen is that IPSec (Really, ESP) negotiates a network connection to the VPN server on a very specific TCP/UDP port. Once the VPN session has been established, it continues to use the SAME port. Most other apps that work well through NAT negotiate a session on a port, then pick a NEW, random port to talk on so they don't interfere with other computers. (UDP: The protocol you love to hate)

If a port is in use for one application, you can't use it from another without a REALLY smart router. Sounds like this isn't one. You might be able to make it smarter with a firmware upgrade, however - Check out what's available and give it a try. Might help, might not.

There's a better solution - If it's a Cisco VPN concentrator, they can enable "NAT transparent mode" that gets around this, for the most part. It's not perfect, but it works well. Look at details on the Cisco Website. Unfortunately, this is a *very* common problem.

- G

 

[BS911]

A very cheap and easy solution would be to put a Linksys VPN router on each end. They cost around $130 each and work pretty well! Support up to 70 tunnels; supports router to router VPN or client to router VPN.

http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=411