jamespev wrote:
Hello. I am having an issue with pfSense. Essentially, only one user
can be connected to VPN from behind the pfSense firewall (i.e. we are
connected to a VPN concentrator which is outside the network, on the
internet, from inside the pfSense-firewalled network). We are using the
Cisco VPN client. The client works fine when TCP transport is used, but
only one UDP transport user can be connected at once. Since the Linux
Cisco client vpnc only supports UDP, this is quite annoying for the Linux
users. We started with 1.2Beta1, then Beta2, now RC1... the issue has
remained the same throughout. We have paved and reinstalled the machine
and played with the configuration extensively but couldn't get it to work.
It appears from the logs that when the second user attempts to log in,
the return traffic from the concentrator is getting blocked by pfSense.
Any ideas? We are pretty much stumped on this. We did not have
issues like this with our previous firewalls (although they were much
less capable in every other way; I love pfSense).
I assume you are using NAT. If you are using ESP-in-UDP encapsulation
then any number of clients should be able to communicate outbound via pf
when NAT is being performed.
What do your rules look like? Are you restricting any outbound traffic?
At a minimum, ISAKMP UDP port 500 and NAT-T UDP port 4500 need to be
allowed. Also, a firewall may be performing the equivalent of this ...
nat on $ext proto udp from $prv_net port 500 to any -> ( $ext ) port 500
nat on $ext proto udp from $prv_net port 4500 to any -> ( $ext ) port 4500
... which acts like a VPN pass-through by forcing the source port to not
be translated. This is fine when only a single host is attempting to
communicate with a VPN gateway but could cause serious problems if you
have multiple simultaneous connection attempts.
-Matthew
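As an added illustration of the point Matthew makes about static source ports (this is not code from the thread, from pfSense or from pf itself), the following Python models a NAT state table handling IKE (UDP/500) and NAT-T (UDP/4500) from several inside hosts to one VPN gateway. With a static-port rule every client is translated to the same external tuple, so only one state can exist per port and the replies for the other clients have nothing to match; with normal source-port translation each client gets its own external port. The addresses, the ephemeral-port range, and the simplified rule that a second state with an identical wire-side tuple is rejected are constructed assumptions for the model.

```python
"""Toy NAT state table: static-port versus translated source ports for
UDP/500 and UDP/4500 when several inside hosts talk to one VPN gateway.

Added example; addresses, ports and the collision rule are assumptions
made for illustration, not pf internals.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EXT_IP = "203.0.113.1"        # assumed external address of the firewall ($ext)
GATEWAY = "198.51.100.10"     # assumed address of the VPN concentrator
EPHEMERAL_START = 50000       # assumed start of the translated-port range
VPN_PORTS = (500, 4500)       # ISAKMP and NAT-T

# Wire-side key of a state: (src_ip, src_port, dst_ip, dst_port) as seen
# on the external interface for the outbound direction.
Key = Tuple[str, int, str, int]


@dataclass
class Nat:
    """Minimal NAT state table with either static-port or translated ports."""
    static_port: bool
    next_port: int = EPHEMERAL_START
    states: Dict[Key, Tuple[str, int]] = field(default_factory=dict)
    dropped: List[Tuple[str, str, int]] = field(default_factory=list)

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Key]:
        """Translate an outbound UDP datagram and create its state.

        Returns the wire-side key, or None when another inside host already
        owns a state with the same wire-side tuple (modelled as a drop)."""
        ext_port = src_port if self.static_port else self.next_port
        key = (EXT_IP, ext_port, dst_ip, dst_port)
        owner = self.states.get(key)
        if owner is not None and owner != (src_ip, src_port):
            self.dropped.append(("out", src_ip, src_port))
            return None
        if not self.static_port and owner is None:
            self.next_port += 1          # consume a port only for a new state
        self.states[key] = (src_ip, src_port)
        return key

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reverse-translate a reply from the gateway via the state table.

        Returns the inside (ip, port) the reply is delivered to, or None when
        no state matches (the symptom of 'return traffic getting blocked')."""
        inside = self.states.get((dst_ip, dst_port, src_ip, src_port))
        if inside is None:
            self.dropped.append(("in", src_ip, src_port))
        return inside


def simulate(static_port: bool, clients: List[str]) -> Dict[str, bool]:
    """Run IKE and NAT-T exchanges for each client and report which clients
    received the gateway's replies on both ports."""
    nat = Nat(static_port=static_port)
    wire_keys: Dict[str, List[Key]] = {c: [] for c in clients}
    for client in clients:
        for port in VPN_PORTS:
            key = nat.outbound(client, port, GATEWAY, port)
            if key is not None:
                wire_keys[client].append(key)
    result: Dict[str, bool] = {}
    for client in clients:
        delivered = 0
        for ext_ip, ext_port, gw_ip, gw_port in wire_keys[client]:
            # the gateway answers to whatever external tuple it saw
            if nat.inbound(gw_ip, gw_port, ext_ip, ext_port) == (client, 500) \
               or nat.inbound(gw_ip, gw_port, ext_ip, ext_port) == (client, 4500):
                delivered += 1
        result[client] = delivered == len(VPN_PORTS)
    return result


if __name__ == "__main__":
    hosts = ["10.0.0.2", "10.0.0.3", "10.0.0.4"]   # constructed inside hosts
    print("static-port:", simulate(True, hosts))
    print("translated :", simulate(False, hosts))
```

In the static-port run only the first client ever completes both exchanges: the second and third are rejected at state creation because their translated tuple is already owned, which is the same outcome the original poster sees in the logs. With translated source ports each client is distinguishable on the way back, so on pfSense the usual fix is to avoid a manual outbound NAT rule that pins UDP/500 and UDP/4500 to static ports and instead rely on NAT-T, keeping the pass rules for those two ports.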