On 9/17/2010 8:32 AM, Scott Zech wrote:
Hello to all and thanks in advance for your help.
Relative newbie to shrew and vpn's in general.

Here's the issue I'm facing.

I have a pfsense firewall running ipsec - pre-shared key setup.

I have 4 remote users using shrew client release 2.1.6 on windows xp
workstations.

2 of the users are at individual remote sites. The client is configured with
a UFQDN, and the IP address is set using the virtual adapter with specified
settings (i.e. 192.168.200.1 nm 255.255.255.0). They use a soft phone
device and a phone at home. Works GREAT. Figured out how to
autostart the client on startup and they are thrilled. (Donation coming
for the shrew client, BTW :))

Here's the issue. The other 2 users are at a remote location that they
share. They are both behind a junker linksys natting router sharing a
single public ip address. I configured both users shrew client as I did
the others with unique identifiers, key, etc.
When I connect the first user, works great, pings successful.
When I connect the second user, works great, pings successful, but it
causes some type of packet loss on the first user, until I
disconnect/reconnect. Then the first user works again, but the second is
disconnected. Rinse/Repeat.

After looking at the logs, it appears that racoon on the pfsense side is
getting confused because it sees the remote public ip address of that
linksys router and doesn't see that there are multiple tunnels trying to
be established.


Hi Scott,

You may be in for a rough time with this. I assume you use pfsense 1.2, which uses a FreeBSD 7 kernel. I don't think ipsec-tools works well with FreeBSD 7.2 and multiple clients behind a NAT. From what I recall, one client works fine, but multiple clients (using NAT-T) will cause problems if they are behind the same firewall. This has supposedly been resolved in FreeBSD 8.x (native support for NAT-T without patching), but you must use the head version of ipsec-tools on that platform. You may want to bring this up on the ipsec-tools developers list. I believe Yvan from NetASQ was driving the FreeBSD NAT-T effort.

As an alternative, you may want to try out the pfSense 2.0 beta which I believe is now based on FreeBSD 8.x and ipsec-tools head. It also has a completely re-written ipsec interface which Shrew Soft Inc contributed to the pfSense project.

Good luck,

-Matthew
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
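As an added illustration for readers of this thread (not code from racoon, ipsec-tools, pfSense or the Shrew Soft client), the following Python model shows the failure pattern Scott describes: two NAT-T clients share one public address, and a responder that indexes peer state by public IP alone lets the second connection clobber the first, whereas keying on the NAT-translated (IP, UDP port) pair keeps both tunnels distinct. Whether racoon on FreeBSD 7 actually keys peers this way is an assumption of the model; the addresses, ports and identities are constructed.

```python
# Added illustration, not code from racoon, ipsec-tools, pfSense or the Shrew Soft client.
# Models why two IKE/NAT-T peers behind one NAT device collide on a responder that
# indexes peer state by public IP alone, versus one that also uses the NAT-translated
# UDP port. All addresses, ports and identities below are constructed (RFC 5737 range).
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePeer:
    public_ip: str   # source address the responder sees: the NAT router's WAN address
    udp_port: int    # NAT-translated UDP source port (NAT-T uses UDP 4500 by default)
    identity: str    # client's UFQDN identifier sent in IKE phase 1


class ResponderKeyedByIp:
    """Hypothetical responder that keeps one peer record per public IP."""

    def __init__(self):
        self.sa_by_ip = {}

    def establish(self, peer):
        # A second peer from the same public IP silently replaces the first record,
        # so the first client's traffic is no longer matched to its own SA.
        self.sa_by_ip[peer.public_ip] = peer.identity

    def owner_of(self, peer):
        return self.sa_by_ip.get(peer.public_ip)


class ResponderKeyedByIpAndPort:
    """Hypothetical responder that keys on (public IP, NAT-translated port)."""

    def __init__(self):
        self.sa_by_endpoint = {}

    def establish(self, peer):
        self.sa_by_endpoint[(peer.public_ip, peer.udp_port)] = peer.identity

    def owner_of(self, peer):
        return self.sa_by_endpoint.get((peer.public_ip, peer.udp_port))


# Two clients behind the same NAT share the WAN address; the NAT gives them different ports.
USER_A = IkePeer("203.0.113.10", 4500, "usera@example.com")
USER_B = IkePeer("203.0.113.10", 61002, "userb@example.com")


def simulate(responder_cls):
    """Connect A, then B, then report whose SA each client's traffic is matched to."""
    responder = responder_cls()
    responder.establish(USER_A)
    responder.establish(USER_B)
    return responder.owner_of(USER_A), responder.owner_of(USER_B)


def misattributed_clients(responder_cls, peers=(USER_A, USER_B)):
    """Return identities whose traffic the responder would attribute to someone else."""
    responder = responder_cls()
    for p in peers:
        responder.establish(p)
    return [p.identity for p in peers if responder.owner_of(p) != p.identity]


if __name__ == "__main__":
    print("keyed by IP only     :", simulate(ResponderKeyedByIp))
    print("keyed by IP and port :", simulate(ResponderKeyedByIpAndPort))
```

Running it shows the first responder attributing both clients' traffic to the most recently connected user, which is the "second user connects, first user loses packets" symptom from the original post; the second responder keeps the two tunnels apart. The practical check this suggests is to confirm, in the responder's logs, that each tunnel is tracked by both the public address and the NAT-translated port rather than the address alone.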
