Two remote VPN users on the same network: when one connects, the other is bumped off.
I’m sure this is elementary, but I really need some direction.
I have 2 law firms in the same building; one downstairs and one upstairs and they have separate LANs. One has the NS 5GT and the other has 2 VPN users with the NS remote client, who need access to files on the downstairs network.
The setup is the most basic dial-up VPN and works fine for any single user (in this building or not). The problem is that whenever the 2nd upstairs user connects to the downstairs network, the 1st upstairs user is bumped off.
Each remote user has a unique security policy, but is only authenticated by email address.
I assume the problem relates to the 2 upstairs users being on the same network, specifically the same default gateway. Are both upstairs users being identified by the router's IP, therefore not allowing them both to connect?
Any obvious answers here? I can provide any necessary configuration details if needed.
I’m with you. I was trying to handle this through VPN myself, so I was just trying to avoid the obvious risks. It’s no problem though. I’ll test it out on location and let you know how it goes.
Thanks again for the help,
I think my example pretty much covers the complete VPN configuration. If you want more of a wizard/guide I suggest you read the configuration examples here, or the Juniper KB (http://kb.juniper.net). You could also try the route-based VPN wizard in the WebUI and after that take a look at the configuration and try to understand it.
I have no problem helping out with any issues, but this is fairly self-explanatory if you put some effort into reading the Configuration & Examples and the other links I posted.
Thanks for the quick reply. As you can probably tell, I’m very new to this. In your sample config, is this the entire file? I mean, because I’m not sure which lines deal with which parts of the config, I don’t want to reverse any of my settings that I DO need.
Is there any chance you could show me the exact config I’ll need from my original, but with your modifications, possibly using my “red X’s” where I’d need to plug in my IPs, etc?
This would be a huge help in my learning by reverse engineering. Again, I apologize for my lack of experience, but I'm still learning.
Could be as simple as NAT-T not being enabled on the VPN gateway object.
I recommend you set it up something close to this:
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set zone id 100 "VPNZone"
set interface tunnel.1 zone VPNZone
set interface tunnel.1 ip unnumbered interface bgroup0
set ippool "Dialup_pool" 192.168.2.1 192.168.2.128
set route 192.168.2.0/25 interface tunnel.1
set user "SharedXauth" ike-id u-fqdn "email@example.com" share-limit 10
set user "SharedXauth" type ike
set user "SharedXauth" "enable"
set user-group "MyXauthUsers" user "SharedXauth"
set user "DonaldDuck" type xauth
set user "DonaldDuck" password "disney1"
set user "MickeyMouse" type xauth
set user "MickeyMouse" password "disney2"
set ike gateway "p1_dialup" dialup "MyXauthUsers" Aggr outgoing-interface "ethernet0/0" preshare "aSecretPassPhrase" proposal "pre-g2-aes128-sha" "pre-g2-3des-sha"
set ike gateway "p1_dialup" nat-traversal udp-checksum
set ike gateway "p1_dialup" nat-traversal keepalive-frequency 5
set ike gateway "p1_dialup" xauth server "Local" query-config
set xauth default ippool "Dialup_pool"
set xauth default dns1 192.168.1.10
set xauth default wins1 192.168.1.10
set vpn "p2_dialup" gateway "p1_dialup" no-replay tunnel idletime 0 proposal "pre-g2-aes128-sha" "pre-g2-3des-sha"
set vpn "p2_dialup" bind interface tunnel.1
set vpn "p2_dialup" proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 "ANY"
P.S. Note that the VPN tunnel is different in a few aspects from yours. First of all, it is route-based, and the tunnel interface is terminated in a custom zone: VPNZone. I normally do this because I can put in granular policies from, let's say, VPNZone > Trust. Also it has a single shared ike-id. Of course you can do it as you have done, with a group of IKE users. Then I'm using XAuth for the dial-up users and providing them with an IP, DNS and WINS (this also helps when creating policies for dial-up users).
Here is my config file. For security purposes, Red X’s are items that I have removed from this post. Again, my problem is that these 2 users cannot gain access at the same time.
set clock timezone -6
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name " xxxxxxxxxxxxx "
set admin password "xxxxxxxxxxxxx"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip XX.XX.X.X/XX
set interface trust nat
set interface untrust ip XX.XX.X.X/XX
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server option gateway XX.XX.X.X/XX
set interface trust dhcp server option netmask XX.XX.X.X/XX
set interface trust dhcp server option dns1 XX.XX.X.X/XX
set interface trust dhcp server option dns2 XX.XX.X.X/XX
set interface trust dhcp server ip XX.XX.X.X to XX.XX.X.X
set flow tcp-mss
set hostname ns5gt
set dns host dns1 XX.XX.X.X
set dns host dns2 XX.XX.X.X
set address "Trust" " XX.XX.X.X " XX.XX.X.X XX.XX.X.X
set address "Trust" "Internal Net" XX.XX.X.X XX.XX.X.X
set user "remote_1" uid 21
set user "remote_1" ike-id u-fqdn "firstname.lastname@example.org" share-limit 1
set user "remote_1" type ike
set user "remote_1" "enable"
set user "remote_2" uid 22
set user "remote_2" ike-id u-fqdn "email@example.com" share-limit 1
set user "remote_2" type ike
set user "remote_2" "enable"
set user-group "VPN Users" id 1
set user-group "VPN Users" user "remote_1"
set user-group "VPN Users" user "remote_2"
set ike gateway "vpngateway1" dialup "VPN Users" Aggr outgoing-interface "untrust" preshare " XX.XX.X.X " proposal "pre-g1-des-sha"
unset ike gateway "vpngateway1" nat-traversal
set ike respond-bad-spi 1
set vpn "dialupvpn1" gateway "vpngateway1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 60
set policy id 1 from "Trust" to "Untrust" "Internal Net" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "dialupvpn1" id 1 log
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface untrust gateway XX.XX.X.X
set vrouter "trust-vr"
set route 0.0.0.0/0 vrouter "untrust-vr"
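Added example, not part of the thread and not a Juniper tool: a small Python linter that reads a ScreenOS config dump like the one posted above and reports the points the reply with the sample config raises, namely nat-traversal unset on the dial-up IKE gateway (the `unset ike gateway "vpngateway1" nat-traversal` line in the posted config), an `xauth default ippool` that no `set ippool` line defines, and user-group members that are not enabled IKE users. As a practitioner's extra check it also flags proposals using single DES, DH group 1 or MD5. The two embedded configs are constructed from lines posted in this thread (placeholders kept, the second one with the pool names aligned); the function names are my own.

```python
"""Hypothetical linter for ScreenOS config dumps, written for this thread (not a Juniper tool).
Flags: nat-traversal unset on a dial-up IKE gateway, an xauth ippool with no matching
'set ippool' line, group members that are not enabled IKE users, DES/group-1/MD5 proposals."""
import shlex
from typing import List

# Constructed sample: the VPN lines of the poster's config, placeholders kept as posted.
OP_CONFIG = """\
set user "remote_1" ike-id u-fqdn "firstname.lastname@example.org" share-limit 1
set user "remote_1" type ike
set user "remote_1" "enable"
set user "remote_2" ike-id u-fqdn "email@example.com" share-limit 1
set user "remote_2" type ike
set user "remote_2" "enable"
set user-group "VPN Users" user "remote_1"
set user-group "VPN Users" user "remote_2"
set ike gateway "vpngateway1" dialup "VPN Users" Aggr outgoing-interface "untrust" preshare " XX.XX.X.X " proposal "pre-g1-des-sha"
unset ike gateway "vpngateway1" nat-traversal
set vpn "dialupvpn1" gateway "vpngateway1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
"""

# Constructed sample: the reply's layout with NAT-T on and the pool names aligned.
FIXED_CONFIG = """\
set ippool "Dialup_pool" 192.168.2.1 192.168.2.128
set user "SharedXauth" ike-id u-fqdn "email@example.com" share-limit 10
set user "SharedXauth" type ike
set user "SharedXauth" "enable"
set user-group "MyXauthUsers" user "SharedXauth"
set ike gateway "p1_dialup" dialup "MyXauthUsers" Aggr outgoing-interface "ethernet0/0" preshare "aSecretPassPhrase" proposal "pre-g2-aes128-sha" "pre-g2-3des-sha"
set ike gateway "p1_dialup" nat-traversal udp-checksum
set xauth default ippool "Dialup_pool"
set vpn "p2_dialup" gateway "p1_dialup" no-replay tunnel idletime 0 proposal "pre-g2-aes128-sha" "pre-g2-3des-sha"
"""

WEAK_TOKENS = {"des", "g1", "md5"}  # single DES, DH group 1, MD5 ("3des" is a distinct token)


def tokenize(text: str) -> List[List[str]]:
    # Smart quotes from a forum paste are normalised before shlex splits the line.
    rows = []
    for raw in text.splitlines():
        raw = raw.replace("\u201c", '"').replace("\u201d", '"').strip()
        if raw:
            rows.append(shlex.split(raw))
    return rows


def weak_proposals(names: List[str]) -> List[str]:
    """Return the proposal names whose hyphenated parts include a weak primitive."""
    return [p for p in names if WEAK_TOKENS & set(p.split("-"))]


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the config passed."""
    gateways, vpns, users, groups = {}, {}, {}, {}
    ippools, nat_t_off, xauth_pool = set(), set(), None

    for t in tokenize(text):
        if t[:2] == ["set", "ippool"]:
            ippools.add(t[2])
        elif t[:4] == ["set", "xauth", "default", "ippool"]:
            xauth_pool = t[4]
        elif t[:3] == ["set", "ike", "gateway"]:
            g = gateways.setdefault(t[3], {"proposals": []})
            if t[4:5] == ["dialup"]:
                g["dialup"] = t[5]
            if "proposal" in t:
                g["proposals"] = t[t.index("proposal") + 1:]
        elif t[:3] == ["unset", "ike", "gateway"] and "nat-traversal" in t:
            nat_t_off.add(t[3])
        elif t[:2] == ["set", "vpn"]:
            v = vpns.setdefault(t[2], {"proposals": []})
            if "gateway" in t:
                v["gateway"] = t[t.index("gateway") + 1]
            if "proposal" in t:
                v["proposals"] = t[t.index("proposal") + 1:]
        elif t[:2] == ["set", "user"]:
            u = users.setdefault(t[2], {"type": None, "enabled": False})
            if t[3:4] == ["type"]:
                u["type"] = t[4]
            if t[3:] == ["enable"]:
                u["enabled"] = True
        elif t[:2] == ["set", "user-group"] and t[3:4] == ["user"]:
            groups.setdefault(t[2], []).append(t[4])

    findings = []
    for name, g in gateways.items():
        if "dialup" not in g:
            continue  # site-to-site gateways are out of scope here
        if name in nat_t_off:
            findings.append(f"gateway {name}: nat-traversal is unset; dial-up peers behind one NAT "
                            "share a source address, so the second IKE SA displaces the first")
        for m in groups.get(g["dialup"], []):
            u = users.get(m, {})
            if u.get("type") != "ike" or not u.get("enabled"):
                findings.append(f"gateway {name}: group member {m} is not an enabled ike user")
        for p in weak_proposals(g["proposals"]):
            findings.append(f"gateway {name}: phase-1 proposal {p} uses DES, DH group 1 or MD5")
    for name, v in vpns.items():
        if v.get("gateway") not in gateways:
            findings.append(f"vpn {name}: gateway {v.get('gateway')} is not defined")
        for p in weak_proposals(v["proposals"]):
            findings.append(f"vpn {name}: phase-2 proposal {p} uses DES, DH group 1 or MD5")
    if xauth_pool is not None and xauth_pool not in ippools:
        findings.append(f"xauth default ippool {xauth_pool} is not defined by any 'set ippool' line")
    return findings
```

Run `lint()` over a config saved from Configuration > Update > Config File. On the posted config it returns three findings (the unset nat-traversal, the `pre-g1-des-sha` phase-1 proposal and the `nopfs-esp-des-sha` phase-2 proposal) and nothing for the corrected sample; the NAT-T finding is the one that explains two clients behind the same upstairs gateway displacing each other.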
Configuration > Update > Config File is where you find it in the webui
Please don’t hold this against me, but how do I generate that config from the WEBUI? I feel comfortable with sifting through it to remove passwords etc.
Sure, we can take a look at it. Start by posting a config (free of passwords and pre-shared keys).
C’mon guys. Is it that my problem is not difficult enough?
Please help me with this one.