2 remote VPN users on same network - when one connects, the other is bumped off.



  • I’m sure this is elementary, but I really need some direction.

    I have 2 law firms in the same building; one downstairs and one upstairs and they have separate LANs.  One has the NS 5GT and the other has 2 VPN users with the NS remote client, who need access to files on the downstairs network.

    The setup is the most basic dial-up VPN and works fine for any single user (in this building or not).  The problem is that whenever the 2nd upstairs user connects to the downstairs network, the 1st upstairs user is bumped off.

    Each remote user has a unique security policy, but only authenticated by email address.

    I assume the problem relates to the 2 upstairs users being on the same network, specifically the same default gateway.  Are both upstairs users being identified by the router's IP, therefore not allowing them both to connect?

    Any obvious answers here?  I can provide any necessary configuration details if needed.

    Thanks,

    Josh



  • I’m with you.  I was trying to handle this through VPN myself, so I was just trying to avoid the obvious risks.  It’s no problem though.  I’ll test it out on location and let you know how it goes.

    Thanks again for the help,

    J



  • I think my example pretty much covers the complete VPN configuration. If you want more of a wizard/guide, I suggest you read the configuration examples here, or the Juniper KB (http://kb.juniper.net). You could also try the route-based VPN wizard in the WebUI and after that take a look at the configuration and try to understand it.

    I have no problem helping out with any issues, but this is quite explanatory if you put some effort in reading the Configuration & Examples and the other links I posted.



  • Thanks for the quick reply.  As you can probably tell, I’m very new to this.  In your sample config, is this the entire file?  I mean, because I’m not sure which lines deal with which parts of the config, I don’t want to reverse any of my settings that I DO need.

    Is there any chance you could show me the exact config I’ll need from my original, but with your modifications, possibly using my “red X’s” where I’d need to plug in my IPs, etc?

    This would be a huge help in my learning by reverse engineering.  Again, I apologize for my lack of experience, but I'm still learning.

    Thanks again,

    Josh



  • Could be as simple as nat-t not being enabled on the vpn gateway object.

    I recommend you set it up something close to this:

    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set zone id 100 "VPNZone"
    set interface tunnel.1 zone VPNZone
    set interface tunnel.1 ip unnumbered interface bgroup0
    set ippool "Dialup_pool" 192.168.2.1 192.168.2.128
    set route 192.168.2.0/25 interface tunnel.1
    set user "SharedXauth" ike-id u-fqdn "mydialup@groupid.com" share-limit 10
    set user "SharedXauth" type ike
    set user "SharedXauth" "enable"
    set user-group "MyXauthUsers" user "SharedXauth"
    set user "DonaldDuck" type xauth
    set user "DonaldDuck" password "disney1"
    set user "MickeyMouse" type xauth
    set user "MickeyMouse" password "disney2"
    set ike gateway "p1_dialup" dialup "MyXauthUsers" Aggr outgoing-interface "ethernet0/0" preshare "aSecretPassPhrase" proposal "pre-g2-aes128-sha" "pre-g2-3des-sha"
    set ike gateway "p1_dialup" nat-traversal udp-checksum
    set ike gateway "p1_dialup" nat-traversal keepalive-frequency 5
    set ike gateway "p1_dialup" xauth server "Local" query-config
    set xauth default ippool "Dialup_pool"
    set xauth default dns1 192.168.1.10
    set xauth default wins1 192.168.1.10
    set vpn "p2_dialup" gateway "p1_dialup" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha" "g2-esp-3des-sha"
    set vpn "p2_dialup" bind interface tunnel.1
    set vpn "p2_dialup" proxy-id local-ip 0.0.0.0/0 remote-ip 255.255.255.255/32 "ANY"

    P.S. Note that the VPN tunnel is different in a few aspects from yours. First of all, it is route-based, and the tunnel interface is terminated in a custom zone, VPNZone. I normally do this because I can put in granular policies from, let's say, VPNZone > Trust. Also, it has a single shared IKE ID. Of course you can do it as you have done, with a group of IKE users. Then I'm using XAuth for the dialup users and provide them with an IP, DNS and WINS (this also helps when creating policies for dialup users).

    regards,
    oldO



  • Here is my config file.  For security purposes, Red X’s are items that I have removed from this post.  Again, my problem is that these 2 users cannot gain access at the same time.

    thanks,

    Josh

    set clock timezone -6
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set admin name "xxxxxxxxxxxxx"
    set admin password "xxxxxxxxxxxxx"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip XX.XX.X.X/XX
    set interface trust nat
    set interface untrust ip XX.XX.X.X/XX
    set interface untrust route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface untrust manage ping
    set interface trust dhcp server service
    set interface trust dhcp server enable
    set interface trust dhcp server option gateway XX.XX.X.X/XX
    set interface trust dhcp server option netmask XX.XX.X.X/XX
    set interface trust dhcp server option dns1 XX.XX.X.X/XX
    set interface trust dhcp server option dns2 XX.XX.X.X/XX
    set interface trust dhcp server ip XX.XX.X.X to XX.XX.X.X
    set flow tcp-mss
    set hostname ns5gt
    set dns host dns1 XX.XX.X.X
    set dns host dns2 XX.XX.X.X
    set address "Trust" "XX.XX.X.X" XX.XX.X.X XX.XX.X.X
    set address "Trust" "Internal Net" XX.XX.X.X XX.XX.X.X
    set user "remote_1" uid 21
    set user "remote_1" ike-id u-fqdn "remote_1@remote.com" share-limit 1
    set user "remote_1" type ike
    set user "remote_1" "enable"
    set user "remote_2" uid 22
    set user "remote_2" ike-id u-fqdn "remote_2@remote.com" share-limit 1
    set user "remote_2" type ike
    set user "remote_2" "enable"
    set user-group "VPN Users" id 1
    set user-group "VPN Users" user "remote_1"
    set user-group "VPN Users" user "remote_2"
    set ike gateway "vpngateway1" dialup "VPN Users" Aggr outgoing-interface "untrust" preshare "XX.XX.X.X" proposal "pre-g1-des-sha"
    unset ike gateway "vpngateway1" nat-traversal
    set ike respond-bad-spi 1
    set vpn "dialupvpn1" gateway "vpngateway1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 60
    set policy id 1 from "Trust" to "Untrust" "Internal Net" "Any" "ANY" permit log
    set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "dialupvpn1" id 1 log
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set ssh version v2
    set config lock timeout 5
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface untrust gateway XX.XX.X.X
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 vrouter "untrust-vr"
    exit
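Added example (editor's note, not part of the thread and not Juniper code): a small Python checker that applies the two points that come up in this thread to a ScreenOS config dump. oldO's reply suggests the dial-up gateway has NAT traversal turned off, and the posted config shows exactly that line (`unset ike gateway "vpngateway1" nat-traversal`) plus single-DES / DH group 1 proposals; the route-based example in oldO's post also referenced an IP pool under a different name than the one it defined. The sample input below is a constructed, trimmed copy of the configs in this thread with addresses and secrets replaced. Assumptions: NAT-T is on by default for a ScreenOS IKE gateway unless explicitly unset, and the finding codes and the `audit`/`weak_parts` function names are mine.

```python
import shlex

# Constructed sample input: a trimmed version of the two ScreenOS configs
# posted in this thread (addresses and secrets replaced with placeholders),
# deliberately keeping the "unset nat-traversal" line, the DES/group-1
# proposals and the Dialup_pool/DialupPool name mismatch so every check fires.
SAMPLE_CONFIG = """\
set user "remote_1" ike-id u-fqdn "remote_1@remote.com" share-limit 1
set user "remote_1" type ike
set user "remote_2" ike-id u-fqdn "remote_2@remote.com" share-limit 1
set user "remote_2" type ike
set user-group "VPN Users" user "remote_1"
set user-group "VPN Users" user "remote_2"
set ike gateway "vpngateway1" dialup "VPN Users" Aggr outgoing-interface "untrust" preshare "REDACTED" proposal "pre-g1-des-sha"
unset ike gateway "vpngateway1" nat-traversal
set vpn "dialupvpn1" gateway "vpngateway1" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set ippool "Dialup_pool" 192.168.2.1 192.168.2.128
set ike gateway "p1_dialup" dialup "MyXauthUsers" Aggr outgoing-interface "ethernet0/0" preshare "REDACTED" proposal "pre-g2-aes128-sha" "pre-g2-3des-sha"
set ike gateway "p1_dialup" nat-traversal udp-checksum
set xauth default ippool "DialupPool"
"""

# The same gateway after applying the thread's advice: NAT-T left enabled,
# AES/group-2 proposals with PFS, and a pool name that matches its definition.
FIXED_CONFIG = """\
set ippool "Dialup_pool" 192.168.2.1 192.168.2.128
set ike gateway "p1_dialup" dialup "MyXauthUsers" Aggr outgoing-interface "ethernet0/0" preshare "REDACTED" proposal "pre-g2-aes128-sha"
set ike gateway "p1_dialup" nat-traversal udp-checksum
set vpn "p2_dialup" gateway "p1_dialup" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set xauth default ippool "Dialup_pool"
"""

# Proposal-name tokens a reviewer would flag. ScreenOS proposal names are
# dash-separated, so "3des" and "des" are distinct tokens and 3DES is not hit.
WEAK = {"des": "single DES", "g1": "DH group 1 (768-bit)",
        "md5": "MD5", "nopfs": "no PFS"}


def parse(text):
    """Yield (verb, tokens) per non-empty line; a quoted name becomes one token."""
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            toks = shlex.split(line)
            yield toks[0], toks[1:]


def weak_parts(proposal):
    """Return the sorted weak tokens found in a proposal name (empty if none)."""
    return sorted(set(proposal.lower().split("-")) & set(WEAK))


def audit(text):
    """Return a list of (code, object, message) findings for a ScreenOS config."""
    # Assumption: NAT-T is enabled by default on an IKE gateway, so only an
    # explicit "unset ike gateway <name> nat-traversal" turns it off.
    gateways, vpns, pools, xauth_pool = {}, [], set(), None
    for verb, t in parse(text):
        if t[:2] == ["ike", "gateway"] and len(t) > 2:
            gw = gateways.setdefault(t[2], {"dialup": False, "natt": True, "proposals": []})
            rest = t[3:]
            if verb == "unset" and rest[:1] == ["nat-traversal"]:
                gw["natt"] = False
            elif verb == "set":
                gw["dialup"] |= "dialup" in rest
                if "proposal" in rest:
                    gw["proposals"] += rest[rest.index("proposal") + 1:]
        elif verb == "set" and t[:1] == ["vpn"] and "proposal" in t:
            vpns.append((t[1], t[t.index("proposal") + 1:]))
        elif verb == "set" and t[:1] == ["ippool"] and len(t) > 1:
            pools.add(t[1])
        elif verb == "set" and t[:3] == ["xauth", "default", "ippool"] and len(t) > 3:
            xauth_pool = t[3]

    findings = []
    for name, gw in gateways.items():
        if gw["dialup"] and not gw["natt"]:
            findings.append(("NAT-T-DISABLED", name,
                "dial-up gateway has NAT traversal unset: clients behind one NAT "
                "share a public address and bare ESP carries no port, so the NAT "
                "cannot keep two tunnels apart; enable nat-traversal (UDP 4500)"))
        for p in gw["proposals"]:
            if weak_parts(p):
                findings.append(("WEAK-IKE-PROPOSAL", name,
                    f"{p}: " + ", ".join(WEAK[w] for w in weak_parts(p))))
    for name, props in vpns:
        for p in props:
            if weak_parts(p):
                findings.append(("WEAK-IPSEC-PROPOSAL", name,
                    f"{p}: " + ", ".join(WEAK[w] for w in weak_parts(p))))
    if xauth_pool and xauth_pool not in pools:
        findings.append(("UNDEFINED-IPPOOL", xauth_pool,
            "xauth default ippool references a pool that is never defined "
            f"(defined: {sorted(pools) or 'none'})"))
    return findings


if __name__ == "__main__":
    for code, obj, msg in audit(SAMPLE_CONFIG):
        print(f"{code:22} {obj:14} {msg}")
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Run it against a config saved from Configuration > Update > Config File (with secrets stripped first, as oldO asks); the sample above produces four findings and the corrected fragment produces none. The NAT-T check is the one that matches the symptom in this thread: with traversal off, the two upstairs clients reach the 5GT from the same public address with no UDP port to tell them apart.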



  • Configuration > Update > Config File is where you find it in the webui

    regards,
    /oldO



  • Please don’t hold this against me, but how do I generate that config from the WEBUI?  I feel comfortable with sifting through it to remove passwords etc.

    Thanks,

    Josh



  • sure, we can take a look at it. Start by posting a config (free of passwords and pre-shared keys).

    regards,
    oldO



  • C’mon guys. Is it that my problem is not difficult enough?

    Please help me with this one.

    Josh

