Topic: multiple Client 2 Site VPN through m0n0wall disconnects
« on: January 23, 2008, 15:42:11 »
philister *
Posts: 3

I have the following setup in our company:
[client] --->c2s vpn---[m0n0] ---->[internet]---->[OpenBSD FW]---->[OpenBSD VPN]
We are using SafeNet SoftRemote as the VPN client.

We are connecting via client-to-site VPN to our infrastructure, which normally works fine as long as every client has its own external address (its internal IP gets NAT'ed to a unique external IP). As soon as a client gets NAT'ed to the same external IP, one of the connected sessions gets dropped.

It has to be the m0n0wall, since our endpoint VPN gateway was completely replaced with a different product, from Linux to OpenBSD. Same error again...

What are we doing wrong? We already tried to disable/enable the portmapper, checked the logs etc.

Any idea?
Thanks
phil
« Reply #1 on: January 24, 2008, 04:53:57 »
dusan *
Posts: 8

Clearly wrong order on the server side. The two OpenBSD machines are connected in the reverse order from what they should be. The VPN tunnel must terminate outside of the firewall, or on its outer interface; otherwise it would cause you much, much trouble.

Once you consider switching to site-to-site VPN, don't forget to reverse the order on the client side too.
« Reply #2 on: January 25, 2008, 16:15:41 »
xormar *
Posts: 2

I wouldn't see why this setup is wrong, if:
a) they're using NAT-T on their clients
b) the VPN terminates on OpenBSD-VPN
c) there's something behind the OpenBSD-VPN box that they want to reach via VPN

m0n0 and OpenBSD-FW would only act as packet filters, right?

I'd first check if the outgoing sessions get NAT'ed to the same source port or not. If so, and the same source IP is used on the "internet" side of m0n0, this could be a problem.

Besides, this might be the wrong forum, as m0n0 is not acting as the VPN gateway in this case.
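The check suggested above (are two clients being translated onto the same external tuple towards the VPN peer?) as an added example that is not from this thread. It parses a constructed, pf-style state listing (an approximation of `pfctl -ss` output on a NAT gateway, with the original internal address in parentheses; real output varies by version) and reports every external address/port that more than one internal host shares towards the same peer. ESP carries no ports at all, so without NAT-T two clients behind one external IP always share the translated tuple; UDP 500/4500 only collides when the NAT preserves source ports (static-port mapping).

```python
import re
from collections import defaultdict

# Constructed sample states, pf-style: "<if> <proto> <external> (<internal>) -> <peer> ...".
# The two UDP 500 entries show what a static-port NAT would produce; the two ESP
# entries show the unavoidable collision of non-NAT-T ESP behind one external IP.
SAMPLE_STATES = """\
all udp 203.0.113.10:500 (10.0.0.5:500) -> 198.51.100.7:500       MULTIPLE:MULTIPLE
all udp 203.0.113.10:500 (10.0.0.6:500) -> 198.51.100.7:500       MULTIPLE:MULTIPLE
all udp 203.0.113.10:4500 (10.0.0.5:4500) -> 198.51.100.7:4500    MULTIPLE:MULTIPLE
all udp 203.0.113.10:61234 (10.0.0.6:4500) -> 198.51.100.7:4500   MULTIPLE:MULTIPLE
all esp 203.0.113.10 (10.0.0.5) -> 198.51.100.7                   NO_TRAFFIC:NO_TRAFFIC
all esp 203.0.113.10 (10.0.0.6) -> 198.51.100.7                   NO_TRAFFIC:NO_TRAFFIC
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>udp|tcp|esp)\s+(?P<ext>\S+)\s+\((?P<int>\S+)\)\s+->\s+(?P<peer>\S+)"
)


def find_collisions(state_text):
    """Map (proto, translated external addr[:port], peer) -> sorted internal hosts,
    keeping only tuples that more than one internal host was translated onto.
    The peer sees a single source for those hosts, so one of the sessions loses.
    Lines that do not look like NAT'ed states are skipped."""
    seen = defaultdict(set)
    for line in state_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        key = (m["proto"], m["ext"], m["peer"])
        seen[key].add(m["int"].split(":")[0])  # internal host without port
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (proto, ext, peer), hosts in find_collisions(SAMPLE_STATES).items():
        print(f"{proto} {ext} -> {peer} shared by {', '.join(hosts)}")
```

The NAT-T pair (UDP 4500, translated to two different source ports) is correctly not reported, which is what a working multi-client setup should look like.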
« Reply #3 on: January 25, 2008, 17:17:11 »
dusan *
Posts: 8

I know that some people set it up this way. Technically, it works. It is wrong only from the security viewpoint. In secured networks, VPN tunnels are never allowed to terminate inside the firewall because VPN traffic would get out of the firewall's control. Traffic that may be completely opaque to the firewall would be plainly unacceptable.

Thus in this case, the order is wrong on the side of the OpenBSDs.

In the case of a site-to-site VPN, the same consideration applies on the side of m0n0.
« Last Edit: January 25, 2008, 17:28:09 by dusan »
« Reply #4 on: January 25, 2008, 18:50:19 »
xormar *
Posts: 2

Having an unprotected IPsec gateway on the internet side that can then initiate traffic into the secured network seems just as bad an idea. You would have to put a firewall onto it... and I agree with you that an additional firewall on the VPN gateway itself or immediately after it would greatly increase security. I personally would deploy VPN gateways in a separate DMZ that is sandwiched between two layers of firewalls.
« Reply #5 on: January 28, 2008, 12:35:29 »
philister *
Posts: 3

Right xormar...

I moved this topic to the NAT forum. Thanks for your help...dmhb

phil