We have the following setup in our company:

[client] ---> c2s vpn --> [m0n0] ----> [internet] ----> [OpenBSD FW1] ----> [OpenBSD VPN] ---> [OpenBSD FW2] --> [Systems]

- We are using SafeNet SoftRemote as VPN client
- We are using NAT-T on the OpenBSD VPN-GW
We are connecting via client-to-site VPN to our infrastructure, which normally works pretty well as long as every client has its own external IP address (its internal IP gets NATed to a unique external IP via outbound NAT).
The problem occurs if a secondary client connects to the GW and uses an external IP which is already connected to the GW. The VPN tunnel which is already connected gets disconnected.
Log says: isakmpd: dropped message from xxx.xxx.xxx.xxx port 11320 due to notification type INVALID_COOKIE
We currently do not have enough external IPs to address all our employees ...
Is it possible to have multiple VPN tunnels without having to assign each client a unique IP?
It has to be the m0n0wall, since our endpoint VPN gateway was completely replaced with a different product, from Linux now to OpenBSD. Same error again .....
What are we doing wrong? We already tried to disable/enable portmapper, checked the logs etc.
Any idea? Thanks, Phil
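The one isakmpd line quoted above is the only evidence in the post of what the gateway sees. As an added example (not Phil's code and not part of m0n0wall, isakmpd or SoftRemote), the script below parses lines in that exact format out of a log, groups INVALID_COOKIE drops by source address, and flags any address from which more than one UDP source port produced the notification. Several source ports behind one public address is the pattern one would expect on the gateway side when two NAT-T clients sit behind the same NAT device, so the script is a quick check of whether the "second client on an already-connected external IP" description matches the log. The log format is assumed from the single quoted line; the sample log lines and the documentation-range addresses in them are constructed for the example.

```python
import re
from collections import defaultdict

# Regex for the isakmpd line format quoted in the post (assumed to be the
# only format of interest; other lines are ignored).
LINE_RE = re.compile(
    r"isakmpd: dropped message from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<port>\d+) due to notification type (?P<ntype>[A-Z_]+)"
)

# Constructed sample log (not from the original post): two peers behind
# 203.0.113.7 showing up with different source ports, one lone peer at
# 198.51.100.2, and one unrelated line that must be skipped.
SAMPLE_LOG = """\
isakmpd: dropped message from 203.0.113.7 port 11320 due to notification type INVALID_COOKIE
isakmpd: dropped message from 203.0.113.7 port 11320 due to notification type INVALID_COOKIE
isakmpd: dropped message from 203.0.113.7 port 4500 due to notification type INVALID_COOKIE
isakmpd: dropped message from 198.51.100.2 port 4500 due to notification type INVALID_COOKIE
isakmpd: some unrelated message
"""


def parse_drops(text):
    """Return a list of (ip, port, notification_type) for every matching line."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            drops.append((m.group("ip"), int(m.group("port")), m.group("ntype")))
    return drops


def ports_per_ip(drops, ntype="INVALID_COOKIE"):
    """Map each source IP to the set of distinct UDP source ports that
    produced the given notification type."""
    seen = defaultdict(set)
    for ip, port, nt in drops:
        if nt == ntype:
            seen[ip].add(port)
    return dict(seen)


def shared_nat_candidates(drops, ntype="INVALID_COOKIE"):
    """Source IPs behind which more than one source port triggered the
    notification: candidates for 'several clients behind one NAT address'."""
    return sorted(ip for ip, ports in ports_per_ip(drops, ntype).items()
                  if len(ports) > 1)


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for ip, ports in sorted(ports_per_ip(drops).items()):
        print(f"{ip}: {len(ports)} distinct source port(s): {sorted(ports)}")
    print("candidates for a shared NAT address:", shared_nat_candidates(drops))
```

Run it against the real gateway log instead of SAMPLE_LOG (e.g. by reading the file and passing its contents to parse_drops); an address listed by shared_nat_candidates is one to cross-check against the client connection times in the post's scenario.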