Contributor
March 2, 2005
Question

only one VPN client can establish connection at one time

  • March 2, 2005
  • 7 replies
  • 8672 views
We are currently using the Kerio Firewall 6.x to connect to the remote site using the Fortigate 100A. However, only one VPN client (FortiClient v1.2.04) can connect to the VPN gateway at a time. The other workstation fails to establish the VPN connection. We set the outbound rule as follows for the VPN connection:

    Source        Destination   Services            Action   Translation
    ------------  ------------  ------------------  -------  --------------
    internal IPs  VPN gateway   UDP 500, UDP 4500   allow    NAT to WAN IP

In the Fortigate 100A VPN gateway, we set the encryption rule with the dial-up VPN gateway and placed the rule at the top of the firewall policies. Thanks

    7 replies

    Contributor
    March 2, 2005
How do you assign IPs? If you're not using DHCP over IPsec but static addresses in the VPN client, and they are the same, that would explain why only one VPN client can connect at the same time. Regards, Eric
    Contributor
    March 2, 2005
We have a different IP assigned to each client. In fact, we are able to have multiple clients behind a NETGEAR firewall connected to the VPN. However, we're having problems with clients behind Kerio WinRoute Firewall. We actually reconfigured our settings on Kerio so that they are identical to the settings of the NETGEAR. Even with that, only one client is allowed to get connected. From the log we saw that Phase 1 was okay. However, the next thing we saw is the error message below (from the client behind Kerio): "No response from peer, retransmit [st=1]"
    Contributor
    March 2, 2005
Have you tried to make a specific rule in the Kerio FW, like allow port 450, etc.? Does it work if you disable the Kerio FW? I assume you connect in aggressive mode?
    UkWizard
    New Member
    March 2, 2005
The problem is the NAT rule: change the outbound rule to just allow traffic through and NOT to NAT it to a specific IP/port. Then the outbound connections will have DIFFERENT source ports and should then work fine. With the rule you have, all clients would be NATed behind one port on the firewall, so the returning packets would mostly return to the first machine that was connected. (This is common.)
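The port overlap UkWizard describes above, as an added example (not code from this thread, from Kerio or from Fortinet): a small Python model of a NAT translation table in which two IKE clients behind the same firewall both send from UDP 500 to the VPN gateway. All addresses and ports are constructed sample values. The `fixed_port=True` branch stands for a rule that translates every client to the same WAN port; the other branch is ordinary per-flow port allocation. The gateway replies to whatever address:port it saw, and the NAT can only hand an inbound packet to one inside host, so with a shared port the second client's reply lands on the first client.

```python
"""Model of a NAT/PAT table handling two IKE (UDP/500) clients.

Added example, not code from the thread or from any firewall vendor.
The NAT decides where a reply goes from the IP/UDP header alone; the
IKE cookies inside the payload do not help it demultiplex.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

WAN_IP = "198.51.100.2"          # constructed: firewall's public address
GATEWAY: Endpoint = ("203.0.113.1", 500)  # constructed: dial-up VPN gateway
CLIENTS: List[Endpoint] = [     # constructed: two LAN clients, both using IKE's UDP 500
    ("192.168.1.10", 500),
    ("192.168.1.11", 500),
]


@dataclass
class Nat:
    """Stateful NAT: outbound creates a mapping, inbound looks it up."""
    fixed_port: bool                 # True = every client translated to one WAN port
    next_port: int = 1024            # next free ephemeral port for per-flow PAT
    # (inside endpoint, remote endpoint) -> translated outside endpoint
    out_table: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)
    # (outside endpoint, remote endpoint) -> inside endpoints, oldest first
    in_table: Dict[Tuple[Endpoint, Endpoint], List[Endpoint]] = field(default_factory=dict)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """Translate a client->gateway packet, creating the mapping if new."""
        key = (inside, remote)
        if key not in self.out_table:
            if self.fixed_port:
                # Preserve the client's source port: every IKE client uses 500,
                # so all of them collapse onto WAN_IP:500.
                translated = (WAN_IP, inside[1])
            else:
                translated = (WAN_IP, self.next_port)
                self.next_port += 1
            self.out_table[key] = translated
            self.in_table.setdefault((translated, remote), []).append(inside)
        return self.out_table[key]

    def inbound(self, remote: Endpoint, outside: Endpoint) -> Optional[Endpoint]:
        """Deliver a gateway->firewall reply; return the inside host that gets it."""
        candidates = self.in_table.get((outside, remote))
        if not candidates:
            return None          # no mapping: packet is dropped
        return candidates[0]     # the NAT must pick one; the oldest mapping wins

    def colliding_mappings(self) -> List[Tuple[Endpoint, List[Endpoint]]]:
        """Outside endpoints shared by more than one inside host (the ambiguity)."""
        return [(out, ins) for (out, _), ins in self.in_table.items() if len(ins) > 1]


def simulate(fixed_port: bool) -> Dict[Endpoint, Optional[Endpoint]]:
    """Each client sends one IKE packet; record which host the reply reaches."""
    nat = Nat(fixed_port=fixed_port)
    delivered: Dict[Endpoint, Optional[Endpoint]] = {}
    for client in CLIENTS:
        seen_by_gateway = nat.outbound(client, GATEWAY)
        # The gateway answers the source it saw; the NAT maps it back.
        delivered[client] = nat.inbound(GATEWAY, seen_by_gateway)
    return delivered


if __name__ == "__main__":
    for mode in (True, False):
        label = "fixed WAN port" if mode else "per-flow source ports"
        print(f"{label}:")
        for client, target in simulate(mode).items():
            print(f"  reply meant for {client} delivered to {target}")
```

With `fixed_port=True` both replies are delivered to 192.168.1.10, which is exactly the "only the first client connects" symptom; the second client keeps retransmitting because its IKE responses never reach it. With per-flow ports each reply maps back to the client that sent the request.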
    Contributor
    March 27, 2005
Hi UkWizard, I have the same problem as fortigate@hhlmail.com. I have checked the NAT option in the rule All(internal)->All(external) and disabled the Fix Port option. But now only one dial-up VPN tunnel can be established; static VPN tunnels all work fine. Thanks. Harward Gao
    UkWizard
    New Member
    March 27, 2005
    Explain your setup and problem in more detail.
    UkWizard
    New Member
    March 28, 2005
Or you could try aggressive mode and use peer ID with multiple dial-up VPN rules (one for each peer ID). Never tried this personally though; the idea above is better. Also remember that every site would need its own individual IP subnet, otherwise it gets really messy and needs to be a site-to-site config.
    Contributor
    March 28, 2005
Hello, nearly the same problem here: a Forti100 with a static IP, about 30 Forti50As with dynamic IPs. On the Forti100 the first dial-up tunnel works fine. All others get a connection for about 1-30 seconds, then the connection is lost. Log: "delete IPSEC..." Mysterious: it worked fine for about 8 months. Last software update 2 months ago. Problem since yesterday...
    Contributor
    March 29, 2005
Hello, found the problem for my Forti100... solved.
    Contributor
    March 31, 2005
Hi all, I am the original sender of this message. I have solved this problem by disabling the IPsec traffic of my current firewall. Now I have more than one VPN client connected to the remote site. Regards.
    Contributor
    April 1, 2005
Hi Sir, sorry, I don't get your message right. You are saying to disable the IPsec traffic in the firewall, but how do you do this? Is it disabling the IKE service in the firewall policy (Internal to External, Encryption policy)? Thanks in advance. Chew
    Contributor
    April 1, 2005
Yes, not all firewalls are the same. Here I attached the picture of my firewall setting that disables the IPsec passthrough. After I uncheck this option (IPsec passthrough), the VPN clients work fine.