Multiple VPN Connections
The Issue:
We can only ever have one VPN user connected at any one time! If another user tries to connect, they will kick the other person off. Access to the network, if connected to the VPN, is fine. We will change config soon, however we need this issue resolved in the meantime - any help will be very much appreciated.
Device: Fortigate 100d
Firmware: v5.0,build0252 (GA Patch 5)
Our LAN address: 5.5.10.1 - 5.5.10.239 /24
VPN Config:
- IPsec: Accept any peer ID, IKE version 1, Mode Config enabled, Start IP: 5.5.10.240, End IP: 5.5.10.254, DNS: 5.5.5.10
- P1 Proposal: AES256 SHA1, DH Group 5, Keylife 28800
- XAUTH: Enabled as server, Server type Auto, User Group VPN, Dead Peer Detection enabled
- P2 Proposal: 1 - Encryption AES128, Authentication SHA1; 2 - Encryption AES128, Authentication SHA1; Enable replay detection; Enable perfect forward secrecy (PFS)
- Keylife: Seconds: 28800
Thanks
Here's how I suggest you do it:

config vpn ipsec phase1-interface
    edit "DialupWarrior"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set negotiate-timeout 15
        set peerid "defined a peerid"    <----- this would be the groupname for us cisco guys
        set authusrgrp "DialRemUSERS"
        set ipv4-start-ip 192.168.91.1
        set ipv4-end-ip 192.168.91.10
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "NETWORK_192.168.254.0"    <----- optional for split tunnel; define an addr or addrgroup
        set psksecret ENC BAAAACrBjgTZw9qZM1PBAIvf639qcM5GHQ3YruMjynTbxfq2raDZXa2jmdqd7zMdkVw4VRMhng2Uz4qRT3fHNrJK44a+Qf0stu5eBFcK7KvBOlEf
    next
end

config vpn ipsec phase2-interface
    edit "DialupWarrior2"
        set keepalive enable
        set pfs disable
        set phase1name "DialupWarrior"
        set proposal aes256-md5 aes256-sha1
    next
end

and in your group you have the users:

config user group
    edit "DialRemUSERS"
        set member "user1" "user2" "user3" "user4" "user5" "kfelixsslvpn"
    next
end
Diag debug flow is your friend, btw. I would suggest you use it for diagnostics of your current problems.
Ken
PCNSE
NSE
StrongSwan
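As an added example, not part of either post, here is a small Python parser for the FortiOS CLI blocks quoted in this thread (config/edit/set/next/end) plus a helper that reports how many client addresses a mode-cfg pool offers; SAMPLE_CONFIG is constructed from Ken's suggested settings, not a live device export.

```python
import ipaddress
import shlex

# Constructed sample, modelled on the phase1/phase2 blocks posted in this thread.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "DialupWarrior"
        set type dynamic
        set dhgrp 2
        set peertype one
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set authusrgrp "DialRemUSERS"
        set ipv4-start-ip 192.168.91.1
        set ipv4-end-ip 192.168.91.10
    next
end
config vpn ipsec phase2-interface
    edit "DialupWarrior2"
        set keepalive enable
        set pfs disable
        set phase1name "DialupWarrior"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: {table: {entry: {attr: [values]}}}."""
    stack, current = [], {}   # current: dict being filled; stack: enclosing dicts
    tree = current
    for raw in text.splitlines():
        tokens = shlex.split(raw)   # shlex keeps quoted names like "DialRemUSERS" intact
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):   # open a nested block keyed by its name
            stack.append(current)
            current = current.setdefault(" ".join(args), {})
        elif cmd == "set":              # attribute with one or more values
            current[args[0]] = args[1:]
        elif cmd in ("next", "end"):    # close the innermost block
            current = stack.pop()
    return tree

def dialup_pool_size(phase1):
    """Addresses available to mode-cfg clients: ipv4-start-ip .. ipv4-end-ip inclusive."""
    start = ipaddress.IPv4Address(phase1["ipv4-start-ip"][0])
    end = ipaddress.IPv4Address(phase1["ipv4-end-ip"][0])
    return int(end) - int(start) + 1
```

Run against the pool in the original question (5.5.10.240 to 5.5.10.254) the helper reports 15 addresses, so the pool itself is not what limits the dialup to a single client.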
Hi Ken - thanks a lot for the response.
I've made some notes on the above, can you advise further please?

- set type dynamic
- set dhgrp 2 (currently on 5)
- set peertype one (is this option only in CLI?)
- set proposal aes256-md5 aes256-sha1 (currently aes256-sha1)
- set negotiate-timeout 15 (can't see this option - CLI only?)
- set peerid "defined a peerid" (we currently have accept any peer ID, however the VPN group as user group - should it still work?)
- phase2:
  - set keepalive enable
  - set pfs disable
  - set proposal aes256-md5 aes256-sha1
- "Diag debug flow is your friend btw. I would suggest you use it for diagnostics of your current problems."

Also, is the config I currently have incorrect? I think the keepalive has not been enabled, probably causing the current config to only allow one person?
I don't think that's the issue, but without seeing the "actual" cfg I can't offer a definite answer; what you posted does seem strange or unique. I never heard of one active session unless it was an IP-assignment issue.
Are you logging in with a 2nd unique user or the same login?
PCNSE
NSE
StrongSwan