Geekzone: technology news, blogs, forums
Topic # 240370 4-Sep-2018 16:30 (SATTV)

Hi All,

I am struggling with this one.

I have a client that has an office in Auckland and they have several users who remote in from home on occasion to access their desktops / network drives.

A few users have got the Spark wireless broadband at home that is obviously CG-NAT.

I can't for the life of me get a L2TP or PPTP VPN to connect. (I know PPTP is less secure but just want to get them working.)

I know they can apply for a static IP and that is an additional $15 per month but I would try and find other means if possible.

Most devices are W10 Pro 1803 and just using the built-in Windows VPN client.

At the office they are terminating to a Cyberoam UTM.

I have seen on Geekzone people say to use a VPN; are they referring to a site-to-site VPN rather than a dial-in VPN?

Is anyone able to point me in the right direction?

John
I know enough to be dangerous
Reply # 2083959 4-Sep-2018 17:15 (insane)

The clients being behind CGNAT shouldn't have any bearing on the ability to use a 'dial in' style VPN. Sounds more like an issue with an ACL not allowing inbound VPN connections from ANY IP.

Perhaps also get the clients to install the Cyberoam client VPN software.
Reply # 2083966 4-Sep-2018 17:57 (SATTV)

insane:

The clients being behind CGNAT shouldn't have any bearing on the ability to use a 'dial in' style VPN. Sounds more like an issue with an ACL not allowing inbound VPN connections from ANY IP.

Perhaps also get the clients to install the Cyberoam client VPN software.

Thanks for the reply.

I can VPN in from work without issue and so can others who are not on CG-NAT.

John
Reply # 2083968 4-Sep-2018 18:01 (RunningMan)

Not a case of all the affected clients appearing as a single IP to the VPN server, and it not allowing multiple simultaneous connections from the same IP?
Reply # 2083969 4-Sep-2018 18:05 (SATTV)

RunningMan:

Not a case of all the affected clients appearing as a single IP to the VPN server, and it not allowing multiple simultaneous connections from the same IP?

Thanks for the idea; they're not trying to connect at the same time.

John
  Reply # 2084047 4-Sep-2018 20:46

PPTP uses GRE for transport so won't work with CG-NAT.

 

Looks like Cyberoam has SSL VPN support which is probably your best long term option.
Reply # 2084061 4-Sep-2018 20:59 (stinger)

SATTV:

Is anyone able to point me in the right direction?

What is the error message the users are receiving?

CG-NAT should not be the issue. Fact is 99% of the devices in people's homes are behind a NAT from the ADSL/UFB router, so double NATing shouldn't be any more complicated. I've used a CGNAT / NAT combo with OpenVPN without any problems.
Reply # 2084066 4-Sep-2018 21:09 (SATTV)

I will have to grab the exact error tomorrow; basically, after about a minute of saying "Connecting" it fails.
  Reply # 2084071 4-Sep-2018 21:29

Get a static IP address on wireless broadband. Problem solved.
  Reply # 2084072 4-Sep-2018 21:37

stinger:

CG-NAT should not be the issue. Fact is 99% of the devices in people's homes are behind a NAT from the ADSL/UFB router, so double NATing shouldn't be any more complicated. I've used a CGNAT / NAT combo with OpenVPN without any problems.

Home routers often implement workarounds for common NAT issues. CG-NAT doesn't implement these as they simply don't scale to thousands of endpoints.
  Reply # 2084109 4-Sep-2018 23:00

IPv6 VPN?
Reply # 2084324 5-Sep-2018 13:42 (vulcannz)

CGNAT is a pain for IPsec; SSL is probably the best option, as mentioned above. It may also be MTU related: I've had to drop MTU sizes to 1308 or less to handle VPNs coming from crusty 3G/4G or CGNAT networks (and IPsec hates being fiddled with, so anything vaguely fragmenty will kill it).
Reply # 2084407 5-Sep-2018 15:41 (qwerty123)

Those NAT'ed users probably share the same external IP. L2TP uses IPsec transport, and with IPsec you cannot have multiple clients sharing the same external IP because of the way IPsec matches the peer's IP to the secret/certificate, even if NAT traversal is enabled.

PPTP uses TCP for the control connection, but GRE for the tunnel. And with GRE you also cannot have multiple clients sharing the same IP.
Reply # 2084446 5-Sep-2018 17:16 (vulcannz)

qwerty123:

Those NAT'ed users probably share the same external IP. L2TP uses IPsec transport, and with IPsec you cannot have multiple clients sharing the same external IP because of the way IPsec matches the peer's IP to the secret/certificate, even if NAT traversal is enabled.

That's not true for IPsec clients (and aggressive mode).
Reply # 2084535 5-Sep-2018 20:12 (qwerty123)

vulcannz:

That's not true for IPsec clients (and aggressive mode).

Not a problem for clients, but a headache for the server. In the general case you cannot have multiple SAs between the server and multiple clients behind the same NAT IP. Every subsequent client will destroy the already established SA during negotiation.
Reply # 2084555 5-Sep-2018 21:06 (vulcannz)

qwerty123:

vulcannz:

That's not true for IPsec clients (and aggressive mode).

Not a problem for clients, but a headache for the server. In the general case you cannot have multiple SAs between the server and multiple clients behind the same NAT IP. Every subsequent client will destroy the already established SA during negotiation.

Again, that is not true. I've done it plenty. Each connection SA has a unique SPI. Each client can maintain a connection even if everyone is on that same IP. Otherwise you'd have problems with CGNAT, hotels, airport lounges and so forth. I've been in a hotel with 800 people from the same company using the same IPsec VPN portal with no problems whatsoever.

The only time you'd ever see such an issue was a long, long time ago when routers at the client end did not properly support protocols 50 and 51, and couldn't handle multiple outbound NAT sessions for IPsec.

Network security is what I do for a job. VPNs are a big part of that (IPsec site-to-site/client and SSL). Over the last 18 years I've worked with VPNs on SonicWall/Juniper/Netscreen/Palo Alto/Fortinet/and Checkpoint boxes.
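Added example, not from this thread or from any vendor's code: a toy Python simulation of how an IKEv2 responder tells several clients behind one CGNAT address apart, the point argued between qwerty123 and vulcannz above. It implements the NAT detection digest from RFC 7296 section 2.23 and keys each IKE SA by its SPI pair rather than by peer address; all addresses, ports and SPIs are constructed sample values.

```python
import hashlib
import ipaddress
import os
import struct

ZERO_SPI = b"\x00" * 8  # SPIr is all zeros in the IKE_SA_INIT request header


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE/DESTINATION_IP payload data (RFC 7296 s2.23):
    SHA-1 over SPIi | SPIr | IP address | port, as the sender itself sees them."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


class Responder:
    """Toy IKEv2 responder: IKE SAs are keyed by the SPI pair, never by peer IP."""

    def __init__(self):
        self.sas = {}  # (spi_i, spi_r) -> info about the NAT-mapped outer address

    def handle_sa_init(self, spi_i, nat_src_hash, outer_ip, outer_port):
        # Recompute the initiator's hash from the outer source actually observed.
        # A NAT that rewrote the IP or port on the way makes the digests differ.
        expected = nat_detection_hash(spi_i, ZERO_SPI, outer_ip, outer_port)
        behind_nat = nat_src_hash != expected
        spi_r = os.urandom(8)  # random responder SPI, unique per IKE SA
        self.sas[(spi_i, spi_r)] = {
            "peer": (outer_ip, outer_port),  # reply address incl. NAT-mapped port
            "udp_encap": behind_nat,         # use ESP-in-UDP (port 4500) behind NAT
        }
        return spi_r, behind_nat


def connect_through_nat(responder, spi_i, private_ip, nat_ip, nat_port):
    """One client at private_ip:500 whose packet a CGNAT rewrites to nat_ip:nat_port."""
    # The initiator hashes the address it believes it has (the pre-NAT one).
    claimed = nat_detection_hash(spi_i, ZERO_SPI, private_ip, 500)
    return responder.handle_sa_init(spi_i, claimed, nat_ip, nat_port)


def demo():
    """Constructed sample: two home clients share one CGNAT address, a third does not."""
    r = Responder()
    _, nat_a = connect_through_nat(r, b"\x01" * 8, "10.64.0.5", "203.0.113.7", 40001)
    _, nat_b = connect_through_nat(r, b"\x02" * 8, "10.64.0.9", "203.0.113.7", 40002)
    _, nat_c = connect_through_nat(r, b"\x03" * 8, "198.51.100.2", "198.51.100.2", 500)
    # Both NAT'ed SAs coexist: same outer IP, distinct SPI pairs and mapped ports.
    return len(r.sas), nat_a, nat_b, nat_c
```

PPTP's GRE tunnel carries no UDP port for the CGNAT to map per client, which is why the same demultiplexing is not available there.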