Geekzone: technology news, blogs, forums

Reply # 2084640 6-Sep-2018 00:19

vulcannz:

Again that is not true. I've done it plenty. Each connection SA has a unique SPI. Each client can maintain a connection even if everyone is on that same IP. Otherwise you'd have problems with CGNAT, hotels, airport lounges and so forth. I've been in a hotel with 800 people from the same company using the same IPSEC VPN portal with no problems whatsoever.

The only time you'd ever see such an issue was a long, long time ago when routers at the client end did not properly support Protocols 50 and 51, and couldn't handle multiple outbound NAT sessions for IPSEC.

Network security is what I do for a job. VPNs are a big part of that (IPSEC site-to-site/client and SSL). Over the last 18 years I've worked with VPNs on Sonicwall/Juniper/Netscreen/Palo Alto/Fortinet/and Checkpoint boxes.

You are again referring to clients. The VPN gateway should have the capability to distinguish clients behind the same IP by some kind of mapping (like using connmarks/SAref on Linux; I would not argue about Juniper/Cisco/whatever). With the Windows L2TP/IPsec (IKEv1) combo it's even more tricky, because clients behind the same NAT device will try to install the same IPsec policy <public NAT IP>[udp/l2tp] === <server IP>[udp/l2tp]. The Windows L2TP client always uses udp/1701 as source and destination ports and does not care about NAT device mappings. IKEv2 is probably a solution; the Windows IPsec implementation supports it, but Cyberoam UTM does not.

Appreciate your 18 years of broad experience, but the devil hides in the details. I would advise the topic starter to use something like OpenVPN or buy static IPs for remote clients.
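Added example, not code from this thread, from Cyberoam or from any vendor: a small gateway-side model of the two mechanisms the two posters are talking about. ESP carried inside UDP 4500 (NAT traversal, RFC 3948) is demultiplexed by the 32-bit SPI in the ESP header, so two clients behind one public address get separate SAs, which is the point vulcannz makes. A Windows-style L2TP/IPsec transport-mode selector <NAT IP>[udp/1701] === <server IP>[udp/1701] is identical for both clients, which is the collision qwerty123 describes. The addresses, the NAT-assigned ports, and all class and function names are constructed for the illustration; the model does not reproduce how Cyberoam or any real gateway behaves.

```python
"""Gateway-side model: why ESP-in-UDP clients behind one NAT stay apart,
and why the Windows-style L2TP/IPsec selector does not.
Added illustration; not Cyberoam's or any vendor's code. All values constructed."""
import secrets
import struct
from dataclasses import dataclass

UDP_NAT_T = 4500   # IKE and ESP-in-UDP port for NAT traversal (RFC 3948)
UDP_L2TP = 1701    # L2TP port; the Windows client uses it as source and destination
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero bytes prefix an IKE message on UDP 4500


@dataclass(frozen=True)
class Sa:
    spi: int          # inbound SPI chosen by this gateway, unique per SA (RFC 4303)
    peer_ip: str      # public (NAT) address the client appears from
    peer_port: int    # UDP source port after NAT; differs per client even on one IP
    client_id: str


class NatTGateway:
    def __init__(self):
        self.by_spi = {}          # inbound SPI -> Sa
        self.l2tp_policies = {}   # transport-mode selector -> client_id

    def _new_spi(self):
        # SPIs 1-255 are reserved; otherwise pick an unused random 32-bit value
        while True:
            spi = secrets.randbits(32)
            if spi > 255 and spi not in self.by_spi:
                return spi

    def negotiate_esp(self, client_id, nat_ip, nat_port):
        """Stand-in for the IKE exchange: bind a fresh inbound SPI to this client's NAT mapping."""
        sa = Sa(self._new_spi(), nat_ip, nat_port, client_id)
        self.by_spi[sa.spi] = sa
        return sa

    def demux(self, src_ip, src_port, udp_payload):
        """Classify one datagram received on UDP 4500.
        Returns ("ike", None), ("esp", client_id) or ("drop", None)."""
        if len(udp_payload) < 8:
            return ("drop", None)
        if udp_payload[:4] == NON_ESP_MARKER:
            return ("ike", None)
        spi, _seq = struct.unpack("!II", udp_payload[:8])   # ESP header: SPI, sequence number
        sa = self.by_spi.get(spi)
        if sa is None or (sa.peer_ip, sa.peer_port) != (src_ip, src_port):
            # Unknown SPI, or a known SPI arriving from a NAT mapping it was not bound to.
            # (A real gateway may instead update the mapping after a NAT keepalive/MOBIKE.)
            return ("drop", None)
        return ("esp", sa.client_id)

    def install_l2tp_policy(self, client_id, nat_ip, server_ip):
        """Transport-mode selector as the Windows L2TP/IPsec client requests it:
        <NAT IP>[udp/1701] <-> <server IP>[udp/1701]. Two clients behind one NAT
        produce the same selector, so the second one cannot be installed."""
        selector = (nat_ip, UDP_L2TP, server_ip, UDP_L2TP)
        owner = self.l2tp_policies.get(selector)
        if owner is not None and owner != client_id:
            return False
        self.l2tp_policies[selector] = client_id
        return True


def esp_in_udp(spi, seq, ciphertext):
    """Build the UDP payload of an ESP-in-UDP packet (RFC 3948 section 2.1)."""
    return struct.pack("!II", spi, seq) + ciphertext


def demo(nat_ip="203.0.113.10", server_ip="198.51.100.1"):
    """Two clients behind the same constructed NAT address; returns what each path does."""
    gw = NatTGateway()
    alice = gw.negotiate_esp("alice", nat_ip, 40001)  # the NAT gave each client its own port
    bob = gw.negotiate_esp("bob", nat_ip, 40002)
    body = b"\x00" * 16   # stand-in for encrypted payload plus ESP trailer/ICV
    return {
        "distinct_spi": alice.spi != bob.spi,
        "alice_esp": gw.demux(nat_ip, 40001, esp_in_udp(alice.spi, 1, body)),
        "bob_esp": gw.demux(nat_ip, 40002, esp_in_udp(bob.spi, 1, body)),
        "spi_from_wrong_mapping": gw.demux(nat_ip, 40001, esp_in_udp(bob.spi, 1, body)),
        "ike": gw.demux(nat_ip, 40001, NON_ESP_MARKER + b"\x00" * 28),
        "l2tp_alice": gw.install_l2tp_policy("alice", nat_ip, server_ip),
        "l2tp_bob": gw.install_l2tp_policy("bob", nat_ip, server_ip),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints one line per check: both ESP packets reach their own client, a valid SPI arriving from the wrong NAT mapping is dropped, and the second L2TP selector is refused. Whether a given product actually suffers the selector collision is exactly what the thread disputes; the model only shows where the two mechanisms differ.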


Reply # 2084683 6-Sep-2018 07:52

qwerty123:

You are again referring to clients. The VPN gateway should have the capability to distinguish clients behind the same IP by some kind of mapping (like using connmarks/SAref on Linux; I would not argue about Juniper/Cisco/whatever). With the Windows L2TP/IPsec (IKEv1) combo it's even more tricky, because clients behind the same NAT device will try to install the same IPsec policy <public NAT IP>[udp/l2tp] === <server IP>[udp/l2tp]. The Windows L2TP client always uses udp/1701 as source and destination ports and does not care about NAT device mappings. IKEv2 is probably a solution; the Windows IPsec implementation supports it, but Cyberoam UTM does not.

Appreciate your 18 years of broad experience, but the devil hides in the details. I would advise the topic starter to use something like OpenVPN or buy static IPs for remote clients.

Of course I would refer to clients; that is the subject of the topic. The statement made was that multiple clients behind a CGNAT IP cannot use IPSEC because they share an IP and the terminating device (Cyberoam) with IPSEC cannot handle that (not true). He is not using a Windows RRAS server; even so, Windows IPSEC doesn't have this issue either. IKEv2 is irrelevant. Cyberoam uses OpenVPN afaik.

 

 




Reply # 2085100 6-Sep-2018 15:25

Thanks for all the help, folks. One user has just got a static IP and can now connect. One other user is house sitting and so she can't get a static IP on her internet as it is not hers; the last house also had Spark wireless.

I think the issue might be with the Cyberoam; we have another client that uses a DrayTek and users can VPN to that without issue over the Spark mobile network.

I don't want to create an OpenVPN server, but if I have to, I have to.

Thanks again.

John





Reply # 2085120 6-Sep-2018 16:05

I have used an OpenVPN server behind numerous routers, or on Raspberry Pis or ODroid C2s, which are awesome SBCs. OpenVPN is rock solid if you use SSL certificates, which is super easy if you follow these instructions: https://github.com/Nyr/openvpn-install

Otherwise, getting a static IP on Spark Wireless Broadband works well; the only issue could be if you get DDoSed, or random inbound traffic from the background noise that is the internet. While an outbound OpenVPN can be chatty depending on how you configure it, a publicly facing internet address might have more background noise.






Reply # 2085141 6-Sep-2018 16:57

SATTV:

Thanks for all the help, folks. One user has just got a static IP and can now connect. One other user is house sitting and so she can't get a static IP on her internet as it is not hers; the last house also had Spark wireless.

I think the issue might be with the Cyberoam; we have another client that uses a DrayTek and users can VPN to that without issue over the Spark mobile network.

I don't want to create an OpenVPN server, but if I have to, I have to.

Thanks again.

John

https://www.cyberoam.com/downloads/TechReading/HowToConfigureSSLVPNinCyberoam.pdf

