Hi,

I got a rather specific question:
Me and my colleague are connecting to a cisco VPN server with our
Cisco VPN clients from different computers in our office network. The
VPN server, which resides in another country, "receives" our
connections from the same IP (our xDSL internet connection dynamic IP
address).
This seems to work, but only for a few minutes (10 or so). After
working for a few minutes our connection is "reset by peer".
Ofcourse this delays our work and we would like to stay connected
until we disconnect ourselves (like it does when we use different
internet connections).

Anyone has any idea how we can solve this?
Maybe I didn't mention this clearly enough, but we're residing in the
same network and connecting through a router to the xDSL modem.

Thanks in advance!

Kind Regards,
S.

[ Post a follow-up to this message ]

In article <1b58b4f1.0409161317.21eb40b2@posting.google.com>,
Anubis <dd_devils@hotmail.com> wrote:
:I got a rather specific question:
:Me and my colleague are connecting to a cisco VPN server with our
:Cisco VPN clients from different computers in our office network. The
:VPN server, which resides in another country, "receives" our
:connections from the same IP (our xDSL internet connection dynamic IP
:address).
:This seems to work, but only for a few minutes (10 or so). After
:working for a few minutes our connection is "reset by peer".
:Ofcourse this delays our work and we would like to stay connected
:until we disconnect ourselves (like it does when we use different
:internet connections).

:Anyone has any idea how we can solve this?
:Maybe I didn't mention this clearly enough, but we're residing in the
:same network and connecting through a router to the xDSL modem.

Do the disconnects coincide with other people starting up sessions?
If so then your problem is that the protocols used for VPNs (AH, ESP, and
sometimes GRE) do not have 'ports' so it is not possible for your xDSL
router to figure out -which- internal client to send an incoming AH, ESP,
or GRE packet to.

If this is what is happening to you then the solution is to use VPN client
3.5 or later; use software on the VPN server that is no older than roughly
the beginning of 2003; configure any filters or firewalls on your xDSL
router to allow UDP port 4500 in both directions, and to configure the
VPN server to have "NAT Traversal" enabled. With that all done, the
VPN client and VPN server will negotiate UDP ports to communicate
over, and will encapsulate the IPSec packets within UDP. Note that
as the UDP is dynamically allocated, your filters or firewall must allow
the dynamic port range through. If your firewall happens to be a
Cisco PIX then you could have it do that automatically by using
6.3(2) or later and configuring  isakmp nat-traversal 20  -- that will
tell the PIX to monitor the nat traversal negotiations and automatically
open the proper ports.

--
Warhol's Law: every Usenet user is entitled to his or her very own
fifteen minutes of flame                  -- The Squoire

[ Post a follow-up to this message ]

"Anubis" <dd_devils@hotmail.com> wrote in message
news:1b58b4f1.0409161317.21eb40b2@posting.google.com...
> Hi,
>
> I got a rather specific question:
> Me and my colleague are connecting to a cisco VPN server with our
> cisco VPN clients from different computers in our office network. The
> VPN server, which resides in another country, "receives" our
> connections from the same IP (our xDSL internet connection dynamic IP
> address).
> This seems to work, but only for a few minutes (10 or so). After
> working for a few minutes our connection is "reset by peer".
> Ofcourse this delays our work and we would like to stay connected
> until we disconnect ourselves (like it does when we use different
> internet connections).
>
> Anyone has any idea how we can solve this?
> Maybe I didn't mention this clearly enough, but we're residing in the
> same network and connecting through a router to the xDSL modem.
>
> Thanks in advance!
>
> Kind Regards,
> S.

I ran into something like this once. I found that if the crypto acl
specified the vpn destination ip of the terminating vpn device, the isakmp
could not renegotiate as required and would die when its lifetime expired.

[ Post a follow-up to this message ]