Multiple VPN connections behind NAT

Question

I have the following problem:

I have Windows 2003 RAS VPN server configured with a single Nic (let's call it LAN1) behind a firewall (lets call it's public address WAN1). PPTP & L2TP ports are forwarded to the Server.

When a client (Windows or LINUX) in a remote network behind a firewall (LAN2) tries to connect to a PPTP VPN on the WAN1 everything goes fine.

When a second client in the same LAN2 tries to connect to the same VPN on the same WAN1 I get an error 629.

It's independant of which machine gets the first connection.

Apparently the problem is also independant of the router/firewall hardware of LAN2 (We have tested it from at least five different types of remote small router/firewalls - linksys, huawey, d-link, etc.)

The firewall WAN1 listens to two internet connections. The problem is independant of which external address the clients are pointing to (even if two different workstations point to different IP addresses to attempt to stablish a vpn).

Inside LAN1, there is no such limitation and multiple workstations connect just fine.

Theres also no limitation from different remote LANs.

Is this a limitation of PPTP protocol?

Thanx in advance.

Answer 1

From your description it sounds like the issue is at the remote end. You mention that when a second user from LAN2 attempts to reach the same VPN server at WAN1 you receive an error.

Depending on the firewall mechanism in use there can be a "limitation" that exists with regard to PPTP connection tracking and multiple VPN connections to the same server address.

Google: pptp multiple connections to same ip

Due to the way in which NAT tracks PPTP connections, specific modules need to be loaded in order to handle multiple connections to a single server.

If it's netfilter based, make sure 'nf_conntrack_pptp' and 'nf_nat_pptp' are loaded.