Firewall – Can’t connect VPN tunnel when other on same NAT-router is connected

Tags: firewall, l2tp, vpn

We have recently changed our FW to a ZyWall 310 with drastically improved throughput over the old one. However, there is a new problem that has occurred: we have several L2TP/IPSec clients that connect to the FW remotely. But if two of these try to connect from a remote office with a NAT-router, only the first can connect; the other one is refused. This is a new issue, even though most settings are very similar to those on the previous FW.

It seems that there is some sort of policy conflict when multiple clients connect from the same remote public IP? The only log message that can guide us here is the IKE log:

ISAKMP SA [Default_L2TP_VPN_GW] is disconnected

There is a config "Use Policy Route to control dynamic IPSec rules" in the IPSec VPN connection settings – should this be unchecked?

Thanks for any suggestions with this issue!

Best Answer

To the best of my knowledge, some NATs can detect the call ID "conflict" and will modify them to keep the multiple VPN connections unique. The NAT must have a PPTP editor to allow this. This of course isn't something router manufacturers generally advertise on their spec sheets; you will need to go digging around on their website to find it. For example, on the Netgear routers' VPN support page, you will see that some Netgear routers only support one VPN connection; this will be where they can't modify the call IDs, while some other routers can support multiple VPN connections. So kindly contact the Zyxel support center and make sure it supports multiple VPN connections.
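As an added illustration (not part of the question or the answer above, and not a model of Zyxel's actual implementation): a toy NAT router and VPN gateway showing why a responder that identifies remote peers by their public IP alone admits only the first L2TP/IPsec client from behind a NAT, while one that keys peers on the NAT-T (IP, UDP port) pair admits both. All addresses and the `PortNat`/`Gateway` classes are constructed for this example.

```python
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.10"  # constructed address (RFC 5737 documentation range)


@dataclass
class PortNat:
    """Toy port-address translation: each inside (ip, port) gets its own outside port."""
    public_ip: str
    _ports: count = field(default_factory=lambda: count(4500))
    _table: dict = field(default_factory=dict)

    def translate(self, inside_ip: str, inside_port: int = 4500) -> tuple[str, int]:
        key = (inside_ip, inside_port)
        if key not in self._table:
            self._table[key] = next(self._ports)
        return (self.public_ip, self._table[key])


class Gateway:
    """Toy IPsec responder that keeps at most one SA per peer key."""

    def __init__(self, key_on_port: bool):
        self.key_on_port = key_on_port  # False: peer is identified by public IP only
        self.sas: set = set()
        self.log: list[str] = []

    def connect(self, src: tuple[str, int]) -> bool:
        peer = src if self.key_on_port else src[0]
        if peer in self.sas:
            # The second client looks like a duplicate of the first and is refused.
            self.log.append(f"ISAKMP SA with {peer} is disconnected")
            return False
        self.sas.add(peer)
        return True


def run_scenario(key_on_port: bool) -> list[bool]:
    """Two clients behind one NAT router try to connect; return each client's outcome."""
    nat = PortNat(PUBLIC_IP)
    gw = Gateway(key_on_port)
    clients = ["192.168.1.20", "192.168.1.21"]  # constructed private addresses
    return [gw.connect(nat.translate(ip)) for ip in clients]


if __name__ == "__main__":
    print("peer keyed on IP only    :", run_scenario(False))  # [True, False]
    print("peer keyed on IP and port:", run_scenario(True))   # [True, True]
```

Whether the ZyWall actually keys peers this way is not established by the thread; the model only shows the symptom that would result if it did.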