So I received the following email from someone asking about a VPN connection between remote offices and a main office:
I have a TZ170 with a static IP (dsl) at my so called corporate office (server resides in this office). The appliance is set for DHCP for the clients that are set up on the inside of the firewall at that corporate office.
All my remote offices have a basic setup with either cable or DSL (no static IP), behind a modem and a D-Link router. When more than one person in the same remote office connects to the TZ170 at corporate, both clients experience awful delays and disconnections. If only one client connects in that remote office it works great, but as soon as you add another person from the same office that tries to connect, forget it, nothing but problems. Is this because the TZ170 is seeing two tunnels coming from the same IP (ISP assigned)?
Will purchasing another TZ170 for the remote offices solve my problem? Is there an additional configuration that I am missing in the TZ170 that will enable me to do this?
Here is the response I sent:
You are absolutely on the right track. The problem you are having is that more than one person from the same public IP address is establishing a tunnel.
There is not a good way to establish a tunnel using a VPN client from more than one client behind a NAT device to the same central VPN device. In this case, the user has a D-Link router as the NAT device. Some devices do a better job of handling the NAT for IPsec VPN traffic, which is what the SonicWalls use. The only thing he could try in this case, other than the guaranteed solution of implementing a remote-office VPN gateway device, would be to ensure that the D-Link is upgraded to the latest firmware and has the appropriate IPsec pass-through settings. The most reliable solution, though, would be a VPN appliance at each remote office to maintain a site-to-site VPN.
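To confirm the diagnosis above before buying hardware, a practitioner would want to see, from the central gateway's own logs, which public addresses carry more than one client tunnel at the same time and how often those tunnels flap. The script below is an added example, not part of the original exchange and not SonicWall code; it assumes a simplified, constructed session-log format (timestamp, event, public address:port, user) rather than the real TZ170 log syntax, which would need its own parser.

```python
"""Flag public IP addresses that carry more than one concurrent VPN client tunnel.

Added example, not from the original post. The log format below is a constructed
stand-in (timestamp, TUNNEL_UP/TUNNEL_DOWN, public_ip:port, user=...); a real
SonicWall TZ170 log would need a parser written for its actual line layout.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: alice and bob sit in one remote office behind a single
# NAT router (public 203.0.113.5); carol is alone behind 198.51.100.7.
SAMPLE_LOG = """\
2006-03-01T09:00:01 TUNNEL_UP 203.0.113.5:4500 user=alice
2006-03-01T09:00:40 TUNNEL_UP 198.51.100.7:500 user=carol
2006-03-01T09:02:15 TUNNEL_UP 203.0.113.5:4501 user=bob
2006-03-01T09:03:00 TUNNEL_DOWN 203.0.113.5:4500 user=alice
2006-03-01T09:03:30 TUNNEL_UP 203.0.113.5:4500 user=alice
"""


@dataclass
class Event:
    ts: str
    kind: str
    public_ip: str
    port: int
    user: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, endpoint, user_field = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return Event(ts, kind, ip, int(port), user_field.split("=", 1)[1])


def find_shared_nat(log_text: str):
    """Replay the log in order and return two dicts:

    overlaps: public_ip -> set of users whose tunnels were up simultaneously
              from that address (the 'two tunnels from the same IP' case)
    flaps:    public_ip -> number of TUNNEL_DOWN events, a rough measure of the
              disconnections the remote office reports
    """
    active = defaultdict(dict)     # public_ip -> {user: source port}
    overlaps = defaultdict(set)
    flaps = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.kind == "TUNNEL_UP":
            active[ev.public_ip][ev.user] = ev.port
            if len(active[ev.public_ip]) > 1:
                overlaps[ev.public_ip].update(active[ev.public_ip])
        elif ev.kind == "TUNNEL_DOWN":
            active[ev.public_ip].pop(ev.user, None)
            flaps[ev.public_ip] += 1
    return dict(overlaps), dict(flaps)


if __name__ == "__main__":
    shared, drops = find_shared_nat(SAMPLE_LOG)
    for ip, users in shared.items():
        print(f"{ip}: {len(users)} clients behind one NAT ({', '.join(sorted(users))}), "
              f"{drops.get(ip, 0)} drop(s) -> candidate for a site-to-site gateway")
```

An address that shows up in `overlaps` with repeated drops matches the symptom in the email exactly; the remedy the response recommends is to replace the per-client tunnels from that office with one site-to-site tunnel from a gateway device, after which the central appliance sees a single peer per public address.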