[strongSwan] Multiple L2TP-IPsec clients behind the same NAT.

Noel Kuntze noel at familie-kuntze.de
Sat Jun 14 22:39:37 CEST 2014


Hello,

Disable VPN forwarding, because your router can't distinguish traffic for different IPs if the source IP and port are the same for both connections.
E.g., A and B are behind a NAT router. C is the VPN server. The NAT router uses VPN forwarding and only changes the source IP of the packets.
That means that traffic from A and B both appears to come from the IP of the NAT router and port 500.
A can establish a connection just fine. The mapping of the NAT router tells it that all traffic from C and port 500 should go to A.
If B tries to establish an IPsec connection to C, its traffic will be mapped to port 500, too.
C responds to the initiation packet from B correctly and sends it to the NAT router on port 500.
To the NAT router, traffic from C for either A or B looks identical, so it sends it all to A.
The response packet to B's initiation packet never reaches B.

This can be worked around by disabling VPN forwarding on the NAT router, so it maps
different UDP connections from port 500 to different, distinguished high ports.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 14.06.2014 22:21, CpServiceSPb . wrote:


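The following is an added example, not part of the mail above and not strongSwan code: a small Python model of the two NAT behaviours Noel describes. Hosts A and B behind one NAT each send an IKE initiation (UDP source port 500) to VPN server C; with the "VPN forwarding" behaviour (source IP rewritten, port 500 preserved) C's reply to B is delivered to A, while with ordinary NAPT (a distinct high port per inside flow) both replies reach their owners. All addresses are constructed, and the `Nat` class is a deliberate simplification of what a real router does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Minimal NAT model (constructed for this example).

    preserve_ports=True models the "VPN forwarding" behaviour from the mail:
    only the source IP is rewritten, the source port (500) is kept.
    preserve_ports=False models plain NAPT: each inside flow gets its own
    distinct high public port.
    """

    def __init__(self, public_ip, preserve_ports):
        self.public_ip = public_ip
        self.preserve_ports = preserve_ports
        self._out_map = {}  # (in_ip, in_port, dst_ip, dst_port) -> public port
        self._in_map = {}   # (public port, remote ip, remote port) -> (in_ip, in_port)
        self._next_port = 40000

    def translate_out(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out_map:
            if self.preserve_ports:
                pub_port = pkt.src_port
            else:
                pub_port = self._next_port
                self._next_port += 1
            self._out_map[key] = pub_port
            # The first inside host to claim a public (port, peer) tuple keeps it;
            # with preserved ports B's flow collides with A's and gets no entry of its own.
            self._in_map.setdefault((pub_port, pkt.dst_ip, pkt.dst_port),
                                    (pkt.src_ip, pkt.src_port))
        return Packet(self.public_ip, self._out_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Inside (ip, port) an inbound packet is delivered to, or None."""
        return self._in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))


SERVER_C = "198.51.100.10"                  # constructed address for VPN server C
HOST_A, HOST_B = "10.0.0.2", "10.0.0.3"     # constructed inside addresses


def simulate(preserve_ports):
    """Return {inside host: inside (ip, port) its IKE reply was delivered to}."""
    nat = Nat("203.0.113.1", preserve_ports)  # constructed public address
    delivered = {}
    for host in (HOST_A, HOST_B):
        out = nat.translate_out(Packet(host, 500, SERVER_C, 500))
        # C answers to exactly the source it saw on the wire.
        reply = Packet(SERVER_C, 500, out.src_ip, out.src_port)
        delivered[host] = nat.translate_in(reply)
    return delivered


def hosts_without_reply(delivered):
    """Inside hosts whose reply ended up somewhere else (or nowhere)."""
    return sorted(h for h, target in delivered.items() if target != (h, 500))


if __name__ == "__main__":
    for mode in (True, False):
        result = simulate(mode)
        print("VPN forwarding" if mode else "NAPT", result,
              "lost replies for:", hosts_without_reply(result))
```

Running it prints that B loses its reply under VPN forwarding and nothing is lost under NAPT, which is the collision on the (public IP, 500, C, 500) tuple that the mail describes.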


