<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)">Hi all,</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)">I have the below scenario.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)">                                                                                |------win vpn client1</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)">    VirtualRouter(VpnServer) -----------Firewall/NAT ----|</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)">                                                                                |-------win vpn client2</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(51,0,153)">I am using strongSwan version 4.5.2</div><div class="gmail_default" style="color:rgb(51,0,153)"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"># ipsec --version</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Linux strongSwan U4.5.2/K3.2.0-4-686-pae</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><b>Problem:</b></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">From behind NAT 
only one client is able to connect at a time. If one remote access VPN is up, the second VPN connection fails to connect.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Is there a way to connect multiple VPN clients behind NAT to the VPN server?</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Is it supported in strongSwan?</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">From a Google search it seems it is not supported, but I want confirmation from you guys.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Below are the logs:</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7: NAT-Traversal: Result using RFC 3947: peer is NATed</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7: Peer ID is ID_IPV4_ADDR: '10.1.1.196'</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222 #7: deleting connection "L2TP_PSK" instance with peer 10.147.52.222 {isakmp=#0/ipsec=#0}</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: | NAT-T: new mapping <a href="http://10.147.52.222:500/1024">10.147.52.222:500/1024</a>)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sent MR3, ISAKMP SA established</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #8: responding to Quick Mode</span><br>
<b><span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #8: cannot install eroute -- it is in use for "L2TP_PSK"[4] <a href="http://10.147.52.222:4500">10.147.52.222:4500</a> #6</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)</span></b><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sending encrypted notification INVALID_MESSAGE_ID to <a href="http://10.147.52.222:1024">10.147.52.222:1024</a></span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sending encrypted notification INVALID_MESSAGE_ID to <a href="http://10.147.52.222:1024">10.147.52.222:1024</a></span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:59 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 06:59:59 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sending encrypted notification INVALID_MESSAGE_ID to <a href="http://10.147.52.222:1024">10.147.52.222:1024</a></span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session opened for user root by (uid=0)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session closed for user root</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:06 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:06 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sending encrypted notification INVALID_MESSAGE_ID to <a href="http://10.147.52.222:1024">10.147.52.222:1024</a></span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:21 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:21 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sending encrypted notification INVALID_MESSAGE_ID to <a href="http://10.147.52.222:1024">10.147.52.222:1024</a></span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:36 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:36 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: sending encrypted notification INVALID_MESSAGE_ID to <a href="http://10.147.52.222:1024">10.147.52.222:1024</a></span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: received Vendor ID payload [RFC 3947]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: ignoring Vendor ID payload [FRAGMENTATION]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: ignoring Vendor ID payload [Vid-Initial-Contact]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: packet from <a href="http://10.147.52.222:500">10.147.52.222:500</a>: ignoring Vendor ID payload [IKE CGA version 1]</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[7] 10.147.52.222 #9: responding to Main Mode from unknown peer 10.147.52.222</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[7] 10.147.52.222 #9: NAT-Traversal: Result using RFC 3947: peer is NATed</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[7] 10.147.52.222 #9: Peer ID is ID_IPV4_ADDR: '10.1.1.196'</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222 #9: deleting connection "L2TP_PSK" instance with peer 10.147.52.222 {isakmp=#0/ipsec=#0}</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: | NAT-T: new mapping <a href="http://10.147.52.222:500/1024">10.147.52.222:500/1024</a>)</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #9: sent MR3, ISAKMP SA established</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #10: NAT-Traversal: received 2 NAT-OA. using first, ignoring others</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #10: responding to Quick Mode</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #10: cannot install eroute -- it is in use for "L2TP_PSK"[4] <a href="http://10.147.52.222:4500">10.147.52.222:4500</a> #6</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #7: received Delete SA payload: deleting ISAKMP State #7</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[6] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a>: deleting connection "L2TP_PSK" instance with peer 10.147.52.222 {isakmp=#0/ipsec=#0}</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[8] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a> #9: received Delete SA payload: deleting ISAKMP State #9</span><br>
<span style="font-stretch:normal;font-size:13px;font-family:Arial">Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[8] <a href="http://10.147.52.222:1024">10.147.52.222:1024</a>: deleting connection "L2TP_PSK" instance with peer 10.147.52.222 {isakmp=#0/ipsec=#0}</span></div><div class="gmail_default"><font face="Arial"><br></font></div><div class="gmail_default"><font face="Arial">Thanks,</font></div><div class="gmail_default"><font face="Arial">Jayapal<br></font>
<span style="font-stretch:normal;font-size:13px;font-family:Arial"></span><br></div></div></div>
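<p>Added example, not part of the original message: a small Python triage script that pulls the "cannot install eroute" conflicts out of a pluto log in the format shown above and reports which connection instance is blocked by which, and whether both use the same peer address with different source ports. The sample lines are copied from the log above with the HTML markup removed; the function names are hypothetical.</p>

```python
import re
from collections import Counter

# Lines copied from the log in the post above, HTML markup removed.
SAMPLE_LOG = '''\
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: responding to Quick Mode
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: cannot install eroute -- it is in use for "L2TP_PSK"[4] 10.147.52.222:4500 #6
Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session closed for user root
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024 #10: cannot install eroute -- it is in use for "L2TP_PSK"[4] 10.147.52.222:4500 #6
'''

# One pluto connection instance as logged: "name"[n] ip[:port]
INSTANCE = r'"(?P<{p}conn>[^"]+)"\[(?P<{p}inst>\d+)\] (?P<{p}ip>[\d.]+)(?::(?P<{p}port>\d+))?'
EROUTE = re.compile(
    r'pluto\[\d+\]: ' + INSTANCE.format(p='new_') + r' #(?P<new_state>\d+): '
    r'cannot install eroute -- it is in use for '
    + INSTANCE.format(p='old_') + r' #(?P<old_state>\d+)')


def eroute_conflicts(log_text):
    """Return one dict per 'cannot install eroute' line found in log_text."""
    conflicts = []
    for line in log_text.splitlines():
        m = EROUTE.search(line)
        if not m:
            continue  # other pluto messages, CRON lines, etc.
        d = m.groupdict()
        conflicts.append({
            "blocked": (int(d["new_inst"]), d["new_ip"], d["new_port"]),
            "holder": (int(d["old_inst"]), d["old_ip"], d["old_port"]),
            # Same peer address, different source port: matches the
            # several-clients-behind-one-NAT scenario the post describes.
            "same_ip_other_port": (d["new_ip"] == d["old_ip"]
                                   and d["new_port"] != d["old_port"]),
        })
    return conflicts


def summarize(log_text):
    """Aggregate conflicts and count INVALID_MESSAGE_ID notifications sent."""
    conflicts = eroute_conflicts(log_text)
    return {
        "conflicts": len(conflicts),
        "same_ip_other_port": sum(c["same_ip_other_port"] for c in conflicts),
        "invalid_message_id": log_text.count(
            "sending encrypted notification INVALID_MESSAGE_ID"),
        "holders": dict(Counter(c["holder"] for c in conflicts)),
    }
```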