[strongSwan] Windows native L2TP/IPsec with multiple clients behind the same IP (NAT)

[Jaime Vargas]

Hi Diego,

I'm the one who started the thread you referenced. Until now I have
had semi-success with XP, and it was a bit of a kludge. What we did
was create a script that would poke around the registry to create a
secondary IP address for the network card and assign it the address
that the PC would have received if XP supported ModeConfig, and then
create a tunnel IPsec policy between that address and the strongSwan
gateway.

The reason to do that bit about the IP address is that if you just
create the tunnels with the private IP you turn the problem of not
conflict between two PCs within the same networks into the MUCH more
problematic conflict between all the PCs from different networks that
are all using, say, 192.168.1.2.

I haven't been able to do the same in Vista yet, because Microsoft
decided some day that tunnel mode is for routers and as such shouldn't
be allowed behind NAT. The provided a Hotfix for that but I haven't
been able to make it work.

For 7 I guess it's best to investigate IKEv2.

On Thu, Aug 26, 2010 at 10:27 PM, Diego Morales <morales at propus.com.br> wrote:
> Hello,
>
> I have a strongswan (+ xl2tpd) road-warrior setup for windows native L2TP/IPsec clients,
> using PSK (I known that's not quite recommended for security, but I prefer to stick
> to it for now).
>
> It works, except for the case of two+ clients with the same valid address,
> e.g. behind the same NAT device. The best thread I've found about it is this
> one:
>
> https://lists.strongswan.org/pipermail/users/2009-June/003481.html
>
> So the question is, does anybody known of a success case for a setup like this
> (multiple native windows XP/vista/7 clients behind nat on a strongswan server)?
>
> Thanks in advance,
>
> --
> Diego Morales
> Propus
> http://www.propus.com.br
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>