[strongSwan] Multiple L2TP-IPsec clients behind the same NAT.
noel at familie-kuntze.de
Sat Jun 14 22:39:37 CEST 2014
Disable VPN forwarding, because your router can't distinguish between traffic for another IP if the source IP and port are the same for both connections.
E.g., A and B are behind a NAT router. C is the VPN server. The NAT router uses VPN forwarding and only changes the source IP of the packets.
That means that traffic from A and B both appears to come from the IP of the NAT router and port 500.
A can establish a connection just fine. The mapping of the NAT router tells it that all traffic from C and port 500 should go to A.
If B tries to establish an IPsec connection to C, its traffic will be mapped to port 500, too.
C responds to the initiation packet from B correctly and sends it to the NAT router on port 500.
To the NAT router, traffic from C for either A or B looks identical, and it sends it all to A.
The response packet to B's initiation packet never reaches B.
This can be worked around by disabling VPN forwarding on the NAT router, so it maps different UDP connections from port 500 to different, distinguished high ports.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 14.06.2014 22:21, CpServiceSPb . wrote:
> Does StrongSwan 5.1.2+ support multiple L2TP/IPsec clients behind the same NAT configuration?
> That is, several different clients with different Win OSes are behind one NAT with one external IP; are multiple connections from such clients possible when only one IP, the NAT external IP, will be the IP of the incoming connections?
> At the moment I have not been able to make Win XP and Win 7, sited behind one NAT, work at the same time. Only one connection, the first one, can be established; the second one does not come up until the first one is, for example, disconnected by the user.
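The mapping collision described in the message above, as an added simulation that is not part of the original thread. The addresses, the `Nat` class and the dynamic port range starting at 40000 are constructed for illustration; the "first mapping wins" behaviour follows the description in the message.

```python
from dataclasses import dataclass, field

IKE_PORT = 500
A, B = "192.168.1.10", "192.168.1.11"   # constructed LAN clients
C = "198.51.100.10"                     # constructed VPN server

@dataclass
class Nat:
    public_ip: str
    vpn_forwarding: bool                # True: keep source port 500, rewrite only the IP
    next_port: int = 40000              # assumed start of the dynamic port range
    forward: dict = field(default_factory=dict)   # (inside ip, port) -> public port
    reverse: dict = field(default_factory=dict)   # (public port, remote ip, remote port) -> inside ip

    def outbound(self, inside_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN; return the source (ip, port) the server sees."""
        if self.vpn_forwarding and src_port == IKE_PORT:
            public_port = IKE_PORT
        else:
            flow = (inside_ip, src_port)
            if flow not in self.forward:
                self.forward[flow] = self.next_port
                self.next_port += 1
            public_port = self.forward[flow]
        # An existing entry is kept, so with a preserved port B collides with A's entry.
        self.reverse.setdefault((public_port, dst_ip, dst_port), inside_ip)
        return self.public_ip, public_port

    def inbound(self, src_ip, src_port, dst_port):
        """Return the inside host a reply is delivered to, or None if unmapped."""
        return self.reverse.get((dst_port, src_ip, src_port))

def simulate(vpn_forwarding):
    """Both clients send an IKE initiation to C; report who receives each reply."""
    nat = Nat("203.0.113.1", vpn_forwarding)
    delivered = {}
    for host in (A, B):
        _, seen_port = nat.outbound(host, IKE_PORT, C, IKE_PORT)
        # C answers to the source address and port it saw on the initiation packet.
        delivered[host] = nat.inbound(C, IKE_PORT, seen_port)
    return delivered

if __name__ == "__main__":
    for mode in (True, False):
        print("VPN forwarding" if mode else "port translation", simulate(mode))
```
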