[strongSwan] Multiple L2TP-IPsec clients behind the same NAT.

Noel Kuntze noel at familie-kuntze.de
Sat Jun 14 22:39:37 CEST 2014


Hello,

Disable VPN forwarding, because your router can't distinguish between traffic for another IP if the source IP and port are the same for both connections.
E.g. A and B are behind a NAT router. C is the VPN server. The NAT router uses VPN forwarding and only changes the source IP of the packets.
That means that traffic from A and B both appears to come from the IP of the NAT router and port 500.
A can establish a connection just fine. The mapping of the NAT router tells it that all traffic from C and port 500 should go to A.
If B tries to establish an IPsec connection to C, its traffic will be mapped to port 500, too.
C responds to the initiation packet from B correctly and sends it to the NAT router on port 500.
To the NAT router, traffic from C for either A or B looks identical, and it sends it all to A.
The response packet to B's initiation packet never reaches B.

This can be worked around by disabling VPN forwarding on the NAT router, so it maps
different UDP connections from port 500 to different, distinguished high ports.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 14.06.2014 22:21, CpServiceSPb wrote:
> Does StrongSwan 5.1.2+ support multiple L2TP/IPsec clients behind the same NAT configuration?
> That is, some different clients with different Win OSes are behind one NAT with one external IP, and is it possible to have multiple connections from such clients when only one IP, the NAT external IP, will be the IP of the incoming connection?
> At the moment I have not been able to make Win XP and Win 7, situated behind one NAT, work at the same time. Only one connection, the first one, can be established; the second one does not come up until the first one is, for example, disconnected by the user.


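The mapping collision described in the message above, as an added example that is not part of the original post: a constructed Python model of the NAT router's table for IKE on UDP port 500. The class `Nat`, the function `replies_delivered_to`, the host labels and the starting port 40000 are assumptions made for illustration.

```python
class Nat:
    """Constructed model of the NAT router between clients A/B and server C."""

    def __init__(self, preserve_port):
        # True  = "VPN forwarding": only the source IP is rewritten, port stays 500
        # False = ordinary port translation to distinct high ports
        self.preserve_port = preserve_port
        self.flows = {}         # (client, src_port, server) -> external port
        self.table = {}         # (server, external port) -> internal client
        self.next_port = 40000  # constructed first high port

    def outbound(self, client, src_port, server):
        """Forward a packet to the server; return the source port the server sees."""
        flow = (client, src_port, server)
        if flow in self.flows:
            return self.flows[flow]
        if self.preserve_port:
            ext = src_port
            # A's mapping already owns (C, 500); B's flow cannot get its own entry.
            self.table.setdefault((server, ext), client)
        else:
            ext = self.next_port
            self.next_port += 1
            self.table[(server, ext)] = client
        self.flows[flow] = ext
        return ext

    def inbound(self, server, ext_port):
        """Return the internal client that receives the server's reply."""
        return self.table.get((server, ext_port))


def replies_delivered_to(preserve_port):
    """For each client, report which internal host receives C's IKE reply."""
    nat = Nat(preserve_port)
    delivered = {}
    for client in ("A", "B"):
        ext = nat.outbound(client, 500, "C")   # IKE initiation from port 500
        delivered[client] = nat.inbound("C", ext)
    return delivered


if __name__ == "__main__":
    print("VPN forwarding on: ", replies_delivered_to(True))
    print("VPN forwarding off:", replies_delivered_to(False))
```
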