[strongSwan] Multiple vpn clients behind NAT support

Jayapal Reddy jayapalatiiit at gmail.com
Thu Jul 2 08:20:27 CEST 2015


Hi all,

I have the below scenario.


                                                         |------win vpn client1
    VirtualRouter(VpnServer) -----------Firewall/NAT ----|
                                                         |-------win vpn client2

I am using strongSwan version 4.5.2
# ipsec --version
Linux strongSwan U4.5.2/K3.2.0-4-686-pae


Problem:
From behind NAT only one client is able to connect at a time. If one remote
access VPN is up, the second VPN connection fails to connect.


Is there a way to connect multiple VPN clients behind NAT to the VPN server?
Is it supported in strongSwan?

From a Google search it seems it is not supported, but I want confirmation
from you guys.


Below are the logs:
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7:
NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7: Peer
ID is ID_IPV4_ADDR: '10.1.1.196'
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222 #7:
deleting connection "L2TP_PSK" instance with peer 10.147.52.222
{isakmp=#0/ipsec=#0}
Jun 26 06:59:54 r-314-VM pluto[23641]: | NAT-T: new mapping
10.147.52.222:500/1024)
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sent MR3, ISAKMP SA established
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8:
NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8:
responding to Quick Mode

Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8:
cannot install eroute -- it is in use for "L2TP_PSK"[4] 10.147.52.222:4500 #6
Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 06:59:59 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 06:59:59 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session
opened for user root by (uid=0)
Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session
closed for user root
Jun 26 07:00:06 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 07:00:06 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:21 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 07:00:21 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:36 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 07:00:36 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
received Vendor ID payload [RFC 3947]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
ignoring Vendor ID payload [FRAGMENTATION]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500:
ignoring Vendor ID payload [IKE CGA version 1]
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[7] 10.147.52.222 #9:
responding to Main Mode from unknown peer 10.147.52.222
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[7] 10.147.52.222 #9:
NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[7] 10.147.52.222 #9: Peer
ID is ID_IPV4_ADDR: '10.1.1.196'
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222 #9:
deleting connection "L2TP_PSK" instance with peer 10.147.52.222
{isakmp=#0/ipsec=#0}
Jun 26 07:00:51 r-314-VM pluto[23641]: | NAT-T: new mapping
10.147.52.222:500/1024)
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024 #9:
sent MR3, ISAKMP SA established
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024
#10: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024
#10: responding to Quick Mode
Jun 26 07:00:51 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024
#10: cannot install eroute -- it is in use for "L2TP_PSK"[4]
10.147.52.222:4500 #6
Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7:
received Delete SA payload: deleting ISAKMP State #7
Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024:
deleting connection "L2TP_PSK" instance with peer 10.147.52.222
{isakmp=#0/ipsec=#0}
Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024 #9:
received Delete SA payload: deleting ISAKMP State #9
Jun 26 07:00:52 r-314-VM pluto[23641]: "L2TP_PSK"[8] 10.147.52.222:1024:
deleting connection "L2TP_PSK" instance with peer 10.147.52.222
{isakmp=#0/ipsec=#0}

Thanks,
Jayapal
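Added example, not from the original post or from strongSwan: a small Python check that scans pluto log lines in the format shown above and flags each "cannot install eroute -- it is in use" event whose blocking instance shares the same public IP as the new instance (what two clients behind one NAT look like to the responder), plus a count of rejected repeat Message IDs per ISAKMP SA. The sample log lines are constructed in the post's format; the connection and address values are the post's own.

```python
import re
from collections import Counter

# Constructed sample, in the same format as the pluto output quoted in the post.
SAMPLE_LOG = """\
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7: NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sent MR3, ISAKMP SA established
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: responding to Quick Mode
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: cannot install eroute -- it is in use for "L2TP_PSK"[4] 10.147.52.222:4500 #6
Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Pluto state lines: <timestamp> <host> pluto[pid]: "<conn>"[<inst>] <ip>[:<port>] #<sa>: <msg>
PLUTO_RE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<ip>[\d.]+)(?::(?P<port>\d+))? #(?P<sa>\d+): (?P<msg>.*)$')
# The instance that already holds the eroute the new Quick Mode tried to install.
EROUTE_RE = re.compile(
    r'cannot install eroute -- it is in use for "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<ip>[\d.]+):(?P<port>\d+) #(?P<sa>\d+)')


def analyse(log_text):
    """Return (collisions, retries).

    collisions: one dict per eroute collision; same_nat is True when the holder
    and the new instance share one public IP, i.e. a second client behind the
    same NAT is competing for the eroute of the first.
    retries: Counter of repeated-Message-ID rejections per (conn, inst, sa),
    showing the losing client stuck retransmitting Quick Mode.
    """
    collisions, retries = [], Counter()
    for line in log_text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # CRON lines and pluto debug lines without a state prefix
        e = EROUTE_RE.search(m['msg'])
        if e:
            collisions.append({
                'new': (m['conn'], int(m['inst']), m['ip'], int(m['port'] or 500)),
                'holder': (e['conn'], int(e['inst']), e['ip'], int(e['port'])),
                'same_nat': m['ip'] == e['ip'],
            })
        elif 'previously used Message ID' in m['msg']:
            retries[(m['conn'], int(m['inst']), int(m['sa']))] += 1
    return collisions, retries
```

Running `analyse(SAMPLE_LOG)` reports one collision between instance [6] and holder [4], both from 10.147.52.222, and two rejected retransmits for SA #7.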