[strongSwan] Multiple vpn clients behind NAT support

Martin Willi martin at strongswan.org
Thu Jul 2 13:35:48 CEST 2015


Hi,

> From behind NAT, only one client is able to connect at a time. If one remote
> access VPN is up, the second VPN connection fails to connect.

The Windows L2TP/IPsec client uses transport mode to secure L2TP. A
gateway can't distinguish two clients behind the same NAT without some
tricks, as they both have the same external IP address.

Given that Windows 7 supports IKEv2 and real IPsec, I highly recommend
considering a switch to that superior protocol [1].

If that is not an option for you, you might have a look at the connmark
plugin [2], which allows you to use Conntrack and Netfilter marks to
bind connections to specific SAs. This is all not that trivial, though.

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
[2]https://wiki.strongswan.org/projects/strongswan/wiki/Connmark
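The following toy model illustrates the mechanism Martin points at: two transport-mode clients behind one NAT present the same external address to the gateway, so a policy lookup keyed on peer address alone returns two candidate SAs for reply traffic, while saving a per-SA mark on the connection (the conntrack/Netfilter mark idea the connmark plugin builds on) makes the choice unique. This is an added example written for this thread, not strongSwan or connmark plugin code; the addresses, SPIs, marks and inner flows are constructed, and the inner flows are deliberately kept distinguishable by source port to keep the model small.

```python
"""Toy model: why one NAT address cannot select between two transport-mode SAs,
and how a mark saved per connection resolves the reply direction.
Constructed example; not strongSwan code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (src_ip, dst_ip, proto, sport, dport)
Flow = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class SA:
    spi: int
    peer_ip: str   # external address as seen by the gateway (shared by both clients)
    mark: int      # unique mark bound to this SA (assumption: one mark per SA)


@dataclass
class Gateway:
    sas: List[SA]
    # flow -> mark saved when the first packet of the flow was decrypted
    conntrack: Dict[Flow, int] = field(default_factory=dict)

    def inbound(self, sa: SA, flow: Flow) -> None:
        """A packet decrypted on `sa`: remember that SA's mark on the flow
        (the role CONNMARK --save-mark plays in Netfilter)."""
        self.conntrack[flow] = sa.mark

    def select_by_address(self, dst_ip: str) -> List[SA]:
        """Plain transport-mode policy lookup: every SA whose peer is dst_ip.
        Ambiguous as soon as two clients sit behind the same NAT."""
        return [sa for sa in self.sas if sa.peer_ip == dst_ip]

    def select_by_mark(self, reply: Flow) -> Optional[SA]:
        """Reply packet: look up the mark saved on the original direction
        (CONNMARK --restore-mark) and pick the SA carrying that mark."""
        src, dst, proto, sport, dport = reply
        original = (dst, src, proto, dport, sport)
        mark = self.conntrack.get(original)
        if mark is None:
            return None
        for sa in self.sas:
            if sa.mark == mark:
                return sa
        return None


def demo() -> dict:
    """Run the scenario from the thread and return the observable results."""
    nat_ip = "203.0.113.7"      # constructed: the NAT's external address
    gw_ip = "198.51.100.1"      # constructed: the gateway's address
    sa_a = SA(spi=0x1001, peer_ip=nat_ip, mark=1)
    sa_b = SA(spi=0x1002, peer_ip=nat_ip, mark=2)
    gw = Gateway([sa_a, sa_b])

    # Constructed inner flows after decryption, one per client.
    flow_a = (nat_ip, gw_ip, "udp", 40001, 1701)
    flow_b = (nat_ip, gw_ip, "udp", 40002, 1701)
    gw.inbound(sa_a, flow_a)
    gw.inbound(sa_b, flow_b)

    # Replies from the gateway back towards the shared NAT address.
    reply_a = (gw_ip, nat_ip, "udp", 1701, 40001)
    reply_b = (gw_ip, nat_ip, "udp", 1701, 40002)
    unknown = (gw_ip, nat_ip, "udp", 1701, 40003)   # no saved state for this flow

    return {
        "address_candidates": len(gw.select_by_address(nat_ip)),  # 2: ambiguous
        "reply_a_spi": gw.select_by_mark(reply_a).spi,            # 0x1001
        "reply_b_spi": gw.select_by_mark(reply_b).spi,            # 0x1002
        "unknown_sa": gw.select_by_mark(unknown),                 # None
    }


if __name__ == "__main__":
    print(demo())
```

The address-based lookup returns both SAs, which is the failure the original question describes; the mark-based lookup returns exactly the SA the request arrived on, and returns nothing for a flow with no saved state rather than guessing, which is the property a gateway needs before it can demultiplex clients behind one NAT.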
