[strongSwan] Multiple vpn clients behind NAT support
Volker Rümelin
vr_strongswan at t-online.de
Thu Jul 2 21:57:06 CEST 2015
Hi Martin,
> If that is not an option for you, you might have a look at the connmark
> plugin [2], which allows you to use Conntrack and Netfilter marks to
> bind connections to specific SAs. This is all not that trivial, though.
>
> [2]https://wiki.strongswan.org/projects/strongswan/wiki/Connmark
>
Windows IPsec/L2TP clients always select port 1701 as source port for
the L2TP packets. I don't know how the CONNMARK target can restore the
correct Netfilter mark in the OUTPUT mangle chain when the tuple (src,
dst, sport, dport) is identical for all Windows clients behind the same
NAT router. I guess the Connmark plugin works with a high probability
for clients selecting a random source port, but not for multiple Windows
clients.
Regards,
Volker
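The tuple collision Volker describes, as an added illustration that is not part of the original thread and is not strongSwan's connmark plugin or the Linux conntrack code. It models only the one property his reasoning rests on: conntrack identifies a flow by (proto, src, sport, dst, dport) and CONNMARK --restore-mark copies that flow's mark back onto the reply. The addresses, the per-SA marks and the port lists are constructed; how the real plugin behaves in this case is outside what the post says.

```python
"""Toy model of conntrack-based mark restoration for L2TP/IPsec clients
behind one NAT router.  Added example; not strongSwan or kernel code."""

from typing import Dict, List, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

NAT_PUBLIC_IP = "203.0.113.7"    # constructed: NAT router's outside address
VPN_SERVER_IP = "198.51.100.10"  # constructed: the strongSwan gateway
L2TP_PORT = 1701


class ConntrackTable:
    """Flows keyed by 5-tuple; each flow remembers exactly one mark."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple5, int] = {}

    def prerouting_set_mark(self, pkt: Tuple5, sa_mark: int) -> None:
        """Model of: -t mangle -A PREROUTING ... -j CONNMARK --set-mark <SA>.

        The first packet of a tuple creates the flow; later packets with
        the same tuple hit the existing flow and do not create a second
        one, even if they arrived through a different SA."""
        self.flows.setdefault(pkt, sa_mark)

    def output_restore_mark(self, reply: Tuple5) -> Optional[int]:
        """Model of: -t mangle -A OUTPUT -j CONNMARK --restore-mark.

        The reply is matched against the flow in the reverse direction."""
        proto, src, sport, dst, dport = reply
        return self.flows.get((proto, dst, dport, src, sport))


def route_clients(client_sports: List[int]) -> List[Optional[int]]:
    """Simulate N clients behind the same NAT, one SA each (mark 1..N).

    Returns the mark restored on the reply to each client.  The correct
    result is [1, 2, ..., N]; a repeated value means the reply to one
    client is bound to another client's SA."""
    ct = ConntrackTable()
    for sa_mark, sport in enumerate(client_sports, start=1):
        inbound = ("udp", NAT_PUBLIC_IP, sport, VPN_SERVER_IP, L2TP_PORT)
        ct.prerouting_set_mark(inbound, sa_mark)
    restored = []
    for sport in client_sports:
        reply = ("udp", VPN_SERVER_IP, L2TP_PORT, NAT_PUBLIC_IP, sport)
        restored.append(ct.output_restore_mark(reply))
    return restored


def windows_clients(n: int) -> List[Optional[int]]:
    """Windows L2TP clients: every one uses source port 1701."""
    return route_clients([L2TP_PORT] * n)


def random_port_clients(ports: List[int]) -> List[Optional[int]]:
    """Clients that picked distinct ephemeral source ports (constructed)."""
    return route_clients(ports)


if __name__ == "__main__":
    print("three Windows clients, all sport 1701:", windows_clients(3))
    print("three clients, distinct sports:",
          random_port_clients([40001, 40002, 40003]))
```

With distinct source ports every client owns its own flow and gets its own mark back; with three clients all on port 1701 only one flow exists, so every reply is marked for the first client's SA, which is the failure the post anticipates.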