[strongSwan] Multiple vpn clients behind NAT support

Volker Rümelin vr_strongswan at t-online.de
Thu Jul 2 21:57:06 CEST 2015


Hi Martin,

> If that is not an option for you, you might have a look at the connmark
> plugin [2], which allows you to use Conntrack and Netfilter marks to
> bind connections to specific SAs. This is all not that trivial, though.
>
> [2]https://wiki.strongswan.org/projects/strongswan/wiki/Connmark
>

Windows IPsec/L2TP clients always select port 1701 as source port for 
the L2TP packets. I don't know how the CONNMARK target can restore the 
correct Netfilter mark in the OUTPUT mangle chain when the tuple (src, 
dst, sport, dport) is identical for all Windows clients behind the same 
NAT router. I guess the Connmark plugin works with a high probability 
for clients selecting a random source port, but not for multiple Windows 
clients.

Regards,
Volker
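The tuple collision Volker describes, as an added toy model that is not code from strongSwan's connmark plugin or from this thread: conntrack entries are keyed on the decapsulated packet's (src, dst, sport, dport) tuple, the inbound packet saves its SA's mark, and the gateway's reply tries to restore it. Gateway and NAT addresses, ports and SA marks are constructed sample values.

```python
# Toy model of CONNMARK save/restore keyed on the conntrack tuple. Added
# illustration only, not strongSwan code; all addresses, ports and marks
# below are constructed sample values.
L2TP_PORT = 1701

def reply_tuple(tup):
    """Reverse a (src, dst, sport, dport) tuple to get the reply direction."""
    src, dst, sport, dport = tup
    return (dst, src, dport, sport)

def save_mark(conntrack, tup, mark):
    """CONNMARK --save-mark on the inbound (decapsulated) packet: remember
    which SA (identified here by its mark) the flow arrived through."""
    conntrack[tup] = mark

def restore_mark(conntrack, out_tup):
    """CONNMARK --restore-mark in the OUTPUT mangle chain: find the entry the
    reply belongs to. Returns None when no conntrack entry matches."""
    return conntrack.get(reply_tuple(out_tup))

def simulate(clients, gateway="198.51.100.1", nat_ip="203.0.113.5"):
    """clients: list of (name, sa_mark, l2tp_source_port). Each client sends
    one decapsulated L2TP packet through its own SA, then the gateway answers
    each one. Returns {client name: mark restored for its reply}."""
    conntrack = {}
    inbound = {}
    for name, sa_mark, sport in clients:
        # Transport mode has a single IP header, the outer one, so after NAT-T
        # the source is the NAT router's public address for every client and
        # only the UDP ports can tell the flows apart.
        tup = (nat_ip, gateway, sport, L2TP_PORT)
        save_mark(conntrack, tup, sa_mark)
        inbound[name] = tup
    # Gateway replies: the OUTPUT chain restores a mark per client reply.
    return {name: restore_mark(conntrack, reply_tuple(tup))
            for name, tup in inbound.items()}

def has_tuple_collision(clients, gateway="198.51.100.1", nat_ip="203.0.113.5"):
    """True when two clients map to the same conntrack tuple, so one client's
    saved SA mark is overwritten by another's and replies go to the wrong SA."""
    tuples = {(nat_ip, gateway, sport, L2TP_PORT) for _, _, sport in clients}
    return len(tuples) < len(clients)

if __name__ == "__main__":
    windows = [("win-A", 0x1, L2TP_PORT), ("win-B", 0x2, L2TP_PORT)]
    print("fixed sport 1701:", simulate(windows), has_tuple_collision(windows))
    random_port = [("cli-A", 0x1, 50123), ("cli-B", 0x2, 61877)]
    print("random sport:", simulate(random_port), has_tuple_collision(random_port))
```

With both Windows clients sharing the tuple, the second client's mark overwrites the first, so every reply is sent through the last SA that delivered a packet; clients with distinct random source ports keep separate entries.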

