I have set up a VPN server on my FreeBSD 8.2-RELEASE i386 machine, using the 
following prerequisites:

  - customized GENERIC kernel built with the following
    additional options and devices:
    IPSEC, IPSEC_FILTERTUNNEL, IPSEC_NAT_T, crypto, enc

  - ports/security/ipsec-tools (v0.8.0)
    compiled with NATT enabled and NATTF disabled

  - ports/net/mpd5 (v5.5)


The server sits in the DMZ behind a SOHO router. Everything is working fine so 
far. I can establish connections from multiple external clients at the same 
time. Even connections from within a NAT'ed local network via the internet to 
my L2TP/IPsec server do work.

The only remaining problem is that from behind the same NAT only one client 
works well. As soon as a connection between a second client and the server has 
been established, the communication of both breaks down. The racoon log shows 
nothing noticeable here; according to the log both connections are 
established successfully, but the communication is blocked anyway.

racoon is configured to generate unique policies.

When a client disconnects from the server, racoon usually purges 2 IPsec SAs 
shortly afterwards. The interesting thing in the case of 2 clients from the same NAT 
is that it purges one IPsec SA of the client that just disconnected, and 1 
belonging to the client that is still connected. So it seems that racoon's 
internal SA housekeeping got confused.

I have been investigating this for some days already, and finally I would like 
to ask the experts whether this is perhaps an issue with ipsec-tools 
(racoon/setkey) and not with my setup. I am willing to spend more time on this 
only if there is some chance that it can be resolved.

So, is there anybody out there who can successfully establish VPN connections 
from multiple clients behind the same NAT to an L2TP/IPsec server running 
ipsec-tools and mpd5?

If yes, could we discuss my setup in more detail?

If no, I would still be grateful for some insights.


BTW: Using only mpd5, I also set up a PPTP VPN server running in parallel to the 
L2TP/IPsec one. Multiple PPTP VPN clients behind the same NAT work perfectly 
well with my server, so I tend to believe that it is really an issue with the 
IPsec part and not with the L2TP (mpd5) part of my setup.

Many thanks in advance for any reply

Best regards

Rolf
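A check that makes the SA purge behaviour described above reproducible on the server side, added here as an example; it is not code from the post or from ipsec-tools. It parses two SAD dumps (taken before and after a client disconnects) and reports any SA of a still-connected peer that was purged, or any SA of the disconnected peer that survived. The embedded dumps are constructed and only approximate the layout of `setkey -D` output (an unindented "src dst" line per SA followed by indented detail lines); the addresses, NAT-T ports and SPIs are made up. Both clients share the NAT's public address and differ only by UDP port, which is exactly what racoon has to keep apart.

```python
import re
from collections import defaultdict

# Constructed sample of a `setkey -D` (SAD) dump, approximating the layout
# ipsec-tools prints: an unindented "src dst" line per SA, then indented
# detail lines. Addresses are documentation ranges, SPIs are made up.
# Server: 203.0.113.7. Both clients sit behind one NAT at 198.51.100.2,
# so they differ only in the NAT-T UDP port (4500 vs 61001).
SAD_BEFORE = """\
203.0.113.7[4500] 198.51.100.2[4500]
\tesp-udp mode=transport spi=16909060(0x01020304) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2[4500] 203.0.113.7[4500]
\tesp-udp mode=transport spi=16909061(0x01020305) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.7[4500] 198.51.100.2[61001]
\tesp-udp mode=transport spi=16909062(0x01020306) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2[61001] 203.0.113.7[4500]
\tesp-udp mode=transport spi=16909063(0x01020307) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed dump after the port-4500 client disconnected, mirroring the
# symptom in the post: one SA of the disconnected client and one SA of the
# still-connected client (port 61001) are gone.
SAD_AFTER_BAD = """\
198.51.100.2[4500] 203.0.113.7[4500]
\tesp-udp mode=transport spi=16909061(0x01020305) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.7[4500] 198.51.100.2[61001]
\tesp-udp mode=transport spi=16909062(0x01020306) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# What a correct purge would leave: only the SA pair of port 61001.
SAD_AFTER_GOOD = """\
203.0.113.7[4500] 198.51.100.2[61001]
\tesp-udp mode=transport spi=16909062(0x01020306) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.2[61001] 203.0.113.7[4500]
\tesp-udp mode=transport spi=16909063(0x01020307) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

ENDPOINT = re.compile(r"([^\[\s]+)(?:\[(\d+)\])?")

def parse_endpoint(token):
    """'198.51.100.2[4500]' -> ('198.51.100.2', 4500); no port -> None."""
    m = ENDPOINT.fullmatch(token)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def parse_sad(dump):
    """Turn a SAD dump into a list of {src, dst, spi, mode, state} dicts."""
    sas, cur = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # header line: "src dst"
            src, dst = line.split()[:2]
            cur = {"src": parse_endpoint(src), "dst": parse_endpoint(dst),
                   "spi": None, "mode": None, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key in ("spi", "mode", "state"):   # pick fields off detail lines
            m = re.search(r"\b%s=(\w+)" % key, line)
            if m:
                cur[key] = int(m.group(1)) if key == "spi" else m.group(1)
    return sas

def peer_of(sa, server_ip):
    """The non-server endpoint (address, port) of an SA."""
    return sa["dst"] if sa["src"][0] == server_ip else sa["src"]

def sas_by_peer(sas, server_ip):
    """Group SPIs by peer; each live client should own exactly one pair."""
    groups = defaultdict(list)
    for sa in sas:
        groups[peer_of(sa, server_ip)].append(sa["spi"])
    return dict(groups)

def audit_purge(before_dump, after_dump, server_ip, disconnected_peer):
    """Report SAs the purge got wrong: removed from a still-connected peer,
    or left behind for the peer that disconnected."""
    before, after = parse_sad(before_dump), parse_sad(after_dump)
    remaining = {sa["spi"] for sa in after}
    findings = []
    for sa in before:
        peer = peer_of(sa, server_ip)
        if sa["spi"] not in remaining and peer != disconnected_peer:
            findings.append("purged spi=%d of still-connected peer %s[%s]"
                            % (sa["spi"], peer[0], peer[1]))
    for sa in after:
        if peer_of(sa, server_ip) == disconnected_peer:
            findings.append("spi=%d of disconnected peer survived the purge"
                            % sa["spi"])
    return findings

if __name__ == "__main__":
    print(sas_by_peer(parse_sad(SAD_BEFORE), "203.0.113.7"))
    for f in audit_purge(SAD_BEFORE, SAD_AFTER_BAD, "203.0.113.7",
                         ("198.51.100.2", 4500)):
        print("BAD:", f)
```

On the real box the two dumps would come from `setkey -D` run before and after the client drops; feeding them to `audit_purge` with the server address and the (address, port) pair of the client that disconnected gives a concrete list of which SPIs went wrong, which is easier to discuss on the list than a log that reports both connections as established.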

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"