Hi all, I'm having some trouble with VPN clients (workstations) connecting to an OBSD 4.2 VPN gateway. All clients sit behind one NATting gateway and are NATted to the same egress IP address. They try to connect to another network behind the VPN gateway. The first connect succeeds, and the client gets its connection (I can track this with ipsecctl -s all on the VPN gateway). Traffic uses NAT-T (udp 4500) as destination, yet the connection gets source-NATted and the source port is changed to some unique value.

This works well. But as soon as the second client connects, the first one is disconnected! The second connection is source-NATted to the same IP, but uses a different source port. ipsecctl shows that both tuples for flows and SAs get replaced by new ones the moment the second client connects. tcpdump on the gateway shows normal IPsec traffic during the first connection until the new one is initiated. After this, no packet for the first connection is sent by the gateway, but all belong to the second one (different SPIs and different source port).

Now I'm a bit unsure. From my understanding, it should be possible to have multiple NAT-T clients use the same external IP address. Is there any limitation that I'm not aware of? Do I need to configure something on the gateway? It's set up for roadwarriors. Here's ipsec.conf:

    ike passive esp tunnel \
        from any to a.b.c.d/24 \
        srcid vpn.gate.way

with a.b.c.d being the network the clients want to connect to and vpn.gate.way the FQDN of the gateway, as it appears in its certificate.

Thx for any hint
/markus