Date: Wed, 11 May 2011 21:43:35 -0300 From: "Dr. Rolf Jansen" <rj@cyclaero.com> To: freebsd-net@freebsd.org Subject: multiple clients behind the same NAT connecting a L2TP/IPsec VPN server behind another NAT Message-ID: <042051F4-D309-4317-BBE5-5DF9DEEB342C@cyclaero.com>
I have set up a VPN server on my FreeBSD 8.2 Release i386 machine, using the following requisites:

- customized GENERIC kernel built with the following additional options and devices: IPSEC, IPSEC_FILTERTUNNEL, IPSEC_NAT_T, crypto, enc
- ports/security/ipsec-tools (v0.8.0), compiled with NATT enabled and NATTF disabled
- ports/net/mpd5 (v5.5)

The server sits in the DMZ behind a SOHO router. Everything is working fine so far. I can establish connections from multiple external clients at the same time. Even connections from within a NAT'ed local network via the internet to my L2TP/IPsec server do work.

The only remaining problem is that from behind the same NAT only one client works well. As soon as a connection between a second client and the server has been established, the communication of both breaks down. The racoon log shows nothing noticeable here, and according to the log both connections are established successfully; anyhow, the communication is blocked.

racoon is configured to generate unique policies.

When a client disconnects from the server, racoon usually purges 2 IPsec-SAs shortly after. The interesting thing in the case of 2 clients from the same NAT is that it purges one IPsec-SA from the client just disconnected, and 1 belonging to the client that is still connected. So, it seems that the internal SA housekeeping of racoon got confused.

I have been investigating this for some days already, and finally I would like to ask the experts whether this is perhaps an issue of the ipsec-tools (racoon/setkey), and not with my setup. I am willing to spend more time on this only if there is some chance that this can be resolved.

So, is there anybody out there who can successfully establish VPN connections from multiple clients behind the same NAT to a L2TP/IPsec server running ipsec-tools and mpd5?

If yes, may we please discuss my setup in more detail?
If no, I would still be grateful for some insights.

BTW: Using only mpd5, I also set up a PPTP-VPN server running in parallel to the L2TP/IPsec one. Multiple PPTP-VPN clients behind the same NAT work perfectly well with my server. So, I tend to believe that it is really an issue with the IPsec part and not with the L2TP (mpd5) part of my setup.

Many thanks in advance for any reply

Best regards

Rolf
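A small diagnostic for the SA symptom described in the post above, added here and not part of the original message: it parses `setkey -D` style output (the sample below is constructed, and its layout is an assumption about the ipsec-tools format) and counts SAs per remote address and NAT-T port, so a client left with only one of its two SAs after a stray purge, or several clients sharing one NAT address, stand out. The server address 10.0.0.5 and client addresses are assumed.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `setkey -D` output from ipsec-tools (the
# layout is an assumption, not output from the original post). Two clients
# behind one NAT (203.0.113.7) share an address but use different NAT-T UDP
# ports; the second client is missing its inbound SA, as after a bad purge.
SAMPLE_SETKEY_D = """\
203.0.113.7[4500] 10.0.0.5[4500]
    esp-udp mode=transport spi=256(0x00000100) reqid=0(0x00000000)
10.0.0.5[4500] 203.0.113.7[4500]
    esp-udp mode=transport spi=512(0x00000200) reqid=0(0x00000000)
10.0.0.5[4500] 203.0.113.7[61234]
    esp-udp mode=transport spi=1024(0x00000400) reqid=0(0x00000000)
"""
# Unindented line: "src[port] dst[port]" (no brackets for non-NAT-T SAs).
HEADER_RE = re.compile(r"^(\S+?)(?:\[(\d+)\])?\s+(\S+?)(?:\[(\d+)\])?\s*$")
SPI_RE = re.compile(r"spi=(\d+)")

def parse_sas(text):
    """Return one dict per SA: addresses, NAT-T ports, spi and udp flag."""
    sas = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sas.append({"src": m.group(1), "sport": int(m.group(2) or 0),
                        "dst": m.group(3), "dport": int(m.group(4) or 0),
                        "spi": None, "udp": False})
        elif sas:
            sas[-1]["udp"] |= "esp-udp" in line
            if (sm := SPI_RE.search(line)):
                sas[-1]["spi"] = int(sm.group(1))
    return sas

def sas_per_client(sas, server_ip):
    """Count SAs per remote (address, port). A healthy client holds exactly
    two (inbound + outbound); any other count flags a stray purge."""
    counts = defaultdict(int)
    for sa in sas:
        if sa["dst"] == server_ip:
            counts[(sa["src"], sa["sport"])] += 1
        elif sa["src"] == server_ip:
            counts[(sa["dst"], sa["dport"])] += 1
    return dict(counts)

def shared_nat_clients(sas, server_ip):
    """Addresses seen with more than one port: several clients behind one NAT."""
    ports = defaultdict(set)
    for addr, port in sas_per_client(sas, server_ip):
        ports[addr].add(port)
    return {a: sorted(p) for a, p in ports.items() if len(p) > 1}
```

On a live system, feed it the real output (`setkey -D`) instead of the sample and compare the counts before and after a client disconnects.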