tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



On Wed, Oct 19, 2022 at 07:06:39AM +0000, Mathew, Cherry G.* wrote:
> Hello tech-net,
> 
> I had a user question about ipsec using racoon.
> 
> I have racoon running on a static IP, and I'm able to make sharedkey
> connections to it from multiple clients behind NATs over different
> ISPs. However, multiple clients behind the same NAT connecting over
> NAT-D don't seem to be able to work.
> 
> The symptom I see is that the second connection times out the first one,
> and the first in-band ppp interface (using xl2tpd) drops.
> 
> Before posting configs, logs etc, I wanted to ask if we are able to
> support multiple clients (say behind a residential ISP router NAT)
> creating independent l2tp/ipsec transport connections (eg: from multiple
> phone devices etc.)


I've been there. If I remember properly, it did work from my home
(where the NAT router is NetBSD/ipf) but not from another house (where
the NAT router is the ISP-provided one).

I'm not sure I remember properly the details but I think it was an issue with
port numbers: while NetBSD's NAT doesn't special case UDP port 4500 (and
remaps it to something different for each client),
the ISP-provided one did, and remapped 4500 to 4500 on the public
interface. So the server sees both clients' packets from the same IP
and the same UDP port (4500) and confuses them.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
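The port-collision mechanism described in the reply above, as an added toy model that is not part of the thread: a NAT that keeps UDP 4500 as the public port for every client versus one that picks a fresh port per client, and a server that keys its peer table by the packet's (source IP, source port). The NAT policies, addresses and the peer-table shape are constructed assumptions, not racoon's or ipf's actual implementation.

```python
# Added illustration (not from the thread): why two IKE NAT-T clients behind
# one NAT collide when the NAT keeps UDP 4500 as the public port.
# The NAT policies and the server's peer table are constructed assumptions.
from dataclasses import dataclass, field

IKE_NATT_PORT = 4500


@dataclass
class Nat:
    """Minimal NAT: maps (private ip, port) -> public port."""
    public_ip: str
    preserve_4500: bool          # True models the ISP router in the thread
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # (priv_ip, port) -> public port

    def translate(self, priv_ip: str, port: int) -> tuple:
        key = (priv_ip, port)
        if key not in self.table:
            if self.preserve_4500 and port == IKE_NATT_PORT:
                # Port-preserving NAT: every client's 4500 becomes public 4500,
                # so a second client reuses the same public (ip, port) pair.
                self.table[key] = IKE_NATT_PORT
            else:
                # NetBSD/ipf-style behaviour from the thread: fresh port per client
                self.table[key] = self.next_port
                self.next_port += 1
        return self.public_ip, self.table[key]


def server_sessions(nat: Nat, clients: list) -> dict:
    """Server side: a peer table keyed by the packet's (src ip, src port).
    A later client overwriting an earlier key models the 'second connection
    times out the first' symptom from the original question."""
    peers = {}
    for client in clients:
        src = nat.translate(client, IKE_NATT_PORT)
        peers[src] = client          # same key -> previous client's entry is lost
    return peers


def surviving_clients(nat: Nat, clients: list) -> list:
    """Which private clients still have a distinct session at the server."""
    return sorted(server_sessions(nat, clients).values())


if __name__ == "__main__":
    two = ["10.0.0.2", "10.0.0.3"]   # constructed: two phones behind one NAT
    print("port-preserving NAT:", surviving_clients(Nat("203.0.113.5", True), two))
    print("per-client remap NAT:", surviving_clients(Nat("203.0.113.5", False), two))
```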

