tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: racoon, IKEv1 and multiple ipsec clients behind NAT
On 10/19/2022 3:06 AM, Mathew, Cherry G.* wrote:
> Hello tech-net,
>
> I had a user question about ipsec using racoon.
>
> I have racoon running on a static IP, and I'm able to make sharedkey
> connections to it from multiple clients behind NATs over different
> ISPs. However, multiple clients behind the same NAT connecting over
> NAT-D don't seem to be able to work.
>
> The symptom I see is that the second connection times out the first one,
> and the first in-band ppp interface (using xl2tpd) drops.
Hi,
AFAIK, NetBSD does not have kernel and packages to support the feature of multiple L2TP/IPSec VPN clients behind the same NAT.
This page explains why this does not work without special considerations, and also describes a way to work around the problem:
https://forum.mikrotik.com/viewtopic.php?p=652517
Some systems have patches to work around the problem, such as saref in the Linux kernel to distinguish the multiple clients behind the same NAT from each other, which also needs support from the L2TP implementation, I think. With NetBSD and L2TP packages from pkgsrc some patches to the kernel and L2TP packages are probably needed to support multiple L2TP/IPSec VPN clients behind the same NAT.
Cheers,
Chuck
Home |
Main Index |
Thread Index |
Old Index