tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



On 10/19/2022 3:06 AM, Mathew, Cherry G.* wrote:
> Hello tech-net,
>
> I had a user question about ipsec using racoon.
>
> I have racoon running on a static IP, and I'm able to make shared-key
> connections to it from multiple clients behind NATs over different
> ISPs. However, multiple clients behind the same NAT connecting over
> NAT-D don't seem to be able to work.
>
> The symptom I see is that the second connection times out the first one,
> and the first in-band ppp interface (using xl2tpd) drops.

Hi,

AFAIK, NetBSD does not have kernel and packages to support the feature of multiple L2TP/IPSec VPN clients behind the same NAT.

This page explains why this does not work without special considerations, and also describes a way to work around the problem:

https://forum.mikrotik.com/viewtopic.php?p=652517

Some systems have patches to work around the problem, such as saref in the Linux kernel to distinguish the multiple clients behind the same NAT from each other, which also needs support from the L2TP implementation, I think. With NetBSD and L2TP packages from pkgsrc some patches to the kernel and L2TP packages are probably needed to support multiple L2TP/IPSec VPN clients behind the same NAT.

Cheers,

Chuck

