tech-net archive
Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Hi,
On Wed, Oct 19, 2022 at 07:06:39AM +0000, Mathew, Cherry G.* wrote:
> I have racoon running on a static IP, and I'm able to make sharedkey
> connections to it from multiple clients behind NATs over different
> ISPs. However, multiple clients behind the same NAT connecting over
> NAT-D don't seem to be able to work.
Going off on a tangent, IPSEC has a long history of conflicting with
NATs (like, carrier-grade NATs on IPv4-starved ISPs, etc.).
There are two ways to avoid that - use IPv6 on both ends (this is not
a joke, one of my large customers did so a few weeks ago, because
they had IPSEC+carrier-grade-NAT issues to no end, and now ~70% of
their users come in using IPv6 transport and all works nicely), or
use a more NAT-friendly VPN protocol.
Depending on your needs, OpenVPN or Wirecard might be an option.
(I will, of course, advocate OpenVPN, but I'm slightly biased :-) )
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert%greenie.muc.de@localhost