On 10/19/2022 3:06 AM, Mathew, Cherry G.* wrote:
> Hello tech-net,
> I had a user question about ipsec using racoon.
> I have racoon running on a static IP, and I'm able to make sharedkey
> connections to it from multiple clients behind NATs over different
> ISPs. However, multiple clients behind the same NAT connecting over
> NAT-D don't seem to be able to work.
> The symptom I see is that the second connection times out the first one,
> and the first in-band ppp interface (using xl2tpd) drops.
Hi,
AFAIK, NetBSD does not have the kernel and package support needed for multiple L2TP/IPsec VPN clients behind the same NAT.
This page explains why this does not work without special considerations, and also describes a way to work around the problem:
https://forum.mikrotik.com/viewtopic.php?p=652517
Some systems have patches to work around the problem, such as saref in the Linux kernel, which distinguishes multiple clients behind the same NAT from each other and, I think, also needs support from the L2TP implementation. With NetBSD and the L2TP packages from pkgsrc, some patches to the kernel and the L2TP packages are probably needed to support multiple L2TP/IPsec VPN clients behind the same NAT.
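To make the failure mode in the thread concrete, here is an added toy model of the server-side lookups. It is my own illustration, not code from NetBSD, racoon, xl2tpd or the Linux saref patch, and the addresses, SPIs and NAT port numbers are constructed. The model shows that two clients behind one NAT are distinct at the IKE/ESP layer (different SPIs and NAT-T ports) but produce the same transport-mode selector, 203.0.113.5:1701, so the second client's outbound policy replaces the first's and the L2TP daemon merges both peers into one tunnel; it then shows how tagging each decrypted packet with a reference to the SA it arrived on, the idea behind saref, lets the L2TP side key tunnels and outbound SA selection on that tag.

```python
"""Toy model: two L2TP/IPsec clients behind one NAT on a server whose
SPD is keyed by transport-mode selector alone, versus one that carries
a per-SA reference (saref) from decryption up to the L2TP daemon.
Constructed illustration; not an implementation of any real stack."""

from dataclasses import dataclass

SERVER_IP = "198.51.100.1"   # constructed: the server's static address
NAT_IP = "203.0.113.5"       # constructed: public address both clients share
L2TP_PORT = 1701


@dataclass(frozen=True)
class SA:
    spi: int          # unique per client: ESP itself does not collide
    nat_port: int     # NAT-T UDP port the NAT assigned: also unique per client
    peer_ip: str      # transport-mode selector as seen after NAT
    peer_port: int    # inner UDP port; L2TP uses 1701 on both clients
    client: str       # ground truth for the model: who this SA belongs to


class IpsecStack:
    """Server-side SAD/SPD. Without saref, outbound policy is looked up by
    selector only. With saref, the L2TP daemon supplies the SA reference of
    the tunnel and the lookup is by (selector, saref)."""

    def __init__(self, saref: bool):
        self.saref = saref
        self.sad = {}   # spi -> SA
        self.spd = {}   # outbound key -> spi

    def install(self, sa: SA) -> None:
        self.sad[sa.spi] = sa
        sel = (sa.peer_ip, sa.peer_port)
        key = (sel, sa.spi) if self.saref else sel
        # Without saref a second SA with the same selector silently
        # replaces the earlier policy: this is the collision.
        self.spd[key] = sa.spi

    def inbound(self, spi: int):
        """Decapsulate a packet received on SA `spi`; return the peer
        address/port the L2TP daemon sees plus the saref tag (if any)."""
        sa = self.sad[spi]
        tag = sa.spi if self.saref else None
        return sa.peer_ip, sa.peer_port, tag

    def outbound(self, peer_ip: str, peer_port: int, saref=None) -> str:
        """Select the SA for an outbound L2TP datagram; return the client
        that actually receives it."""
        sel = (peer_ip, peer_port)
        key = (sel, saref) if self.saref else sel
        return self.sad[self.spd[key]].client


class L2tpDaemon:
    """Keys tunnels on (peer ip, peer port, saref)."""

    def __init__(self, ipsec: IpsecStack):
        self.ipsec = ipsec
        self.tunnels = {}   # key -> client that set the tunnel up

    def receive(self, spi: int):
        key = self.ipsec.inbound(spi)
        # A new client whose key matches an existing tunnel is merged into it.
        self.tunnels.setdefault(key, self.ipsec.sad[spi].client)
        return key

    def send(self, key) -> str:
        peer_ip, peer_port, saref = key
        return self.ipsec.outbound(peer_ip, peer_port, saref)


def scenario(saref: bool) -> dict:
    """Client A connects, then client B behind the same NAT. Report how
    many L2TP tunnels the server holds and where replies to each end up."""
    ipsec = IpsecStack(saref)
    l2tp = L2tpDaemon(ipsec)
    a = SA(spi=0x1001, nat_port=40001, peer_ip=NAT_IP, peer_port=L2TP_PORT, client="A")
    b = SA(spi=0x1002, nat_port=40002, peer_ip=NAT_IP, peer_port=L2TP_PORT, client="B")
    ipsec.install(a)
    key_a = l2tp.receive(a.spi)   # A's tunnel comes up
    ipsec.install(b)
    key_b = l2tp.receive(b.spi)   # B arrives with the same selector
    return {
        "tunnels": len(l2tp.tunnels),
        "reply_to_A_reaches": l2tp.send(key_a),
        "reply_to_B_reaches": l2tp.send(key_b),
    }


if __name__ == "__main__":
    print("selector only:", scenario(saref=False))
    print("with saref:   ", scenario(saref=True))
```

Without the tag, the server ends up with a single tunnel entry and replies meant for A go out over B's SA, which is the "second connection times out the first one" symptom from the question; with the tag, both tunnels survive and each reply is sent over the right SA. The real fix needs the same tag to exist in the kernel and to be honoured by the L2TP daemon, which is why the reply above notes that both need patching.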