tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



Hi,

On 2022/10/20 2:38, Chuck Zmudzinski wrote:
On 10/19/2022 3:06 AM, Mathew, Cherry G.* wrote:
Hello tech-net,

I had a user question about ipsec using racoon.

I have racoon running on a static IP, and I'm able to make sharedkey
connections to it from multiple clients behind NATs over different
ISPs. However, multiple clients behind the same NAT connecting over
NAT-D don't seem to be able to work.

The symptom I see is that the second connection times out the first one,
and the first in-band ppp interface (using xl2tpd) drops.

Hi,

AFAIK, NetBSD does not have a kernel and packages that support multiple L2TP/IPSec VPN clients behind the same NAT.

This page explains why this does not work without special considerations, and also describes a way to work around the problem:

https://forum.mikrotik.com/viewtopic.php?p=652517

Some systems have patches to work around the problem, such as saref in the Linux kernel to distinguish the multiple clients behind the same NAT from each other, which also needs support from the L2TP implementation, I think. With NetBSD and L2TP packages from pkgsrc some patches to the kernel and L2TP packages are probably needed to support multiple L2TP/IPSec VPN clients behind the same NAT.

My co-workers have implemented an extension for the NetBSD kernel to
support multiple L2TP/IPSec VPN clients behind the same NAT.  However,
the design is different from SAref in the Linux kernel: it sends the
outer UDP source port number and destination port number to the
userland daemon via a socket.

We don't have an xl2tpd extension because we don't use xl2tpd, but I can
commit the extension for the NetBSD kernel.  If anyone is interested in
it, I will commit the kernel code.


Thanks,

--
//////////////////////////////////////////////////////////////////////
Internet Initiative Japan Inc.

Device Engineering Section,
Product Division,
Technology Unit

Kengo NAKAHARA <k-nakahara%iij.ad.jp@localhost>
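The following is an added illustration, not code from the thread, from NetBSD, racoon or xl2tpd: a constructed model of why two L2TP/IPsec clients behind one NAT collide on the server, and of what the server gains when the kernel reports the outer NAT-T UDP port to the daemon. Inside ESP every client's L2TP datagram comes from UDP port 1701 and the NAT cannot rewrite that encrypted port, so from the decapsulated tuple alone both clients look identical; only the outer UDP-encapsulation source port, assigned by the NAT, differs. The class names, the "latest SA with the same key wins" tie-break, the SPIs and the port numbers are assumptions made for the illustration.

```python
"""Constructed model (not NetBSD, racoon or xl2tpd code) of the L2TP/IPsec
NAT-T collision: two clients behind one NAT share the NAT's public address
and, inside ESP, the L2TP port 1701; only the outer NAT-T UDP port differs.
A server that picks the outbound SA by (peer address, peer L2TP port) alone
cannot tell the tunnels apart; keying on the outer port as well can."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

L2TP_PORT = 1701


@dataclass(frozen=True)
class NatTSa:
    """One IPsec SA to a client behind the NAT, as the server's kernel holds it."""
    spi: int
    peer_ip: str          # NAT public address, identical for both clients
    peer_natt_port: int   # outer UDP port chosen by the NAT, unique per client


class OutboundSaTable:
    """Kernel-side choice of SA for a packet the L2TP daemon sends to a peer.

    key_on_outer_port=False models a lookup keyed on the decapsulated tuple only;
    True models the lookup when the daemon also supplies the outer NAT-T port.
    """

    def __init__(self, key_on_outer_port: bool) -> None:
        self.key_on_outer_port = key_on_outer_port
        self._table: Dict[Tuple, NatTSa] = {}

    def _key(self, peer_ip: str, peer_port: int, natt_port: Optional[int]) -> Tuple:
        if self.key_on_outer_port:
            return (peer_ip, peer_port, natt_port)
        return (peer_ip, peer_port)

    def install(self, sa: NatTSa) -> None:
        # Assumption for the model: a later SA with the same key replaces the earlier one.
        self._table[self._key(sa.peer_ip, L2TP_PORT, sa.peer_natt_port)] = sa

    def select(self, peer_ip: str, peer_port: int, natt_port: Optional[int]) -> NatTSa:
        return self._table[self._key(peer_ip, peer_port, natt_port)]


@dataclass
class L2tpTunnel:
    """What the userland daemon knows about one tunnel."""
    name: str
    peer_ip: str
    peer_natt_port: Optional[int]   # None when the kernel does not report it


def simulate(kernel_reports_outer_port: bool) -> Dict[str, int]:
    """Bring up two tunnels from one NAT and return the SPI each tunnel's
    replies are sent over. Addresses, ports and SPIs are constructed samples."""
    nat_ip = "203.0.113.7"   # documentation-range address standing in for the NAT
    sa_a = NatTSa(spi=0x1001, peer_ip=nat_ip, peer_natt_port=4500)
    sa_b = NatTSa(spi=0x1002, peer_ip=nat_ip, peer_natt_port=51234)

    kernel = OutboundSaTable(key_on_outer_port=kernel_reports_outer_port)
    kernel.install(sa_a)   # first client connects
    kernel.install(sa_b)   # second client behind the same NAT connects

    def tunnel_for(name: str, sa: NatTSa) -> L2tpTunnel:
        return L2tpTunnel(name, sa.peer_ip,
                          sa.peer_natt_port if kernel_reports_outer_port else None)

    tunnels = [tunnel_for("client-A", sa_a), tunnel_for("client-B", sa_b)]
    return {t.name: kernel.select(t.peer_ip, L2TP_PORT, t.peer_natt_port).spi
            for t in tunnels}


def first_tunnel_survives(kernel_reports_outer_port: bool) -> bool:
    """True when client A's replies still leave over client A's own SA."""
    return simulate(kernel_reports_outer_port)["client-A"] == 0x1001


if __name__ == "__main__":
    for mode in (False, True):
        print("outer port reported to daemon:", mode, "->", simulate(mode))
```

Without the outer port, both tunnels resolve to the second client's SA, so the first client's replies are encrypted with the wrong key and sent to the wrong NAT port, which is the "second connection times out the first one" symptom from the opening message; with the outer port in the key, each tunnel keeps its own SA.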
