tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT




On October 19, 2022 5:56:11 PM UTC, Gert Doering <gert%greenie.muc.de@localhost> wrote:
>Hi,
>
>On Wed, Oct 19, 2022 at 07:06:39AM +0000, Mathew, Cherry G.* wrote:
>> I have racoon running on a static IP, and I'm able to make sharedkey
>> connections to it from multiple clients behind NATs over different
>> ISPs. However, multiple clients behind the same NAT connecting over
>> NAT-D don't seem to be able to work.
>
>Going off a tangent, IPSEC has a long history of conflicting with
>NATs (like, carrier-grade NATs on IPv4 starved ISPs, etc.).
>
>There are two ways to avoid that - use IPv6 on both ends (this is not
>a joke, one of my large customers did so a few weeks ago, because
>they had IPSEC+carrier-grade-NAT issues to no end, and now ~70% of
>their users come in using IPv6 transport and all works nicely), or
>use a more NAT-friendly VPN protocol.
>
>Depending on your needs, OpenVPN or WireGuard might be an option.
>
>(I will, of course, advocate OpenVPN, but I'm slightly biased :-) )
>

In the end I went with l2tp(4) over OpenVPN over Tor.

The l2tp end points don't seem to pass broadcasts (DHCP) across. They do see multicast (e.g. mDNS) though.

I'm not sure if this is a bug or a feature. Going to try to see if putting a VLAN overlay on top of the L2 segments will solve the broadcast/DHCP problem.

Any thoughts / ideas on this would help.

Many thanks,

Cherry
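When chasing the broadcast-versus-multicast asymmetry described in the message above, the first thing to establish is what each frame actually is at layer 2: DHCPDISCOVER goes to ff:ff:ff:ff:ff:ff, while mDNS goes to the group address 01:00:5e:00:00:fb, and broadcast is merely the all-ones special case of a group address (the I/G bit is set in both). A capture on each side of the tunnel can then be compared by destination class. The following is an added example, not code from the thread or from NetBSD's l2tp(4); it decodes Ethernet (with optional 802.1Q tag, since a VLAN overlay is being considered), IPv4 and UDP headers and tallies frames by class. The sample frames are constructed inline, with zero checksums, purely for parsing; MAC and IP addresses in them are made up.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17
# Hypothetical port-to-name map, just enough for the traffic in the thread.
UDP_PORT_NAMES = {67: "dhcp", 68: "dhcp", 5353: "mdns"}


def classify_dst(mac: bytes) -> str:
    """Destination class from the I/G bit (bit 0 of the first octet).

    Broadcast is the all-ones special case of a group address, so a filter
    keyed only on the I/G bit treats the two alike, while one that matches
    ff:ff:ff:ff:ff:ff explicitly does not."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet (optionally 802.1Q tagged) + IPv4 + UDP headers."""
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VID
        offset = 18
    info = {"dst_class": classify_dst(dst), "vlan": vlan,
            "proto": None, "dst_ip": None}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4         # IPv4 header length in bytes
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if ip[9] == IPPROTO_UDP:
        _sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        info["proto"] = UDP_PORT_NAMES.get(dport, f"udp/{dport}")
    return info


def build_udp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport,
                    payload, vlan=None):
    """Constructed test frame (IP/UDP checksums left zero; fine for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split(".")))) + udp
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")))
    if vlan is not None:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


CLIENT_MAC = "02:00:00:00:00:0a"   # made-up locally administered address
SAMPLE_FRAMES = [
    # DHCPDISCOVER: L2 broadcast, 0.0.0.0:68 -> 255.255.255.255:67
    build_udp_frame("ff:ff:ff:ff:ff:ff", CLIENT_MAC, "0.0.0.0",
                    "255.255.255.255", 68, 67, b"\x01" * 8),
    # mDNS query: L2 group address 01:00:5e:00:00:fb -> 224.0.0.251:5353
    build_udp_frame("01:00:5e:00:00:fb", CLIENT_MAC, "192.168.1.10",
                    "224.0.0.251", 5353, 5353, b"\x00" * 12),
    # ordinary unicast DNS query
    build_udp_frame("02:00:00:00:00:01", CLIENT_MAC, "192.168.1.10",
                    "192.168.1.1", 40000, 53, b"\x00" * 12),
    # the same DHCPDISCOVER carried on VLAN 100, as in the proposed overlay
    build_udp_frame("ff:ff:ff:ff:ff:ff", CLIENT_MAC, "0.0.0.0",
                    "255.255.255.255", 68, 67, b"\x01" * 8, vlan=100),
]


def tally(frames):
    """Count frames by (destination class, protocol). Captures taken at both
    ends of the tunnel should agree on these counts if everything is passed."""
    return Counter((p["dst_class"], p["proto"])
                   for p in map(parse_frame, frames))


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print(tally(SAMPLE_FRAMES))
```

Run it against frames read from a pcap on each side of the l2tp(4) link (only the raw frame bytes are needed) and diff the tallies: a missing ("broadcast", "dhcp") entry on the far side, with ("multicast", "mdns") intact, is exactly the symptom reported, and the vlan field shows whether tagged frames cross at all before deciding that an overlay helps.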

