Re: racoon, IKEv1 and multiple ipsec clients behind NAT

To: "Mathew, Cherry G." <c%bow.st@localhost>
Subject: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
From: Andrew Cagney <andrew.cagney%gmail.com@localhost>
Date: Sat, 22 Oct 2022 16:58:19 -0400

On Thu, 20 Oct 2022 at 12:19, Mathew, Cherry G. <c%bow.st@localhost> wrote:
> >Each client will (probably) generate unique client->server and
> >server->client SPIs (identifiers). The server knows these values so
> >should be able to DTRT. On the other hand the NAT is clueless as to
> >who has which inbound SPI so likely just forwards the the packets to
> >the most recent ESP sender.
> >
>
> This is my best guess too, but unfortunately I have no way to test because the clients are phones.
>
> Would this behavior be theoretically be identical regardless of client type ? (ie; if i added a third client running NetBSD+ raccoon as client)

Yes, it's IP all the way down.  Getting a NetBSD client involved would
definitely make life easier

> >(of course I could be completely wrong, I refuse to read IKEv1 specs)
>
> What is the the latest hot stuff ? Wireguard ? I dont see wireguard VPN client options for phones though....

I asked around, apparently the buzzwords to look for are IKEv2 and EAP-MSCHAPv2.

Andrew

Follow-Ups:
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Chuck Zmudzinski

References:
- racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.*
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Manuel Bouyer
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Andrew Cagney

Prev by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Next by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Previous by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Next by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Indexes:

Home | Main Index | Thread Index | Old Index