tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



On Thu, 20 Oct 2022 at 12:19, Mathew, Cherry G. <c%bow.st@localhost> wrote:
> >Each client will (probably) generate unique client->server and
> >server->client SPIs (identifiers). The server knows these values so
> >should be able to DTRT. On the other hand the NAT is clueless as to
> >who has which inbound SPI so likely just forwards the packets to
> >the most recent ESP sender.
> >
>
> This is my best guess too, but unfortunately I have no way to test because the clients are phones.
>
> Would this behavior theoretically be identical regardless of client type? (i.e. if I added a third client running NetBSD + racoon as client)

Yes, it's IP all the way down.  Getting a NetBSD client involved would
definitely make life easier.

> >(of course I could be completely wrong, I refuse to read IKEv1 specs)
>
> What is the latest hot stuff? WireGuard? I don't see WireGuard VPN client options for phones though...

I asked around, apparently the buzzwords to look for are IKEv2 and EAP-MSCHAPv2.

Andrew
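A small simulation of the NAT behaviour guessed above (inbound ESP handed to whichever inside host sent ESP most recently) beside the UDP-encapsulated ESP that IKE NAT traversal (RFC 3948, UDP/4500) uses to give each client its own port mapping. This is added example code, not from the thread or from racoon; the addresses, SPIs and the NAT's forwarding policy are constructed assumptions.

```python
import struct
from collections import namedtuple

ESP, UDP, NAT_T_PORT, NAT_PUBLIC, SERVER = 50, 17, 4500, "203.0.113.1", "198.51.100.10"
# Addresses are constructed. sport/dport only mean something for UDP; raw ESP has no ports.
Packet = namedtuple("Packet", "src dst proto payload sport dport", defaults=(0, 0))

def esp_spi(payload):
    """An ESP header starts with a 32-bit SPI followed by a 32-bit sequence number."""
    spi, _seq = struct.unpack("!II", payload[:8])   # struct.error if truncated
    return spi

class Nat:
    """Port/protocol NAT with the policy guessed in the thread: inbound raw ESP
    from a peer goes to whichever inside host last sent ESP to that peer."""
    def __init__(self):
        self.udp = {}   # (peer, external port) -> (inside host, inside port)
        self.esp = {}   # peer -> inside host: a single slot, no per-client state

    def outbound(self, p):
        if p.proto == UDP:
            ext = 40000 + len(self.udp)              # one external port per UDP flow
            self.udp[(p.dst, ext)] = (p.src, p.sport)
            return p._replace(src=NAT_PUBLIC, sport=ext)
        self.esp[p.dst] = p.src                      # latest ESP sender takes the slot
        return p._replace(src=NAT_PUBLIC)

    def inbound(self, p):
        """Inside host the NAT delivers to, or None when nothing is mapped."""
        if p.proto == UDP:
            return self.udp.get((p.src, p.dport), (None, 0))[0]
        # The SPI is parseable, but inbound SPIs were agreed inside encrypted IKE:
        esp_spi(p.payload)                           # nothing ties it to a host
        return self.esp.get(p.src)

def simulate(nat_t):
    """Two clients send, then the server answers each on that client's own
    inbound SPI. Returns {inside host -> inside host that got its reply}."""
    nat, seen, got = Nat(), {}, {}
    clients = {"10.0.0.2": 0xAAAA, "10.0.0.3": 0xBBBB}   # host -> its inbound SPI
    for i, host in enumerate(clients):
        hdr = struct.pack("!II", 0x1000 + i, 1)          # outbound SPI, seq 1
        out = (Packet(host, SERVER, UDP, hdr, NAT_T_PORT, NAT_T_PORT) if nat_t
               else Packet(host, SERVER, ESP, hdr))
        seen[host] = nat.outbound(out)                   # as the server sees it
    for host, spi in clients.items():
        hdr = struct.pack("!II", spi, 1)
        back = (Packet(SERVER, NAT_PUBLIC, UDP, hdr, NAT_T_PORT, seen[host].sport)
                if nat_t else Packet(SERVER, NAT_PUBLIC, ESP, hdr))
        got[host] = nat.inbound(back)
    return got
```

With raw ESP both replies land on the client that sent last; with UDP encapsulation each reply comes back through its own external port, which is why enabling NAT-T on both ends is the usual fix for several clients behind one NAT.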

