Multiple clients behind the same NAT connecting to an L2TP/IPsec VPN server behind another NAT

Dr. Rolf Jansen rj at cyclaero.com
Thu May 12 00:55:13 UTC 2011


I have set up a VPN server on my FreeBSD 8.2-RELEASE i386 machine, using the following prerequisites:

  - customized GENERIC kernel built with the following
    additional options and devices:
    IPSEC, IPSEC_FILTERTUNNEL, IPSEC_NAT_T, crypto, enc

  - ports/security/ipsec-tools (v0.8.0)
    compiled with NATT enabled and NATTF disabled

  - ports/net/mpd5 (v5.5)


The server sits in the DMZ behind a SOHO router. Everything is working fine so far. I can establish connections from multiple external clients at the same time. Even connections from within a NAT'ed local network via the internet to my L2TP/IPsec server do work.

The only remaining problem is that, from behind the same NAT, only one client works well. As soon as a connection between a second client and the server has been established, the communication of both breaks down. The racoon log shows nothing noticeable here, and according to the log both connections are established successfully; nevertheless, the communication is blocked.

racoon is configured to generate unique policies.

When a client disconnects from the server, racoon usually purges 2 IPsec SAs shortly after. The interesting thing in the case of 2 clients from the same NAT is that it purges one IPsec SA from the client that just disconnected, and one belonging to the client that is still connected. So, it seems that racoon's internal SA housekeeping got confused.

I have been investigating this for some days already, and finally I would like to ask the experts whether this is perhaps an issue with ipsec-tools (racoon/setkey) and not with my setup. I am willing to spend more time on this only if there is some chance that it can be resolved.

So, is there anybody out there who can successfully establish VPN connections from multiple clients behind the same NAT to an L2TP/IPsec server running ipsec-tools and mpd5?

If yes, may we please discuss my setup in more detail?

If no, I would be still grateful for some insights.


BTW: Using only mpd5, I also set up a PPTP VPN server running in parallel to the L2TP/IPsec one. Multiple PPTP VPN clients behind the same NAT work perfectly well with my server, so I tend to believe that it is really an issue with the IPsec part and not with the L2TP (mpd5) part of my setup.

Many thanks in advance for any reply

Best regards

Rolf
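As an added diagnostic for the symptom Rolf describes (the SA that racoon purges on disconnect belonging to the client that is still connected), the following script is not code from the post, from ipsec-tools or from mpd5. It parses a `setkey -D` SAD dump and groups ESP SAs by the client's NAT-T endpoint, i.e. by (address, UDP port) rather than by address alone, since two clients behind one NAT share the address and differ only in the translated port. A client that ends up with an SA in only one direction is reported. The sample dump, the server address 192.0.2.10 and the exact line layout of the dump are constructed assumptions; real `setkey -D` output indents with tabs, which the parser also accepts.

```python
"""Group IPsec SAs from a `setkey -D` dump by NAT-T client endpoint and flag
clients that have lost one direction.  Added example, not from the original
post or from ipsec-tools; the dump format below is an assumption."""
import re
import subprocess
from collections import defaultdict

# Constructed sample: two clients behind the NAT at 203.0.113.5 (translated to
# ports 4500 and 4501) plus one direct client at 198.51.100.7, all talking to
# the server 192.0.2.10.  The client at 203.0.113.5[4501] is missing its
# outbound (server -> client) SA, which is the state described in the post.
SAMPLE_SAD = """\
203.0.113.5[4500] 192.0.2.10[4500]
        esp-udp mode=transport spi=1000(0x000003e8) reqid=16385(0x00004001)
        E: aes-cbc  2b7e151628aed2a6abf7158809cf4f3c
        A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10[4500] 203.0.113.5[4500]
        esp-udp mode=transport spi=1001(0x000003e9) reqid=16386(0x00004002)
        E: aes-cbc  3c4fcf098815f7aba6d2ae2816157e2b
        A: hmac-sha1  76543210fedcba9876543210fedcba9876543210
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.5[4501] 192.0.2.10[4500]
        esp-udp mode=transport spi=1002(0x000003ea) reqid=16387(0x00004003)
        E: aes-cbc  000102030405060708090a0b0c0d0e0f
        A: hmac-sha1  0f0e0d0c0b0a09080706050403020100ffeeddcc
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7[4500] 192.0.2.10[4500]
        esp-udp mode=transport spi=1003(0x000003eb) reqid=16389(0x00004005)
        E: aes-cbc  ffeeddccbbaa99887766554433221100
        A: hmac-sha1  aabbccddeeff00112233445566778899aabbccdd
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.10[4500] 198.51.100.7[4500]
        esp-udp mode=transport spi=1004(0x000003ec) reqid=16390(0x00004006)
        E: aes-cbc  00112233445566778899aabbccddeeff
        A: hmac-sha1  ddccbbaa99887766554433221100ffeeddccbbaa
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# "esp-udp" marks a NAT-T encapsulated SA; plain "esp"/"ah" are accepted too.
PROTO_RE = re.compile(
    r'^\s+(esp-udp|esp|ah)\s+mode=(\S+)\s+spi=(\d+)\(0x[0-9a-fA-F]+\)\s+reqid=(\d+)')
STATE_RE = re.compile(r'state=(\w+)')


def _split_endpoint(token):
    """'203.0.113.5[4500]' -> ('203.0.113.5', 4500); no bracket -> port None."""
    m = re.fullmatch(r'(.+?)(?:\[(\d+)\])?', token)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def parse_sad(dump):
    """Return one dict per SA.  An SA starts at an unindented 'src dst' line;
    the indented lines that follow carry protocol, SPI, reqid and state."""
    sas, cur = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            src, dst = line.split()[:2]
            cur = {'src': _split_endpoint(src), 'dst': _split_endpoint(dst),
                   'proto': None, 'mode': None, 'spi': None,
                   'reqid': None, 'state': None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur['proto'], cur['mode'] = m.group(1), m.group(2)
            cur['spi'], cur['reqid'] = int(m.group(3)), int(m.group(4))
        m = STATE_RE.search(line)
        if m:
            cur['state'] = m.group(1)
    return sas


def sas_per_client(sas, server_addr):
    """Group SAs by the client's (address, port).  The port is what tells two
    clients behind the same NAT apart, so it must be part of the key."""
    groups = defaultdict(list)
    for sa in sas:
        peer = sa['dst'] if sa['src'][0] == server_addr else sa['src']
        groups[peer].append(sa)
    return dict(groups)


def find_half_open(sas, server_addr):
    """Clients that have a mature SA in only one direction."""
    bad = []
    for peer, lst in sas_per_client(sas, server_addr).items():
        inbound = any(s['dst'][0] == server_addr and s['state'] == 'mature' for s in lst)
        outbound = any(s['src'][0] == server_addr and s['state'] == 'mature' for s in lst)
        if inbound != outbound:
            bad.append(peer)
    return sorted(bad, key=repr)


def live_sad():
    """Read the real SAD on the FreeBSD box (needs root); not used by the sample."""
    return subprocess.run(['setkey', '-D'], check=True,
                          capture_output=True, text=True).stdout


if __name__ == '__main__':
    sas = parse_sad(SAMPLE_SAD)
    for peer, lst in sorted(sas_per_client(sas, '192.0.2.10').items(), key=repr):
        print(peer, [(s['proto'], s['spi'], s['reqid']) for s in lst])
    print('half-open clients:', find_half_open(sas, '192.0.2.10'))
```

Running it against `live_sad()` on the server right after one of the two NAT'ed clients disconnects would show whether the surviving client's pair of SAs is still intact, which is the question the post raises.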


