On 3 Feb 2008 at 11.33, Markus Wernig wrote:
Rephrasing: Is it possible to have multiple nat-t clients behind the same NAT address connect to the same OBSD ipsec gateway? How?
Hi,
Yes, it's possible, but isakmpd deletes all SAs from the same IP address on an initial contact message.
I posted a bug report about this a while ago, including a patch:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5562
It's for 4.1 but it's not closed yet, so I assume it's also valid for 4.2 and -current.
You can try this patch and recompile isakmpd:
http://bzero.se/patches/isakmpd-multi-nat-peers-patch.diff
-martin
thx /markus
Markus Wernig wrote:
Hi all
I'm having some trouble with VPN clients (workstations) connecting to an OBSD 4.2 VPN gateway.
All clients sit behind one natting gateway, and are natted to the same egress ip address. They try to connect to another network behind the VPN gateway. The first connect succeeds, and the client gets its connection (I can track this with ipsecctl -s all on the VPN gateway). Traffic uses nat-t (udp 4500) as destination, yet the connection gets source-natted and the source port is changed to some unique value.
This works well. But as soon as the second client connects, the first one is disconnected! The second connection is source-natted to the same IP, but uses a different source port.
ipsecctl shows that both tuples for flows and sa get replaced by new ones the moment the second client connects. tcpdump on the gateway shows normal ipsec traffic during the first connection until the new one is initiated. After this, no packet for the first connection is sent by the gateway, but all belong to the second one (different SPIs and different source port).
Now I'm a bit unsure. From my understanding, it should be possible to have multiple nat-t clients use the same external ip address. Is there any limitation that I'm not aware of? Do I need to configure something on the gateway? It's set up for roadwarriors. Here's ipsec.conf:
ike passive esp tunnel \
from any to a.b.c.d/24 \
srcid vpn.gate.way
with a.b.c.d being the network the clients want to connect to and vpn.gate.way the fqdn of the gateway, as it appears in its certificate.
Thx for any hint
/markus
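As an added illustration (not code from the thread, and not isakmpd's own code), the following Python model shows why Markus sees the first client's SAs vanish and what Martin's explanation implies: an IKE daemon that, on an INITIAL-CONTACT notification, removes every SA matching the peer's IP address will evict NAT-T siblings that share that address and differ only in UDP source port. The addresses, ports and SPIs are constructed sample values, and the alternative policy of matching on address plus port is an assumption about a correct implementation, not a description of the linked patch.

```python
# Hypothetical model of IKE SA bookkeeping on INITIAL-CONTACT (illustrative, not isakmpd).
# INITIAL-CONTACT legitimately exists so a gateway can drop stale SAs when a peer
# has rebooted; the problem is matching the stale SAs on IP address alone when
# several NAT-T peers are natted to the same egress address.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Peer:
    addr: str   # egress address as seen by the gateway (same for all NAT siblings)
    port: int   # UDP source port after NAT, unique per client with NAT-T


@dataclass
class SaTable:
    sas: dict[int, Peer] = field(default_factory=dict)  # SPI -> owning peer
    key_on_port: bool = False  # False reproduces the behaviour described in the thread

    def initial_contact(self, peer: Peer, new_spi: int) -> list[int]:
        """Handle INITIAL-CONTACT from `peer`: delete its stale SAs, install the new one.
        Returns the SPIs that were deleted."""
        def same_peer(p: Peer) -> bool:
            if self.key_on_port:
                return p == peer            # assumed fix: match address AND port
            return p.addr == peer.addr      # address-only match evicts NAT siblings
        deleted = [spi for spi, p in self.sas.items() if same_peer(p)]
        for spi in deleted:
            del self.sas[spi]
        self.sas[new_spi] = peer
        return deleted


def simulate(key_on_port: bool) -> dict[int, Peer]:
    """Two clients behind one NAT (constructed values) connect one after the other."""
    table = SaTable(key_on_port=key_on_port)
    first = Peer("198.51.100.7", 61001)   # constructed: client A after NAT
    second = Peer("198.51.100.7", 61002)  # constructed: client B, same IP, new port
    table.initial_contact(first, new_spi=0x1001)
    table.initial_contact(second, new_spi=0x1002)
    return dict(table.sas)


if __name__ == "__main__":
    print("address-only match:", simulate(False))  # only client B's SA survives
    print("address+port match:", simulate(True))   # both clients keep their SAs
```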