Re: [strongSwan] Multiple vpn clients behind NAT support

2015-07-02 Thread Volker Rümelin

Hi Martin,


> If that is not an option for you, you might have a look at the connmark
> plugin [2], which allows you to use Conntrack and Netfilter marks to
> bind connections to specific SAs. This is all not that trivial, though.
>
> [2]https://wiki.strongswan.org/projects/strongswan/wiki/Connmark



Windows IPsec/L2TP clients always select port 1701 as the source port for 
the L2TP packets. I don't know how the CONNMARK target can restore the 
correct Netfilter mark in the OUTPUT mangle chain when the tuple (src, 
dst, sport, dport) is identical for all Windows clients behind the same 
NAT router. I guess the Connmark plugin works with a high probability 
for clients selecting a random source port, but not for multiple Windows 
clients.


Regards,
Volker
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Multiple vpn clients behind NAT support

2015-07-02 Thread Martin Willi
Hi,

> From behind NAT only one client is able to connect at a time. If one remote
> access VPN is up, the second VPN connection fails to connect.

The Windows L2TP/IPsec client uses transport mode to secure L2TP. A
gateway can't distinguish two clients behind the same NAT without some
tricks, as they both have the same external IP address.

Given that Windows 7 supports IKEv2 and real IPsec, I highly recommend
considering a switch to that superior protocol [1].

If that is not an option for you, you might have a look at the connmark
plugin [2], which allows you to use Conntrack and Netfilter marks to
bind connections to specific SAs. This is all not that trivial, though.

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
[2]https://wiki.strongswan.org/projects/strongswan/wiki/Connmark

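To make the conntrack reasoning in Martin's connmark suggestion and Volker's objection concrete, here is an added Python model (not strongSwan or connmark plugin code) of the mark-per-conntrack-tuple mechanism: a decrypted inbound packet gets the mark of the SA it came from, the mark is saved on the conntrack entry, and the reply is matched on the reversed 4-tuple to restore it. The gateway and NAT addresses, ports, client names and the use of SA numbers as marks are constructed sample values.

```python
from collections import namedtuple

# (src ip, dst ip, src port, dst port): the key conntrack uses for a UDP flow.
Flow = namedtuple("Flow", "src dst sport dport")

GATEWAY = "203.0.113.1"    # constructed: public address of the VPN gateway
NAT_IP = "198.51.100.7"    # constructed: public address of the NAT router
L2TP_PORT = 1701


def inner_l2tp_flow(client_sport):
    """Tuple of a decrypted L2TP packet as netfilter on the gateway sees it.
    Transport mode carries no inner IP header, so the source address is the
    NAT router's public address for every client; only the client's original
    L2TP source port can tell two clients apart."""
    return Flow(NAT_IP, GATEWAY, client_sport, L2TP_PORT)


def reverse(flow):
    """Reply direction of a flow (what conntrack matches outbound packets on)."""
    return Flow(flow.dst, flow.src, flow.dport, flow.sport)


def save_marks(clients):
    """Model of 'packet decrypted by SA n -> fwmark n -> CONNMARK --save-mark'.

    clients: list of (name, l2tp_source_port); client i owns SA/mark i.
    Returns (conntrack, collided): the conntrack table {Flow: mark} and the
    names of clients whose inner tuple already carried another client's mark.
    A conntrack entry can hold exactly one mark, so the second client either
    inherits the first client's mark (modelled here) or overwrites it; either
    way one of the two SAs no longer receives its replies."""
    conntrack = {}
    collided = []
    for mark, (name, sport) in enumerate(clients, start=1):
        flow = inner_l2tp_flow(sport)
        if flow in conntrack and conntrack[flow] != mark:
            collided.append(name)
            continue
        conntrack[flow] = mark
    return conntrack, collided


def restore_mark(conntrack, reply):
    """Model of CONNMARK --restore-mark in the OUTPUT mangle chain: the reply
    is matched to the conntrack entry of its original direction and the saved
    mark selects the outbound SA. Returns None when no entry exists."""
    return conntrack.get(reverse(reply))


def clients_with_working_replies(clients):
    """Names of clients whose L2TP replies would be steered into their own SA."""
    conntrack, _ = save_marks(clients)
    ok = set()
    for mark, (name, sport) in enumerate(clients, start=1):
        reply = Flow(GATEWAY, NAT_IP, L2TP_PORT, sport)
        if restore_mark(conntrack, reply) == mark:
            ok.add(name)
    return ok


# Constructed sample clients behind one NAT router.
RANDOM_PORT_CLIENTS = [("client-a", 49152), ("client-b", 51873)]  # random sport
WINDOWS_CLIENTS = [("win-1", 1701), ("win-2", 1701)]              # always 1701

if __name__ == "__main__":
    print("random source ports:", sorted(clients_with_working_replies(RANDOM_PORT_CLIENTS)))
    print("Windows clients    :", sorted(clients_with_working_replies(WINDOWS_CLIENTS)))
```

With random source ports every client ends up with its own conntrack entry and its own mark, so the reply path can pick the right SA. With two Windows clients both inner tuples are (NAT_IP, GATEWAY, 1701, 1701), the table has a single entry, and the second client's replies are sent through the first client's SA. The model ignores the outer UDP/4500 encapsulation on purpose: the NAT does give each client a distinct outer port, but by the time the L2TP packet is decrypted and reaches the mangle chain only the inner tuple is left.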


[strongSwan] Multiple vpn clients behind NAT support

2015-07-02 Thread Jayapal Reddy
Hi all,

I have the below scenario.


                                         |--win vpn client1
VirtualRouter(VpnServer) ---Firewall/NAT |
                                         |---win vpn client2

I am using strongSwan version 4.5.2
# ipsec --version
Linux strongSwan U4.5.2/K3.2.0-4-686-pae


*problem:*
From behind NAT only one client is able to connect at a time. If one remote
access VPN is up, the second VPN connection fails to connect.


Is there a way to connect multiple VPN clients behind NAT to the VPN server?
Is it supported in strongSwan?

From a Google search it seems it is not supported, but I want confirmation
from you guys.


Below are the logs:
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7: NAT-Traversal: Result using RFC 3947: peer is NATed
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[5] 10.147.52.222 #7: Peer ID is ID_IPV4_ADDR: '10.1.1.196'
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222 #7: deleting connection "L2TP_PSK" instance with peer 10.147.52.222 {isakmp=#0/ipsec=#0}
Jun 26 06:59:54 r-314-VM pluto[23641]: | NAT-T: new mapping 10.147.52.222:500/1024)
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sent MR3, ISAKMP SA established
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: responding to Quick Mode

*Jun 26 06:59:54 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #8: cannot install eroute -- it is in use for "L2TP_PSK"[4] 10.147.52.222:4500  #6
Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)*
Jun 26 06:59:55 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)
Jun 26 06:59:56 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 06:59:59 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)
Jun 26 06:59:59 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 26 07:00:01 r-314-VM CRON[28456]: pam_unix(cron:session): session closed for user root
Jun 26 07:00:06 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)
Jun 26 07:00:06 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:21 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)
Jun 26 07:00:21 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:36 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0100 (perhaps this is a duplicated packet)
Jun 26 07:00:36 r-314-VM pluto[23641]: "L2TP_PSK"[6] 10.147.52.222:1024 #7: sending encrypted notification INVALID_MESSAGE_ID to 10.147.52.222:1024
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a510001]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 0009]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: received Vendor ID payload [RFC 3947]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 26 07:00:51 r-314-VM pluto[23641]: packet from 10.147.52.222:500: ignoring Vendor ID payload [IKE CGA version 1]
Jun 26