[Vpn-help] Multiple clients behind the same NAT gateway possible ?

Mathieu Guillaume mat at voxmobili.com
Fri Oct 31 04:15:21 CDT 2008



Matthew Grooms wrote:
> Mathieu Guillaume wrote:
>> Hi list.
>>
>> I'm running into a problem where I have several clients that need to
>> connect from behind the same NAT gateway, but only one can connect at a
>> time.
>> Is that an inherent limitation of IPSec+NAT-T, or is there something I
>> missed in the configuration?
>>
>
> Mathieu,
>
> I do most of my testing with clients behind a NAT device and can
> confirm that multiple clients work with gateways that properly
> implement the RFC specification. What kind of gateway are you
> connecting to and are you sure NAT-T is being successfully negotiated
> by the client? You can check the latter by looking at the Network tab
> of the VPN Connect application after connecting which shows the
> "Transport Used".
>
> Thanks,
>
> -Matthew
It shows transport used as "NAT-T / IKE | ESP", so NAT-T is working.
I don't know what the NAT gateway is; the tunnel endpoint is
racoon+setkey with the following racoon configuration:

remote anonymous {
        exchange_mode aggressive,main;
        my_identifier fqdn "some.name.com";
        proposal_check claim;
        generate_policy on;          # derive SPD entries from each client's proposal
        verify_cert on;
        nat_traversal on;            # negotiate NAT-T (RFC 3947/3948, UDP port 4500)
        dpd_delay 30;
        ike_frag on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;  # MD5 and DH group 2 are weak by current standards
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

mode_cfg {
        conf_source local;           # hand out client addresses from the pool below
        network4 10.8.0.1;
        pool_size 200;
        netmask4 255.255.255.0;
        banner "/etc/racoon/racoon.motd";
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}



-- 
Mathieu Guillaume <mat at voxmobili.com>
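What "properly implement the RFC specification" amounts to for the multiple-clients-behind-one-NAT case, shown as an added illustration that is not code from this thread, from racoon or from the VPN Connect client: on UDP 4500 a gateway must first tell IKE from UDP-encapsulated ESP (RFC 3948 puts a four-byte zero Non-ESP Marker in front of IKE, while ESP starts with its non-zero SPI, and a lone 0xFF byte is a NAT-keepalive), and it must track each peer by the NAT-translated source address *and* port. A table keyed on the outer IP alone collapses every client behind that NAT into one entry, which is exactly the "only one can connect at a time" symptom. The addresses, ports and IKE cookies below are constructed, and the IKE header is zero-padded past the initiator cookie.

```python
"""Toy UDP 4500 demultiplexer and peer table (added example, not racoon code)."""
from dataclasses import dataclass, field
import struct

# RFC 3948: IKE on port 4500 is prefixed by a four-byte zero Non-ESP Marker;
# UDP-encapsulated ESP begins with its 32-bit SPI, which is never zero;
# a single 0xFF byte is a NAT-keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def classify_port4500(payload: bytes):
    """Return ("keepalive", None), ("ike", ike_bytes) or ("esp", spi)."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(payload) < 4:
        raise ValueError("datagram too short for UDP 4500")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    spi = struct.unpack("!I", payload[:4])[0]
    return ("esp", spi)


def ike_header(initiator_cookie: int) -> bytes:
    """Constructed 28-byte ISAKMP header: initiator cookie, rest zeroed."""
    return struct.pack("!Q", initiator_cookie) + b"\x00" * 20


@dataclass
class PeerTable:
    """Responder-side peer state; key_by_port=False models the broken gateway."""
    key_by_port: bool
    peers: dict = field(default_factory=dict)

    def _key(self, ip: str, port: int):
        return (ip, port) if self.key_by_port else ip

    def on_ike(self, ip: str, port: int, initiator_cookie: int):
        # A gateway keyed on IP only overwrites the first client's entry here.
        key = self._key(ip, port)
        self.peers[key] = {"addr": (ip, port), "icookie": initiator_cookie}
        return key


def demo():
    """Two clients behind one NAT; count how many peers each keying strategy keeps."""
    nat_public_ip = "203.0.113.5"  # constructed, RFC 5737 documentation range
    # The NAT rewrites each client's source port; both share the public IP.
    arrivals = [
        (nat_public_ip, 4500, NON_ESP_MARKER + ike_header(0x1111111111111111)),
        (nat_public_ip, 54321, NON_ESP_MARKER + ike_header(0x2222222222222222)),
    ]
    results = {}
    for label, by_port in (("keyed_by_ip_and_port", True), ("keyed_by_ip_only", False)):
        table = PeerTable(key_by_port=by_port)
        for ip, port, dgram in arrivals:
            kind, body = classify_port4500(dgram)
            if kind == "ike":
                icookie = struct.unpack("!Q", body[:8])[0]
                table.on_ike(ip, port, icookie)
        results[label] = len(table.peers)
    return results


if __name__ == "__main__":
    print(demo())  # {'keyed_by_ip_and_port': 2, 'keyed_by_ip_only': 1}
```

When checking a real gateway, the equivalent observation is whether the second client's IKE exchange arrives with a different UDP source port and whether the responder's phase 1 table still lists the first client after the second one connects.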



