[Vpn-help] Multiple clients behind the same NAT gateway possible ?
Mathieu Guillaume
mat at voxmobili.com
Fri Oct 31 04:15:21 CDT 2008
Matthew Grooms wrote:
> Mathieu Guillaume wrote:
>> Hi list.
>>
>> I'm running into a problem where I have several clients needing to
>> connect from behind the same NAT gateway, but only one can connect at a
>> time.
>> Is that an inherent limitation of IPsec+NAT-T, or is there something I
>> missed in the configuration?
>>
>
> Matthieu,
>
> I do most of my testing with clients behind a NAT device and can
> confirm that multiple clients work with gateways that properly
> implement the RFC specification. What kind of gateway are you
> connecting to and are you sure NAT-T is being successfully negotiated
> by the client? You can check the latter by looking at the Network tab
> of the VPN Connect application after connecting which shows the
> "Transport Used".
>
> Thanks,
>
> -Matthew
It shows transport used as "NAT-T / IKE | ESP", so NAT-T is working.
I don't know what the NAT gateway is; the tunnel endpoint is
racoon+setkey with the following racoon configuration:
remote anonymous {
        # accept aggressive or main mode from any peer address
        exchange_mode aggressive,main;
        my_identifier fqdn "some.name.com";
        proposal_check claim;
        # build SPD entries for the client's negotiated address on the fly
        generate_policy on;
        verify_cert on;
        # RFC 3947/3948 NAT detection and UDP/4500 encapsulation
        nat_traversal on;
        dpd_delay 30;
        ike_frag on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
# addresses handed out to clients via ISAKMP mode-config (10.8.0.0/24)
mode_cfg {
        conf_source local;
        network4 10.8.0.1;
        pool_size 200;
        netmask4 255.255.255.0;
        banner "/etc/racoon/racoon.motd";
}
# phase 2 parameters for any client
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
--
Mathieu Guillaume <mat at voxmobili.com>
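Matthew's remark that several clients behind one NAT only work with gateways that properly implement the RFC comes down to how the gateway keys its NAT-T state: with RFC 3948 UDP encapsulation, every host behind the NAT arrives from the same public address on UDP/4500, and the only thing that tells them apart is the translated UDP source port. The script below is an added illustration, not code from this thread nor from racoon/ipsec-tools. It parses UDP/4500 payloads (the four-zero-byte non-ESP marker for IKE, the one-byte keepalive, and UDP-encapsulated ESP) and groups them by peer twice: once keyed on (address, port), as the RFC requires, and once on the address alone, which is what makes two clients behind one NAT collide. The packets, addresses, ports and SPIs are constructed sample data.

```python
"""Demultiplex UDP/4500 NAT-T traffic by peer (address, port) pair.

Added illustration, not code from the original thread or from racoon.
All datagrams below are constructed, not captured traffic.
"""
import struct
from collections import defaultdict

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-byte NAT keepalive
ISAKMP_HDR_LEN = 28

# IKEv1 exchange types (RFC 2408 / RFC 2409)
EXCH_MAIN, EXCH_AGGRESSIVE, EXCH_QUICK = 2, 4, 32


def isakmp_header(ispi, rspi, exch_type, msg_id, length=ISAKMP_HDR_LEN):
    """Build a bare ISAKMP header (no payloads) for the constructed samples."""
    # next payload = 0 (none), version 1.0 = 0x10, flags = 0
    return struct.pack("!8s8sBBBBII", ispi, rspi, 0, 0x10, exch_type, 0, msg_id, length)


def udp_esp(spi, seq, body=b"\x00" * 16):
    """UDP-encapsulated ESP: SPI and sequence number followed by ciphertext."""
    assert spi != 0, "SPI 0 would collide with the non-ESP marker"
    return struct.pack("!II", spi, seq) + body


def classify_udp4500(payload):
    """Return ('keepalive' | 'ike' | 'esp', details) for one UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", {}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            raise ValueError("truncated ISAKMP header")
        ispi, rspi, _np, _ver, exch, _flags, msg_id, _length = struct.unpack(
            "!8s8sBBBBII", ike[:ISAKMP_HDR_LEN])
        return "ike", {"ispi": ispi.hex(), "rspi": rspi.hex(),
                       "exchange_type": exch, "msg_id": msg_id}
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return "esp", {"spi": spi, "seq": seq}


def demux(datagrams, key_on_port=True):
    """Group datagrams by the peer's translated (address, port).

    key_on_port=False emulates a gateway that keys its NAT-T state on the
    source address alone; clients behind one NAT then merge into one peer.
    """
    peers = defaultdict(lambda: {"ike_cookies": set(), "esp_spis": set(), "keepalives": 0})
    for src_ip, src_port, payload in datagrams:
        key = (src_ip, src_port if key_on_port else None)
        kind, info = classify_udp4500(payload)
        if kind == "ike":
            peers[key]["ike_cookies"].add(info["ispi"])
        elif kind == "esp":
            peers[key]["esp_spis"].add(info["spi"])
        else:
            peers[key]["keepalives"] += 1
    return dict(peers)


# Constructed samples: two clients behind the NAT address 203.0.113.5 (RFC 5737
# documentation range), distinguishable only by their translated source ports.
NAT_IP = "203.0.113.5"
CLIENT_A = (NAT_IP, 51024)
CLIENT_B = (NAT_IP, 51025)
SAMPLE = [
    (*CLIENT_A, NON_ESP_MARKER + isakmp_header(b"\x11" * 8, b"\x00" * 8, EXCH_AGGRESSIVE, 0)),
    (*CLIENT_B, NON_ESP_MARKER + isakmp_header(b"\x22" * 8, b"\x00" * 8, EXCH_AGGRESSIVE, 0)),
    (*CLIENT_A, udp_esp(0x1000ABCD, 1)),
    (*CLIENT_B, udp_esp(0x2000ABCD, 1)),
    (*CLIENT_A, NAT_KEEPALIVE),
    (*CLIENT_B, udp_esp(0x2000ABCD, 2)),
]

if __name__ == "__main__":
    for key_on_port in (True, False):
        table = demux(SAMPLE, key_on_port)
        print("keyed on port" if key_on_port else "keyed on address only",
              "->", len(table), "peer(s)")
        for peer, state in sorted(table.items(), key=str):
            print("  ", peer, state)
```

Run as written, the first pass reports two peers with one IKE cookie and one SPI each; the second collapses both clients into a single entry holding two cookies and two SPIs, which is the state a port-blind gateway would end up with and why only one such client can stay connected at a time.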