[Vpn-help] Multiple clients behind the same NAT gateway possible ?
Matthew Grooms
mgrooms at shrew.net
Fri Oct 31 12:38:42 CDT 2008
Mathieu Guillaume wrote:
>
>>
>> I do most of my testing with clients behind a NAT device and can
>> confirm that multiple clients work with gateways that properly
>> implement the RFC specification. What kind of gateway are you
>> connecting to and are you sure NAT-T is being successfully negotiated
>> by the client? You can check the latter by looking at the Network tab
>> of the VPN Connect application after connecting which shows the
>> "Transport Used".
>>
>> Thanks,
>>
>> -Matthew
> It shows transport used as "NAT-T / IKE | ESP", so the NAT-T is working.
> I don't know what the NAT gateway is, the tunnel endpoint is
> racoon+setkey with the following racoon configuration:
>
Here is some general troubleshooting information for the list. If the
following is true ...

A) Clients are successfully negotiating NAT-T with the gateway
B) Multiple clients can connect from behind different NAT firewalls
C) Multiple clients can't connect from behind the same NAT firewall

... then the client software is not the problem. Beyond implementing the
NAT-T protocol extensions correctly, it has no knowledge or bearing with
respect to other clients that may be communicating with the same gateway
simultaneously. In other words, each connection is discrete ( relative
to the UDP encapsulation port ) and the NAT firewall and VPN gateway are
responsible for not getting them confused with each other.

Here are a couple of things to check ...

1) Can multiple clients connect from behind a different NAT firewall
2) Does the NAT firewall have IPsec Pass-through enabled
3) Does a firewall protect the VPN gateway
4) Does the VPN gateway have known issues with multiple NAT clients

If (1) is true, you should check if your NAT firewall has a firmware or
software update available.

If (2) is true, you probably need to disable IPsec pass-through. This
feature is a legacy method of getting one ( and only one ) client that
does not support NAT-T to work from behind a NAT device. It typically
does this by detecting IKE/IPsec traffic and forwarding all IPsec
related communications to a single host behind the NAT. In other words,
if one host attempts to connect to the gateway, the firewall sees IKE (
UDP port 500 ) traffic and immediately creates dynamic rules to forward
all incoming IKE/NAT-T/ESP/AH/IPcomp traffic back to the host that
initiated the communications.

If (3) is true, the rule set MUST allow communications to the IKE
& NAT-T UDP ports ( 500 & 4500 ) from *any* UDP port and not just the
same ports. In other words, the client will always try to communicate
from 500 -> 500 & 4500 -> 4500. But the NAT will translate the source
port to a different value if the source port is already in use. If the
firewall protecting the gateway only allows 500 -> 500 & 4500 -> 4500,
the first client behind a single NAT device will probably be able to
connect properly ( map1 X -> X ) but the second won't ( map2 ? -> X )
because there is already a NAT mapping to the same destination.

As for (4), I would hit up the ipsec-tools-devel mailing list. There
have been other reports about racoon running on some *nix platforms
where multiple hosts behind a NAT have issues. Yvan was working on some
PF_KEY cleanups for the source code which, I believe, are intended to
fix this issue.

I know it's a lot of if/then information, but I hope this helps.
Thanks,
-Matthew
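The point made under (3) above, that a gateway-side firewall matching on source port 500/4500 as well as destination port lets only the first client behind a shared NAT through, can be checked with a small model. The following is an added example written for this page, not code from the Shrew Soft client, racoon or the original post. It assumes a simplified NAT that preserves the private source port when that public port is free towards the destination and otherwise allocates a fresh high port (a common but not universal NAT behaviour), and it uses constructed addresses from documentation ranges.

```python
"""Model of NAT source-port rewriting versus two gateway firewall policies.

Constructed example: the NAT port-selection policy (keep the source port if
free, otherwise hand out the next high port) is an assumption that mirrors
many consumer NAT devices; it is not taken from any RFC or product.
"""
from dataclasses import dataclass, field

IKE_PORT = 500     # IKE (ISAKMP)
NATT_PORT = 4500   # IKE / ESP UDP encapsulation once NAT-T is negotiated


@dataclass
class Nat:
    """Minimal port-preserving NAT. Keys are (private_ip, private_port, dst)."""
    public_ip: str
    next_port: int = 40000                          # first 'fresh' public port
    table: dict = field(default_factory=dict)       # private flow -> public port
    used: set = field(default_factory=set)          # (public_port, dst) in use

    def translate(self, priv_ip, priv_port, dst):
        key = (priv_ip, priv_port, dst)
        if key in self.table:
            return self.table[key]
        # Port preservation: reuse the private source port unless another
        # host already owns that public port towards the same destination.
        pub_port = priv_port
        if (pub_port, dst) in self.used:
            pub_port = self.next_port
            self.next_port += 1
        self.used.add((pub_port, dst))
        self.table[key] = pub_port
        return pub_port


def strict_policy(src_port, dst_port):
    """Weak rule set: only 500 -> 500 and 4500 -> 4500 are accepted."""
    return dst_port in (IKE_PORT, NATT_PORT) and src_port == dst_port


def correct_policy(src_port, dst_port):
    """Correct rule set: any UDP source port to the IKE / NAT-T ports."""
    return dst_port in (IKE_PORT, NATT_PORT)


def simulate(policy, clients=("10.0.0.11", "10.0.0.12"),
             gateway="203.0.113.1"):
    """Connect each client through one NAT; return {client: (accepted, map)}.

    'map' records the public port the NAT chose for the client's IKE and
    NAT-T flows, so the reader can see where the rewrite happens.
    """
    nat = Nat(public_ip="198.51.100.7")             # constructed NAT address
    results = {}
    for ip in clients:
        accepted = True
        mapping = {}
        for port in (IKE_PORT, NATT_PORT):
            # The client always sends from 500 and 4500 (map X -> X).
            pub = nat.translate(ip, port, (gateway, port))
            mapping[port] = pub
            # The gateway firewall only sees the post-NAT source port.
            accepted = accepted and policy(pub, port)
        results[ip] = (accepted, mapping)
    return results


if __name__ == "__main__":
    for name, policy in (("strict", strict_policy), ("correct", correct_policy)):
        print(f"--- {name} policy ---")
        for ip, (ok, mapping) in simulate(policy).items():
            print(f"{ip}: NAT map {mapping} -> {'accepted' if ok else 'dropped'}")
```

Under the strict policy the first client keeps 500 -> 500 and 4500 -> 4500 and passes, while the second client's flows are rewritten to high ports and dropped; under the correct policy both pass. On an iptables gateway the difference is an accept rule written as `-p udp --dport 500` (and `--dport 4500`) rather than one that also matches `--sport 500` / `--sport 4500`.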