[Vpn-help] Multiple clients behind the same NAT gateway possible ?

Matthew Grooms mgrooms at shrew.net
Fri Oct 31 12:38:42 CDT 2008


Mathieu Guillaume wrote:
> 
>>
>> I do most of my testing with clients behind a NAT device and can
>> confirm that multiple clients work with gateways that properly
>> implement the RFC specification. What kind of gateway are you
>> connecting to and are you sure NAT-T is being successfully negotiated
>> by the client? You can check the latter by looking at the Network tab
>> of the VPN Connect application after connecting which shows the
>> "Transport Used".
>>
>> Thanks,
>>
>> -Matthew
> It shows transport used as "NAT-T / IKE | ESP", so the NAT-T is working.
> I don't know what the NAT gateway is, the tunnel endpoint is
> racoon+setkey with the following racoon configuration:
> 

Here is some general troubleshooting information for the list. If the 
following is true ...

A) Clients are successfully negotiating NAT-T with the gateway
B) Multiple clients can connect from behind different NAT firewalls
C) Multiple clients can't connect from behind the same NAT firewall

... then the client software is not the problem. Beyond implementing the 
NAT-T protocol extensions correctly, it has no knowledge or bearing with 
respect to other clients that may be communicating with the same gateway 
simultaneously. In other words, each connection is discrete ( relative 
to the UDP encapsulation port ) and the NAT firewall and VPN gateway are 
responsible for not getting them confused with each other.

Here are a couple of things to check ...

1) Can multiple clients connect from behind a different NAT firewall
2) Does the NAT firewall have IPsec Pass-through enabled
3) Does a firewall protect the VPN gateway
4) Does the VPN gateway have known issues with multiple NAT clients

If (1) is true, you should check if your NAT firewall has a firmware or 
software update available.

If (2) is true, you probably need to disable IPsec pass-through. This 
feature is a legacy method of getting one ( and only one ) client that 
does not support NAT-T to work from behind a NAT device. It typically 
does this by detecting IKE/IPsec traffic and forwarding all IPsec 
related communications to a single host behind the NAT. In other words, 
if one host attempts to connect to the gateway, the firewall sees IKE ( 
UDP port 500 ) traffic and immediately creates dynamic rules to forward 
all incoming IKE/NAT-T/ESP/AH/IPcomp traffic back to the host that 
initiated the communications.

If (3) is true, the rule set MUST allow communications to the IKE 
& NAT-T UDP ports ( 500 & 4500 ) from *any* UDP port and not just the 
same ports. In other words, the client will always try to communicate 
from 500 -> 500 & 4500 -> 4500. But the NAT will translate the source 
port to a different value if the source port is already in use. If the 
firewall protecting the gateway only allows 500 -> 500 & 4500 -> 4500, 
the first client behind a single NAT device will probably be able to 
connect properly ( map1 X -> X ) but the second won't ( map2 ? -> X ) 
because there is already a NAT mapping to the same destination.

As for (4), I would hit up the ipsec-tools-devel mailing list. There 
have been other reports about racoon running on some *nix platforms 
where multiple hosts behind a NAT have issues. Yvan was working on some 
PF_KEY cleanups for the source code which, I believe, are intended to 
fix this issue.

I know it's a lot of if/then information, but I hope this helps.

Thanks,

-Matthew
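
The NAT/firewall interaction behind points (2) and (3) above, as an added example that is not part of the original post or of the Shrew Soft client: a toy model of a port-preserving NAT with two clients behind it, a gateway-side firewall with the "500 -> 500 & 4500 -> 4500 only" rule set beside the corrected "any source port -> 500/4500" rule set, and a legacy IPsec pass-through mode that pins inbound IKE/NAT-T traffic to one inside host. All addresses, ports and the pass-through classification rule (matching on the gateway's source port) are constructed assumptions for the demo.

```python
"""Added example (not from the original post): a toy model of the two
failure modes described in the thread. A NAT keeps the first client's
source ports (500/4500) but must rewrite the second client's, so a
gateway firewall that only admits 500->500 and 4500->4500 drops the
second client. Legacy IPsec pass-through separately sends every inbound
IKE/NAT-T packet to one pinned host. Addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

IKE_PORT = 500     # IKE / ISAKMP
NATT_PORT = 4500   # NAT-T (UDP-encapsulated IKE and ESP)

GATEWAY = "203.0.113.1"                       # constructed VPN gateway address
CLIENTS = ("192.168.1.10", "192.168.1.11")    # constructed inside hosts


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    """Port-preserving NAPT: keeps the inside source port on the public side
    when it is free and allocates an ephemeral port when it is already taken."""
    public_ip: str
    next_ephemeral: int = 40000
    # (inside ip, inside port) -> public source port
    table: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            if pkt.src_port not in self.table.values():
                pub = pkt.src_port            # first host keeps 500 / 4500 (map1 X -> X)
            else:
                pub = self.next_ephemeral     # second host is rewritten (map2 ? -> X)
                self.next_ephemeral += 1
            self.table[key] = pub
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, passthrough_host: Optional[str] = None) -> Optional[str]:
        """Return the inside host that receives a packet sent to the public IP."""
        # Assumption for the demo: a pass-through device classifies IKE/NAT-T by the
        # gateway's source port and forwards all of it to the single pinned host.
        if passthrough_host is not None and pkt.src_port in (IKE_PORT, NATT_PORT):
            return passthrough_host
        for (ip, _port), pub in self.table.items():   # normal reverse mapping
            if pub == pkt.dst_port:
                return ip
        return None


def strict_policy(pkt: Packet) -> bool:
    """Gateway firewall that only allows 500->500 and 4500->4500 (the bug)."""
    return pkt.dst_port in (IKE_PORT, NATT_PORT) and pkt.src_port == pkt.dst_port


def correct_policy(pkt: Packet) -> bool:
    """Gateway firewall that allows any UDP source port to 500 and 4500."""
    return pkt.dst_port in (IKE_PORT, NATT_PORT)


def simulate(policy: Callable[[Packet], bool], clients=CLIENTS,
             gateway=GATEWAY) -> Tuple[Nat, Dict[str, bool]]:
    """Send IKE then NAT-T from each client through one NAT; report who gets through."""
    nat = Nat(public_ip="198.51.100.7")      # constructed public address of the NAT
    ok: Dict[str, bool] = {}
    for client in clients:
        passed = True
        for port in (IKE_PORT, NATT_PORT):    # client always sends 500->500, 4500->4500
            on_wire = nat.outbound(Packet(client, port, gateway, port))
            passed = passed and policy(on_wire)
        ok[client] = passed
    return nat, ok


if __name__ == "__main__":
    for name, policy in (("strict", strict_policy), ("correct", correct_policy)):
        nat, ok = simulate(policy)
        print(name, ok, nat.table)
```

With the strict policy only the first client passes; with the corrected policy both do, and the NAT table shows the second client's 500 and 4500 rewritten to ephemeral ports, which is exactly the traffic the strict rule set rejects. The pass-through case shows the other problem: a reply destined for the second client's mapped port is delivered to the pinned first host instead.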
