[vpn-help] NAT Traversal - Using same outbound port as inbound port

Matthew Grooms mgrooms at shrew.net
Wed Mar 24 11:34:06 CDT 2010

On 3/18/2010 11:20 AM, Ben Ellis wrote:
>   Myself and a colleague are behind a Draytek 2800 Vigor and are both
> running 64-bit windows (7 and Vista).
> We are connecting to a Cisco PIX using the latest Shrewsoft client (2.1.6).
> When we connect individually we have no problem, but if we both try to
> connect simultaneously (using different VPN Group Ids) one of us gets
> disconnected.
> However, everyone else using the Cisco client on 32-bit windows doesn’t
> have a problem.
> I noticed in the NAT Sessions that the shrewsoft software is attempting
> Nat-Traversal on OUTBOUND port 4500, whereas the Cisco client connects
> on a random outbound port. I suspect what is happening is when both
> clients try to connect using Nat-T with the same outbound port, the
> Draytek is dropping the NAT-Session for the first client in favour of
> the second for outbound traffic on 4500.
> Can I configure Shrewsoft VPN Client to use a different local endpoint
> port, while still connecting to the 4500 port on the destination endpoint?

This is not currently configurable. Why wouldn't the Draytek device just 
translate the source port to another port just like it should for any 
other UDP traffic? It sounds to me like it has some sort of VPN 
pass-through feature enabled which causes the source port to _not_ be 
translated. This will surely break multiple clients behind a single NAT 
device. Can you not disable this?


More information about the vpn-help mailing list