Date:      Tue, 15 Aug 2006 13:19:12 +0100
From:      Brian Candler <B.Candler@pobox.com>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        jeff@norristechs.net, freebsd-isp@freebsd.org
Subject:   Re: VPN through NAT?
Message-ID:  <20060815121912.GA89848@uk.tiscali.com>
In-Reply-To: <DFFD05B9-3A23-403E-95D4-28DB53621643@mac.com>
References:  <200608141219.AA2031742@mail.norristechs.net> <DFFD05B9-3A23-403E-95D4-28DB53621643@mac.com>

On Mon, Aug 14, 2006 at 11:53:04AM -0700, Chuck Swiger wrote:
> If you have multiple clients trying to use the VPN from behind NAT,  
> note that you can only have one VPN endpoint per externally routable  
> IP

This depends on the implementation of your IPSEC termination device.

The tests I've done are using L2TP over IPSEC transport mode as the VPN
access method.

The following termination devices work properly, even with multiple clients
behind the same NAT firewall, or multiple clients using the same local IP
address (e.g. 192.168.1.1) but behind different NAT firewalls.

* Cisco IOS (you need a recent version and "set nat demux")
* Juniper ERX310

However, the following do not:

* Juniper Netscreen
* Linux (l2tpd)
* FreeBSD (sl2tps)

There's no fundamental reason why it can't work - the firewall simply NATs
each stream to a different UDP source port. It's just that many IPSEC
implementations don't take NAT-T into account when looking up SPIs in their
SADB.

Regards,

Brian.



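The failure mode Brian describes (an IPsec termination device that does not take the NAT-T UDP source port into account when it maps inbound ESP to an SA) can be shown with a small simulation. The following is an added example, not code from this thread or from any of the products named in it: it parses constructed UDP-encapsulated ESP datagrams in the RFC 3948 layout (UDP header, then ESP SPI and sequence number), and compares an SADB keyed on the peer's public IP alone against one keyed on SPI plus the (public IP, NAT-T port) pair. Client names, addresses, ports, SPIs and payloads are all made up for the demonstration.

```python
"""Simulated gateway-side SA lookup for UDP-encapsulated ESP (NAT-T).

Added example, not code from the thread or from any product it names.
Addresses, ports, SPIs and payloads are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    private_ip: str      # address the client has on its own LAN (hypothetical)
    nat_public_ip: str   # address its NAT presents to the gateway
    natt_port: int       # UDP source port after the NAT rewrote the client's 4500
    spi: int             # SPI the gateway assigned to this client's inbound SA


# Constructed sample population: A and B share one NAT (same public IP,
# different NAT-assigned ports); C and D use the same private address
# behind two different NATs.
CLIENTS = [
    Client("A", "192.168.1.10", "203.0.113.5",  40001, 0x1000),
    Client("B", "192.168.1.11", "203.0.113.5",  40002, 0x2000),
    Client("C", "192.168.1.1",  "198.51.100.7", 40003, 0x3000),
    Client("D", "192.168.1.1",  "192.0.2.9",    40004, 0x4000),
]


def build_udp_encap_esp(client, seq, payload):
    """UDP-encapsulated ESP as the gateway sees it after NAT (RFC 3948 layout):
    UDP header [sport, dport=4500, length, checksum] then ESP [SPI, seq, ...]."""
    esp = struct.pack("!II", client.spi, seq) + payload
    udp = struct.pack("!HHHH", client.natt_port, 4500, 8 + len(esp), 0)
    return client.nat_public_ip, udp + esp


def parse_udp_encap_esp(src_ip, datagram):
    """Return ((src_ip, src_port), spi, seq, esp_body), or raise on junk."""
    if len(datagram) < 16:
        raise ValueError("too short for UDP header plus ESP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != 4500 or length != len(datagram):
        raise ValueError("not a well-formed UDP/4500 datagram")
    spi, seq = struct.unpack("!II", datagram[8:16])
    if spi == 0:
        # RFC 3948 non-ESP marker: IKE carried on port 4500, not ESP
        raise ValueError("IKE, not ESP")
    return (src_ip, sport), spi, seq, datagram[16:]


class PeerKeyedSadb:
    """One SA per peer IP address, NAT-T port ignored: the shape of table the
    thread says breaks when several clients sit behind the same NAT."""
    def __init__(self):
        self.by_peer = {}

    def install(self, client):
        self.by_peer[client.nat_public_ip] = client   # B silently evicts A

    def lookup_inbound(self, natt_src, spi):
        sa = self.by_peer.get(natt_src[0])
        return sa if sa is not None and sa.spi == spi else None


class NattAwareSadb:
    """SA selected by SPI, then checked against the NAT-T encapsulation
    address; replies go to the recorded (public IP, NAT-T port) binding."""
    def __init__(self):
        self.by_spi = {}

    def install(self, client):
        self.by_spi[client.spi] = client

    def lookup_inbound(self, natt_src, spi):
        sa = self.by_spi.get(spi)
        if sa is None or (sa.nat_public_ip, sa.natt_port) != natt_src:
            return None   # unknown SPI, or SPI arriving from another NAT binding
        return sa


def demux(sadb_cls, clients=CLIENTS):
    """Install every client, deliver one packet from each, and report which
    clients the gateway mapped to their own SA and reply binding."""
    sadb = sadb_cls()
    for c in clients:
        sadb.install(c)
    ok = {}
    for c in clients:
        src_ip, dgram = build_udp_encap_esp(c, seq=1, payload=b"\x00" * 16)
        natt_src, spi, _seq, _body = parse_udp_encap_esp(src_ip, dgram)
        sa = sadb.lookup_inbound(natt_src, spi)
        ok[c.name] = (sa is not None and sa.name == c.name
                      and (sa.nat_public_ip, sa.natt_port) == natt_src)
    return ok


if __name__ == "__main__":
    print("peer-IP keyed :", demux(PeerKeyedSadb))
    print("NAT-T aware   :", demux(NattAwareSadb))
```

With the peer-IP keyed table, client A's SA is overwritten when B (same public IP) connects, so A's packets no longer match and its replies would be sent to B's NAT binding; the NAT-T aware table keeps both, and the private addresses of C and D never enter the key, so their collision is harmless too. The strict address check in `NattAwareSadb` drops a known SPI arriving from an unexpected (IP, port) pair; a production implementation would instead update the binding after the ESP integrity check passes, since a NAT can legitimately rebind a client's port.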