From: Brian Candler <b.candler@pobox.com>
To: Chuck Swiger
Cc: jeff@norristechs.net, freebsd-isp@freebsd.org
Date: Tue, 15 Aug 2006 13:19:12 +0100
Subject: Re: VPN through NAT?
Message-ID: <20060815121912.GA89848@uk.tiscali.com>
References: <200608141219.AA2031742@mail.norristechs.net>
List-Id: Internet Services Providers <freebsd-isp@freebsd.org>

On Mon, Aug 14, 2006 at 11:53:04AM -0700, Chuck Swiger wrote:
> If you have multiple clients trying to use the VPN from behind NAT,
> note that you can only have one VPN endpoint per externally routable
> IP

This depends on the implementation of your IPSEC termination device.

The tests I've done are using L2TP over IPSEC transport mode as the VPN
access method. The following termination devices work properly, even with
multiple clients behind the same NAT firewall, or multiple clients using the
same local IP address (e.g. 192.168.1.1) but behind different NAT firewalls.

* Cisco IOS (you need a recent version and "set nat demux")
* Juniper ERX310

However, the following do not:

* Juniper Netscreen
* Linux (l2tpd)
* FreeBSD (sl2tps)

There's no fundamental reason why it can't work - the firewall simply NATs
each stream to a different UDP source port. It's just that many IPSEC
implementations don't take NAT-T into account when looking up SPIs in their
SADB.

Regards,

Brian.
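A simplified model of the demux the message describes, added here as an example and not code from any of the products named in the thread: two clients behind one NAT reach the terminator from the same public address but on different UDP source ports, and an SA table that ignores that port collapses them onto one entry while one that keys on it keeps both. The RFC 3948 framing (port 4500, zero Non-ESP marker for IKE, ESP header of SPI and sequence number) is real; the addresses, ports, SPIs and client names are constructed.

```python
import struct
# Constructed model of a VPN terminator receiving UDP/4500 NAT-T datagrams
# (RFC 3948): a body starting with four zero bytes is IKE (the "Non-ESP
# marker"); anything else begins with an ESP header, 32-bit SPI then 32-bit seq.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

def parse_nat_t(body):
    """Return ('ike', None) or ('esp', spi) for one UDP/4500 datagram body."""
    if len(body) < 8:
        raise ValueError("NAT-T body shorter than an ESP header")
    if body[:4] == NON_ESP_MARKER:
        return ("ike", None)
    spi, _seq = struct.unpack("!II", body[:8])
    return ("esp", spi)

class Sadb:
    """Inbound SA table. With key_on_port=False the peer's NAT-T UDP port is
    ignored, so every client behind one public address collapses onto one
    entry, which is the one-endpoint-per-public-IP limitation quoted above."""
    def __init__(self, key_on_port):
        self.key_on_port = key_on_port
        self.sas = {}

    def _key(self, peer_ip, peer_port):
        return (peer_ip, peer_port if self.key_on_port else None)

    def install(self, peer_ip, peer_port, spi, client):
        self.sas[self._key(peer_ip, peer_port)] = (spi, client)

    def demux(self, peer_ip, peer_port, body):
        """Map one inbound datagram to a client name, 'ike', or None (dropped)."""
        kind, spi = parse_nat_t(body)
        if kind != "esp":
            return kind
        entry = self.sas.get(self._key(peer_ip, peer_port))
        if entry is None or entry[0] != spi:
            return None  # SPI does not match the SA found: packet is dropped
        return entry[1]

def run_scenario(key_on_port):
    """Two clients behind one NAT; the NAT gives each stream its own source port."""
    sadb = Sadb(key_on_port)
    sadb.install("203.0.113.5", 40001, 0x1001, "client-A")  # constructed values
    sadb.install("203.0.113.5", 40002, 0x1002, "client-B")
    esp_a = struct.pack("!II", 0x1001, 1) + b"\xaa" * 16  # ESP from client A
    esp_b = struct.pack("!II", 0x1002, 1) + b"\xbb" * 16  # ESP from client B
    ike = NON_ESP_MARKER + b"\x00" * 28                    # IKE from client A
    return (sadb.demux("203.0.113.5", 40001, esp_a),
            sadb.demux("203.0.113.5", 40002, esp_b), sadb.demux("203.0.113.5", 40001, ike))
```

With the port ignored, client B's SA overwrites client A's and A's ESP traffic is dropped; with the port in the key both clients are served from the same public address.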