From owner-freebsd-net@FreeBSD.ORG Thu May 12 00:55:13 2011
From: "Dr. Rolf Jansen" <rj@cyclaero.com>
Date: Wed, 11 May 2011 21:43:35 -0300
To: freebsd-net@freebsd.org
Subject: multiple clients behind the same NAT connecting a L2TP/IPsec VPN server behind another NAT
Message-Id: <042051F4-D309-4317-BBE5-5DF9DEEB342C@cyclaero.com>
List-Id: Networking and TCP/IP with FreeBSD

I have set up a VPN server on my FreeBSD 8.2-RELEASE i386 machine, using the following requisites:

- customized GENERIC kernel built with the following additional options and devices: IPSEC, IPSEC_FILTERTUNNEL, IPSEC_NAT_T, crypto, enc
- ports/security/ipsec-tools (v0.8.0) compiled with NATT enabled and NATTF disabled
- ports/net/mpd5 (v5.5)

The server sits in the DMZ behind a SOHO router. Everything is working fine so far. I can establish connections from multiple external clients at the same time. Even connections from within a NAT'ed local network via the internet to my L2TP/IPsec server do work.

The only remaining problem is that from behind the same NAT only one client works well. As soon as a connection between a second client and the server has been established, the communication of both breaks down. The racoon log shows nothing noticeable here, and according to the log both connections are established successfully; nevertheless, the communication is blocked. racoon is configured to generate unique policies.

When a client disconnects from the server, racoon usually purges 2 IPsec-SAs shortly after. The interesting thing in the case of 2 clients from the same NAT is that it purges one IPsec-SA from the client just disconnected, and 1 belonging to the client that is still connected. So, it seems that the internal SA housekeeping of racoon got confused.

I have been investigating this for some days already, and finally I would like to ask the experts whether this is perhaps an issue of the ipsec-tools (racoon/setkey), and not with my setup. I am willing to spend more time on this only if there is some chance that this can be resolved.

So, is there anybody out there who can successfully establish VPN connections from multiple clients behind the same NAT to an L2TP/IPsec server running ipsec-tools and mpd5?

If yes, could we discuss my setup in more detail?

If no, I would still be grateful for some insights.

BTW: Using only mpd5, I also set up a PPTP VPN server running in parallel to the L2TP/IPsec one. Multiple PPTP VPN clients behind the same NAT work perfectly well with my server, so I tend to believe that it is really an issue with the IPsec part and not with the L2TP (mpd5) part of my setup.

Many thanks in advance for any reply.

Best regards

Rolf
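An added diagnostic for the situation described above; it is not part of the original message or of ipsec-tools. It parses `setkey -D` output and checks that every client (address, NAT-T port) tuple seen by the server owns exactly one inbound and one outbound ESP SA, which is the pairing the message says racoon disturbs when a second client from the same NAT connects or disconnects. The sample output, the server address 192.168.0.10 and the assumed field layout of FreeBSD's `setkey -D` are constructed.

```python
import re
from collections import defaultdict

# Constructed sample shaped like FreeBSD `setkey -D` output for NAT-T ESP SAs (real
# output is tab-indented; the layout is an assumption). Both clients share NAT 189.54.106.151.
SAMPLE_SETKEY_D = """\
189.54.106.151[4500] 192.168.0.10[4500]
    esp-udp mode=transport spi=16909060(0x01020304) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.0.10[4500] 189.54.106.151[4500]
    esp-udp mode=transport spi=33752069(0x02030405) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.0.10[4500] 189.54.106.151[62001]
    esp-udp mode=transport spi=50595078(0x03040506) reqid=0(0x00000000)
"""

HEADER = re.compile(r"^(\S+)\[(\d+)\]\s+(\S+)\[(\d+)\]\s*$")   # src[port] dst[port]
PROTO = re.compile(r"^\s+(esp-udp|esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(")

def parse_sas(text):
    """One dict per SA: endpoints, NAT-T ports, protocol, mode and SPI."""
    sas, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # unindented line starts a new SA entry
            current = {"src": m.group(1), "sport": int(m.group(2)),
                       "dst": m.group(3), "dport": int(m.group(4))}
            continue
        m = PROTO.match(line)
        if m and current is not None:  # first indented line carries proto/spi
            current.update(proto=m.group(1), mode=m.group(2), spi=int(m.group(3)))
            sas.append(current)
            current = None
    return sas

def sa_inventory(sas, server_ip):
    """Group SAs by remote (address, NAT-T port); split into inbound/outbound."""
    inv = defaultdict(lambda: {"in": [], "out": []})
    for sa in sas:
        if sa["dst"] == server_ip:
            inv[(sa["src"], sa["sport"])]["in"].append(sa["spi"])
        elif sa["src"] == server_ip:
            inv[(sa["dst"], sa["dport"])]["out"].append(sa["spi"])
    return dict(inv)

def check_pairs(inv):
    """Every client tuple should own exactly one inbound and one outbound SA."""
    return [(ip, port, f"{len(d[way])} {way}bound SA(s)")
            for (ip, port), d in sorted(inv.items())
            for way in ("in", "out") if len(d[way]) != 1]
```

Run `check_pairs(sa_inventory(parse_sas(text), server_ip))` on captured `setkey -D` text once after the second client connects and again after one disconnects; two clients behind one NAT must show up as two distinct port tuples, and a tuple reporting 0 or 2 SAs in one direction is the mispairing to chase.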