IPSec + L2TP + NAT-Traversal does not work for multiple clients behind same nat

I have recently configured a VPN server hosted in AWS EC2. Details: Centos 6.4, openswan, xl2tpd, NAT-traversal. The configuration works great for a scenario when only one user connects from a given public IP address behind NAT. But when there are multiple clients behind the same NAT, every new client connection drops the old one. Looking at logs I can make a conclusion that l2tp treats all connections from the same NAT as one.

Am I missing something? Is there a solution?

Your help is much appreciated.


Solution 1:

IPSEC is very sensitive to NATted clients. You need to read about how to enable NAT traversal features on both clients and server. Out of the box it may detect only the public IP of the NATted clients and then kick out an older connection.

Second thing to check, very important in fact: you may need certificates for each client. A simple preshared key is not enough to establish identity for multiple clients, in case you have been using this until now.

That said, I gave up on IPSEC and moved to OpenVPN or tinc setups which use SSL and can traverse NAT more easily. The configuration of IPSEC can make you cry, even if it is still a very good encryption/authentication method.
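To make the two points of the answer concrete, here is an added example of what the openswan `ipsec.conf` on the server could look like; it is not the answerer's or the asker's configuration. It shows the shared-secret connection with NAT traversal enabled, and beside it a certificate-based connection where each client carries its own identity. Both connections also set openswan's `overlapip` option, which permits IPsec SAs from different peers that share one outside address; the answer does not name that option, so treat it as an assumption to verify against your openswan version. Certificate paths, names and the private address ranges are placeholders; the xl2tpd side is omitted.

```ini
# Added example, not from the question or answer above. Placeholder paths/names.
config setup
    # Enable NAT traversal (UDP encapsulation) on the server side
    nat_traversal=yes
    # Private ranges clients may sit behind; remove any range that overlaps the server's own LAN
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey

# Shared-secret form, as used in the question. All clients present the same
# identity, so only the source address distinguishes them.
conn L2TP-PSK-NAT
    authby=secret
    left=%defaultroute
    # EC2 itself sits behind 1:1 NAT: set leftid to the public (elastic) IP if clients check it
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Accept a virtual (private) client address, or none
    rightsubnet=vhost:%priv,%no
    forceencaps=yes
    type=transport
    pfs=no
    # Assumption: allow SAs from different peers behind the same outside address
    overlapip=yes
    auto=add

# Certificate form: each client is identified by its own certificate, so two
# clients behind one NAT are distinct peers rather than one peer reconnecting.
conn L2TP-CERT-NAT
    authby=rsasig
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/vpn-server.pem   # placeholder path
    leftrsasigkey=%cert
    leftid=%fromcert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    # Only accept client certs issued by the same CA as the server cert
    rightca=%same
    rightprotoport=17/%any
    rightsubnet=vhost:%priv,%no
    forceencaps=yes
    type=transport
    pfs=no
    overlapip=yes
    auto=add
```

After changing the file, run `ipsec verify` and `ipsec auto --status` to confirm NAT traversal is active and that a second client behind the same NAT appears as a separate peer instead of replacing the first one.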