On 2018-06-01, J Vans <3...@startmail.com> wrote:
> I am trying to route all of my ipv4 traffic through a particular server 
> using OpenIKED. I have it successfully set up so that each client can 
> connect, and the traffic passes through correctly, but it only works for 
> one client at a time. If Client A is connected by itself things work 
> just fine, but once I connect Client B, Client B works and client A no 
> longer is able to pass any traffic out. I restart IKED on Client A, and 
> Client B loses its connection.
>
> I searched through misc and didn't find anyone talking about exactly 
> what I was trying to do, and a web search turned up one useful result 
> that claims using ikev2 I cannot do this without ipv6. 
> https://serverfault.com/questions/775238/two-road-warrior-clients-behind-the-same-nat-device-ikev2-strongswan-libreswa
> The claim that nat can't differentiate between the traffic of each 
> client makes sense to me, but there is a lot I do not know.

The claim in that reply about needing IPv6 and NAT not working is
nonsense; the port numbers are different. This is exactly what NAT-T
fixes.

> I know that traffic can be tagged by IKED and have tried routing by tag 
> in pf to no avail. However, it is possible I have not done this correctly.
>
> My questions are:
>
> 1. If I want multiple "road warrior" clients behind nat in IKED do I 
> need to implement ipv6?
>
> 2. Is there a different way to accomplish this besides ipv6?
>

I don't have a setup handy to test at the moment but I don't think 
there's anything special to do here. If you show your config (iked,
pf, outline of network setup) maybe somebody will notice something?
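
The port-number point made earlier in this reply, as an added example that is not part of the original thread: a simplified Python model of a source NAT in front of two clients, comparing UDP-encapsulated traffic (NAT-T, UDP 4500) with raw ESP. All addresses and ports are constructed, and the "last sender owns replies" handling of raw ESP is a modelling assumption, not the behaviour of any particular NAT.

```python
# Simplified model (added example): a source NAT in front of two IPsec clients.
# All addresses and ports are constructed; real NAT implementations differ.
from itertools import count

NAT_PUBLIC_IP = "203.0.113.10"  # constructed, documentation range
NATT_PORT = 4500                # IKEv2 NAT traversal runs over UDP 4500

class SourceNat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.udp_out = {}       # (inside ip, inside port) -> public port
        self.udp_in = {}        # public port -> (inside ip, inside port)
        self.esp_owner = None   # raw ESP has no ports to key a mapping on
        self._next_port = count(50000)

    def outbound_udp(self, src_ip, src_port):
        """Translate an outgoing UDP packet; returns what the server sees."""
        key = (src_ip, src_port)
        if key not in self.udp_out:
            public_port = next(self._next_port)
            self.udp_out[key] = public_port
            self.udp_in[public_port] = key
        return (self.public_ip, self.udp_out[key])

    def inbound_udp(self, dst_port):
        """Map a reply arriving on a public port back to the inside host."""
        return self.udp_in.get(dst_port)

    def outbound_esp(self, src_ip):
        """Raw ESP (IP protocol 50). Assumption: the last sender owns replies."""
        self.esp_owner = src_ip
        return self.public_ip

    def inbound_esp(self):
        return self.esp_owner

def demo():
    nat = SourceNat(NAT_PUBLIC_IP)
    clients = {"A": "192.168.1.10", "B": "192.168.1.11"}  # constructed
    # With NAT-T both clients send UDP from port 4500; the NAT rewrites each
    # flow to a distinct public port, so the server sees two different peers.
    peers = {n: nat.outbound_udp(ip, NATT_PORT) for n, ip in clients.items()}
    udp_back = {n: nat.inbound_udp(port) for n, (_, port) in peers.items()}
    # Without UDP encapsulation both clients look identical from outside.
    for ip in clients.values():
        nat.outbound_esp(ip)
    return peers, udp_back, nat.inbound_esp()

if __name__ == "__main__":
    print(demo())
```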

