> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Martin Hedenfalk
> Sent: Friday, August 17, 2007 09:22 AM
> To: OpenBSD
> Subject: IPsec problems with multiple clients behind same NAT
> 
> 
> Hello misc,
> 
> I'm having problems with two IPsec tunnels from two different peers
> behind the same NAT, to the same responder. All hosts are running
> OpenBSD 4.1, including the NATing gateway. One peer can connect just
> fine, but when the other tries to establish a tunnel (with a different
> tunneled network), the first SA is just deleted. The two peers are now
> continuously "competing". I get a lot of INVALID_COOKIE messages from
> isakmpd.
> 
> It's the same problem as reported in this post:
> http://archives.neohapsis.com/archives/openbsd/2007-05/0628.html
> However, the "Shared-SADB" parameter mentioned doesn't have any 
> effect for me.
> 
> I've sort of tracked this down to a call to sa_delete() in
> ipsec_handle_leftover_payload() in src/sbin/isakmpd/ipsec.c. This
> function calls sa_lookup_by_peer() which apparently matches both of my
> SAs. I disabled the sa_delete() loop and now both of my SAs stay up
> fine, but I'm not really sure what I've done.
> 
> Does anyone (developer?) have any thoughts about this?
> 
> TIA
> /Martin
> 

OK... my IPsec foo is really not all that powerful, so if anyone out there
finds me to be completely wrong, please point and laugh, but here is the
problem you are having as far as I understand it.

IPSec does not create more than one VPN tunnel coming from the same IP
address.  With your IPSec server being behind the NAT, every connection
that comes to it looks (to the IPSec server) as coming from the IP address
of the NAT firewall.  So, it isn't all that surprising that it is dropping
one connection as soon as the next comes in.

Now, as to how to fix this...  You are probably going to need someone with
a little more experience setting this up to help you.  I'm sure I could do
it if I needed to (given enough time) but I'd have to do a crap load of
reading to figure it out, and well... you can read... and I don't have the
time.  No offence intended.

As for possible issues with the fix that you have created for yourself by
disabling the sa_delete() loop: golly gee, mister, I dunno. As a personal
policy I don't muck around in OpenBSD's code because quite frankly I ain't
all that smart.

Hope this helped at least a little.

s
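
The failure mode the thread is circling, modelled as an added example (this is not isakmpd code and not code from either poster): a toy responder-side SA table whose lookup keys on the peer address alone, as Martin reports sa_lookup_by_peer() behaving, so a second client arriving from the same NAT address matches the first client's SA and the delete loop removes it. The second match function, which also compares the UDP port the NAT assigned to each client, is a hypothetical illustration of what a finer-grained key would have to distinguish, not a description of any isakmpd change; the addresses, ports and networks are constructed for the example.

```c
/*
 * Toy model of responder-side SA bookkeeping.  Not isakmpd code: it models
 * an SA table keyed the way the post reports sa_lookup_by_peer() behaving
 * (peer address only) and contrasts it with a hypothetical key that also
 * uses the UDP port the NAT assigned.  All addresses/ports/nets are made up.
 */
#include <stdio.h>
#include <string.h>

#define MAX_SAS 8

struct sa {
	char peer_addr[16];     /* address the responder sees the peer at */
	unsigned peer_port;     /* UDP source port the responder sees */
	char remote_net[24];    /* tunneled network negotiated for this SA */
	int active;             /* 0 once "deleted" */
};

struct sadb {
	struct sa sas[MAX_SAS];
	int n;
};

typedef int (*peer_match_fn)(const struct sa *, const char *, unsigned);

int sadb_active_count(const struct sadb *db)
{
	int i, c = 0;
	for (i = 0; i < db->n; i++)
		c += db->sas[i].active;
	return c;
}

/* Peer address only: both clients behind one NAT look like the same peer. */
int match_by_addr(const struct sa *s, const char *addr, unsigned port)
{
	(void)port;
	return strcmp(s->peer_addr, addr) == 0;
}

/* Hypothetical finer key: address plus the port the NAT mapped the client to. */
int match_by_addr_port(const struct sa *s, const char *addr, unsigned port)
{
	return strcmp(s->peer_addr, addr) == 0 && s->peer_port == port;
}

/*
 * Model of the leftover-payload handling the post points at: a new
 * negotiation from a peer first deletes every existing SA the lookup returns
 * for that peer, then installs the new SA.  Returns the number deleted, or
 * -1 if the table is full.
 */
int handle_new_negotiation(struct sadb *db, const char *addr, unsigned port,
    const char *net, peer_match_fn match)
{
	int i, deleted = 0;
	struct sa *s;

	for (i = 0; i < db->n; i++) {
		s = &db->sas[i];
		if (s->active && match(s, addr, port)) {
			s->active = 0;      /* sa_delete() in the model */
			deleted++;
		}
	}
	if (db->n >= MAX_SAS)
		return -1;
	s = &db->sas[db->n++];
	strncpy(s->peer_addr, addr, sizeof s->peer_addr - 1);
	s->peer_addr[sizeof s->peer_addr - 1] = '\0';
	s->peer_port = port;
	strncpy(s->remote_net, net, sizeof s->remote_net - 1);
	s->remote_net[sizeof s->remote_net - 1] = '\0';
	s->active = 1;
	return deleted;
}

/*
 * The scenario from the post: two clients behind the same NAT (the responder
 * sees both at 203.0.113.1) each bring up a tunnel for a different network.
 * Returns how many SAs the second client's negotiation knocked out.
 */
int two_clients_behind_nat(struct sadb *db, peer_match_fn match)
{
	memset(db, 0, sizeof *db);
	handle_new_negotiation(db, "203.0.113.1", 4500, "10.1.0.0/24", match);
	return handle_new_negotiation(db, "203.0.113.1", 4501, "10.2.0.0/24", match);
}

int scenario_deleted(peer_match_fn match)
{
	struct sadb db;
	return two_clients_behind_nat(&db, match);
}

int scenario_active(peer_match_fn match)
{
	struct sadb db;
	two_clients_behind_nat(&db, match);
	return sadb_active_count(&db);
}

int main(void)
{
	printf("address-only key: second client deleted %d SA(s), %d active\n",
	    scenario_deleted(match_by_addr), scenario_active(match_by_addr));
	printf("address+port key: second client deleted %d SA(s), %d active\n",
	    scenario_deleted(match_by_addr_port), scenario_active(match_by_addr_port));
	return 0;
}
```

With the address-only key the second negotiation deletes the first client's SA and only one tunnel survives, which is the "competing" behaviour Martin describes; with the address-plus-port key both SAs stay up. The model says nothing about why isakmpd's real lookup matched both SAs in his setup, only what the collision looks like.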
