On 8/17/07, stuart van Zee <[EMAIL PROTECTED]> wrote:

(snip original message)

>
> Ok... my IPSEC foo is really not all that powerful so if anyone out there
> finds me to be completely wrong, please point and laugh, but here is the
> problem you are having as far as I understand it.
>
> IPSec does not create more than one VPN tunnel coming from the same IP
> address. With your IPSec server being behind the NAT, every connection
> that comes to it looks (to the IPSec server) as coming from the IP address
> of the NAT firewall. So, it isn't all that surprising that it is dropping
> one connection as soon as the next comes in.

Hi Stuart,

Well, I do think it is a bit surprising that it won't distinguish between
connections from the same IP but with different udpencap ports.

> Now, as to how to fix this... You are probably going to need someone with
> a little more experience setting this up to help you. I'm sure I could do
> it if I needed to (given enough time) but I'd have to do a crap load of
> reading to figure it out, and well... you can read... and I don't have the
> time. No offence intended.
>
> As for possible issues with the fix that you have created for yourself by
> disabling the sa_delete() loop. Golly gee mister, I donno. As a personal
> policy I don't muck around in OpenBSD's code because quite frankly I ain't
> all that smart.

Well, it's just code :-)

I added a debug printf around the suspected code:

Aug 17 16:12:18 bzero isakmpd[30231]: XXX: looking for a matching peer to 83.176.211.105:57628
Aug 17 16:12:18 bzero isakmpd[30231]: XXX: found matching peer 83.176.211.105:60903
Aug 17 16:12:18 bzero isakmpd[30231]: ipsec_handle_leftover_payload: INITIAL-CONTACT made us delete SA 0x896c2b00

The SA lookup function calls net_addrcmp(3). From the manpage:

"... if each socket address structure's sa_len and sa_family fields match,
the protocol-specific data (the sa_data field) is compared"

But only the sin_addr (for INET family, and similar for INET6) is compared,
not the port. Why?

I'm now testing with the following patch:

http://bzero.se/patches/isakmpd-multi-nat-peers-patch.diff

(the first two hunks are just debug logging)

> Hope this helped at least a little.

Thank you for your reply!

/Martin
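The point of the thread is that an address-only peer comparison collapses two NAT-T clients behind one NAT into a single peer, while a comparison that also looks at the UDP encapsulation port keeps them apart. The following is an added, stand-alone illustration, not isakmpd's code and not the contents of the patch linked above: addr_only_cmp mirrors the behaviour Martin describes (family and address compared, port ignored; sa_len is not checked here because it does not exist on every platform), and addr_port_cmp is the assumed alternative that also compares the port. The two peer addresses are constructed from the ports in the log lines above.

```c
/*
 * Added example: address-only vs. address-plus-port comparison of two
 * NAT-T peers that share one public IP. Not isakmpd's code; the function
 * names and the sample peers are assumptions for illustration.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Address-only comparison: family and IP address only, port ignored.
 * Returns 0 when the two addresses are considered equal, nonzero otherwise. */
int addr_only_cmp(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 1;
    switch (a->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)a;
        const struct sockaddr_in *b4 = (const struct sockaddr_in *)b;
        return memcmp(&a4->sin_addr, &b4->sin_addr, sizeof a4->sin_addr) != 0;
    }
    case AF_INET6: {
        const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)a;
        const struct sockaddr_in6 *b6 = (const struct sockaddr_in6 *)b;
        return memcmp(&a6->sin6_addr, &b6->sin6_addr, sizeof a6->sin6_addr) != 0;
    }
    default:
        return 1;
    }
}

/* Address-plus-port comparison: as above, but a port mismatch also counts
 * as a different peer, so two clients behind one NAT with different
 * udpencap source ports are kept apart. Returns 0 when equal. */
int addr_port_cmp(const struct sockaddr *a, const struct sockaddr *b)
{
    if (addr_only_cmp(a, b) != 0)
        return 1;
    if (a->sa_family == AF_INET) {
        const struct sockaddr_in *a4 = (const struct sockaddr_in *)a;
        const struct sockaddr_in *b4 = (const struct sockaddr_in *)b;
        return a4->sin_port != b4->sin_port;
    }
    if (a->sa_family == AF_INET6) {
        const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)a;
        const struct sockaddr_in6 *b6 = (const struct sockaddr_in6 *)b;
        return a6->sin6_port != b6->sin6_port;
    }
    return 1;
}

/* Build a sockaddr_in from dotted-quad text and a host-order port.
 * Returns 0 on success, -1 if the address text is not valid IPv4. */
int make_v4(const char *ip, uint16_t port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* 1 if an address-only lookup would treat the two peers as the same peer,
 * 0 if it would keep them apart, -1 on a bad address string. */
int collides_addr_only(const char *ip1, uint16_t p1, const char *ip2, uint16_t p2)
{
    struct sockaddr_in a, b;
    if (make_v4(ip1, p1, &a) != 0 || make_v4(ip2, p2, &b) != 0)
        return -1;
    return addr_only_cmp((const struct sockaddr *)&a, (const struct sockaddr *)&b) == 0;
}

/* Same question for the address-plus-port lookup. */
int collides_addr_port(const char *ip1, uint16_t p1, const char *ip2, uint16_t p2)
{
    struct sockaddr_in a, b;
    if (make_v4(ip1, p1, &a) != 0 || make_v4(ip2, p2, &b) != 0)
        return -1;
    return addr_port_cmp((const struct sockaddr *)&a, (const struct sockaddr *)&b) == 0;
}

int main(void)
{
    /* Constructed sample: the two NAT-T peers from the log lines above. */
    const char *nat = "83.176.211.105";
    printf("addr-only lookup treats %s:57628 and %s:60903 as one peer: %d\n",
           nat, nat, collides_addr_only(nat, 57628, nat, 60903));
    printf("addr+port lookup treats them as one peer: %d\n",
           collides_addr_port(nat, 57628, nat, 60903));
    return 0;
}
```

With the address-only comparison the second client's lookup matches the first client's SA, which is exactly the situation in which an INITIAL-CONTACT from the new peer would tear down the existing one; with the port included, the two entries stay distinct. Whether including the port is the right fix for isakmpd's own lookup is what the linked patch is testing, and this example makes no claim about that.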