Jaime Vargas wrote:
> As far as I know, there's a well-known issue with NAT-T that makes
> it impossible to connect simultaneously to a VPN using L2TP over IPSec
> from two Windows clients which reside behind the same NAT box. Problem

Hi Jaime,

> a) Is the cause of this issue established?
> b) Is there any solution or workaround (involving Windows XP as the
> clients and strongSwan + l2tpns + NETKEY at the server)?

I *believe* that this is a known issue. The problem is that the 
L2TP daemon on the Linux side sends packets to the public IP address of 
the NAT box (which get secured by IPsec before they leave the machine). 
With two clients behind the same NAT box (and therefore behind the same 
public IP address) it is unclear on which Security Association those 
packets have to be sent across. There are two overlapping entries in the 
Security Policy Database (SPD) and the kernel just does not know which 
one to choose.

I'm not 100% sure if this information is correct. But I do know that 
there are commercial software products out there which do not use L2TP 
but IKEv1 with mode config and virtual IPs and therefore do not suffer 
from those issues. The downside is that one license of the product I 
endorse costs about 100 Euros.

> c) If not, is a solution for this in the works, or being considered?

Windows 7 is reported to work ok with *IKEv2*. But I think that's 
irrelevant for your purposes.

-Daniel
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
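The overlapping-SPD situation Daniel describes, as an added toy model that is not part of this thread and not the NETKEY or strongSwan code: two outbound policies for clients behind one NAT box carry identical selectors when the client port is wildcarded, so a reply packet matches both. The server and NAT addresses, the port numbers and the idea of narrowing each policy to the NAT-assigned port are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard selector component

@dataclass(frozen=True)
class Policy:
    """One outbound SPD entry: traffic selectors plus the SA (reqid) it maps to."""
    name: str
    reqid: int
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: int = 17  # UDP

    def matches(self, src_ip, src_port, dst_ip, dst_port, proto) -> bool:
        return (self.src_ip == src_ip and self.dst_ip == dst_ip and self.proto == proto
                and (self.src_port is ANY or self.src_port == src_port)
                and (self.dst_port is ANY or self.dst_port == dst_port))

def spd_lookup(spd: List[Policy], pkt: Tuple) -> List[Policy]:
    """Return every policy whose selectors match the packet, in table order.
    A real kernel takes the first hit; more than one hit means the choice is ambiguous."""
    return [p for p in spd if p.matches(*pkt)]

SERVER = "198.51.100.10"   # constructed: VPN server public address
NAT = "203.0.113.7"        # constructed: public address of the clients' NAT box

# Two L2TP transport-mode policies with the client port left as a wildcard (assumption
# about how the policies are installed). Both clients sit behind the same NAT, so the
# two entries end up with identical selectors.
wildcard_spd = [
    Policy("client-A", 1, SERVER, 1701, NAT, ANY),
    Policy("client-B", 2, SERVER, 1701, NAT, ANY),
]

# Same two tunnels, each policy narrowed to the UDP port the NAT assigned to that client
# (assumption: the NAT rewrites the second client's source port 1701 to a distinct port).
narrowed_spd = [
    Policy("client-A", 1, SERVER, 1701, NAT, 1701),
    Policy("client-B", 2, SERVER, 1701, NAT, 40123),
]

def outbound_reply(spd: List[Policy], client_port: int) -> List[str]:
    """Simulate the L2TP daemon answering a client: UDP from server:1701 to NAT:client_port."""
    pkt = (SERVER, 1701, NAT, client_port, 17)
    return [p.name for p in spd_lookup(spd, pkt)]

if __name__ == "__main__":
    print("wildcard ports, reply to B:", outbound_reply(wildcard_spd, 40123))
    print("narrowed ports, reply to B:", outbound_reply(narrowed_spd, 40123))
```

With wildcard ports the reply to client B matches both entries and the kernel's first-match rule silently picks client A's SA; with the narrowed selectors each reply matches exactly one policy.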
