OPNsense Forum » Archive » 17.7 Legacy Series » mobile IKE clients behind same NAT

Author Topic: mobile IKE clients behind same NAT  (Read 1398 times)

mg00 (Newbie, Posts: 2, Karma: 0)
mobile IKE clients behind same NAT
« on: October 30, 2017, 03:11:57 pm »
Hello,

I seem to be having an issue with mobile IKE clients when they are behind same NAT.
When only one client is connected, everything seems to work perfectly, but when a second client connects, no traffic to either of them seems to come through.

The setup I have is:
- IKEv2
- EAP-RADIUS for client authentication
- AES256 + SHA256, DH group 2 in Phase 1
- Disabled Reauth and Rekey
- NAT Traversal - Force
- Phase 2 local network is 0.0.0.0/0
- Phase 2 KE is ESP, AES auto, SHA1 and SHA256, PFS off

It works very well with the Win10 built-in VPN client (anyone setting this up, please remember to install the server CA certificate for Phase 1; I have propagated it through AD).
Everything seems to be working OK when the clients' connections come from different IPs: authentication is done, all traffic goes through the tunnel and routes back.

The situation changes when the clients are behind the same NAT (their public IP is the same). When the second client connects, neither client's traffic works. It comes back to life when one of them disconnects.
I have a supposition that it might be correlated with having the same source and destination in the Security Associations. It comes from the fact that when I had clients behind the same NAT but with load balancing through 2 different IPs, the traffic problem appeared only after the third client connected.

In the IPsec VPN log file I cannot see anything disturbing, and the clients seem to identify themselves with both the NATed (external) and the internal IP.

Has anyone tried setting up a mobile IKE VPN for clients behind the same NAT? Am I missing something obvious?

Thanks in advance for any help.
Regards,
MG00

mimugmail (Hero Member, Posts: 5180, Karma: 362)
Re: mobile IKE clients behind same NAT
« Reply #1 on: October 30, 2017, 03:29:43 pm »
The problem is that the firewall in front of the clients has to handle this correctly.
I already had this with IKEv1 years ago, and it was one of the reasons to switch to SSL VPN.

IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

xinnan (Full Member, Posts: 125, Karma: 13)
Re: mobile IKE clients behind same NAT
« Reply #2 on: October 30, 2017, 03:51:44 pm »
Static port mapping on port 500 may help if you control the router/firewall.
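The failure mode the original post describes (two clients behind one public IP) and the static port mapping suggested in the reply above both come down to how the NAT assigns external UDP ports for NAT-T traffic. The following is an added example, not code from the thread, from OPNsense or from strongSwan: a small Python model in which the responder can tell NAT-T peers apart only by the outer (public IP, external port) tuple. It contrasts a NAT that preserves the inner port when free and otherwise allocates a distinct one with a NAT that pins every inside host to the same external port. All addresses, ports and host names are constructed sample data, and the "passthrough" variant is an assumption for illustration: the thread reports the symptom, not what the remote NAT actually did.

```python
"""Model of NAT-Traversal demultiplexing for several IKEv2 clients behind one NAT.

Added example, not code from the forum thread or from OPNsense/strongSwan.
All IPs, ports and host names below are constructed sample data.
"""
from collections import defaultdict

NATT_PORT = 4500  # UDP port carrying IKE and UDP-encapsulated ESP once NAT is detected


def nat_mappings(inside_hosts, public_ip, preserve_port=True, first_dynamic=1024):
    """Model a NAT's outbound UDP mappings for inside hosts all sending from UDP/4500.

    preserve_port=True mimics a port-preserving NAT (pf 'static-port'): the inner
    port is kept while it is still free, which is what lets a single client keep
    500/4500 end to end. Once an earlier host holds that port, the NAT must pick
    another free port, otherwise the two hosts look identical to the responder.
    Returns {inside_host: (public_ip, external_port)} in connection order.
    """
    mappings, used, next_port = {}, set(), first_dynamic
    for host in inside_hosts:
        if preserve_port and NATT_PORT not in used:
            ext = NATT_PORT
        else:
            while next_port in used or next_port == NATT_PORT:
                next_port += 1
            ext = next_port
        used.add(ext)
        mappings[host] = (public_ip, ext)
    return mappings


def passthrough_mappings(inside_hosts, public_ip):
    """Model a NAT 'IPsec passthrough' that pins UDP/4500 to one external port for
    every inside host. Assumption for illustration only; the thread does not say
    what the remote NAT did."""
    return {host: (public_ip, NATT_PORT) for host in inside_hosts}


def endpoint_collisions(mappings):
    """Return the outer (ip, port) tuples shared by more than one client.
    A responder that keys its NAT-T state on that tuple can serve only one of them."""
    by_outer = defaultdict(list)
    for host, outer in mappings.items():
        by_outer[outer].append(host)
    return {outer: hosts for outer, hosts in by_outer.items() if len(hosts) > 1}


class Responder:
    """Minimal responder view: one NAT-T peer per outer tuple, replies go to it."""

    def __init__(self):
        self.peer_by_outer = {}

    def connect(self, client, outer):
        """Register a client's SA under its outer tuple and report a clash if a
        different client already owns it (the later one overwrites; simplification)."""
        previous = self.peer_by_outer.get(outer)
        self.peer_by_outer[outer] = client
        return "ok" if previous in (None, client) else f"collision with {previous}"

    def reply_target(self, outer):
        """Which inside host the responder's replies for this outer tuple reach."""
        return self.peer_by_outer.get(outer)


def main():
    clients = ["10.0.0.11", "10.0.0.12"]  # constructed inside hosts behind one NAT
    good = nat_mappings(clients, "203.0.113.7")
    bad = passthrough_mappings(clients, "203.0.113.7")
    for label, m in (("port-allocating NAT", good), ("passthrough NAT", bad)):
        print(label, m, "collisions:", endpoint_collisions(m))
    responder = Responder()
    for client in clients:
        print(client, "->", responder.connect(client, bad[client]))


if __name__ == "__main__":
    main()
```

Run it as a script to see that the port-allocating NAT yields distinct outer tuples (4500 for the first client, a dynamic port for the second) and no collision, while the passthrough variant puts both clients on 203.0.113.7:4500 so the responder's second registration clashes with the first. In the real deployment the equivalent check is to compare the remote address and port of each mobile client's IKE SA as the responder lists them: two connected clients showing the same public IP and the same port is the condition this model flags.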

mg00 (Newbie, Posts: 2, Karma: 0)
Re: mobile IKE clients behind same NAT
« Reply #3 on: October 30, 2017, 05:40:40 pm »
Thanks guys.
I don't control this environment, but at least I know how to talk to the admin on the other side.

Regards,
MG00
