OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: mg00 on October 30, 2017, 03:11:57 pm

Title: mobile IKE clients behind same NAT
Post by: mg00 on October 30, 2017, 03:11:57 pm
Hello,

I seem to be having an issue with mobile IKE clients when they are behind the same NAT.
When only one client is connected, everything seems to work perfectly, but when the second client connects, no traffic to either of them seems to come through.

The setup I have is:
- IKEv2
- EAP-RADIUS for client authentication
- AES256 + SHA256, DH group 2 in Phase 1
- Disabled Reauth and Rekey
- NAT Traversal - Force
- Phase 2 local network is 0.0.0.0/0
- Phase 2 KE is ESP, AES auto, SHA1 and SHA256, PFS off

It works very well with Win10 builtin VPN client (anyone setting up please remember to install server CA certificate for Phase 1, I have propagated it through AD).
Everything seems to be working OK when the clients' connections are coming from different IPs - authentication is done, all traffic goes through the tunnel and routes back.

The situation changes when clients are behind the same NAT (their public IP is the same). When the second client connects, neither client's traffic works. It comes back to life when one disconnects.
I have some supposition that it might be correlated with having the same source and destination in the Security Associations. It comes from the fact that when I had clients behind the same NAT but with load balancing through 2 different IPs, the traffic problem appeared only after the third client connected.

On the VPN IPSec logfile I cannot see anything disturbing and clients seem to identify themselves with both NATed (external) as well as internal IP.

Has anyone tried setting up mobile IKE VPN for clients behind the same NAT? Am I missing something obvious?

Thanks in advance for any help.
Regards,
MG00
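As an added example (not code from mg00's post, from OPNsense or from strongSwan), the following Python models the condition the post suspects: two IKEv2/NAT-T clients behind one NAT only stay distinguishable to the server if the NAT gives each of them its own public UDP port for ESP-in-UDP. The script contains a minimal source-NAT table with a correct mapping policy and a faulty one, a constructed status-line format (it is not OPNsense's or strongSwan's real output), and a check that flags established SAs whose remote (address, port) endpoint is shared by more than one client identity. All addresses and identities are constructed for the example.

```python
"""Added example: model NAT port allocation for IKEv2 NAT-T clients and
detect IKE SAs that share one remote (ip, port) endpoint.

The status-line format, addresses and identities below are constructed for
this example; they are not OPNsense's or strongSwan's real status output.
"""
import re
from collections import defaultdict

IKE_PORT = 500      # IKE (UDP)
NATT_PORT = 4500    # IKE NAT-T / ESP-in-UDP (UDP)


class Nat:
    """Minimal source-NAT table for UDP.

    port_preserving=True keeps the client's source port when it is still free
    and otherwise hands out the next free high port. allow_collision=True is
    the faulty behaviour being modelled: every inner host keeps its source
    port even when another host already holds that public port (what a
    pinned "static port" rule effectively does for more than one host).
    """

    def __init__(self, public_ip, port_preserving=True, allow_collision=False):
        self.public_ip = public_ip
        self.port_preserving = port_preserving
        self.allow_collision = allow_collision
        self.table = {}          # (inner_ip, inner_port) -> (public_ip, public_port)
        self.used_ports = set()
        self.next_port = 1024

    def translate(self, inner_ip, inner_port):
        key = (inner_ip, inner_port)
        if key in self.table:
            return self.table[key]
        if self.allow_collision:
            port = inner_port
        elif self.port_preserving and inner_port not in self.used_ports:
            port = inner_port
        else:
            # pick a free high port, never reusing the well-known IKE ports
            while self.next_port in self.used_ports or self.next_port in (IKE_PORT, NATT_PORT):
                self.next_port += 1
            port = self.next_port
        self.used_ports.add(port)
        self.table[key] = (self.public_ip, port)
        return self.table[key]


# Constructed status-line format: "<conn>: ESTABLISHED id=<identity> remote=<ip>:<port> ..."
SA_LINE = re.compile(r"ESTABLISHED\s+id=(?P<id>\S+)\s+remote=(?P<ip>[\d.]+):(?P<port>\d+)")


def status_lines_for(nat, clients):
    """Simulate each client bringing up NAT-T from UDP 4500 through `nat`
    and return constructed server-side status lines for the resulting SAs."""
    lines = []
    for identity, inner_ip in clients:
        pub_ip, pub_port = nat.translate(inner_ip, NATT_PORT)
        lines.append(f"con-mobile: ESTABLISHED id={identity} remote={pub_ip}:{pub_port} ESP in UDP")
    return lines


def find_colliding_peers(status_lines):
    """Group established SAs by remote (ip, port). Two different identities
    on one endpoint means the server receives both clients' ESP-in-UDP
    traffic from an identical 5-tuple and cannot keep their SAs apart."""
    peers = defaultdict(set)
    for line in status_lines:
        m = SA_LINE.search(line)
        if m:
            peers[(m["ip"], int(m["port"]))].add(m["id"])
    return {ep: sorted(ids) for ep, ids in peers.items() if len(ids) > 1}


if __name__ == "__main__":
    clients = [("user1@example.test", "10.0.0.5"), ("user2@example.test", "10.0.0.6")]
    for label, nat in (("correct NAT", Nat("198.51.100.7")),
                       ("colliding NAT", Nat("198.51.100.7", allow_collision=True))):
        lines = status_lines_for(nat, clients)
        print(label, "->", find_colliding_peers(lines) or "no shared endpoints")
```

With the correct table the second client is mapped to a different public port and `find_colliding_peers` returns nothing; with the faulty table both SAs sit on 198.51.100.7:4500 and the check names both identities, which is the server-side symptom to look for before asking the remote administrator about their NAT's port handling.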
Title: Re: mobile IKE clients behind same NAT
Post by: mimugmail on October 30, 2017, 03:29:43 pm
The problem is that the firewall in front of the clients has to handle this correctly.
I had this already with IKEv1 years ago, and it was one of the reasons to switch to SSL VPN.

Title: Re: mobile IKE clients behind same NAT
Post by: xinnan on October 30, 2017, 03:51:44 pm
Static port mapping on port 500 may help if you control the router/firewall.
Title: Re: mobile IKE clients behind same NAT
Post by: mg00 on October 30, 2017, 05:40:40 pm
Thanks guys.
I don't control this environment, but at least I know how to talk to the admin on the other side.

Regards,
MG00