Messages

1

17.7 Legacy Series / Re: mobile IKE clients behind same NAT

« on: October 30, 2017, 05:40:40 pm »

Thanks guys.
Although I don't control this environment, but at least I know how to talk to the admin on the other side.

Regards,
MG00

2

17.7 Legacy Series / mobile IKE clients behind same NAT

« on: October 30, 2017, 03:11:57 pm »

Hello,

I seem to be having an issue with mobile IKE clients when they are behind same NAT.
When only one client is connected, everything seems to work perfectly, but when second client connects, no traffic to neither of them seems to come through.

The setup I have is:
- IKEv2
- EAP-RADIUS for client authentication
- AES256 + SHA256, DH group 2 in Phase 1
- Disabled Reauth and Rekey
- NAT Traversal - Force
- Phase 2 local network is 0.0.0.0/0
- Phase 2 KE is ESP, AES auto, SHA1 and SHA256, PFS off

It works very well with Win10 builtin VPN client (anyone setting up please remember to install server CA certificate for Phase 1, I have propagated it through AD).
Everything seems to be working OK when the clients' connections are coming from different IPs - authentication is done, all traffic goes through the tunnel and routes back.

The situation changes when clients are behind same NAT (their public IP is same). When second client connects, neither of the clients traffic works. It comes back to life when one disconnects.
I have some supposition that it might be correlated to having same source and destination in Security Associations. It comes from the fact that when I had clients behind same NAT but with load balancing through 2 different IPs, the traffic problem appeared only after third client connected.

On the VPN IPSec logfile I cannot see anything disturbing and clients seem to identify themselves with both NATed (external) as well as internal IP.

Has anyone tried setting up mobile IKE VPN for clients behind the same NAT? Am I missing something obvious?

Thanks in advance for any help.
Regards,
MG00