Hello,

Can multiple IPSEC VPN clients (road-warrior type & private IP addresses) connect to a VPN server from behind a NAT firewall?

The reason I pose this is: We have a linux firewall (not VPN gateway). As long as a private internal IP address is NAT'ed to a unique external address on the outgoing interface of the firewall, things are normal. But if more than one VPN client from the private network gets masqueraded to the outgoing interface, authentication is not even possible. This is observed from TCPdump.

Reason: Let the outgoing interface of the firewall be 28.29.30.31. Let there be 2 VPN clients: 192.168.17.20 and 192.168.17.40.

Then the first client (say 192.168.17.20) which requests authentication from the remote VPN server (there is no VPN gateway at our end), sends a request from 192.168.17.20-port isakmp. The firewall on its behalf sends a request from 28.29.30.31-port isakmp and the remote VPN server responds correctly to 28.29.30.31-port isakmp and client is authenticated.

The 2nd client sends a request from 192.168.17.40-port isakmp. The firewall cannot reuse port isakmp and instead sends an authentication request from 28.29.30.31-port 12 (say). The remote VPN server INCORRECTLY responds to 28.29.30.31-port isakmp where it should have responded to port 12 of our firewall !!! So the firewall passes on the packet to the first VPN client (which is already authenticated).

Is it part of VPN protocol for a VPN server to reply authentication requests to port isakmp? Or is it a configuration issue for the remote VPN server?

Regards,
TOny
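
The port collision described in the message above, modelled as a small simulation of the firewall's masquerade table. This is an added example, not part of the original post: the names `MasqueradeNat`, `reply_port` and `simulate` are hypothetical, the addresses and port 12 are the ones given in the message, and 500 is the UDP port registered for isakmp.

```python
ISAKMP = 500                      # UDP port registered for isakmp (IKE)
PUBLIC_IP = "28.29.30.31"         # firewall's outgoing interface, from the post

class MasqueradeNat:
    """Minimal source-NAT table: one public IP, a unique public port per flow."""
    def __init__(self, public_ip, fallback_ports):
        self.public_ip = public_ip
        self.fallback = iter(fallback_ports)   # ports used when the original is taken
        self.by_public_port = {}               # public port -> (private ip, private port)

    def outbound(self, src_ip, src_port):
        """Translate an outgoing packet; return the (ip, port) the server sees."""
        for port, owner in self.by_public_port.items():
            if owner == (src_ip, src_port):
                return self.public_ip, port    # flow already has a mapping
        port = src_port if src_port not in self.by_public_port else next(self.fallback)
        self.by_public_port[port] = (src_ip, src_port)
        return self.public_ip, port

    def inbound(self, dst_port):
        """Return the private endpoint a reply to dst_port is delivered to, or None."""
        return self.by_public_port.get(dst_port)

def reply_port(seen_src_port, fixed_port=None):
    """Port the server answers to: a fixed port if set, else the request's source port."""
    return fixed_port if fixed_port is not None else seen_src_port

def simulate(fixed_port):
    """Run both clients through the NAT; map each client to whoever receives its reply."""
    nat = MasqueradeNat(PUBLIC_IP, fallback_ports=[12])   # port 12 as in the post
    delivered = {}
    for client in ("192.168.17.20", "192.168.17.40"):
        _, seen_port = nat.outbound(client, ISAKMP)
        delivered[client] = nat.inbound(reply_port(seen_port, fixed_port))
    return delivered

if __name__ == "__main__":
    for label, fixed in (("server replies to port isakmp", ISAKMP),
                         ("server replies to the request's source port", None)):
        print(label)
        for client, got in simulate(fixed).items():
            print(f"  reply meant for {client} delivered to {got}")
```

With the fixed reply port, the second client's reply lands on the table entry owned by 192.168.17.20, which matches the tcpdump observation in the message; with replies sent to the request's source port, each client receives its own reply.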