This is a topic that I find mixed information on. Is it possible to have two IPSec road warriors that are behind the same NAT, even with an ASA as the VPN endpoint? I have been trying with Libreswan w/ XAUTH+PSK and IKEv2+certs to no avail. I am starting to wonder if this is an IPSec limitation.
IPSec - Is it possible to have remote access clients (road warriors) all behind the same NAT device?
- Why is this tagged with [tag:strongswan] when you used Libreswan? If you actually used strongSwan, thanks to NAT Traversal it should definitely be possible to use multiple road warriors behind the same NAT. – ecdsa May 12 '16 at 07:18
- @ecdsa - There is no Libreswan tag and it's basically the same thing. Sorry for the confusion. I've found that NAT-T allows me to traverse a NAT by encapsulating in UDP 4500; however, multiple clients behind the same NAT cause issues – WCCPGuy9898 May 12 '16 at 18:11
- The two projects are actually quite different. And multiple clients behind the same NAT should work fine with NAT-T unless your NAT device does something strange (or you use transport mode), as e.g. in [this strongSwan example](https://www.strongswan.org/testing/testresults/ikev2/nat-rw) showing two hosts behind the same NAT. You should provide more information on the issues you are seeing (e.g. where and which packets are dropped or don't reach the right host). – ecdsa May 13 '16 at 05:12
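The following is an added illustration, not code from the thread or from strongSwan or Libreswan. It models why UDP encapsulation on port 4500 lets a port-translating NAT keep two road warriors apart, and why transport mode can still collide. The addresses, the sequential port allocation and the "last ESP sender wins" NAT behaviour are constructed assumptions; real NAT devices differ.

```python
NAT_PUBLIC_IP = "203.0.113.10"              # constructed (documentation range)
CLIENTS = ["192.168.1.10", "192.168.1.11"]  # constructed road warriors

class Napt:
    """Port-translating NAT, simplified: one public IP, sequential public ports."""
    def __init__(self):
        self.out = {}          # (inside_ip, inside_port) -> public_port
        self.back = {}         # public_port -> (inside_ip, inside_port)
        self.next_port = 40000
        self.esp_owner = None  # raw ESP carries no port to key a mapping on

    def outbound_udp(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return NAT_PUBLIC_IP, self.out[key]

    def inbound_udp(self, public_port):
        return self.back.get(public_port)

    def outbound_esp(self, src_ip):
        self.esp_owner = src_ip  # assumption: this NAT remembers only the last ESP sender
        return NAT_PUBLIC_IP

    def inbound_esp(self):
        return self.esp_owner

def natt_view(clients):
    """NAT-T: every client sends ESP-in-UDP from port 4500.
    Returns (what the gateway sees per client, where the gateway's replies land)."""
    nat = Napt()
    seen = {c: nat.outbound_udp(c, 4500) for c in clients}
    replies = {c: nat.inbound_udp(port) for c, (_, port) in seen.items()}
    return seen, replies

def raw_esp_replies(clients):
    """No NAT-T: replies to the shared public IP all go to one inside host."""
    nat = Napt()
    for c in clients:
        nat.outbound_esp(c)
    return {c: nat.inbound_esp() for c in clients}

def selector_conflict(seen, mode):
    """Transport mode selects on the post-NAT address, tunnel mode on the inner
    address (here the client's own private IP). True means the SAs overlap."""
    addrs = [ip if mode == "transport" else c for c, (ip, _) in seen.items()]
    return len(set(addrs)) < len(addrs)
```

When debugging a real setup, the equivalent check is to capture on the gateway and confirm that the two clients arrive from the same public IP with different UDP source ports.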