[Openswan Users]
Brian Candler
B.Candler at pobox.com
Tue May 16 14:20:22 CEST 2006
On Sun, May 14, 2006 at 09:39:36PM +0200, Paul Wouters wrote:
> On Sun, 14 May 2006, Brian Candler wrote:
>
> > On Sun, May 14, 2006 at 05:35:11PM +0200, Paul Wouters wrote:
> > > It is likely Microsoft
> > > and Cisco have done this. I am not sure about OSX. I'm pretty sure no open
> > > source software has fixed this before us.
> >
> > From testing eval units, I've found that the following commercial products
> > support multiple Microsoft L2TP/IPSEC clients sitting behind the same NAT
> > firewall:
> >
> > * Cisco IOS (not old versions, must have "set nat demux" feature)
> > * Juniper ERX
>
> But do they support two clients behind different NAT routers using the
> same internal IP address of (eg factory default linksys 192.168.1.101) ?
Yes, they both work correctly in this circumstance too. I have just tested
them with the following rig:
10.69.255.248/28                            212.x.x.x
2K ---------------------------------------- FW --------------> Internet

10.69.255.248/28          172.17.x.x        82.x.x.x
XP ---------------------- FW -------------- FW --------------> Internet
Both machines can bring up tunnels to the same terminator (ERX or IOS) at
the same time, and the machines can ping each other using their
L2TP-assigned endpoint addresses.
A final test which I want to do, but won't be able to build for the next day
or two, is:
10.69.255.248                               212.x.x.x
2K ---------------------------------------- FW --------------> Internet

10.69.255.248             172.17.x.x        82.x.x.x
XP ---------------------- FW ---+---------- FW --------------> Internet
                                |
10.69.255.248                   |
XP ---------------------- FW ---+
Here, the two XP machines will have both the same private IP *and* the same
public IP :-) But I doubt that's a situation which will ever occur in
practice.
Regards,
Brian.
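As an added illustration that is not part of Brian's message (nor code from Openswan, Cisco or Juniper), here is a toy Python model of the demux the thread is about: a terminator that identifies each client by the SA its packets arrived on and sends replies to that SA's recorded NAT outer tuple, so clients that share 10.69.255.248, or share one public address, stay distinct. Client labels, SPIs, the endpoint pool and the 203.0.113.5 / 198.51.100.7 public addresses are constructed stand-ins for the rig in the message.

```python
# Added illustration, not code from this thread or from Openswan, Cisco or
# Juniper: a toy L2TP/IPsec terminator that tells clients apart by the SA a
# packet arrived on and answers via that SA's recorded NAT-T outer tuple.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sa:
    name: str         # client label (constructed)
    outer_ip: str     # NAT router's public address as seen by the terminator
    outer_port: int   # UDP port the NAT chose for the client's 4500/udp flow
    spi: int          # inbound ESP SPI the terminator allocated for this SA

class Terminator:
    def __init__(self, pool):
        self.pool = list(pool)    # L2TP endpoint addresses to hand out
        self.by_spi = {}          # inbound SPI -> Sa (unique per SA)
        self.by_endpoint = {}     # assigned endpoint address -> Sa

    def connect(self, sa):
        """Bring up a tunnel and hand the client an endpoint address."""
        if sa.spi in self.by_spi:
            raise ValueError("SPI already in use")
        endpoint = self.pool.pop(0)
        self.by_spi[sa.spi] = sa
        self.by_endpoint[endpoint] = sa
        return endpoint

    def inbound(self, spi, inner_src):
        """Demux a decapsulated L2TP packet by the SA it arrived on.
        inner_src (e.g. '10.69.255.248:1701') is deliberately unused:
        every client behind a factory-default NAT may carry the same one."""
        return self.by_spi[spi].name

    def outbound(self, to_endpoint):
        """Return the (public IP, port) a reply must be encapsulated to."""
        sa = self.by_endpoint[to_endpoint]
        return (sa.outer_ip, sa.outer_port)

def build_rig():
    """Constructed stand-in for the second rig in the message: 203.0.113.5
    and 198.51.100.7 replace the 212.x.x.x and 82.x.x.x addresses."""
    t = Terminator(["10.69.254.1", "10.69.254.2", "10.69.254.3"])
    sas = [Sa("2K", "203.0.113.5", 4500, 0x1001),
           Sa("XP-1", "198.51.100.7", 4500, 0x1002),
           Sa("XP-2", "198.51.100.7", 17821, 0x1003)]  # same NAT as XP-1
    endpoints = {sa.name: t.connect(sa) for sa in sas}
    return t, sas, endpoints
```

All three clients present the same inner source 10.69.255.248:1701 after decapsulation; only the SA lookup, and the outer tuple stored with it, keeps their tunnels and return paths apart.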