[Openswan Users]

Brian Candler B.Candler at pobox.com
Tue May 16 14:20:22 CEST 2006

On Sun, May 14, 2006 at 09:39:36PM +0200, Paul Wouters wrote:
> On Sun, 14 May 2006, Brian Candler wrote:
> > On Sun, May 14, 2006 at 05:35:11PM +0200, Paul Wouters wrote:
> > > It is likely Microsoft
> > > and Cisco have done this. I am not sure about OSX. I'm pretty sure no open
> > > source software has fixed this before us.
> >
> > From testing eval units, I've found that the following commercial products
> > support multiple Microsoft L2TP/IPSEC clients sitting behind the same NAT
> > firewall:
> >
> > * Cisco IOS (not old versions, must have "set nat demux" feature)
> > * Juniper ERX
> But do they support two clients behind different NAT routers using the
> same internal IP address of (eg factory default linksys  ?

Yes, they both work correctly in this circumstance too. I have just tested
them with the following rig:

                                             212.x.x.x
   2K  ---------------------------------------- FW --------------> Internet
                           172.17.x.x        82.x.x.x
   XP  ---------------------- FW -------------- FW --------------> Internet

Both machines can bring up tunnels to the same terminator (ERX or IOS) at
the same time, and the machines can ping each other using their
L2TP-assigned endpoint addresses.

A final test which I want to do, but won't be able to build for the next day
or two, is:

                                             212.x.x.x
   2K  ---------------------------------------- FW --------------> Internet
                           172.17.x.x        82.x.x.x
   XP  ---------------------- FW ---+---------- FW --------------> Internet
                                    |                |
   XP  ---------------------- FW ---+

Here, the two XP machines will have both the same private IP *and* the same
public IP :-) But I doubt that's a situation which will ever occur in
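The point the thread is circling (the "nat demux" feature) is that once clients sit behind NAT, neither the client's private address nor even the public address it arrives from is unique; only the (public IP, UDP port) pair assigned by the outermost NAT to its UDP 4500 flow is. The following simulation is an added illustration and is not code from the thread, from Openswan, or from any of the products named above. It models the second rig with constructed addresses and NAT behaviour (the `Nat`, `Packet` and `Responder` classes and all addresses are assumptions for the simulation) and shows what happens when a terminator keys its sessions on the client's own address versus on the NAT-assigned address/port:

```python
# Added example: why a NAT-traversed L2TP/IPsec terminator must demultiplex
# clients by the NAT-assigned (public IP, UDP port) pair, not by the address
# the client claims for itself. Everything here is constructed for the demo.

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Addr = Tuple[str, int]  # (ip, udp_port)


@dataclass
class Nat:
    """Minimal NAT: every distinct inside (ip, port) flow gets its own outside port."""
    public_ip: str
    next_port: int = 1024
    table: Dict[Addr, int] = field(default_factory=dict)

    def translate(self, src: Addr) -> Addr:
        if src not in self.table:
            self.table[src] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[src])


@dataclass(frozen=True)
class Packet:
    outer_src: Addr   # source address/port as the terminator sees it on the wire
    client_id: str    # private address the client reports about itself (hypothetical NAT-OA-style field)


class Responder:
    """Toy terminator that keeps one session per key."""

    def __init__(self, demux_by_nat_port: bool):
        self.demux_by_nat_port = demux_by_nat_port
        self.sessions: Dict[object, str] = {}

    def key_for(self, pkt: Packet) -> object:
        # Broken choice: key on what the client says its address is.
        # Correct choice: key on where the packet actually came from.
        return pkt.outer_src if self.demux_by_nat_port else pkt.client_id

    def accept(self, pkt: Packet, name: str) -> bool:
        key = self.key_for(pkt)
        if key in self.sessions and self.sessions[key] != name:
            return False  # admitting this client would clobber another client's session
        self.sessions[key] = name
        return True


def send_through(path: List[Nat], src: Addr) -> Addr:
    """Walk a packet's source address through a chain of NAT devices."""
    for nat in path:
        src = nat.translate(src)
    return src


def simulate(demux_by_nat_port: bool) -> Tuple[Dict[str, bool], int]:
    # Constructed version of the second rig from the thread:
    #   2K  -> FW (198.51.100.10)                      -> Internet
    #   XP1 -> FW (172.17.0.2) --+-> FW (203.0.113.5)  -> Internet
    #   XP2 -> FW (172.17.0.3) --+
    # All three clients use the same factory-default private address.
    fw_2k = Nat("198.51.100.10")
    fw_xp1 = Nat("172.17.0.2")
    fw_xp2 = Nat("172.17.0.3")
    fw_shared = Nat("203.0.113.5")
    clients = {
        "2K":  ("192.168.1.100", [fw_2k]),
        "XP1": ("192.168.1.100", [fw_xp1, fw_shared]),
        "XP2": ("192.168.1.100", [fw_xp2, fw_shared]),
    }
    responder = Responder(demux_by_nat_port)
    results = {}
    for name, (private_ip, path) in clients.items():
        outer = send_through(path, (private_ip, 4500))  # UDP 4500 = NAT-T port
        results[name] = responder.accept(Packet(outer, private_ip), name)
    return results, len(responder.sessions)


if __name__ == "__main__":
    print("keyed on client address :", simulate(False))  # only the first client survives
    print("keyed on NAT addr/port  :", simulate(True))   # all three coexist
```

With the naive key, the second and third clients collide with the first even though they are behind different routers, which is exactly the symptom the thread describes the commercial terminators as having fixed; with the NAT-assigned key, the two XP machines coexist even though they share both their private address and, after the second FW, their public address.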