VPN IPSec – Connecting Multiple Remote Users with L2TP IPSec VPN


Can someone explain to me why it isn't possible to connect 2 or more clients to a VPN server when the users are behind the same public IP (NAT/PAT)?

What I mean is: if there is already a user connected to the VPN, when another user in the same network (same public IP) tries to connect to the same VPN, the first connection goes down.

If PAT/NAT-T changes the private IP to the public one, and the source port to another source port but keeps track of it, to associate the original source port to the NATed one, I see no reason for it not to work. After a quick search I've found many people on the internet with the same question and problem, but I never found a good explanation about it.

Thanks!

Best Answer

This depends on the type of VPN used; there are VPN systems working using:

  • TCP
  • UDP
  • Special protocols (such as GRE)

For VPN systems working with TCP and/or UDP there is no technical reason for such a restriction.

"Special protocols" however are often not understood by the NAT router. In this case two things may happen:

  • The NAT router will deny routing the unknown packet type completely

    (Even if there is only one computer...)

  • Because the NAT router does not know the protocol it is not able to find out the (equivalent of the) "port number" of the packet. It does not even know if the protocol used has an equivalent of "port numbers" at all!

    (There are protocols which do not have "port numbers".)

    This means that the only information the NAT can extract from packets sent from the VPN server to the client is the IP address of the server.

    When two different computers behind the NAT connect to the same VPN server the NAT has no possibility to find out which of the two computers is the receiver of this packet.

Isn't there any explanation or real example of what happens to the packets to understand it better?

Let's look at a UDP transfer through a NAT:

  • Two computers behind the NAT send some UDP packets to the same computer in the internet; let's say they use the same source and destination port numbers
  • The NAT receives the packet and checks the packet type: It's UDP. This means that the port numbers are found in the first 4 bytes of the packet
  • The NAT replaces the source addresses of both packets by its own "global" address; it also replaces the source port numbers
  • The NAT also "remembers" (in its RAM) that it replaced the source port number in the first packet by the port number A and the source port number in the second packet by the port number B
  • The packet is now sent to the server in the internet
  • The server answers with a response which is also a UDP packet
  • If the destination port number in the packet is A the packet must be forwarded to the first computer; if it is B it must be forwarded to the second computer

Now suppose the computers do not send UDP packets but "XYZ" packets:

  • UDP and TCP packets have "port numbers"; however other protocols (like the original GRE) need not necessarily know the concept of "port numbers" at all
  • For UDP and TCP packets the port numbers are stored in the first 4 bytes of the packet; other protocols (like the new version of GRE) store the port numbers somewhere else
  • If the NAT does not know the protocol "XYZ" it cannot know ...
    • ... if "XYZ" packets contain port numbers at all and if yes ...
    • ... where in the packet the port number is stored.
  • Therefore the NAT is not able to get any information about the port number of the "XYZ" packet.
  • Therefore the NAT is not able to distinguish between "XYZ" packets sent from the server to the first computer and packets sent to the second computer.

Many (especially older) VPN systems use a combination of UDP and GRE packets; in this case the NAT will have problems with GRE packets.

With ESP ...

Seen from the NAT's perspective ESP is just another protocol like GRE or "XYZ".

... if there is only 1 computer connecting to the VPN and no ports associated to it?

In this case NATs of different manufacturers may behave differently:

Some NATs may simply not allow such a protocol. In this case using ESP, GRE, "XYZ" etc. through a NAT is simply impossible.

Other NATs might "remember" that a computer has been sending packets of a certain protocol (e.g. ESP) to a certain server and assume that all incoming packets of that type (ESP) from that server are intended for that computer.

This will of course no longer work if two computers are sending packets:

... when another user in the same network ... tries to connect to the same VPN the first connection goes down.

By the way: As far as I understand, the "SPI" field of the ESP header can be used to distinguish between different VPN connections.

So a NAT which knows the ESP protocol can allow multiple ESP connections at the same time:

It would use the "SPI" field instead of the port number to distinguish between packets intended for different computers.
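The following is an added example, not code from the original post or its author. It is a toy NAT/PAT simulator that walks through the three situations the answer describes: the UDP walkthrough (translated source ports let reply packets be demultiplexed), the "XYZ"/ESP case where a port-less protocol the NAT does not understand can only be mapped per (protocol, server) so the second inside host silently steals the first one's return traffic, and an ESP-aware NAT that keys on the SPI instead. All addresses are constructed (RFC 5737 documentation ranges). The ESP-aware branch is a simplified model of the "IPsec passthrough" heuristic found in many routers: because ESP uses a different SPI in each direction, the NAT has to learn the server-to-client SPI from the first reply that follows an inside host's outbound ESP; that learning rule is an assumption of this example, not something the answer specifies.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PROTO_UDP = 17  # IANA protocol number for UDP (has port numbers)
PROTO_ESP = 50  # IANA protocol number for ESP (no port numbers, has an SPI)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # UDP only
    dst_port: Optional[int] = None  # UDP only
    spi: Optional[int] = None       # ESP only


class NAT:
    """Minimal PAT box with a single public address (constructed model)."""

    def __init__(self, public_ip: str, esp_aware: bool = False) -> None:
        self.public_ip = public_ip
        self.esp_aware = esp_aware
        self._next_port = 40000
        self.udp_map: Dict[int, Tuple[str, int]] = {}       # public port -> (inside ip, inside port)
        self.proto_map: Dict[Tuple[int, str], str] = {}     # (proto, server) -> inside ip, last writer wins
        self.spi_map: Dict[Tuple[str, int], str] = {}       # (server, inbound SPI) -> inside ip
        self.pending: Dict[str, str] = {}                   # server -> inside host awaiting its first reply
        self.bound: Set[Tuple[str, str]] = set()            # (server, inside ip) pairs with a learned SPI

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network and record the mapping."""
        if pkt.proto == PROTO_UDP:
            port, self._next_port = self._next_port, self._next_port + 1
            self.udp_map[port] = (pkt.src_ip, pkt.src_port)
            return Packet(PROTO_UDP, self.public_ip, pkt.dst_ip, port, pkt.dst_port)
        if pkt.proto == PROTO_ESP and self.esp_aware:
            # The SPI on an outbound ESP packet belongs to the server's inbound SA, so
            # it says nothing about replies; remember who is waiting for a first reply.
            if (pkt.dst_ip, pkt.src_ip) not in self.bound:
                self.pending[pkt.dst_ip] = pkt.src_ip
        else:
            # Unknown port-less protocol ("XYZ"): all the NAT can remember is
            # "some inside host talks <proto> to <server>". A second host overwrites it.
            self.proto_map[(pkt.proto, pkt.dst_ip)] = pkt.src_ip
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, spi=pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a reply from the internet to an inside host, or drop it (None)."""
        if pkt.proto == PROTO_UDP:
            target = self.udp_map.get(pkt.dst_port)
            if target is None:
                return None
            inside_ip, inside_port = target
            return Packet(PROTO_UDP, pkt.src_ip, inside_ip, pkt.src_port, inside_port)
        if pkt.proto == PROTO_ESP and self.esp_aware:
            key = (pkt.src_ip, pkt.spi)
            if key not in self.spi_map:
                host = self.pending.pop(pkt.src_ip, None)
                if host is None:
                    return None  # nobody inside is expecting this server's ESP
                self.spi_map[key] = host
                self.bound.add((pkt.src_ip, host))
            return Packet(PROTO_ESP, pkt.src_ip, self.spi_map[key], spi=pkt.spi)
        host = self.proto_map.get((pkt.proto, pkt.src_ip))
        if host is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, host, spi=pkt.spi)


SERVER = "198.51.100.9"
PUBLIC = "203.0.113.1"
HOST_A, HOST_B = "10.0.0.2", "10.0.0.3"


def udp_scenario() -> Tuple[str, str]:
    """Two inside hosts use the same src/dst port; replies still reach the right host."""
    nat = NAT(PUBLIC)
    out_a = nat.outbound(Packet(PROTO_UDP, HOST_A, SERVER, 1701, 1701))
    out_b = nat.outbound(Packet(PROTO_UDP, HOST_B, SERVER, 1701, 1701))
    reply_a = nat.inbound(Packet(PROTO_UDP, SERVER, PUBLIC, 1701, out_a.src_port))
    reply_b = nat.inbound(Packet(PROTO_UDP, SERVER, PUBLIC, 1701, out_b.src_port))
    return reply_a.dst_ip, reply_b.dst_ip  # ('10.0.0.2', '10.0.0.3')


def esp_scenario(esp_aware: bool) -> Tuple[str, str, str]:
    """Host A connects, then host B; then the server sends A another packet."""
    nat = NAT(PUBLIC, esp_aware)
    nat.outbound(Packet(PROTO_ESP, HOST_A, SERVER, spi=0xA001))
    a1 = nat.inbound(Packet(PROTO_ESP, SERVER, PUBLIC, spi=0x1111))  # server->A SA
    nat.outbound(Packet(PROTO_ESP, HOST_B, SERVER, spi=0xB001))
    b1 = nat.inbound(Packet(PROTO_ESP, SERVER, PUBLIC, spi=0x2222))  # server->B SA
    a2 = nat.inbound(Packet(PROTO_ESP, SERVER, PUBLIC, spi=0x1111))  # more traffic for A
    return a1.dst_ip, b1.dst_ip, a2.dst_ip


if __name__ == "__main__":
    print("UDP replies land on:", udp_scenario())
    print("ESP, port-only NAT:", esp_scenario(False))  # A's later packet goes to B
    print("ESP, SPI-aware NAT:", esp_scenario(True))   # A's later packet goes to A
```

Running it shows the failure the question describes: with a NAT that only keys on (protocol, server), host A's connection is fine until host B starts, after which every ESP packet from the server is handed to B and A's tunnel dies. Keying on the SPI restores per-host delivery, which is why L2TP/IPsec clients and servers that support NAT-T (UDP encapsulation of ESP on port 4500) avoid the problem entirely by turning ESP back into something with port numbers.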