Can someone explain to me why it isn't possible to connect 2 or more clients to a VPN server when the users are behind the same public IP (NAT/PAT)?
What I mean is: if there is already a user connected to the VPN, when another user in the same network (same public IP) tries to connect to the same VPN, the first connection goes down.
If PAT/NAT-T changes the private IP to the public one and the source port to another source port, but keeps track of it to associate the original source port with the NATed one, I see no reason for it not to work. After a quick search I've found many people on the internet with the same question and problem, but I never found a good explanation of it.
Thanks!
Best Answer
This depends on the type of VPN used; there are VPN systems working using:
For VPN systems working with TCP and/or UDP there is no technical reason for such a restriction.
"Special protocols", however, are often not understood by the NAT router. In this case two things may happen:
The NAT router will deny routing the unknown packet type completely
(Even if there is only one computer...)
Because the NAT router does not know the protocol it is not able to find out the (equivalent of the) "port number" of the packet. It does not even know if the protocol used has an equivalent of "port numbers" at all!
(There are protocols which do not have "port numbers".)
This means that the only information the NAT can extract from packets sent from the VPN server to the client is the IP address of the server.
When two different computers behind the NAT connect to the same VPN server the NAT has no possibility to find out which of the two computers is the receiver of this packet.
Let's look at a UDP transfer through a NAT:
Now suppose the computers do not send UDP packets but "XYZ" packets:
Many (especially older) VPN systems use a combination of UDP and GRE packets; in this case the NAT will have problems with GRE packets.
Seen from the NAT's perspective, ESP is just another protocol like GRE or "XYZ".
In this case NATs of different manufacturers may behave differently:
Some NATs may simply not allow such a protocol. In this case using ESP, GRE, "XYZ" etc. through a NAT is simply impossible.
Other NATs might "remember" that a computer has been sending packets of a certain protocol (e.g. ESP) to a certain server and assume that all incoming packets of that type (ESP) from that server are intended for that computer.
This will of course no longer work if two computers are sending packets:
By the way: as far as I understand, the "SPI" field of the ESP header can be used to distinguish between different VPN connections.
So a NAT which knows the ESP protocol can allow multiple ESP connections at the same time:
It would use the "SPI" field instead of the port number to distinguish between packets intended for different computers.
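To make the answer's translation-table argument concrete, here is an added example that is not part of the original answer: a small model of a NAT's mapping table for UDP (which has ports), for a port-less protocol such as ESP on a NAT that does not understand it, and for ESP on an SPI-aware NAT. All addresses are made up, and the SPI-aware case assumes the NAT already knows each client's SPI (a simplification: real ESP negotiates a separate SPI per direction).

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # constructed: the NAT's public address
SERVER = "198.51.100.5"     # constructed: the VPN server


@dataclass
class Nat:
    spi_aware: bool = False
    table: dict = field(default_factory=dict)  # lookup key -> private host
    next_port: int = 40000

    def outbound(self, proto, src, dst, port=None, spi=None):
        """Create the mapping an outgoing packet from a private host leaves behind."""
        if proto == "udp":                     # NAT can read the port: one slot per flow
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[("udp", dst, pub_port)] = src
            return ("udp", PUBLIC_IP, pub_port)
        if proto == "esp" and self.spi_aware:  # NAT reads the SPI instead of a port
            self.table[("esp", dst, spi)] = src
            return ("esp", PUBLIC_IP, spi)
        # unknown / port-less protocol: the only key the NAT can derive is the
        # server address, so a second host simply overwrites the first host's entry
        self.table[(proto, dst)] = src
        return (proto, PUBLIC_IP)

    def inbound(self, proto, src, port=None, spi=None):
        """Return the private host a server reply is delivered to (None = dropped)."""
        if proto == "udp":
            return self.table.get(("udp", src, port))
        if proto == "esp" and self.spi_aware:
            return self.table.get(("esp", src, spi))
        return self.table.get((proto, src))


def simulate(proto, spi_aware=False):
    """Hosts A then B connect to SERVER; return which host each server reply reaches."""
    nat = Nat(spi_aware=spi_aware)
    hosts = {"A": ("10.0.0.2", 0x1001), "B": ("10.0.0.3", 0x2002)}  # constructed
    handles = {n: nat.outbound(proto, ip, SERVER, port=4500, spi=spi)
               for n, (ip, spi) in hosts.items()}
    # the server answers the flow it saw: the public port for UDP, the
    # negotiated SPI for ESP (assumed known to an SPI-aware NAT)
    return {n: nat.inbound(proto, SERVER,
                           port=handles[n][2] if proto == "udp" else None,
                           spi=spi)
            for n, (ip, spi) in hosts.items()}
```

`simulate("udp")` and `simulate("esp", spi_aware=True)` deliver each reply to the right host, while `simulate("esp")` delivers both replies to host B, which is exactly the "first connection goes down" symptom from the question.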