Old 11-02-2017, 04:28 PM   #1
LQ Newbie
Registered: Feb 2004
Posts: 17

Rep: Reputation: 0
L2TP / Libreswan IPSEC vpn server multiple clients from behind same NAT IP

Hi All,

I have an L2TP/Libreswan IPSEC server running well. I am using this in a hub & spoke format, as I have a few Mikrotik endpoints that can dynamically change IP addresses and are, or could be, using a double NAT. I also need routing between the sites, and support for a couple of road warriors.

However, I am aware there are limitations of L2TP & IPSEC from behind a NAT with multiple clients using the same public IP address.

I was wondering if anybody has a workaround for this. I know there is SoftEther, which works very well as it supports multiple clients from behind a NAT; however, it seems that you have to run SecureNAT with a DHCP server for it to work properly, and their client software on laptops or VPN server software for offices. Obviously I'd like to stick to one device, the Mikrotik, doing everything for the network.

I'm wondering if anyone has done this before and what you used.


Old 11-02-2017, 08:17 PM   #2
Ser Olmy
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,315

Rep: Reputation: Disabled
When you say you need routing between the sites, do you mean dynamic routing like OSPF, or will static routing do?

IPsec (and hence L2TP) works fine from behind NAT as long as both parties support the IPsec NAT-T extension. But there's a problem with IPsec/L2TP and dynamic IPs, which has to do with a design limitation in the IKEv1 protocol used by IPsec.

IPsec can authenticate clients using certificates or preshared keys (PSKs), and in the latter case one may specify an IP address, a FQDN or a (possibly fictitious) e-mail address as a client identifier. In a dynamic IP scenario, using an e-mail address as a username sounds like an excellent idea. As long as the server has a fixed IP and the client is initiating the connection, IPsec itself should work just fine.

Unfortunately, with IKEv1, the user ID itself is transmitted using encryption negotiated using the PSK. This leads to a chicken-and-egg problem: the receiving end cannot identify the client without decrypting the incoming packet, which cannot be decrypted without the right PSK, which cannot be selected without first establishing the client's identity. Unless you can tie the client to a specific IP (or at very least a subnet), the server won't know which PSK to use, and the authentication fails.

If you want to stick with L2TP, you have two options:
  1. Use certificates instead of PSKs for clients with dynamic IPs
  2. Use the same PSK for all clients with a non-IP user ID
  3. Switch to IKEv2
Using certificates means setting up your own Certification Authority and installing both the root certificate and a client certificate on every Mikrotik router and laptop. Not a huge task, but a bit of a hassle if you've never done this before.

Having the same PSK on every router behind a dynamic IP may or may not be acceptable from a security point of view, depending on your environment. This is especially true when you have road warriors using laptops, since the loss of a laptop means you have to change the PSK on all remaining devices.

Switching to IKEv2 (which libreswan supports) would solve all your problems, since it transmits the user ID using an encrypted channel that doesn't rely on the PSK. Unfortunately, many older routers and most L2TP clients do not support IKEv2.

For your site-to-site connections, you could dispense with L2TP and just use GRE tunnels over IPsec with IKEv2. That would eliminate the dynamic IP issue and you wouldn't have to invest in a CA infrastructure. You could even use dynamic routing as long as both endpoints allow dynamic routing over tunnel interfaces, which for some strange reason some devices (*cough* ZyXEL *cough*) refuse to do, but your Mikrotik routers might not have this restriction.

For your road warriors, I would not hesitate to recommend SoftEther/SSTP. SSTP is just PPP over HTTP over SSL/TLS, which means you'd simply have to obtain a single (free) SSL certificate for your server. As a bonus, SSTP VPN traffic looks like HTTPS, which mostly eliminates issues with firewall traversal in corporate environments.

Last edited by Ser Olmy; 11-02-2017 at 08:27 PM.
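An added example (not from the original post or from the libreswan project) of the IKEv2 arrangement described above: the hub keeps one PSK per spoke and selects it by the spoke's ID, which IKEv1 main mode cannot do for peers with dynamic or shared NAT addresses. Hostnames, IDs, subnets and the secrets are constructed placeholders.

```ini
# Added example: libreswan hub side with IKEv2 and per-spoke PSKs.
# All names, subnets and secrets here are constructed placeholders.

# /etc/ipsec.conf
conn %default
    ikev2=insist             # libreswan 3.x syntax; libreswan 4 uses ikev2=yes
    authby=secret            # PSK, but chosen by peer ID, which only IKEv2 allows
    encapsulation=yes        # always use UDP/4500 NAT-T encapsulation
    left=%defaultroute
    leftid=@hub.example.net  # '@' = literal FQDN ID, never resolved
    leftsubnet=10.0.0.0/24
    right=%any               # spokes arrive from dynamic (possibly shared) IPs
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear          # drop a spoke whose NAT mapping has gone away
    auto=add

conn spoke1
    rightid=@spoke1.example.net
    rightsubnet=10.0.1.0/24

conn spoke2
    rightid=@spoke2.example.net
    rightsubnet=10.0.2.0/24

# /etc/ipsec.secrets
# One PSK per spoke, keyed on the ID pair. With IKEv1 main mode the responder
# had to pick a PSK before the peer's ID arrived (the chicken-and-egg problem
# above); with IKEv2 the ID is received in IKE_AUTH under DH-derived keys,
# so libreswan can match the right conn and secret before verifying AUTH.
@hub.example.net @spoke1.example.net : PSK "REPLACE-WITH-SPOKE1-SECRET"
@hub.example.net @spoke2.example.net : PSK "REPLACE-WITH-SPOKE2-SECRET"
```

Losing one spoke or laptop then means rotating only that spoke's line in ipsec.secrets rather than a PSK shared by every device.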