multiple site-to-site IPSEC VPN simultaneously under a NAT

[younghan73]

I want to configure multiple site-to-site IPSEC VPNs simultaneously under a NAT configuration.
I configured mediation server, m1, s1, m2, and s2 using Strongswan v5.8.4/

Currently IPSEC gateway m1 and m2 is located in same NAT router (ISP A). And IPSEC gateway s1 and s2 is located in same NAT router (ISP B).

If make the connection between m1 and s1, IPSEC site-to-site tunnel is created. So can pinging to 192.168.2.1 from m1.
In same time, if make the connection between m2 and s2, IPSEC tunnel is not created between m2 and s2.

Does it possible to establish the multiple site-to-site VPNs under same NAT router?

Could you check my configuration and log?

1. network diagram for multiple site-to-site VPNs
   

2. configuration for m1, s1, m2, s2 and mediation server
   2-1. m1 config
   m1 config
   root@m1:~# cat /etc/ipsec.conf

ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug = "all"
uniqueids = no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
dpdaction=restart
dpddelay=60s
left=%defaultroute

conn medsrv
leftid=m1@test.com
right=A.B.C.D
rightid=mediator@test.com
mediation=yes
auto=start

conn m1
leftid=m1@test.com
leftsubnet=192.168.1.0/24
right=%any
rightid=s1@test.com
rightsubnet=192.168.2.0/24
mediated_by=medsrv
auto=start
forceencaps=yes

root@m1:~# cat /etc/ipsec.secrets

ipsec.secrets - strongSwan IPsec secrets file

mediator@test.com : PSK "ipsecpassword"

m1@test.com : PSK "ipsecpassword"
s1@test.com : PSK "ipsecpassword"
me_m1@test.com : PSK "ipsecpassword"
me_s1@test.com : PSK "ipsecpassword"

root@m1:~#

2-2. s1 config
s1 config
root@s1:~# cat /etc/ipsec.conf

ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug = "all"
uniqueids = no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
dpdaction=restart
dpddelay=60s
left=%defaultroute

conn medsrv
leftid=s1@test.com
right=A.B.C.D
rightid=mediator@test.com
mediation=yes
auto=start

conn m1
leftid=s1@test.com
leftsubnet=192.168.2.0/24
right=%any
rightid=m1@test.com
rightsubnet=192.168.1.0/24
mediated_by=medsrv
auto=start
forceencaps=yes

root@s1:~# cat /etc/ipsec.secrets

ipsec.secrets - strongSwan IPsec secrets file

mediator@test.com : PSK "ipsecpassword"

m1@test.com : PSK "ipsecpassword"
s1@test.com : PSK "ipsecpassword"
me_m1@test.com : PSK "ipsecpassword"
me_s1@test.com : PSK "ipsecpassword"

root@s1:~#

2-3. m2 config
m2 config
root@m2:~# cat /etc/ipsec.conf

ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug = "all"
uniqueids = no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
dpdaction=restart
dpddelay=60s
left=%defaultroute

conn medsrv
leftid=m2@test.com
right=A.B.C.D
rightid=mediator@test.com
mediation=yes
auto=start

conn m2
leftid=m2@test.com
leftsubnet=192.168.1.0/24
right=%any
rightid=s2@test.com
rightsubnet=192.168.2.0/24
mediated_by=medsrv
auto=start
forceencaps=yes

root@m2:~# cat /etc/ipsec.secrets

ipsec.secrets - strongSwan IPsec secrets file

mediator@test.com : PSK "ipsecpassword"

m2@test.com : PSK "ipsecpassword"
s2@test.com : PSK "ipsecpassword"
me_m2@test.com : PSK "ipsecpassword"
me_s2@test.com : PSK "ipsecpassword"

root@m2:~#

2-4. s2 config
s2 config
root@s2:~# cat /etc/ipsec.conf

ipsec.conf - strongSwan IPsec configuration file

config setup
charondebug = "all"
uniqueids = no

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
dpdaction=restart
dpddelay=60s
left=%defaultroute

conn medsrv
leftid=s2@test.com
right=A.B.C.D
rightid=mediator@test.com
mediation=yes
auto=start

conn m2
leftid=s2@test.com
leftsubnet=192.168.2.0/24
right=%any
rightid=m2@test.com
rightsubnet=192.168.1.0/24
mediated_by=medsrv
auto=start
forceencaps=yes

root@s2:~# cat /etc/ipsec.secrets

ipsec.secrets - strongSwan IPsec secrets file

mediator@test.com : PSK "ipsecpassword"

m2@test.com : PSK "ipsecpassword"
s2@test.com : PSK "ipsecpassword"
me_m2@test.com : PSK "ipsecpassword"
me_s2@test.com : PSK "ipsecpassword"

root@s2:~#

2-5. mediation server config
mediation config
medsvr@medsvr:~$ cat /etc/ipsec.conf

ipsec.conf - strongSwan IPsec configuration file

config setup
strictcrlpolicy=yes

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
dpdaction=clear
dpddelay=60s

conn medsrv
left=192.168.0.100
leftid=mediator@test.com
leftauth=psk
leftfirewall=yes
right=%any
rightauth=psk
mediation=yes
authby=secret
auto=add

medsvr@medsvr:~$ cat /etc/ipsec.secrets

ipsec.secrets - strongSwan IPsec secrets file

mediator@test.com : PSK "ipsecpassword"

m1@test.com : PSK "ipsecpassword"
s1@test.com : PSK "ipsecpassword"
m2@test.com : PSK "ipsecpassword"
s2@test.com : PSK "ipsecpassword"
me_m1@test.com : PSK "ipsecpassword"
me_s1@test.com : PSK "ipsecpassword"
me_m2@test.com : PSK "ipsecpassword"
me_s2@test.com : PSK "ipsecpassword"

3. log of m1, s1, m2 and s2
   3-1. m1 log
   m1 log: ipsec ok
   root@m1:~# ipsec start
   Starting strongSwan 5.8.4 IPsec [starter]...
   00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64)

removed due to IP information

root@m1:# ipsec status
Security Associations (3 up, 0 connecting):
m1[3]: ESTABLISHED 32 seconds ago, 192.168.11.1[m1@test.com]...125.X.Y.Z[s1@test.com]
m1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cf5cca53_i c0f0e3a2_o
m1{2}: 192.168.1.0/24 === 192.168.2.0/24
m1[2]: ESTABLISHED 32 seconds ago, 192.168.11.1[m1@test.com]...125.X.Y.Z[s1@test.com]
m1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: caa5d98a_i c42246cf_o
m1{1}: 192.168.1.0/24 === 192.168.2.0/24
medsrv[1]: ESTABLISHED 69 seconds ago, 192.168.51.2[m1@test.com]...106.A.B.C[mediator@test.com]
root@m1:#
root@m1:# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64):
uptime: 73 seconds, since May 12 18:13:08 2024
malloc: sbrk 2654208, mmap 0, used 969712, free 1684496
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 14
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkc
Listening IP addresses:
192.168.11.1
192.168.51.2
192.168.1.1
Connections:
medsrv: %any...dsnet.iptime.org IKEv2, dpddelay=60s
medsrv: local: [m1@test.com] uses pre-shared key authentication
medsrv: remote: [mediator@test.com] uses pre-shared key authentication
medsrv: child: dynamic === dynamic TUNNEL, dpdaction=restart
m1: %any...%any IKEv2, dpddelay=60s
m1: local: [m1@test.com] uses pre-shared key authentication
m1: remote: [s1@test.com] uses pre-shared key authentication
m1: child: 192.168.1.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
m1[3]: ESTABLISHED 35 seconds ago, 192.168.11.1[m1@test.com]...125.X.Y.Z[s1@test.com]
m1[3]: IKEv2 SPIs: 77dd27867044502b_i 28a8ec81440340fd_r*, pre-shared key reauthentication in 56 minutes
m1[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
m1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cf5cca53_i c0f0e3a2_o
m1{2}: AES_CBC_128/HMAC_SHA2_256_128, 34450 bytes_i (689 pkts, 0s ago), 13805816 bytes_o (12952 pkts, 0s ago), rekeying in 13 mis
m1{2}: 192.168.1.0/24 === 192.168.2.0/24
m1[2]: ESTABLISHED 35 seconds ago, 192.168.11.1[m1@test.com]...125.X.Y.Z[s1@test.com]
m1[2]: IKEv2 SPIs: 90a2cd5b4b2e8b80_i* bbdf6666c60b58ad_r, pre-shared key reauthentication in 50 minutes
m1[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
m1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: caa5d98a_i c42246cf_o
m1{1}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o (0 pkts, 15s ago), rekeying in 14 minutes
m1{1}: 192.168.1.0/24 === 192.168.2.0/24
medsrv[1]: ESTABLISHED 72 seconds ago, 192.168.51.2[m1@test.com]...106.A.B.C[mediator@test.com]
medsrv[1]: IKEv2 SPIs: ca4ce623491186e5_i* 53642942e420540a_r, pre-shared key reauthentication in 51 minutes
medsrv[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
root@m1:#

3-2. s1 log
s1 log: ipsec ok
root@s1:~# ipsec start
Starting strongSwan 5.8.4 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64)

removed due to IP information

root@s1:# ipsec status
Security Associations (3 up, 0 connecting):
m1[3]: ESTABLISHED 16 seconds ago, 10.60.40.170[s1@test.com]...106.AA.BB.CC[m1@test.com]
m1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c42246cf_i caa5d98a_o
m1{2}: 192.168.2.0/24 === 192.168.1.0/24
m1[2]: ESTABLISHED 15 seconds ago, 10.60.40.170[s1@test.com]...106.AA.BB.CC[m1@test.com]
m1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0f0e3a2_i cf5cca53_o
m1{1}: 192.168.2.0/24 === 192.168.1.0/24
medsrv[1]: ESTABLISHED 17 seconds ago, 10.60.40.170[s1@test.com]...106.A.B.C[mediator@test.com]
root@s1:#
root@s1:#
root@s1:# ipsec statusall06[IKE] sending keep alive to 106.A.B.D[4500]

Status of IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64):
uptime: 24 seconds, since May 12 18:13:44 2024
malloc: sbrk 2781184, mmap 0, used 957856, free 1823328
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 15
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkc
Listening IP addresses:
10.60.40.170
192.168.2.1
Connections:
medsrv: %any...dsnet.iptime.org IKEv2, dpddelay=60s
medsrv: local: [s1@test.com] uses pre-shared key authentication
medsrv: remote: [mediator@test.com] uses pre-shared key authentication
medsrv: child: dynamic === dynamic TUNNEL, dpdaction=restart
m1: %any...%any IKEv2, dpddelay=60s
m1: local: [s1@test.com] uses pre-shared key authentication
m1: remote: [m1@test.com] uses pre-shared key authentication
m1: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
m1[3]: ESTABLISHED 23 seconds ago, 10.60.40.170[s1@test.com]...106.X.Y.Z[m1@test.com]
m1[3]: IKEv2 SPIs: 90a2cd5b4b2e8b80_i bbdf6666c60b58ad_r*, pre-shared key reauthentication in 53 minutes
m1[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
m1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c42246cf_i caa5d98a_o
m1{2}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o (0 pkts, 3s ago), rekeying in 14 minutes
m1{2}: 192.168.2.0/24 === 192.168.1.0/24
m1[2]: ESTABLISHED 22 seconds ago, 10.60.40.170[s1@test.com]...106.X.Y.Z[m1@test.com]
m1[2]: IKEv2 SPIs: 77dd27867044502b_i* 28a8ec81440340fd_r, pre-shared key reauthentication in 53 minutes
m1[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
m1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0f0e3a2_i cf5cca53_o
m1{1}: AES_CBC_128/HMAC_SHA2_256_128, 8917140 bytes_i (8366 pkts, 0s ago), 21950 bytes_o (439 pkts, 0s ago), rekeying in 15 minus
m1{1}: 192.168.2.0/24 === 192.168.1.0/24
medsrv[1]: ESTABLISHED 24 seconds ago, 10.60.40.170[s1@test.com]...106.A.B.C[mediator@test.com]
medsrv[1]: IKEv2 SPIs: 1c632c411513a2ef_i* ae4d353a69e628e1_r, pre-shared key reauthentication in 53 minutes
medsrv[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
root@s1:~#

3-3. m2 log
m2 log: ipsec not ok
root@m2:~# ipsec start
Starting strongSwan 5.8.4 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64)

removed due to IP information

root@m2:#
root@m2:# ipsec status
Security Associations (2 up, 0 connecting):
m2[2]: CREATED, %any[%any]...%any[%any]
medsrv[1]: ESTABLISHED 35 seconds ago, 192.168.51.4[m2@test.com]...106.A.B.C[mediator@test.com]
root@m2:# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64):
uptime: 37 seconds, since May 12 18:14:47 2024
malloc: sbrk 2654208, mmap 0, used 903008, free 1751200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 23
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkc
Listening IP addresses:
192.168.11.1
192.168.51.4
192.168.1.1
Connections:
medsrv: %any...dsnet.iptime.org IKEv2, dpddelay=60s
medsrv: local: [m2@test.com] uses pre-shared key authentication
medsrv: remote: [mediator@test.com] uses pre-shared key authentication
medsrv: child: dynamic === dynamic TUNNEL, dpdaction=restart
m2: %any...%any IKEv2, dpddelay=60s
m2: local: [m2@test.com] uses pre-shared key authentication
m2: remote: [s2@test.com] uses pre-shared key authentication
m2: child: 192.168.1.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
m2[2]: CREATED, %any[%any]...%any[%any]
m2[2]: IKEv2 SPIs: 73fc0558a292256f_i* 0000000000000000_r
m2[2]: Tasks queued: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG IKE_AUTH_LIFETIME IKE_MOBIKE IKE
medsrv[1]: ESTABLISHED 37 seconds ago, 192.168.51.4[m2@test.com]...106.A.B.C[mediator@test.com]
medsrv[1]: IKEv2 SPIs: e0e332067b81b38f_i* 965fae25360fe4a3_r, pre-shared key reauthentication in 53 minutes
medsrv[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
root@m2:#

3-4. s2 log
s2 log: ipsec not ok
root@s2:~# ipsec start
Starting strongSwan 5.8.4 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64)

removed due to IP information

root@s2:#
root@s2:# ipsec status
Security Associations (2 up, 0 connecting):
m2[2]: CREATED, %any[%any]...%any[%any]
medsrv[1]: ESTABLISHED 10 seconds ago, 10.60.40.62[s2@test.com]...106.A.B.C[mediator@test.com]
root@s2:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.4, Linux 6.1.46, aarch64):
uptime: 11 seconds, since May 12 18:15:06 2024
malloc: sbrk 2654208, mmap 0, used 906144, free 1748064
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 21
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkc
Listening IP addresses:
10.60.40.62
192.168.2.1
Connections:
medsrv: %any...dsnet.iptime.org IKEv2, dpddelay=60s
medsrv: local: [s2@test.com] uses pre-shared key authentication
medsrv: remote: [mediator@test.com] uses pre-shared key authentication
medsrv: child: dynamic === dynamic TUNNEL, dpdaction=restart
m2: %any...%any IKEv2, dpddelay=60s
m2: local: [s2@test.com] uses pre-shared key authentication
m2: remote: [m2@test.com] uses pre-shared key authentication
m2: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
m2[2]: CREATED, %any[%any]...%any[%any]
m2[2]: IKEv2 SPIs: be3769456067575a_i* 0000000000000000_r
m2[2]: Tasks queued: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG IKE_AUTH_LIFETIME IKE_MOBIKE IKE
medsrv[1]: ESTABLISHED 11 seconds ago, 10.60.40.62[s2@test.com]...106.A.B.C[mediator@test.com]
medsrv[1]: IKEv2 SPIs: be17fdb663944d64_i* c4d0c0f1720ce99e_r, pre-shared key reauthentication in 51 minutes
medsrv[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519

Thanks in advnaced!
YoungHan

[tobiasbrunner]

If you are not talking about establishing multiple SAs between the same two hosts, then this should work fine in theory. However, some NATs behave strangely when they have to create multiple mappings for the same source port (4500). They might switch to randomly allocating new mappings after such a conflict occurs, which can prevent the current implementation of the mediation protocol to fail. Not sure if choosing a random source port (set charon.port_nat_t to 0 in strongswan.conf) could prevent that.

[younghan73]

Hi tobiasbrunner,
First of all, thanks for reply.
I want to make multiple VPN tunnel by IPSEC gateway pair (m1-s1, m2-s2) under same NAT router as my picture.
In current test environments, I doubt the firewall of my office. So I requested one more ISP line without firewall.
If I received one more ISP line, I will test again.
Anyway I wonder that using of 4500 port by multiple IPSEC gateway (m1, m2 and s1, s2) under single NAT router.
I want to know that does have anybody who use multiple IPSEC VPN tunnel under same NAT router.
Thanks!

[younghan73]

I changed other ISP line without firewall.
Anyway strongswan support multiple site-to-site IPSEC VPN simultaneously under two NAT point.
Thanks a lot!

[younghan73]

strongswan support multiple site-to-site IPSEC VPN simultaneously under two NAT point.
Thanks a lot!