Multiple (NAT) PPTP, L2TP/IPsec to Same External IP



  • Hi,

    I have a question regarding NAT and VPN tunneling, specifically MS VPN tunneling-

    Person 1 at location "A" initiates a MS L2TP/IPsec connection to location "B", it connects, and remains connected while…
    Person 2 at location "A" initiates a MS L2TP/IPsec connection to location "B", it fails.
    Location "A" has a pfsense fw (v1.2.3)

    What would prevent that second connection from establishing??



  • Ok… I found the answer, so now Im curious if there's already a solution written...

    Having to do with the multiple VPN connections to the same external IP address, I'm curious whether there is already a fix for the "duplicate Call ID/Destination IP" issue???

    If nothing else, I'll troubleshoot this here and maybe save someone else the time and trouble down the road  :D

    Update: The info I found is specifically talking about PPTP, however because of the nature of the issue I would expect it to also apply to L2TP.


  • Rebel Alliance Developer Netgate

    That limit only applies to PPTP because PPTP uses GRE, which is the source of the problem.

    L2TP only uses a single TCP port (1701) so that doesn't apply. And even if it did, with IPsec+L2TP, the L2TP is wrapped up inside IPsec anyhow.

    The only limit with IPsec is in implementations that require a static source port of 500. These days if you have NAT-T with IPsec that shouldn't even matter.



  • @jimp:

    That limit only applies to PPTP because PPTP uses GRE, which is the source of the problem.

    L2TP only uses a single TCP port (1701) so that doesn't apply. And even if it did, with IPsec+L2TP, the L2TP is wrapped up inside IPsec anyhow.

    The only limit with IPsec is in implementations that require a static source port of 500. These days if you have NAT-T with IPsec that shouldn't even matter.

    What would be the cause then? It's acting the same way as the PPTP GRE issue…  If L2TP uses a single port, then how does NAT translate to more than one user?


  • Rebel Alliance Developer Netgate

    Not sure why, but l2tp uses the single destination port on the server site. These limits don't apply to the source port which is random.

    IPsec without NAT-T wants a static source and destination port of 500, which can have that limitation. The first person to connect gets the static source port of 500 to the remote VPN device, and the next person can't.

    You can try switching to manual outbound NAT and then remove the static port rule for 500, see if that helps.



  • @jimp:

    Not sure why, but l2tp uses the single destination port on the server site. These limits don't apply to the source port which is random.

    IPsec without NAT-T wants a static source and destination port of 500, which can have that limitation. The first person to connect gets the static source port of 500 to the remote VPN device, and the next person can't.

    You can try switching to manual outbound NAT and then remove the static port rule for 500, see if that helps.

    I'm already on Manual Nat… I upgraded to 2.01 since the first post on this thread and it's still the same issue, one can connect, others cannot. You seem to be fairly knowledgeable, any ideas as to what might be causing the subsequent attempts to fail?


  • Rebel Alliance Developer Netgate

    Not sure, though the only thing that comes to mind is the server being strict about static port. I don't use L2TP+IPsec anywhere so I'm not sure what those expect in terms of source/destination ports and the like.



  • Jimp,

    In order to pass L2TP over IPSec successfully, do I require rules in both Port Forwarding as well as Outbound, or just one of the two?


Locked