Setup:
* Central VPN hub, running strongSwan
* Remote development site. The dev site needs to pretend it is multiple production sites, and therefore needs to run multiple devices, each with its own VPN.
All machines in dev site are behind a single router that does NAT.
This setup worked fine when we were using Fortinet + IPsec for VPN. However, we are now trying to transition to Linux + strongSwan.
It works fine for a single host. But as soon as we try to bring up a second host, there is some kind of conflict: dropped packets for the first one, and the second one doesn't really work.
We can take the second box to a separate site and it works fine, so we know configs on both dev boxes are valid.
So… how can we make both boxes play nice behind a single NAT firewall?
I tried adding
forceencaps=yes
to the client-side tunnel, but tcpdump indicates it's still just using port 4500 as source, and I don't think it's really doing anything different.
What should I do in this situation?
Linux strongSwan U5.9.12/K6.6.29-0-virt
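The tcpdump observation in the question is the right thing to look at, but it is easier to read from the hub side. Below is an added example (not from the original question or from strongSwan itself) that parses hub-side `tcpdump -n` output for IKE (UDP 500), NAT-T (UDP 4500, both NONESP-encap IKE and UDP-encap ESP) and raw ESP (IP protocol 50), groups packets by the source address and port the hub actually sees, and reports whether the peers behind the NAT arrive on distinct mapped ports and whether any of them is still sending unencapsulated ESP, which a NAT cannot keep apart for more than one inner host because protocol 50 carries no port numbers. The capture lines, the hub address 198.51.100.1 and the NAT public address 192.0.2.10 are constructed for the example and are assumptions, not data from the original post.

```python
import re
from collections import defaultdict

# Constructed sample of hub-side `tcpdump -n -i eth0 'udp port 500 or udp port 4500 or esp'`.
# 198.51.100.1 is the assumed hub, 192.0.2.10 the assumed public address of the dev-site NAT.
# Two inner hosts reach the hub: one mapped to 4500 (port preserved), one mapped to 1024.
# The last line is a raw ESP packet, included to show what the check reports when
# UDP encapsulation is not in effect for a peer.
SAMPLE = """\
10:00:01.000001 IP 192.0.2.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
10:00:01.000002 IP 198.51.100.1.500 > 192.0.2.10.500: isakmp: parent_sa ikev2_init[R]
10:00:01.000003 IP 192.0.2.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
10:00:01.000004 IP 192.0.2.10.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0xc1a2b3c4,seq=0x1), length 116
10:00:02.000001 IP 192.0.2.10.1025 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
10:00:02.000002 IP 192.0.2.10.1024 > 198.51.100.1.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
10:00:02.000003 IP 192.0.2.10.1024 > 198.51.100.1.4500: UDP-encap: ESP(spi=0xd5e6f7a8,seq=0x1), length 116
10:00:03.000001 IP 192.0.2.10 > 198.51.100.1: ESP(spi=0x0badcafe,seq=0x2), length 100
"""

# tcpdump prints IPv4 "addr.port > addr.port: payload" for UDP and "addr > addr: ESP(...)" for raw ESP.
UDP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")
ESP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): ESP\(spi=(0x[0-9a-fA-F]+)")
SPI_RE = re.compile(r"spi=(0x[0-9a-fA-F]+)")


def parse_line(line):
    """Classify one tcpdump line; returns None for lines that are not IKE/ESP traffic."""
    m = UDP_RE.match(line)
    if m:
        src, sport, dst, dport, payload = m.groups()
        if payload.startswith("UDP-encap: ESP"):
            kind = "esp_udp"        # ESP inside UDP 4500 (NAT-T)
        elif payload.startswith("NONESP-encap: isakmp"):
            kind = "ike_natt"       # IKE on UDP 4500 with the non-ESP marker
        elif payload.startswith("isakmp"):
            kind = "ike"            # IKE_SA_INIT on UDP 500
        else:
            return None
        spi = SPI_RE.search(payload)
        return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                "kind": kind, "spi": spi.group(1) if spi else None}
    m = ESP_RE.match(line)
    if m:
        src, dst, spi = m.groups()
        # Raw ESP has no transport ports, so the NAT has nothing but the SPI to demultiplex on.
        return {"src": src, "sport": None, "dst": dst, "dport": None, "kind": "esp_raw", "spi": spi}
    return None


def summarize(text, hub_ip):
    """Group packets addressed to the hub by (source ip, source port as the hub sees it)."""
    flows = defaultdict(lambda: {"kinds": set(), "spis": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != hub_ip:
            continue
        key = (rec["src"], rec["sport"])
        flows[key]["kinds"].add(rec["kind"])
        if rec["spi"]:
            flows[key]["spis"].add(rec["spi"])
    return dict(flows)


def findings(flows):
    """Human-readable observations about how many NAT-T peers share a public address."""
    out = []
    by_ip = defaultdict(list)
    for (ip, port), info in flows.items():
        by_ip[ip].append((port, info))
    for ip, entries in by_ip.items():
        natt_ports = sorted(p for p, info in entries
                            if p is not None and info["kinds"] & {"ike_natt", "esp_udp"})
        if len(natt_ports) > 1:
            out.append(f"{ip}: {len(natt_ports)} NAT-T peers on distinct source ports {natt_ports}")
        for port, info in entries:
            if port is None:
                out.append(f"{ip}: raw ESP (IP proto 50) seen, SPIs {sorted(info['spis'])}; "
                           "no UDP encapsulation, so a NAT cannot separate multiple inner hosts")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE, "198.51.100.1")):
        print(line)
```

Run it against a real capture with `tcpdump -n -l ... | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin.read()`; the interesting output is one line per NAT address listing the mapped ports, and any raw-ESP line, which tells you the peer in question is not being encapsulated regardless of what `forceencaps` was set to on the client.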