IP Filter FAQ


V. IP FILTER AND VPN

  1. I can only initiate x number of VPN connections to/from my NAT'd boxes! Why?
  2. I'm having more VPN problems... ESP packets and UDP packets are not being mapped to the same IP address.

  1. I can only initiate x number of VPN connections to/from my NAT'd boxes! Why?
    First, are you using portmap in your ipnat (see III-6)? If not, then you will be limited to the number of external IP addresses you have to NAT to PER DESTINATION (see below for more info).
    However, some implementations of VPN will require a unique source address, and thus you will still only be able to have a number of NAT'd VPN sessions equal to the number of external IP addresses you have to NAT to PER DESTINATION (even if you use portmap).
    In other words, if you have 10.0.0.0/8 internal and you have only one external IP address 1.2.3.4, then you have only one VPN connection TO EACH VPN DESTINATION, so you could have hundreds of VPN sessions as long as they were to different destinations.
    But, if you have 10.0.0.0/8 internal and x.x.x.x/26 external, then you have 64 VPN connections PER destination, with as many destinations as you want.
  2. I'm having more VPN problems... ESP packets and UDP packets are not being mapped to the same IP address.
    From Darren: This will be because both packets match different rules. Packets matching the same rule will get the same address. I will include the ipsec proxy in 3.4.21, which will help with this.
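The per-destination limit described in answer 1 can be seen in a small model of how a NAT map rule hands out external addresses. This is an added illustration, not IP Filter's own code: it assumes a simplified rule where a session with no ports (ESP) consumes one external address per destination, while TCP/UDP under portmap share an address via translated source ports; the address ranges used are constructed for the example.

```python
import ipaddress


class NatPool:
    """Toy model of an ipnat 'map' rule (constructed for illustration, not
    IP Filter's code). Each (inside host -> destination) session is given
    an external address from the pool. With 'portmap', TCP/UDP sessions
    can share one external address because the translated source port
    tells them apart; ESP carries no ports (and some VPNs demand a unique
    source address anyway), so every session to the same destination
    must consume a separate external address."""

    def __init__(self, external_block, portmap=False):
        self.pool = [str(a) for a in ipaddress.ip_network(external_block)]
        self.portmap = portmap
        # (external addr, destination, proto, external port) -> inside host
        self.sessions = {}

    def map_session(self, inside, dst, proto):
        """Return the external address chosen, or None when no address is
        left for this destination (the FAQ's per-destination limit)."""
        for ext in self.pool:
            if self.portmap and proto in ("tcp", "udp"):
                # portmap: allocate the next free translated source port on ext
                used = {k[3] for k in self.sessions
                        if k[:3] == (ext, dst, proto)}
                port = next(p for p in range(40000, 60000) if p not in used)
                self.sessions[(ext, dst, proto, port)] = inside
                return ext
            key = (ext, dst, proto, None)
            if key not in self.sessions:
                self.sessions[key] = inside
                return ext
        return None


def esp_sessions_per_destination(external_block, peer="203.0.113.1"):
    """How many ESP (VPN) sessions the gateway can NAT to one peer."""
    nat = NatPool(external_block)
    count = 0
    while nat.map_session(f"10.{count // 256}.{count % 256}.1", peer, "esp"):
        count += 1
    return count


if __name__ == "__main__":
    print(esp_sessions_per_destination("1.2.3.4/32"))    # one external IP -> 1
    print(esp_sessions_per_destination("192.0.2.0/26"))  # a /26 -> 64
```

Running it shows one ESP session per destination with a single external address and 64 with a /26, while sessions to different destinations keep succeeding.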