How can I set up multiple VPN sessions under masquerade NAT on iptables?

Posted on 2009-12-20
Last Modified: 2013-11-16
I use CentOS 5.2 as my Linux gateway; it has iptables installed, and many clients go through this server in order to reach the Internet.
Here is how it is connected:
             Clients ==> Gateway ==> Internet

My problem is that when the first client connects to a VPN server on the Internet, it works fine,
but when a second client connects to the same or another VPN server, it doesn't work.
My Linux box is running CentOS 5.2, kernel 2.6.18-92.el5, iptables 1.4.3.
Here is my masquerade NAT rule:

Any ideas? Please suggest something. Thanks.
Question by: neo_cpe

    Expert Comment

    I am not sure what VPN solution you use, probably IPsec.
    IPsec is defined by using UDP messages FROM port 500 TO port 500 exclusively. So with masquerading this will work for the first connection only.

    IPsec has been enhanced to handle this; this is called NAT-T mode. Then all packets are sent to port 4500 without assumptions about the source port.
    ==> the packets can be MASQUERADED.
    The solution is either you provide the tunnels from your gateway.... or you activate NAT-T mode.

    Expert Comment

    BTW, IPsec is implemented by KAME/racoon or by one of FreeS/WAN or its forks (Openswan or strongSwan).

    Author Comment

    Thank you for your comment. I would like to use both PPTP and IPsec. After I searched related articles on the Internet, I found that the problem might come from a Linux kernel bug and it needs to be patched.
    He had the same problem as me >>

    However, I don't know how to use patch-o-matic to patch both the kernel and iptables. Any suggestions? Please help me.

    Accepted Solution

    Now I have found the solution from Google already, by using these commands:
        /sbin/modprobe ip_nat_pptp
        /sbin/modprobe ip_conntrack_pptp
    Kernel 2.6 has already solved the problem, but you have to add these 2 modules
    for iptables.
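The following script is an added example, not code from the thread or from any of the participants. It ties together the expert's point (a masquerading gateway can only multiplex a protocol whose packets carry something it can rewrite, which is why connection-tracking helpers or NAT-T are needed) and the accepted answer (load ip_conntrack_pptp and ip_nat_pptp). It checks an lsmod-style listing for the two PPTP helper modules and prints the forwarding and masquerade rules a gateway needs for PPTP and for IPsec with NAT-T, without applying anything unless explicitly asked. The external interface eth0 and the LAN 192.168.1.0/24 are hypothetical values; the module names are the 2.6.18-era ones from the thread (later kernels call them nf_conntrack_pptp and nf_nat_pptp).

```shell
#!/bin/sh
# Added example (not from the original thread): verify that the PPTP
# connection-tracking helpers are loaded and print the gateway rules that
# let several LAN clients reach VPN servers through one masqueraded address.
#
# Hypothetical values: external interface and LAN network.
EXT_IF=eth0
LAN_NET=192.168.1.0/24

# Print the helper modules that are absent from an lsmod-style listing
# passed as the first argument (module name is the first column).
# Prints nothing when both helpers are present.
missing_pptp_helpers() {
    listing=$1
    missing=""
    for mod in ip_conntrack_pptp ip_nat_pptp; do
        if ! printf '%s\n' "$listing" | awk '{ print $1 }' | grep -qx "$mod"; then
            missing="$missing $mod"
        fi
    done
    printf '%s' "${missing# }"
}

# Rules for PPTP clients behind the gateway. The control channel is
# TCP/1723; the tunnel itself is GRE (IP protocol 47), which has no ports,
# so only the PPTP helper can tell two clients' GRE streams apart.
pptp_gateway_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
iptables -A FORWARD -s $LAN_NET -o $EXT_IF -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -o $EXT_IF -p 47 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Rules for IPsec clients. IKE uses UDP/500; with NAT-T both IKE and the
# ESP payload move to UDP/4500, which masquerading can rewrite per client.
# Raw ESP (IP protocol 50) carries no ports, so without NAT-T only one
# client behind the NAT can use it at a time.
ipsec_gateway_rules() {
    cat <<EOF
iptables -A FORWARD -s $LAN_NET -o $EXT_IF -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -o $EXT_IF -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -o $EXT_IF -p 50 -j ACCEPT
EOF
}

# Load the helpers and apply the PPTP rules. Needs root, so it only runs
# when the script is invoked as: sh pptp-gateway.sh apply
apply_pptp_gateway() {
    left=$(missing_pptp_helpers "$(lsmod)")
    for mod in $left; do
        modprobe "$mod" || { echo "cannot load $mod" >&2; return 1; }
    done
    pptp_gateway_rules | while read -r rule; do
        eval "$rule" || return 1
    done
}

if [ "${1:-}" = apply ]; then
    apply_pptp_gateway
else
    echo "# review mode; run with 'apply' as root to load helpers and add rules"
    pptp_gateway_rules
    ipsec_gateway_rules
fi
```

In review mode the script only prints the rules, so they can be diffed against `iptables-save` output before anything is changed; the helper check is the quickest way to confirm whether the accepted answer's modules are actually in effect after a reboot, since a `modprobe` typed by hand does not survive one.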
