I have a strongswan implementation and am running into an issue where when there are two users behind the same NAT, the second one "kicks off" the first one. I was able to resolve the issue using:
- Machine Certificates.
- EAP-MSCHAPv2 with unique usernames.
The problem with EAP is that the usernames have to be unique. "Bob" and "Bill" work fine behind a NAT, however two devices logged in as "Bob" kick each other off (the second device works but the first one stops pinging out). Each user is assigned a unique virtual address from a pool.
This is a problem because I want to provision hundreds of devices with a generic username/password. I'm sure PSK could also be used, but last time I tried PSK, two devices with the same PSK would boot each other off.
I prefer to use IKEv2 but can do IKEv1/L2TP if I need to. I would think that this is possible because Strongswan can just figure out how to re-encrypt the return packets using the SPI.
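As an added example (not part of the original post), the ipsec.conf setting that governs the behaviour described above: by default strongSwan enforces identity uniqueness, so a second IKE_SA authenticated as "Bob" replaces the first one. The gateway identity, certificate file name and virtual-IP pool below are placeholders.

```ini
# ipsec.conf -- added example, not from the original post.
config setup
    # uniqueids controls what happens when a new IKE_SA is set up with an
    # identity that already has an active IKE_SA:
    #   yes     (default) replace the old IKE_SA -> the "kicked off" symptom
    #   no      allow concurrent IKE_SAs, but still honor an INITIAL_CONTACT
    #           notify from the client, which deletes the older SAs
    #   never   allow concurrent IKE_SAs and ignore INITIAL_CONTACT as well
    #   replace / keep   always replace / always keep the existing IKE_SA
    # For a fleet of devices sharing one EAP username, "never" is the
    # setting that lets all of them stay up at once.
    # (swanctl.conf equivalent: connections.<conn>.unique = never)
    uniqueids = never

conn rw-eap
    keyexchange = ikev2
    left = %any
    leftid = vpn.example.org            # placeholder gateway identity
    leftcert = gatewayCert.pem          # placeholder certificate file
    leftauth = pubkey
    leftsubnet = 0.0.0.0/0
    right = %any
    rightauth = eap-mschapv2
    eap_identity = %identity            # use the EAP identity as peer id
    rightsourceip = 10.99.0.0/16        # constructed virtual-IP pool
    auto = add
```

With uniqueness disabled every device presents the same identity, so the gateway can no longer distinguish devices in its logs or revoke a single one; keep that in mind when deciding between a shared credential and per-device certificates.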