Multiple L2TP/IPSEC clients dropping over Starlink

Hi

So I have installed many Starlinks over the past year and I install an MT router for remote maintenance/traffic separation etc.
I have configured each client router to be an L2TP IPSEC client and everything worked great until recently.

I seem to remember this being an inherent issue with IPSEC when behind a NAT and there are multiple tunnels to the same destination sourced from the same public IP but I could be mistaken. Having disabled the authentication for one of the 2 clients on the same public IP, the connection remains up for the other.

My question is, assuming GRE, L2TP, PPTP etc. are dropped at SpaceX NAT routers, what secure protocol would you choose to use instead to maintain a tunnel?

Thanks

The explanation of why this happens and the solution if you insist on L2TP/IPsec is here; further in the discussion there are some suggestions on what else to use, but in my case, I use SSTP clients on the remote Mikrotiks to manage them remotely. Be aware that using SSTP without at least a server-side certificate is not secure.

Other than that, Starlink will let through any tunneling protocol (IPIP, GRE, …) if encapsulated into IPsec, but you have to do the encapsulation manually, using tunnel mode of IPsec SAs rather than transport one.

Hi

Thank you for your reply and very detailed explanation. I think I’ll migrate the connections to SSTP like you suggested.

Thanks again