[Swan] Multiple devices behind single NAT IP

Paul Wouters pwouters at redhat.com
Tue Jul 30 09:47:06 EEST 2013


On Mon, 29 Jul 2013, Mike C wrote:

> Is there a recommended approach to run multiple openswan clients behind the same NAT IP? My scenario in particular is multiple 3G
> devices behind the same ISP CG-NAT IP (unfortunately).

"Do not use IPsec transport mode with L2TP".

Once you stick to tunnel mode with XAUTH (using rightaddresspool=) you
should have no issues with multiple clients behind the same NAT or
multiple clients using the same internal IP behind different NATs.

> I find that the connection works for both only if I connect the tunnel for a single router first, then the next. So add @router2 to the server,
> connect it, then add @router3 and connect it. If I don't do this, the server tries to associate the packets with the wrong tunnel (logs
> for 3.3 libreswan on server showed this, not seeing any debug logs on 3.5 but assume the same).

If the phase 1s (parent SAs) are similar, pluto will pick one of them,
and might switch later. So it might look like it is picking the wrong
one, but it is not.

> conn routers-12
>     left=69.x.x.x
>     leftsubnet=192.168.55.0/24
>     leftnexthop=%defaultroute
>     leftsourceip=192.168.55.254
>     leftid=@router1
>     right=2.x.x.x
>     rightsubnet=192.168.22.0/24
>     rightid=@router2
>     keyingtries=%forever
>     forceencaps=yes
>     nat_keepalive=yes
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart_by_peer
>     authby=secret
> 
> conn routers-13
>     left=69.x.x.x
>     leftsubnet=192.168.55.0/24
>     leftnexthop=%defaultroute
>     leftsourceip=192.168.55.254
>     leftid=@router1
>     right=2.x.x.x
>     rightsubnet=192.168.33.0/24
>     rightid=@router3
>     keyingtries=%forever
>     forceencaps=yes
>     nat_keepalive=yes
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart_by_peer
>     authby=secret

This configuration might work more easily with aggrmode=yes or ikev2=propose.
Then the rightid is sent in the very first packet.

Paul
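The two conns from the question rewritten along the lines of Paul's second suggestion, as an added example that is not part of the original thread and not libreswan's own sample config: the settings the two peers share are factored into a template conn pulled in with also=, and ikev2=propose is set so that pluto has the peer identity when it selects the conn instead of having to guess from the shared CG-NAT source address. The addresses and subnets are the placeholders from the question; the template name router-common, the use of also= and auto=add are assumptions for illustration, and the matching ipsec.secrets entries keyed on the @router IDs are assumed to exist and are not shown.

```ini
# Added example, not from the thread. Server-side ipsec.conf for two 3G
# routers that both arrive from the same CG-NAT address (2.x.x.x).
# Assumed: ipsec.secrets holds a PSK for each pair of @router IDs.

conn router-common
    # Template only: pulled in via also=, never loaded on its own.
    auto=ignore
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.55.254
    leftid=@router1
    # Both peers share this public address, so right= alone cannot
    # distinguish them; the rightid in each conn below has to do that.
    right=2.x.x.x
    keyingtries=%forever
    forceencaps=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart_by_peer
    authby=secret
    # IKEv2 (or aggrmode=yes for IKEv1) delivers the peer ID early enough
    # for pluto to pick the matching conn rather than one of the
    # near-identical phase 1s.
    ikev2=propose

conn routers-12
    also=router-common
    rightsubnet=192.168.22.0/24
    rightid=@router2
    # Assumed: the server only responds; the 3G routers initiate.
    auto=add

conn routers-13
    also=router-common
    rightsubnet=192.168.33.0/24
    rightid=@router3
    auto=add
```

The only lines that differ between the two conns are rightsubnet and rightid, which is exactly the pair pluto needs to tell the peers apart once the ID arrives with the first exchange. The routers themselves need the same ikev2=propose (or aggrmode=yes) setting on their side, otherwise the responder still ends up negotiating IKEv1 Main Mode with the ID hidden until after the address-based lookup.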
