[Swan] Multiple devices behind single NAT IP
Mike C
smith.not.western at gmail.com
Tue Jul 30 18:04:11 EEST 2013
On Tue, Jul 30, 2013 at 7:47 AM, Paul Wouters <pwouters at redhat.com> wrote:
> On Mon, 29 Jul 2013, Mike C wrote:
>
>> Is there a recommended approach to run multiple openswan clients behind
>> the same NAT IP? My scenario in particular is multiple 3G
>> devices behind the same ISP CG-NAT IP (unfortunately).
>>
>
> "Do not use IPsec transport mode with L2TP".
>
> Once you stick to tunnel mode with XAUTH (using rightaddresspool=) you
> should have no issues with multiple clients behind the same NAT or
> multiple clients using the same internal IP behind different NATs.
I am using tunnel mode already. No L2TP, just routers with 3G dongles
providing net-net VPNs between offices. I don't believe XAUTH would help in
this case?
>> I find that the connection works for both only if I the tunnel for a
>> single router first, then the next. So add @router2 to the server,
>> connect it, then add @router3 and connect it. If I don't do this, the
>> server tries to associate the packets with the wrong tunnel (logs
>> for 3.3 libreswan on server showed this, not seeing any debug logs on 3.5
>> but assume the same).
>
> If the phase 1s (parent SA) are similar, pluto will pick one of them,
> and might switch later. So it might look like it is picking the wrong
> one, but it is not.
>
>
>> conn routers-12
>> left=69.x.x.x
>> leftsubnet=192.168.55.0/24
>> leftnexthop=%defaultroute
>> leftsourceip=192.168.55.254
>> leftid=@router1
>> right=2.x.x.x
>> rightsubnet=192.168.22.0/24
>> rightid=@router2
>> keyingtries=%forever
>> forceencaps=yes
>> nat_keepalive=yes
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=restart_by_peer
>> authby=secret
>>
>> conn routers-13
>> left=69.x.x.x
>> leftsubnet=192.168.55.0/24
>> leftnexthop=%defaultroute
>> leftsourceip=192.168.55.254
>> leftid=@router1
>> right=2.x.x.x
>> rightsubnet=192.168.33.0/24
>> rightid=@router3
>> keyingtries=%forever
>> forceencaps=yes
>> nat_keepalive=yes
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=restart_by_peer
>> authby=secret
>>
>
> This configuration might work easier with aggrmode=yes or ikev2=propose.
> Then the rightid is sent in the very first packet.
>
Will give ikev2 a try and failing that aggrmode (would prefer to avoid if
possible).
Many thanks,
Mike
>
> Paul
>
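The problem Paul describes, two conns whose phase 1 looks the same to the responder because both peers arrive from the same NAT address and IKEv1 main mode only reveals the ID after the exchange is under way, can be checked for mechanically. The following lint is an added example, not code from the thread or from libreswan; it assumes ipsec.conf-style `conn` blocks with indented `key=value` lines and treats only `aggrmode=yes`, `ikev2=propose` and `ikev2=insist` as settings that put the peer ID in the first packet.

```python
"""Flag ipsec.conf conns that share one right= address but cannot be told
apart from the first IKE packet (IKEv1 main mode, no aggrmode/ikev2)."""
import re
from collections import defaultdict

# Constructed sample modelled on the two conns in the thread, with the
# indentation ipsec.conf expects restored; not the poster's exact file.
SAMPLE_CONF = """
conn routers-12
    left=69.x.x.x
    right=2.x.x.x
    rightid=@router2
    authby=secret

conn routers-13
    left=69.x.x.x
    right=2.x.x.x
    rightid=@router3
    authby=secret
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn NAME' block."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def id_in_first_packet(conn):
    """True if the peer's ID is carried in the very first IKE message
    (aggressive mode or IKEv2); main mode only sends it later."""
    return (conn.get("aggrmode", "no") == "yes"
            or conn.get("ikev2", "no") in ("propose", "insist"))

def ambiguous_peers(conns):
    """Map right= address -> sorted conn names that the responder cannot
    distinguish from the first packet; only groups of two or more count."""
    by_addr = defaultdict(list)
    for name, c in conns.items():
        if "right" in c and not id_in_first_packet(c):
            by_addr[c["right"]].append(name)
    return {addr: sorted(names) for addr, names in by_addr.items()
            if len(names) > 1}
```

Adding `ikev2=propose` (or `aggrmode=yes`) to the conns that share an address makes the report empty, which is the change the thread suggests.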