[Swan] Multiple devices behind single NAT IP

Mike C smith.not.western at gmail.com
Tue Jul 30 18:04:11 EEST 2013


On Tue, Jul 30, 2013 at 7:47 AM, Paul Wouters <pwouters at redhat.com> wrote:

> On Mon, 29 Jul 2013, Mike C wrote:
>
>> Is there a recommended approach to run multiple openswan clients behind
>> the same NAT IP? My scenario in particular is multiple 3G
>> devices behind the same ISP CG-NAT IP (unfortunately).
>>
>
> "Do not use IPsec transport mode with L2TP".
>
> Once you stick to tunnel mode with XAUTH (using rightaddresspool=) you
> should have no issues with multiple clients behind the same NAT or
> multiple clients using the same internal IP behind different NATs.


I am using tunnel mode already. No L2TP, just routers with 3G dongles
providing net-net VPNs between offices. I don't believe XAUTH would help in
this case?


>> I find that the connection works for both only if I add the tunnel for a
>> single router first, then the next. So add @router2 to the server,
>> connect it, then add @router3 and connect it. If I don't do this, the
>> server tries to associate the packets with the wrong tunnel (logs
>> for 3.3 libreswan on server showed this, not seeing any debug logs on 3.5
>> but assume the same).
>

> If the phase 1s (parent SAs) are similar, pluto will pick one of them,
> and might switch later. So it might look like it is picking the wrong
> one, but it is not.
>
>
>> conn routers-12
>>     left=69.x.x.x
>>     leftsubnet=192.168.55.0/24
>>     leftnexthop=%defaultroute
>>     leftsourceip=192.168.55.254
>>     leftid=@router1
>>     right=2.x.x.x
>>     rightsubnet=192.168.22.0/24
>>     rightid=@router2
>>     keyingtries=%forever
>>     forceencaps=yes
>>     nat_keepalive=yes
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=restart_by_peer
>>     authby=secret
>>
>> conn routers-13
>>     left=69.x.x.x
>>     leftsubnet=192.168.55.0/24
>>     leftnexthop=%defaultroute
>>     leftsourceip=192.168.55.254
>>     leftid=@router1
>>     right=2.x.x.x
>>     rightsubnet=192.168.33.0/24
>>     rightid=@router3
>>     keyingtries=%forever
>>     forceencaps=yes
>>     nat_keepalive=yes
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=restart_by_peer
>>     authby=secret
>>
>
> This configuration might work easier with aggrmode=yes or ikev2=propose.
> Then the rightid is sent in the very first packet.
>

Will give ikev2 a try and failing that aggrmode (would prefer to avoid if
possible).

Many thanks,

Mike


>
> Paul
>
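An added example, not from the original thread and not libreswan's own documentation, of how the two server-side conns quoted above can be keyed on the peer's ID instead of its source address. The addresses, IDs and secrets are placeholders carried over from the thread, and the choice of ikev2=insist is an assumption (Paul's ikev2=propose also works, but still permits a fallback to IKEv1 if a peer does not offer IKEv2). The reason ID-based selection matters: in IKEv1 main mode the ID payload is sent encrypted in the fifth and sixth messages, after the responder has already needed the PSK, so both the conn and the PSK have to be chosen by the peer's IP address, and two routers behind one CG-NAT address cannot be told apart that way. Aggressive mode moves the ID into the first message, but it also exposes a PSK-derived hash to a passive observer, which allows offline dictionary attacks on the secret. IKEv2 carries IDi in the same IKE_AUTH message as the AUTH payload, so the responder can look up the PSK by ID before verifying it, with nothing exposed in the clear.

```ini
# /etc/ipsec.conf on the central server (added example; addresses, IDs and
# secrets are placeholders carried over from the thread, not real values)

conn routers-common
    # identical server side for every router
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.55.254
    leftid=@router1
    # several routers share one CG-NAT address, so the source address cannot
    # identify the peer; accept any address and let rightid do the selection
    right=%any
    # IKEv2 only: IDi arrives in IKE_AUTH together with the AUTH payload, so
    # pluto can pick the conn and the PSK by ID. IKEv1 main mode would have to
    # pick both by IP, and aggressive mode would expose a PSK-derived hash.
    ikev2=insist
    authby=secret
    keyingtries=%forever
    forceencaps=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart_by_peer
    # the server cannot initiate towards %any; the routers must connect in
    auto=add

conn routers-12
    rightid=@router2
    rightsubnet=192.168.22.0/24
    also=routers-common

conn routers-13
    rightid=@router3
    rightsubnet=192.168.33.0/24
    also=routers-common

# /etc/ipsec.secrets on the server: a separate PSK per router, selected by the
# (local ID, peer ID) pair rather than by IP address
# @router1 @router2 : PSK "placeholder-secret-for-router2"
# @router1 @router3 : PSK "placeholder-secret-for-router3"

# each router mirrors its conn with left/right swapped, e.g. on router2:
# conn to-server
#     left=%defaultroute
#     leftid=@router2
#     leftsubnet=192.168.22.0/24
#     right=69.x.x.x
#     rightid=@router1
#     rightsubnet=192.168.55.0/24
#     ikev2=insist
#     authby=secret
#     auto=start
```

With right=%any the server no longer pins the peer to the CG-NAT address, so authentication rests entirely on the per-router PSK; the secrets must be strong and distinct per router, which is exactly what the ID-keyed ipsec.secrets entries give you and what main mode behind a shared NAT address could not.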