[Swan] Multiple devices behind single NAT IP

Mike C smith.not.western at gmail.com
Mon Aug 5 12:05:56 EEST 2013


On Tue, Jul 30, 2013 at 5:14 PM, Paul Wouters <pwouters at redhat.com> wrote:

> On Tue, 30 Jul 2013, Mike C wrote:
>
>> I am using tunnel mode already. No L2TP, just routers with 3G dongles
>> providing net-net VPNs between offices. I don't believe XAUTH
>> would help in this case?
>>
>
> Correct, then you don't need it. But then I'm not entirely sure why your
> connections would be failing?
>

(Reposting without attached logs; apologies, didn't realise the size.)

Sorry for the delay; I've now tested both IKEv1 and IKEv2 and neither seems
to like the setup. The last connection added to the server-side using the
same source can connect, the first one can't. I tested specifying the IP
for both connections as %any, and as the IP the clients are coming from,
both approaches had the same behavior. If I define a different source IP
for the last added connection, then the first one can connect fine.

Using IKEv1 aggrmode=yes both come up, but for some reason traffic isn't
reaching the other end. Even if I only define a single tunnel and bring it
up, no traffic makes it. So not sure what is happening there, although at
least at the start both tunnels come up.

Is there a way to force connection identification to be performed only
after the peer IDs are sent in IKEv1 main mode? Or IKEv2, but would like to
stick to IKEv1 to reduce impact on clients. Based on the above for main
mode, does this appear to be a bug, could it be fixed or is it not possible
to support such an approach?

In case it's of use see http://pastebin.com/dVFQbcTt with the full
plutodebug=all output. In both cases, I'm trying to bring 'routers-13',
having added it first to the server followed by 'routers-12'.

Regards,

Mike