[Swan] multiple users behind single nat

Paul Wouters paul at nohats.ca
Thu May 29 03:43:14 EEST 2014


On Wed, 28 May 2014, Bob Miller wrote:

> One of my VPN setups found most of the remote users in a single room
> behind a single router today.  Recently their system was upgraded from
> Openswan to Libreswan, and I thought I had read that multiple people
> could just connect from behind the same NAT device.  But it didn't work out
> when they tried it.

Are you saying it worked in the past?

> They are using various versions of windows, from XP to 8, with the
> built-in l2tp/ipsec client, and the first guy to connect works fine
> until he disconnects, then all things are buggered till I restart ipsec.

Yes. It is a problem of IPsec transport mode with NAT.

> I got to poking around, I found one article that said I needed to use
> the SAref patch and KLIPS to make that work (all my firewalls have been
> built with netkey), but I found a few other articles that make me think
> configuring XAUTH is another way.

Both are correct. The best solution _is_ to migrate to XAUTH/IPsec,
except that the Windows users will need to download a (free) Windows
client that knows XAUTH, as Microsoft is unwilling to add support for it
(Windows and BlackBerry are the last OSes I know of that don't support
XAUTH). There is a nice free client called Shrew Soft VPN for Windows.

> I read the man page for ipsec.conf and the README.XAUTH files, among a
> bunch of other things from google, but I haven't been able to get it
> working yet and I am a bit confused about how the roles shift around; it
> seems xauth fills a lot of the functions I currently use xl2tpd for...

That's right. No more L2TP daemons required. All you need is a
configuration with libreswan similar to:

conn xauth-rsa
     authby=rsasig
     pfs=no
     auto=add
     rekey=no
     left=193.110.157.148
     leftcert=vpn.nohats.ca
     #leftid=%fromcert
     leftid=@vpn.nohats.ca
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     rightaddresspool=10.0.1.1-10.0.1.254
     right=%any
     rightid=%fromcert
     rightrsasigkey=%cert
     modecfgdns1=193.110.157.123
     modecfgdns2=8.8.8.8
     leftxauthserver=yes
     rightxauthclient=yes
     leftmodecfgserver=yes
     rightmodecfgclient=yes
     modecfgpull=yes
     xauthby=alwaysok
     # xauthby=pam
     # xauthfail=soft
     # ike_frag=force

This is one using Certificates, but you can also use PSK.

The key options are xauthby, rightaddresspool and xauthfail.
See "man ipsec.conf" for their documentation.

Paul
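As an added example (not part of the original thread and not libreswan's own code), here is a small Python linter that parses ipsec.conf conn sections and checks the three options Paul names (xauthby, rightaddresspool, xauthfail) on XAUTH server connections, and flags L2TP transport-mode conns, which are the setup that breaks with several clients behind one NAT. The sample configuration embedded below is constructed from the conn in the mail plus a hypothetical L2TP/PSK conn for comparison; the function names are my own.

```python
"""Lint a libreswan ipsec.conf for the XAUTH/ModeCfg road-warrior options
discussed in the thread.  Added example; not libreswan code."""
import re
from typing import Dict, List

# Constructed sample: the XAUTH conn from the mail (trimmed) and a
# hypothetical L2TP/IPsec transport-mode conn of the kind being replaced.
SAMPLE_CONF = """\
config setup
     protostack=netkey

conn xauth-rsa
     authby=rsasig
     auto=add
     left=193.110.157.148
     leftcert=vpn.nohats.ca
     leftsubnet=0.0.0.0/0
     rightaddresspool=10.0.1.1-10.0.1.254
     right=%any
     leftxauthserver=yes
     rightxauthclient=yes
     leftmodecfgserver=yes
     rightmodecfgclient=yes
     modecfgpull=yes
     xauthby=alwaysok
     # xauthby=pam

conn l2tp-psk
     authby=secret
     type=transport
     left=193.110.157.148
     leftprotoport=17/1701
     right=%any
     rightprotoport=17/%any
     auto=add
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {option: value}} for every 'conn' section.

    Anything after '#' is a comment, so a commented-out option such as
    '# xauthby=pam' does not count as set.  'config setup' is skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            current = sections.setdefault(header.group(2), {}) \
                if header.group(1) == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def lint_conn(name: str, opts: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one conn section."""
    findings: List[str] = []
    if opts.get("leftxauthserver") == "yes":
        if "rightaddresspool" not in opts:
            findings.append(f"{name}: XAUTH server without rightaddresspool; "
                            "no inner address pool is handed to clients")
        if opts.get("xauthby") == "alwaysok":
            findings.append(f"{name}: xauthby=alwaysok accepts any "
                            "username/password; use xauthby=pam or file")
        if opts.get("xauthfail") == "soft":
            findings.append(f"{name}: xauthfail=soft keeps the tunnel up "
                            "after a failed XAUTH; make sure that is intended")
    elif opts.get("type") == "transport" and \
            opts.get("leftprotoport", "").endswith("/1701"):
        findings.append(f"{name}: L2TP/IPsec transport-mode conn; several "
                        "clients behind one NAT will collide, consider XAUTH")
    return findings


def lint_conf(text: str) -> List[str]:
    """Parse and lint a whole ipsec.conf, returning all findings."""
    out: List[str] = []
    for name, opts in parse_ipsec_conf(text).items():
        out.extend(lint_conn(name, opts))
    return out


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports the alwaysok test setting on xauth-rsa and the transport-mode L2TP conn; swapping in xauthby=pam clears the first finding.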

