[Swan] multiple users behind single nat
Paul Wouters
paul at nohats.ca
Thu May 29 03:43:14 EEST 2014
On Wed, 28 May 2014, Bob Miller wrote:
> One of my VPN setups found most of the remote users in a single room
> behind a single router today. Recently their system was upgraded from
> Openswan to Libreswan, and I thought I had read that multiple people
> could just connect from behind the same NAT device. But it didn't work out
> when they tried it.
Are you saying it worked in the past?
> They are using various versions of windows, from XP to 8, with the
> built-in l2tp/ipsec client, and the first guy to connect works fine
> until he disconnects, then all things are buggered till I restart ipsec.
Yes. It is a problem of IPsec transport mode with NAT.
> I got to poking around, I found one article that said I needed to use
> the SAref patch and KLIPS to make that work (all my firewalls have been
> built with netkey), but I found a few other articles that make me think
> configuring XAUTH is another way.
Both are correct. The best solution _is_ to migrate to XAUTH/IPsec,
except that the Windows users will need to download a (free) Windows
client that knows XAUTH, as Microsoft is unwilling to add support for it
(Windows and BlackBerry are the last OSes I know of that don't support
XAUTH). There is a nice free client called Shrew Soft VPN for Windows.
> I read the man page for ipsec.conf and the README.XAUTH files, among a
> bunch of other things from google, but I haven't been able to get it
> working yet and I am a bit confused about how the roles shift around; it
> seems xauth fills a lot of the functions I currently use xl2tpd for...
That's right. No more L2TP daemons required. All you need is a
configuration with libreswan similar to:
conn xauth-rsa
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=193.110.157.148
    leftcert=vpn.nohats.ca
    #leftid=%fromcert
    leftid=@vpn.nohats.ca
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightaddresspool=10.0.1.1-10.0.1.254
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    modecfgdns1=193.110.157.123
    modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    # xauthby=pam
    # xauthfail=soft
    # ike_frag=force
This is one using Certificates, but you can also use PSK.
The key options are xauthby, rightaddresspool and xauthfail.
See "man ipsec.conf" for their documentation.
Paul
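As an added example (not part of the post or of libreswan itself), here is a small Python checker that parses a conn block like the one above and reports the settings that matter for this setup: the XAUTH/ModeCfg server flags, the size of rightaddresspool, and the xauthby/xauthfail choices. The sample conf and the function names are constructed for the example; the pool parser assumes the a-b range form used in the post.

```python
import ipaddress
import re

# Constructed sample: the conn from the post, reduced to the options checked here.
SAMPLE_CONF = """\
conn xauth-rsa
    authby=rsasig
    left=193.110.157.148
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    rightaddresspool=10.0.1.1-10.0.1.254
    xauthby=alwaysok
    # xauthby=pam
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return conns

def review_xauth_conn(opts):
    """Return findings for one conn; an empty list means nothing was flagged."""
    findings = []
    if opts.get("leftxauthserver") != "yes" or opts.get("leftmodecfgserver") != "yes":
        findings.append("server side needs leftxauthserver=yes and leftmodecfgserver=yes")
    pool = opts.get("rightaddresspool")
    if not pool:
        findings.append("rightaddresspool missing: each client needs its own inner address")
    else:  # assumes the a-b range form used in the post
        lo, hi = (ipaddress.ip_address(s.strip()) for s in pool.split("-", 1))
        findings.append("address pool holds %d client addresses" % (int(hi) - int(lo) + 1))
    if opts.get("xauthby") == "alwaysok":
        findings.append("xauthby=alwaysok accepts any credentials; use pam or file outside testing")
    if opts.get("xauthfail") == "soft":
        findings.append("xauthfail=soft lets the connection come up after a failed XAUTH")
    return findings
```

Running review_xauth_conn(parse_conns(SAMPLE_CONF)["xauth-rsa"]) on the sample flags the alwaysok setting and reports a 254-address pool.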