[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working
Paul Wouters
paul at nohats.ca
Sat Aug 23 01:10:16 EEST 2014
On Fri, 22 Aug 2014, Pontus Wiberg wrote:
> Finally my XAUTH configuration is working, however now I find myself stuck on a NAT issue. I moved to Libreswan largely because of the
> rightaddresspool options and because using XAUTH should support having multiple clients behind the same NAT. Now I can't get that to
> work though, I have two clients - I can connect the first successfully with user "pontus", I can ping everything on the inside and it
> works perfectly however as soon as one more client connects (user "andre") .. all tunnels to that IP break, they do not disconnect but
> there is no connectivity anywhere. Sometimes, although few, the new client will stay connected and his tunnel will continue to work but
> the old client will still be without connectivity.
> uniqueids=yes
>
> conn roadwarrior
> left=10.1.31.5
> leftid=54.255.206.227
> authby=secret
> leftxauthserver=yes
> leftsubnet=10.1.31.0/24
> right=%any
You cannot use uniqueids=yes with auth=secret
> rightid=%any
Is that even legal? I think that right=%any and rightid=%any should be
rejected.
The unique id refers to the IPsec SA ID, not the xauth username.
If you want to use PSK instead of X.509/RSA, use uniqueids=no.
Paul
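A small configuration check written for this thread (not part of the original mail and not libreswan's own code): it parses an ipsec.conf-style file and flags the two combinations Paul points out, `authby=secret` together with `uniqueids=yes`, and `right=%any` together with `rightid=%any`. The sample configuration is constructed from the keys quoted in the mail; the `config setup` header and the indentation are assumptions, and the corrected variant applies the advice in the reply (uniqueids=no, no rightid=%any).

```python
# Constructed sample modelled on the configuration quoted in the thread.
# The "config setup" section and indentation are assumptions; the mail
# shows only the key=value lines.
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn roadwarrior
    left=10.1.31.5
    leftid=54.255.206.227
    authby=secret
    leftxauthserver=yes
    leftsubnet=10.1.31.0/24
    right=%any
    rightid=%any
"""

# Same connection with the fixes suggested in the reply applied.
CORRECTED_CONF = """\
config setup
    uniqueids=no

conn roadwarrior
    left=10.1.31.5
    leftid=54.255.206.227
    authby=secret
    leftxauthserver=yes
    leftsubnet=10.1.31.0/24
    right=%any
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {section_header: {key: value}}.

    A non-indented line ("config setup", "conn <name>") opens a section;
    indented key=value lines belong to the current section. Comments (#)
    and blank lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            header = line.strip()
            sections[header] = {}
            current = sections[header]
            continue
        if current is None:
            raise ValueError("key/value outside a section: %r" % raw)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        current[key.strip()] = value.strip()
    return sections


def lint(sections):
    """Return (conn_name, message) pairs for the combinations the thread
    identifies as broken for PSK/XAUTH road warriors behind one NAT."""
    findings = []
    setup = sections.get("config setup", {})
    # Assumption: treat a missing uniqueids as "yes", the usual default.
    uniqueids = setup.get("uniqueids", "yes")
    for header, opts in sections.items():
        if not header.startswith("conn "):
            continue
        conn = header[len("conn "):]
        if opts.get("authby") == "secret" and uniqueids == "yes":
            findings.append((conn,
                             "authby=secret with uniqueids=yes; use uniqueids=no for PSK"))
        if opts.get("right") == "%any" and opts.get("rightid") == "%any":
            findings.append((conn,
                             "right=%any combined with rightid=%any"))
    return findings


if __name__ == "__main__":
    for conn, msg in lint(parse_ipsec_conf(SAMPLE_CONF)):
        print("conn %s: %s" % (conn, msg))
    print("corrected config findings:",
          lint(parse_ipsec_conf(CORRECTED_CONF)))
```

Running it against the sample reports both problems for `roadwarrior` and nothing for the corrected configuration; the parser is deliberately minimal (no `also=` includes, no `%default` handling) so it only covers the shape of the file shown in the thread.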