[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working

Paul Wouters paul at nohats.ca
Sat Aug 23 01:10:16 EEST 2014


On Fri, 22 Aug 2014, Pontus Wiberg wrote:

> Finally my XAUTH configuration is working, however now I find myself stuck on a NAT issue. I moved to Libreswan largely because of the
> rightaddresspool options and because using XAUTH should support having multiple clients behind the same NAT. Now I can't get that to
> work though. I have two clients: I can connect the first successfully with user "pontus", I can ping everything on the inside and it
> works perfectly; however, as soon as one more client connects (user "andre"), all tunnels to that IP break. They do not disconnect, but
> there is no connectivity anywhere. Sometimes, although rarely, the new client will stay connected and his tunnel will continue to work, but
> the old client will still be without connectivity.

>         uniqueids=yes
> 
> conn roadwarrior
>         left=10.1.31.5
>         leftid=54.255.206.227
>         authby=secret
>         leftxauthserver=yes
>         leftsubnet=10.1.31.0/24
>         right=%any

You cannot use uniqueids=yes with auth=secret

>         rightid=%any

Is that even legal? I think that right=%any and rightid=%any should be
rejected.

The unique id refers to the IPsec SA ID, not the xauth username.

If you want to use PSK instead of X.509/RSA, use uniqueids=no.

Paul
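A minimal ipsec.conf that applies the advice above, added here as an illustration and not taken from the thread or from the Libreswan project; the address pool range and the PSK are constructed placeholders, and everything else mirrors the poster's own values.

```ini
# /etc/ipsec.conf (constructed example; addresses copied from the thread)
config setup
        # uniqueids lives in "config setup". With authby=secret and
        # right=%any every road warrior presents the same IPsec ID, so
        # uniqueids=yes would replace the first client's SA as soon as the
        # second client (same ID, same NAT address) connects.
        uniqueids=no

conn roadwarrior
        left=10.1.31.5
        leftid=54.255.206.227
        leftsubnet=10.1.31.0/24
        leftxauthserver=yes
        # XAUTH is an IKEv1 extension; keep this conn on IKEv1
        ikev2=never
        # PSK for all road warriors; one shared secret, since the peer ID
        # is not known before the PSK is used in main mode
        authby=secret
        right=%any
        # no rightid=%any: right=%any already matches any peer
        rightxauthclient=yes
        rightmodecfgclient=yes
        # assumed pool: each client gets its own inner IP, which is what
        # keeps several clients behind one NAT distinguishable inside
        rightaddresspool=10.1.32.10-10.1.32.250
        auto=add

# /etc/ipsec.secrets would then carry one shared PSK (placeholder value):
#   54.255.206.227 %any : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Because the single PSK is shared by every client, per-user accountability comes only from the XAUTH credentials, which is the trade-off Paul alludes to when pointing at X.509/RSA as the alternative.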

