[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working
Pontus Wiberg
pontus.wiberg at universumglobal.com
Mon Aug 25 10:51:45 EEST 2014
Yeah, I pretty much just tested every option I could even think of there. I
have changed it around a lot, but this isn't working still.
uniqueids=no
conn roadwarrior
left=10.1.31.5
leftid=54.255.206.227
authby=secret
leftxauthserver=yes
leftsubnet=10.1.31.0/24
right=%any
rightaddresspool=192.168.224.5-192.168.224.100
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
modecfgdns1=8.8.8.8
xauthby=file
pfs=no
auto=add
Seems really simple, but it still loses the ability to route to the first
client when a second one connects.
BRs
Pontus
On 23 August 2014 00:10, Paul Wouters <paul at nohats.ca> wrote:
> On Fri, 22 Aug 2014, Pontus Wiberg wrote:
>
>> Finally my XAUTH configuration is working; however, now I find myself
>> stuck on a NAT issue. I moved to Libreswan largely because of the
>> rightaddresspool options and because using XAUTH should support having
>> multiple clients behind the same NAT. Now I can't get that to
>> work, though. I have two clients: I can connect the first successfully
>> with user "pontus", I can ping everything on the inside and it
>> works perfectly. However, as soon as one more client connects (user
>> "andre"), all tunnels to that IP break; they do not disconnect, but
>> there is no connectivity anywhere. Sometimes, although rarely, the new
>> client will stay connected and his tunnel will continue to work, but
>> the old client will still be without connectivity.
>>
>
>> uniqueids=yes
>>
>> conn roadwarrior
>> left=10.1.31.5
>> leftid=54.255.206.227
>> authby=secret
>> leftxauthserver=yes
>> leftsubnet=10.1.31.0/24
>> right=%any
>>
>
> You cannot use uniqueids=yes with auth=secret
>
>> rightid=%any
>>
>
> Is that even legal? I think that right=%any and rightid=%any should be
> rejected.
>
> The unique id refers to the IPsec SA ID, not the xauth username.
>
> If you want to use PSK instead of X.509/RSA, use uniqueids=no.
>
> Paul
>
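Added example, not code from the thread or from Libreswan: a small Python linter that parses an ipsec.conf-style file and flags the two combinations Paul objects to above, uniqueids=yes together with authby=secret, and right=%any together with rightid=%any. The sample configuration is constructed from the first config quoted in the thread; the "config setup" header and the default of uniqueids=yes are assumptions.

```python
from typing import Dict, List, Tuple
# Constructed ipsec.conf excerpt mirroring the first configuration quoted in
# the thread (uniqueids=yes, authby=secret, right=%any, rightid=%any).
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn roadwarrior
    left=10.1.31.5
    leftid=54.255.206.227
    authby=secret
    leftxauthserver=yes
    leftsubnet=10.1.31.0/24
    right=%any
    rightid=%any
    rightaddresspool=192.168.224.5-192.168.224.100
    auto=add
"""
def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Map 'setup' and 'conn:<name>' to their key=value pairs ('#' comments).
    Keys before any header are assumed to belong to config setup."""
    sections: Dict[str, Dict[str, str]] = {"setup": {}}
    current = "setup"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("config ", "conn ")):   # section header
            kind, _, name = line.partition(" ")
            current = "setup" if kind == "config" else "conn:" + name.strip()
            sections.setdefault(current, {})
        elif "=" in line:                            # key=value in current section
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections
def lint_ipsec_conf(text: str) -> List[Tuple[str, str]]:
    """Flag, per conn, the two combinations Paul objects to in the thread."""
    sections = parse_ipsec_conf(text)
    uniqueids = sections["setup"].get("uniqueids", "yes")  # Libreswan default: yes (assumed)
    findings: List[Tuple[str, str]] = []
    for name, conn in sections.items():
        if not name.startswith("conn:"):
            continue
        if uniqueids == "yes" and conn.get("authby") == "secret":
            findings.append((name[5:], "uniqueids=yes with authby=secret: the unique "
                             "ID is the IPsec SA ID, not the XAUTH user; use uniqueids=no"))
        if conn.get("right") == "%any" and conn.get("rightid") == "%any":
            findings.append((name[5:], "right=%any with rightid=%any: drop rightid"))
    return findings
```

Running lint_ipsec_conf over SAMPLE_CONF reports both findings for conn roadwarrior; the same text with uniqueids=no and the rightid line removed reports none.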