[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working

Pontus Wiberg pontus.wiberg at universumglobal.com
Mon Aug 25 10:51:45 EEST 2014


Yeah, I pretty much just tested every option I could even think of there. I
have changed it around a lot, but this isn't working still.

uniqueids=no

conn roadwarrior
        left=10.1.31.5
        leftid=54.255.206.227
        authby=secret
        leftxauthserver=yes
        leftsubnet=10.1.31.0/24
        right=%any
        rightaddresspool=192.168.224.5-192.168.224.100
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        modecfgdns1=8.8.8.8
        xauthby=file
        pfs=no
        auto=add

Seems really simple, but it still loses the ability to route to the first
client when a second one connects.

BRs
Pontus


On 23 August 2014 00:10, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 22 Aug 2014, Pontus Wiberg wrote:
>
>> Finally my XAUTH configuration is working, however now I find myself
>> stuck on a NAT issue. I moved to Libreswan largely because of the
>> rightaddresspool options and because using XAUTH should support having
>> multiple clients behind the same NAT. Now I can't get that to
>> work though, I have two clients - I can connect the first successfully
>> with user "pontus", I can ping everything on the inside and it
>> works perfectly however as soon as one more client connects (user
>> "andre") .. all tunnels to that IP break, they do not disconnect but
>> there is no connectivity anywhere. Sometimes, although few, the new
>> client will stay connected and his tunnel will continue to work but
>> the old client will still be without connectivity.
>>
>
>>         uniqueids=yes
>>
>> conn roadwarrior
>>         left=10.1.31.5
>>         leftid=54.255.206.227
>>         authby=secret
>>         leftxauthserver=yes
>>         leftsubnet=10.1.31.0/24
>>         right=%any
>>
>
> You cannot use uniqueids=yes with auth=secret
>
>>         rightid=%any
>>
>
> Is that even legal? I think that right=%any and rightid=%any should be
> rejected.
>
> The unique id refers to the IPsec SA ID, not the xauth username.
>
> If you want to use PSK instead of X.509/RSA, use uniqueids=no.
>
> Paul
>
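One way to catch the two conn-section problems Paul points out before loading a config, as an added example written for this page (not code from Libreswan or from either poster): it assumes Libreswan's default of uniqueids=yes when the option is unset, and runs over constructed config text modelled on the two configs quoted above.

```python
# Added example: a small linter for the two misconfigurations named in
# the thread. Assumes uniqueids defaults to yes when absent (Libreswan).


def parse_ipsec_conf(text):
    """Return (setup, conns): 'config setup' keys (plus bare top-level
    key=value lines, as pasted in the mail) and {conn name: {key: value}}."""
    setup, conns = {}, {}
    current = setup
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = setup
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return setup, conns


def lint(text):
    """Return [(conn, problem)] for the misconfigurations named in the thread."""
    setup, conns = parse_ipsec_conf(text)
    unique = setup.get("uniqueids", "yes").lower() == "yes"  # assumed default
    findings = []
    for name, c in conns.items():
        if unique and c.get("authby") == "secret" and c.get("right") == "%any":
            findings.append((name, "uniqueids=yes with authby=secret: peers "
                                   "sharing an ID (e.g. one NAT) replace each "
                                   "other's SA; set uniqueids=no"))
        if c.get("right") == "%any" and c.get("rightid") == "%any":
            findings.append((name, "right=%any with rightid=%any: drop rightid"))
    return findings


# Constructed inputs modelled on the two configs quoted in the thread.
BROKEN = """
uniqueids=yes
conn roadwarrior
        left=10.1.31.5
        authby=secret
        leftxauthserver=yes
        right=%any
        rightid=%any
"""
FIXED = BROKEN.replace("uniqueids=yes", "uniqueids=no").replace(
    "        rightid=%any\n", "")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(conf) or "OK")
```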