[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working

Antonio Silva asilva at wirelessmundi.com
Wed Jun 8 15:02:18 UTC 2016


Hi,

did you manage to solve your problem?

I'm having the same problem...

I followed the wiki example:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH


Regards,

António

On 08/25/2014 09:51 AM, Pontus Wiberg wrote:
> Yeah, I pretty much just tested every option I could even think of 
> there. I have changed it around a lot, but this isn't working still.
>
> uniqueids=no
>
> conn roadwarrior
>         left=10.1.31.5
>         leftid=54.255.206.227
>         authby=secret
>         leftxauthserver=yes
>         leftsubnet=10.1.31.0/24
>         right=%any
>         rightaddresspool=192.168.224.5-192.168.224.100
>         rightxauthclient=yes
>         leftmodecfgserver=yes
>         rightmodecfgclient=yes
>         modecfgpull=yes
>         modecfgdns1=8.8.8.8
>         xauthby=file
>         pfs=no
>         auto=add
>
> Seems really simple but it still loses the ability to route to the 
> first client when a second one connects
>
> BRs
> Pontus
>
>
> On 23 August 2014 00:10, Paul Wouters <paul at nohats.ca> wrote:
>
>     On Fri, 22 Aug 2014, Pontus Wiberg wrote:
>
>         Finally my XAUTH configuration is working, however now I find
>         myself stuck on a NAT issue. I moved to Libreswan largely
>         because of the
>         rightaddresspool options and because using XAUTH should
>         support having multiple clients behind the same NAT. Now I
>         can't get that to
>         work though, I have two clients - I can connect the first
>         successfully with user "pontus", I can ping everything on the
>         inside and it
>         works perfectly however as soon as one more client connects
>         (user "andre") .. all tunnels to that IP break, they do not
>         disconnect but
>         there is no connectivity anywhere. Sometimes, although few,
>         the new client will stay connected and his tunnel will
>         continue to work but
>         the old client will still be without connectivity.
>
>
>                 uniqueids=yes
>
>         conn roadwarrior
>                 left=10.1.31.5
>                 leftid=54.255.206.227
>                 authby=secret
>                 leftxauthserver=yes
>                 leftsubnet=10.1.31.0/24
>                 right=%any
>
>
>     You cannot use uniqueids=yes with auth=secret
>
>                 rightid=%any
>
>
>     Is that even legal? I think that right=%any and rightid=%any should be
>     rejected.
>
>     The unique id refers to the IPsec SA ID, not the xauth username.
>
>     If you want to use PSK instead of X.509/RSA, use uniqueids=no.
>
>     Paul
>
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
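The two points Paul raises (uniqueids=yes does not work with authby=secret road-warriors, and right=%any together with rightid=%any should be rejected) can be turned into a mechanical check. The following is an added example, my own code and not libreswan's or anyone's in this thread: a small Python linter that parses an ipsec.conf, flags those two combinations, and emits the corrected configuration. The sample configuration is constructed from the conn quoted above (same values, section layout assumed); the parser ignores include lines and knows nothing of libreswan beyond these two checks. Treating an unset uniqueids as yes follows libreswan's documented default.

```python
"""Lint a libreswan ipsec.conf for the XAUTH/PSK road-warrior pitfalls
discussed in this thread. Example code, not part of libreswan."""
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]

# Constructed sample modelled on the conn quoted in the thread.
SAMPLE_CONF = """\
config setup
        uniqueids=yes

conn roadwarrior
        left=10.1.31.5
        leftid=54.255.206.227
        authby=secret
        leftxauthserver=yes
        leftsubnet=10.1.31.0/24
        right=%any
        rightid=%any
        rightaddresspool=192.168.224.5-192.168.224.100
        rightxauthclient=yes
        xauthby=file
        auto=add
"""


def parse_ipsec_conf(text: str) -> Sections:
    """Parse ipsec.conf into {"config setup": {...}, "conn NAME": {...}}.

    Section headers start in column 0, key=value lines are indented and
    '#' starts a comment. 'include' lines are skipped (no filesystem access).
    """
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.startswith("include"):
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"bad section header: {line!r}")
            current = sections.setdefault(f"{parts[0]} {parts[1].strip()}", {})
            continue
        if current is None:
            raise ValueError(f"key=value before any section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"expected key=value: {line!r}")
        current[key.strip()] = value.strip()
    return sections


def lint(sections: Sections) -> List[Tuple[str, str]]:
    """Return (conn name, problem) pairs for the two issues raised in the thread."""
    findings: List[Tuple[str, str]] = []
    # libreswan treats an unset uniqueids as yes.
    uniqueids = sections.get("config setup", {}).get("uniqueids", "yes").lower()
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        cname = name[len("conn "):]
        any_peer = conn.get("right") == "%any"
        if any_peer and conn.get("rightid") == "%any":
            findings.append((cname, "right=%any combined with rightid=%any; remove rightid"))
        if any_peer and conn.get("authby") == "secret" and uniqueids == "yes":
            findings.append((cname,
                "PSK road-warrior with uniqueids=yes: clients behind one NAT present the "
                "same ID, so a new connection replaces the earlier client's SA; "
                "set uniqueids=no"))
    return findings


def apply_fix(sections: Sections) -> Sections:
    """Return a copy with uniqueids=no and any stray rightid=%any removed."""
    fixed = {name: dict(body) for name, body in sections.items()}
    fixed.setdefault("config setup", {})["uniqueids"] = "no"
    for name, conn in fixed.items():
        if name.startswith("conn ") and conn.get("rightid") == "%any":
            del conn["rightid"]
    return fixed


def render(sections: Sections) -> str:
    """Serialise sections back into ipsec.conf syntax (tab-indented keys)."""
    out: List[str] = []
    for name, body in sections.items():
        out.append(name)
        out.extend(f"\t{k}={v}" for k, v in body.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for cname, problem in lint(parsed):
        print(f"conn {cname}: {problem}")
    print(render(apply_fix(parsed)))
```

Run against the sample it reports both findings for conn roadwarrior and prints the corrected file with uniqueids=no and rightid dropped; a real deployment would point parse_ipsec_conf at /etc/ipsec.conf and the files it includes.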
