[Swan] IPSec+XAUTH Multiple Clients behind same NAT not working
Antonio Silva
asilva at wirelessmundi.com
Wed Jun 8 15:02:18 UTC 2016
Hi,
did you manage to solve your problem?
I'm having the same problem...
I follow the wiki example:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
Regards,
António
On 08/25/2014 09:51 AM, Pontus Wiberg wrote:
> Yeah, I pretty much just tested every option I could even think of
> there. I have changed it around a lot, but this isn't working still.
>
> uniqueids=no
>
> conn roadwarrior
> left=10.1.31.5
> leftid=54.255.206.227
> authby=secret
> leftxauthserver=yes
> leftsubnet=10.1.31.0/24
> right=%any
> rightaddresspool=192.168.224.5-192.168.224.100
> rightxauthclient=yes
> leftmodecfgserver=yes
> rightmodecfgclient=yes
> modecfgpull=yes
> modecfgdns1=8.8.8.8
> xauthby=file
> pfs=no
> auto=add
>
> Seems really simple but it still loses the ability to route to the
> first client when a second one connects
>
> BRs
> Pontus
>
>
> On 23 August 2014 00:10, Paul Wouters <paul at nohats.ca
> <mailto:paul at nohats.ca>> wrote:
>
> On Fri, 22 Aug 2014, Pontus Wiberg wrote:
>
> Finally my XAUTH configuration is working, however now I find
> myself stuck on a NAT issue. I moved to Libreswan largely
> because of the
> rightaddresspool options and because using XAUTH should
> support having multiple clients behind the same NAT. Now I
> can't get that to
> work though, I have two clients - I can connect the first
> successfully with user "pontus", I can ping everything on the
> inside and it
> works perfectly however as soon as one more client connects
> (user "andre") .. all tunnels to that IP break, they do not
> disconnect but
> there is no connectivity anywhere. Sometimes, although few,
> the new client will stay connected and his tunnel will
> continue to work but
> the old client will still be without connectivity.
>
>
> uniqueids=yes
>
> conn roadwarrior
> left=10.1.31.5
> leftid=54.255.206.227
> authby=secret
> leftxauthserver=yes
> leftsubnet=10.1.31.0/24
> right=%any
>
>
> You cannot use uniqueids=yes with auth=secret
>
> rightid=%any
>
>
> Is that even legal? I think that right=%any and rightid=%any should be
> rejected.
>
> The unique id refers to the IPsec SA ID, not the xauth username.
>
> If you want to use PSK instead of X.509/RSA, use uniqueids=no.
>
> Paul
>
>
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
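A small checker for the configuration pattern discussed in this thread, added here as an example and not code from libreswan or from any poster: it parses an ipsec.conf conn block and flags authby=secret combined with uniqueids=yes (the point Paul raises), and also warns if rightaddresspool overlaps leftsubnet. The sample block is constructed from the settings quoted above.

```python
import ipaddress
import re

# Constructed sample modelled on the first quoted configuration (uniqueids=yes, PSK).
SAMPLE_CONF = """\
uniqueids=yes

conn roadwarrior
    left=10.1.31.5
    leftid=54.255.206.227
    authby=secret
    leftsubnet=10.1.31.0/24
    right=%any
    rightaddresspool=192.168.224.5-192.168.224.100
"""

def parse_conf(text):
    """Split ipsec.conf text into (global_settings, {conn_name: settings})."""
    global_settings, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if line.startswith("config "):          # 'config setup' keys are global
            current = None
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (current if current is not None else global_settings)[key] = value
    return global_settings, conns

def lint(text):
    """Return findings for PSK road-warrior conns; an empty list means clean."""
    global_settings, conns = parse_conf(text)
    uniqueids = global_settings.get("uniqueids", "yes")  # libreswan default is yes
    findings = []
    for name, c in conns.items():
        if c.get("authby") == "secret" and uniqueids == "yes":
            findings.append(f"{name}: authby=secret needs uniqueids=no")
        pool, subnet = c.get("rightaddresspool"), c.get("leftsubnet")
        if pool and subnet:
            lo, hi = (ipaddress.ip_address(p) for p in pool.split("-"))
            net = ipaddress.ip_network(subnet, strict=False)
            if lo in net or hi in net:
                findings.append(f"{name}: rightaddresspool overlaps leftsubnet")
    return findings
```

Run `lint(open("/etc/ipsec.conf").read())` against a real file; any returned string is a setting to revisit before adding a second client behind the same NAT.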