[Swan] [libreswan/libreswan] IPsec/XAuth reusing lease for multiple clients behind same NAT (#166)

Paul Wouters paul at nohats.ca
Mon Feb 12 15:19:11 UTC 2018


On Mon, 12 Feb 2018, MikeLund wrote:

> Hi, I've set up an IPsec/XAuth VPN using hwdsl2/setup-ipsec-vpn#314 (comment)
> 
> Problem is: when two users connect from behind the same NAT, the first client's networking stops working. My guess on the
> cause of this is what I've named this issue: clients that are behind the same NAT are given the same VPN IP lease.

That is a known bug in the addresspool code when using authby=secret
where all clients share the same ID. You would likely get a
different ID, if you configured the clients to use their (native) IP
as ID (which often is the default when using PSK). While that works
a little better, you still run into an issue with two clients behind
different NATs re-using the same pre-NAT IP.

We hope to address this in libreswan 3.24.

Note if you use raw RSA keys or certificates, all your clients will have
unique IDs and you won't have this problem. It is specific to
authby=secret.

The underlying reason is that we are trying to hand the same lease back
to a re-connecting client so its open connections have a chance of
surviving on reconnect (eg via mobike when you switch between LTE/wifi).
Therefore, using unique IDs is always preferred.

So even if we fix this issue, your authby=secret clients would just
always have to be given a new lease, since we cannot distinguish
between a reconnecting client and a new one if they share the same ID.

Paul
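The lease behaviour Paul describes above can be modelled with a small ID-keyed lease table. The following is an added, constructed example for illustration; it is not libreswan's addresspool code and not part of the hwdsl2/setup-ipsec-vpn scripts. The pool range, the client IDs ("psk-client", "CN=alice", "CN=bob") and the `sticky` switch are assumptions made for the demonstration. It shows why a sticky lease keyed on the client ID hands two same-ID clients the same address, why unique IDs avoid that while still letting a reconnecting client get its old lease back, and that the only option for shared-ID clients is a fresh lease on every connect.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    session_id: int
    client_id: str
    address: ipaddress.IPv4Address


class AddressPool:
    """Toy model of a lease table keyed on the IKE client ID (constructed, not libreswan's).

    sticky=True  : a known client ID gets its previous address back (reconnect friendly).
    sticky=False : every connect gets a fresh address (safe for shared IDs, no continuity).
    """

    def __init__(self, cidr: str, sticky: bool = True):
        self.free = list(ipaddress.ip_network(cidr).hosts())
        self.sticky = sticky
        self.lease_by_id = {}      # client ID -> address reserved for that ID
        self.sessions = {}         # session_id -> Session (live connections only)
        self.next_session = 1

    def connect(self, client_id: str) -> Session:
        if self.sticky and client_id in self.lease_by_id:
            addr = self.lease_by_id[client_id]   # hand the old lease back
        else:
            addr = self.free.pop(0)              # allocate a new address
            self.lease_by_id[client_id] = addr
        sid = self.next_session
        self.next_session += 1
        self.sessions[sid] = Session(sid, client_id, addr)
        return self.sessions[sid]

    def disconnect(self, session_id: int) -> None:
        # The lease stays reserved for the ID so a reconnect can reuse it.
        self.sessions.pop(session_id)

    def shared_addresses(self) -> dict:
        """Addresses currently bound to more than one live session (the bug's symptom)."""
        by_addr = {}
        for s in self.sessions.values():
            by_addr.setdefault(s.address, []).append(s.session_id)
        return {a: ids for a, ids in by_addr.items() if len(ids) > 1}


def shared_id_scenario() -> dict:
    """Two authby=secret clients presenting the same ID: both receive the first lease."""
    pool = AddressPool("10.10.10.0/24")                # constructed pool range
    a = pool.connect("psk-client")                     # assumed shared PSK identity
    b = pool.connect("psk-client")
    return {"same_address": a.address == b.address,
            "collisions": {str(k): v for k, v in pool.shared_addresses().items()}}


def unique_id_scenario() -> dict:
    """Certificate-style unique IDs: distinct leases, and a reconnect gets its lease back."""
    pool = AddressPool("10.10.10.0/24")
    alice = pool.connect("CN=alice")                   # assumed unique IDs
    bob = pool.connect("CN=bob")
    pool.disconnect(alice.session_id)
    alice_again = pool.connect("CN=alice")             # e.g. after a LTE/wifi switch
    return {"distinct": alice.address != bob.address,
            "lease_kept": alice_again.address == alice.address,
            "collisions": pool.shared_addresses()}


def non_sticky_shared_id_scenario() -> dict:
    """Shared IDs with sticky leases disabled: no collision, but no lease continuity either."""
    pool = AddressPool("10.10.10.0/24", sticky=False)
    a = pool.connect("psk-client")
    b = pool.connect("psk-client")
    pool.disconnect(a.session_id)
    a_again = pool.connect("psk-client")
    return {"distinct": a.address != b.address,
            "lease_kept": a_again.address == a.address,
            "collisions": pool.shared_addresses()}


if __name__ == "__main__":
    print("shared ID, sticky     :", shared_id_scenario())
    print("unique IDs, sticky    :", unique_id_scenario())
    print("shared ID, non-sticky :", non_sticky_shared_id_scenario())
```

The `shared_addresses()` check is the kind of thing to run against a server's live SA list when diagnosing the "second client kills the first" symptom: any address bound to more than one live session points at lease reuse rather than at NAT-T or firewall problems.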

