<div dir="ltr"><div><div><div><div><div><div>Hi,<br><br></div>Is there a recommended approach to run multiple openswan clients behind the same NAT IP? My scenario in particular is multiple 3G devices behind the same ISP CG-NAT IP (unfortunately).<br>
<br></div>I found a reference to something possibly related about NAT roadwarriors and a big change to support them in Openswan 3.0 (this was back in 2006: <a href="http://comments.gmane.org/gmane.network.openswan.user/8707">http://comments.gmane.org/gmane.network.openswan.user/8707</a> ). <br>
<br>I've been testing today with libreswan 3.3 on the clients and 3.5 on the server. It appears that multiple ipsec devices behind a single NAT IP doesn't work well. Maybe it shouldn't work at all?<br><br></div>
My environment: VPNs are using PSKs and symbolic peer ids. Connections are initiated by the client side only. <br><br></div></div>Server:<br>Linux Libreswan 3.5 (netkey) on 3.9.3-x86-linode (also tested with 3.3).<br>@router1: 69.x.x.x WAN, <a href="http://192.168.55.254/24">192.168.55.254/24</a> LAN<br>
<br>Clients:<br>Linux Libreswan 3.3 (netkey) on 3.9.5-301.fc19.x86_64<br></div><div>@router2: 10.211.55.40 WAN, <a href="http://192.168.22.254/24">192.168.22.254/24</a> LAN<br>@router3: 10.211.55.41 WAN, <a href="http://192.168.33.254/24">192.168.33.254/24</a> LAN<br>
</div><div>Upstream IP for both: 2.x.x.x.<br></div><div><br></div><div>I find that the connection works for both only if I the tunnel for a single router first, then the next. So add @router2 to the server, connect it, then add @router3 and connect it. If I don't do this, the server tries to associate the packets with the wrong tunnel (logs for 3.3 libreswan on server showed this, not seeing any debug logs on 3.5 but assume the same).<br>
<br></div><div>Server conf file (I can provide the full ipsec.conf for each end if useful):<br><br>config setup<br> protostack=netkey<br> dumpdir=/var/run/pluto/<br> nat_traversal=yes<br> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a><br>
uniqueids=yes<br><br>conn routers-12<br> left=69.x.x.x<br> leftsubnet=<a href="http://192.168.55.0/24">192.168.55.0/24</a><br> leftnexthop=%defaultroute<br> leftsourceip=192.168.55.254<br> leftid=@router1<br>
right=2.x.x.x<br> rightsubnet=<a href="http://192.168.22.0/24">192.168.22.0/24</a><br> rightid=@router2<br> keyingtries=%forever<br> forceencaps=yes<br> nat_keepalive=yes<br> dpddelay=30<br> dpdtimeout=120<br>
dpdaction=restart_by_peer<br> authby=secret<br><br>conn routers-13<br> left=69.x.x.x<br> leftsubnet=<a href="http://192.168.55.0/24">192.168.55.0/24</a><br> leftnexthop=%defaultroute<br> leftsourceip=192.168.55.254<br>
leftid=@router1<br> right=2.x.x.x<br> rightsubnet=<a href="http://192.168.33.0/24">192.168.33.0/24</a><br> rightid=@router3<br> keyingtries=%forever<br> forceencaps=yes<br> nat_keepalive=yes<br>
dpddelay=30<br> dpdtimeout=120<br> dpdaction=restart_by_peer<br> authby=secret <br></div><div><br></div>Kind Regards,<br><br>Mike<br><div><div><div><div><br><br></div></div></div></div></div>