<div dir="ltr">Yeah, I pretty much just tested every option I could even think of there. I have changed it around a lot, but this isn't working still. <div><br></div><div>uniqueids=no</div><div><br></div><div>conn roadwarrior<br>
</div><div><div> left=10.1.31.5</div><div> leftid=54.255.206.227</div><div> authby=secret</div><div> leftxauthserver=yes</div><div> leftsubnet=<a href="http://10.1.31.0/24">10.1.31.0/24</a></div>
<div> right=%any</div><div> rightaddresspool=192.168.224.5-192.168.224.100</div><div> rightxauthclient=yes</div><div> leftmodecfgserver=yes</div><div> rightmodecfgclient=yes</div><div> modecfgpull=yes</div>
<div> modecfgdns1=8.8.8.8</div><div> xauthby=file</div><div> pfs=no</div><div> auto=add</div></div><div class="gmail_extra"><br></div><div class="gmail_extra">Seems really simple but it still loses the ability to route to the first client when a second one connects</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">BRs</div><div class="gmail_extra">Pontus<br><div></div>
<br><br><div class="gmail_quote">On 23 August 2014 00:10, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On Fri, 22 Aug 2014, Pontus Wiberg wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Finally my XAUTH configuration is working, however now I find myself stuck on a NAT issue. I moved to Libreswan largely because of the<br>
rightaddresspool options and because using XAUTH should support having multiple clients behind the same NAT. Now I can't get that to<br>
work though, I have two clients - I can connect the first successfully with user "pontus", I can ping everything on the inside and it<br>
works perfectly however as soon as one more client connects (user "andre") .. all tunnels to that IP break, they do not disconnect but<br>
there is no connectivity anywhere. Sometimes, although few, the new client will stay connected and his tunnel will continue to work but<br>
the old client will still be without connectivity. <br>
</blockquote>
<br>
</div><div class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
uniqueids=yes<br>
<br>
conn roadwarrior<br>
left=10.1.31.5<br>
leftid=54.255.206.227<br>
authby=secret<br>
leftxauthserver=yes<br>
leftsubnet=<a href="http://10.1.31.0/24" target="_blank">10.1.31.0/24</a><br>
right=%any<br>
</blockquote>
<br></div>
You cannot use uniqueids=yes with auth=secret<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
rightid=%any<br>
</blockquote>
<br>
Is that even legal? I think that right=%any and rightid=%any should be<br>
rejected.<br>
<br>
The unique id refers to the IPsec SA ID, not the xauth username.<br>
<br>
If you want to use PSK instead of X.509/RSA, use uniqueids=no.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div></div>