On Fri, 22 Aug 2014, Pontus Wiberg wrote:
Finally my XAUTH configuration is working; however, now I find myself stuck on a NAT issue. I moved to Libreswan largely because of the rightaddresspool option and because using XAUTH should support having multiple clients behind the same NAT. Now I can't get that to work, though. I have two clients: I can connect the first successfully with user "pontus", I can ping everything on the inside, and it works perfectly; however, as soon as one more client connects (user "andre"), all tunnels to that IP break. They do not disconnect, but there is no connectivity anywhere. Sometimes, although rarely, the new client will stay connected and his tunnel will continue to work, but the old client will still be without connectivity.
uniqueids=yes

conn roadwarrior
    left=10.1.31.5
    leftid=54.255.206.227
    authby=secret
    leftxauthserver=yes
    leftsubnet=10.1.31.0/24
    right=%any
You cannot use uniqueids=yes with auth=secret
    rightid=%any
Is that even legal? I think that right=%any and rightid=%any should be rejected. The unique id refers to the IPsec SA ID, not the xauth username. If you want to use PSK instead of X.509/RSA, use uniqueids=no.

Paul
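The configuration Paul's reply points to, as an added example that is not part of the thread and not Libreswan's own documentation: uniqueids moves to the config setup section and becomes no, rightid is left unset, and XAUTH identifies the individual user. The address-pool range, xauthby=file and the password file path are assumptions, not values from the thread.

```ini
# Added example (not from the thread): Libreswan ipsec.conf for PSK + XAUTH
# road warriors where several clients sit behind one NAT.
config setup
    # Weak setting from the thread: uniqueids=yes. With a shared PSK every
    # client presents the same IKE identity, so a second client is treated
    # as a replacement for the first and the first client's SAs are torn
    # down. uniqueids refers to the IPsec SA identity, not the XAUTH user.
    uniqueids=no

conn roadwarrior
    left=10.1.31.5
    leftid=54.255.206.227
    leftsubnet=10.1.31.0/24
    leftxauthserver=yes
    authby=secret
    right=%any
    # No rightid=%any: with a PSK the peer is not identified per user;
    # XAUTH supplies the per-user identity instead.
    rightxauthclient=yes
    # Assumed pool range: each client receives its own inner address, so two
    # clients behind the same NAT are told apart by it.
    rightaddresspool=10.1.32.10-10.1.32.100
    # Assumed: XAUTH users are checked against /etc/ipsec.d/passwd.
    xauthby=file
    auto=add
```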
