Hi,

did you manage to solve your problem?

I'm having the same problem...

I follow the wiki example: https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH


Regards,

António

On 08/25/2014 09:51 AM, Pontus Wiberg wrote:
Yeah, I pretty much just tested every option I could even think of there. I have changed it around a lot, but this isn't working still.

uniqueids=no

conn roadwarrior
        left=10.1.31.5
        leftid=54.255.206.227
        authby=secret
        leftxauthserver=yes
        leftsubnet=10.1.31.0/24
        right=%any
        rightaddresspool=192.168.224.5-192.168.224.100
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        modecfgdns1=8.8.8.8
        xauthby=file
        pfs=no
        auto=add

Seems really simple but it still loses the ability to route to the first client when a second one connects

BRs
Pontus


On 23 August 2014 00:10, Paul Wouters <[email protected]> wrote:

    On Fri, 22 Aug 2014, Pontus Wiberg wrote:

        Finally my XAUTH configuration is working, however now I find
        myself stuck on a NAT issue. I moved to Libreswan largely
        because of the rightaddresspool options and because using XAUTH
        should support having multiple clients behind the same NAT. Now
        I can't get that to work though, I have two clients - I can
        connect the first successfully with user "pontus", I can ping
        everything on the inside and it works perfectly however as soon
        as one more client connects (user "andre") .. all tunnels to
        that IP break, they do not disconnect but there is no
        connectivity anywhere. Sometimes, although few, the new client
        will stay connected and his tunnel will continue to work but
        the old client will still be without connectivity.


                uniqueids=yes

        conn roadwarrior
                left=10.1.31.5
                leftid=54.255.206.227
                authby=secret
                leftxauthserver=yes
                leftsubnet=10.1.31.0/24
                right=%any


    You cannot use uniqueids=yes with auth=secret

                rightid=%any


    Is that even legal? I think that right=%any and rightid=%any should be
    rejected.

    The unique id refers to the IPsec SA ID, not the xauth username.

    If you want to use PSK instead of X.509/RSA, use uniqueids=no.

    Paul




_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
