Hi,
did you manage to solve your problem?
I'm having the same problem...
I follow the wiki example:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
Regards,
António
On 08/25/2014 09:51 AM, Pontus Wiberg wrote:
Yeah, I pretty much just tested every option I could even think of
there. I have changed it around a lot, but this isn't working still.
uniqueids=no
conn roadwarrior
left=10.1.31.5
leftid=54.255.206.227
authby=secret
leftxauthserver=yes
leftsubnet=10.1.31.0/24
right=%any
rightaddresspool=192.168.224.5-192.168.224.100
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
modecfgdns1=8.8.8.8
xauthby=file
pfs=no
auto=add
Seems really simple but it still loses the ability to route to the
first client when a second one connects
BRs
Pontus
On 23 August 2014 00:10, Paul Wouters <[email protected]> wrote:
On Fri, 22 Aug 2014, Pontus Wiberg wrote:
Finally my XAUTH configuration is working, however now I find myself
stuck on a NAT issue. I moved to Libreswan largely because of the
rightaddresspool options and because using XAUTH should support having
multiple clients behind the same NAT. Now I can't get that to work
though, I have two clients - I can connect the first successfully with
user "pontus", I can ping everything on the inside and it works
perfectly however as soon as one more client connects (user "andre") ..
all tunnels to that IP break, they do not disconnect but there is no
connectivity anywhere. Sometimes, although few, the new client will
stay connected and his tunnel will continue to work but the old client
will still be without connectivity.
uniqueids=yes
conn roadwarrior
left=10.1.31.5
leftid=54.255.206.227
authby=secret
leftxauthserver=yes
leftsubnet=10.1.31.0/24
right=%any
You cannot use uniqueids=yes with auth=secret
rightid=%any
Is that even legal? I think that right=%any and rightid=%any should be
rejected.
The unique id refers to the IPsec SA ID, not the xauth username.
If you want to use PSK instead of X.509/RSA, use uniqueids=no.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
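The advice given in the thread (use uniqueids=no when a connection authenticates with a PSK) written as a configuration check. This is an added example, not part of the original messages and not libreswan code; the function names and the sample configuration are constructed, and it assumes the standard ipsec.conf layout in which uniqueids sits under `config setup` and `conn %default` supplies inherited options.

```python
SAMPLE_CONF = """\
# constructed sample modelled on the thread's configuration
config setup
    uniqueids=yes
conn %default
    authby=secret
conn roadwarrior
    left=10.1.31.5
    leftxauthserver=yes
    right=%any
    auto=add
conn site-rsa
    authby=rsasig
    right=%any
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {option: value}} for each section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def psk_uniqueids_conflicts(text):
    """List conns that use authby=secret while uniqueids=yes is set."""
    sections = parse_ipsec_conf(text)
    setup = sections.get(("config", "setup"), {})
    if setup.get("uniqueids", "").lower() != "yes":
        return []  # only an explicit uniqueids=yes is reported
    defaults = sections.get(("conn", "%default"), {})
    flagged = []
    for (kind, name), opts in sections.items():
        if kind != "conn" or name == "%default":
            continue
        effective = {**defaults, **opts}  # conn options override %default
        if effective.get("authby") == "secret":
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(psk_uniqueids_conflicts(SAMPLE_CONF))
```

The check only reports an explicit uniqueids=yes; a file that omits the option is left for the operator to review against the installed version's default.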