[Openswan dev] Multiple clients with same ID behind NAT

Paul Wouters paul at xelerance.com
Tue Oct 2 12:06:16 EDT 2007


On Tue, 2 Oct 2007, Venkat Yekkirala wrote:

> I have a setup where all the clients behind a NAT share
> the same ID and cert.

That's wrong. You *might* (very unlikely) get away with it
using uniqueids=no in config setup.

> The VPN Gateway on the other end
> has a public IP and X.509 certs are in use.

That certificate is different?

> I am running into problems with running more than
> one client behind NAT (dynamic IP). When I start
> multiple clients at the same time, only one completes.

That's because they all have the same ID, they ARE the same
client, and without uniqueids=no, openswan will disconnect
the "old session" if a client reconnects from elsewhere.

Your setup is broken. Any single client compromise would lead
to all clients being compromised. One untrusted client can
lead to compromise of all trusted clients. Giving everyone
the same key is just not a real security solution.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
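The two setups contrasted in the reply, written out as an added ipsec.conf example (this is not from the original thread or the Openswan project; the gateway address, certificate file names and DN values are placeholders):

```ini
# --- WEAK: every road warrior presents the same certificate/ID ---
# Without uniqueids=no the gateway treats a second client with the same ID
# as the first client reconnecting and tears down the "old" session.
# uniqueids=no only hides that symptom; one shared key still means one
# compromised client exposes every other client's tunnel.
config setup
    nat_traversal=yes
    uniqueids=no

conn roadwarriors-shared
    left=203.0.113.1                       # placeholder gateway address
    leftcert=gatewayCert.pem               # placeholder file name
    leftsubnet=10.0.0.0/24                 # placeholder internal network
    right=%any                             # clients arrive from dynamic IPs behind NAT
    rightrsasigkey=%cert
    rightid="C=XX, O=Example, CN=sharedclient"   # one ID for all clients
    auto=add

# --- FIXED: one certificate and one identity per client ---
# Each client holds its own key pair and certificate issued by the same CA.
# uniqueids=yes (the default) is now correct: a duplicate ID really is the
# same client reconnecting, and revoking one client's cert affects only it.
config setup
    nat_traversal=yes
    uniqueids=yes

conn roadwarriors
    left=203.0.113.1                       # placeholder gateway address
    leftcert=gatewayCert.pem               # placeholder file name
    leftsubnet=10.0.0.0/24                 # placeholder internal network
    right=%any
    rightrsasigkey=%cert                   # peer ID and key come from its own cert
    rightca=%same                          # accept any cert issued by the gateway's CA
    auto=add
```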

