[Openswan Users] two tunnel from two clients behind the same IP (NAT Router) won't work, is that right?
Trevor Hennion
trevor-os at thennion.demon.co.uk
Tue Apr 12 16:42:03 CEST 2005
On Tuesday 12 Apr 2005 12:22, foren titze wrote:
> Hello Users,
>
> our two roadwarrior laptops are behind the same IP in Poland and they can
> not establish a tunnel at the same time to our linux vpn gateway.
>
> I get this error message by ipsec:
> __________
> Apr 12 12:45:50 linux-vpn pluto[7467]: "sse"[12] 62.111.243.xxx:1025 #499: sent MR3, ISAKMP SA established
> Apr 12 12:45:50 linux-vpn pluto[7467]: "sse"[12] 62.111.243.xxx:1025 #500: responding to Quick Mode
> Apr 12 12:45:50 linux-vpn pluto[7467]: "sse"[12] 62.111.243.xxx:1025 #500: cannot install eroute -- it is in use for "ski"[128] 62.111.243.xxx:4500 #498
> ___________
>
> I use openswan 1.0.9 with kernel 2.4.28
>
> thanks
Hi,
The VPN gateway needs to construct a unique route for each system. If you only
have one IP address for your roadwarrior laptops, only one can connect. If
you have the one routable address, but some private addresses with a NAT
router, then - on the VPN gateway - use a separate conn section for each
roadwarrior, with a different rightsubnet definition - i.e.:

# Roadwarrior 1
conn road1
    right=%any
    left=<IP of VPN gateway> # could be in conn %default
    leftsubnet=...
    rightsubnet=192.168.20.1/32
    rightid=".."
    auto=add

# Roadwarrior 2
conn road2
    right=%any
    left=...
    leftsubnet=...
    rightsubnet=192.168.20.2/32 #Roadwarrior 2
    rightid="..."
    auto=add

HTH
Regards
Trevor Hennion
http://www.infocentrality.co.uk