[Openswan Users] two tunnel from two clients behind the same IP (NAT Router) won't work, is that right?

Trevor Hennion trevor-os at thennion.demon.co.uk
Tue Apr 12 16:42:03 CEST 2005


On Tuesday 12 Apr 2005 12:22, foren titze wrote:
> Hello Users,
>
> our two roadwarrior laptops are behind the same IP in Poland and they can
> not establish a tunnel at the same time to our linux vpn gateway.
>
> I get this error message from ipsec:
> __________
> Apr 12 12:45:50 linux-vpn pluto[7467]: "sse"[12] 62.111.243.xxx:1025 #499: sent MR3, ISAKMP SA established
> Apr 12 12:45:50 linux-vpn pluto[7467]: "sse"[12] 62.111.243.xxx:1025 #500: responding to Quick Mode
> Apr 12 12:45:50 linux-vpn pluto[7467]: "sse"[12] 62.111.243.xxx:1025 #500: cannot install eroute -- it is in use for "ski"[128] 62.111.243.xxx:4500 #498
> ___________
>
> I use openswan 1.0.9 with kernel 2.4.28
>
> thanks

Hi,

The VPN gateway needs to construct a unique route for each system. If you only
have one IP address for your roadwarrior laptops, only one can connect. If
you have the one routable address, but some private addresses with a NAT
router, then - on the VPN gateway - use a separate conn section for each
roadwarrior, with a different rightsubnet definition - i.e.:

#Roadwarrior 1
conn road1
	right=%any
	left=<IP of VPN gateway> # could be in conn %default
	leftsubnet=...
	rightsubnet=192.168.20.1/32 
	rightid=".."
	auto=add

#Roadwarrior 2
conn road2
	right=%any 
	left=...      
	leftsubnet=...
	rightsubnet=192.168.20.2/32   #Roadwarrior 2
	rightid="..."
	auto=add


HTH

Regards
Trevor Hennion
http://www.infocentrality.co.uk
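
Added example, not part of the original message or of Openswan: a small Python check for the advice above, which parses ipsec.conf-style conn sections and flags right=%any conns that omit rightsubnet or whose rightsubnet values overlap. The sample configuration, the conns road3 and road4, and the function names are constructed for illustration; conn %default and also= inheritance are not resolved.

```python
import ipaddress
from itertools import combinations

# Constructed sample: road1/road2 follow the layout in the reply; road3 omits
# rightsubnet and road4 covers road1 and road2, so those should be flagged.
SAMPLE_CONF = """\
conn road1
    right=%any
    rightsubnet=192.168.20.1/32
conn road2
    right=%any
    rightsubnet=192.168.20.2/32   #Roadwarrior 2
conn road3
    right=%any
    auto=add
conn road4
    right=%any
    rightsubnet=192.168.20.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section headers start in column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def roadwarrior_conflicts(text):
    """List (conn, problem) pairs among right=%any conns."""
    nets, problems = {}, []
    for name, opts in parse_conns(text).items():
        if opts.get("right") != "%any":
            continue
        if "rightsubnet" not in opts:
            problems.append((name, "no rightsubnet"))
        else:
            nets[name] = ipaddress.ip_network(opts["rightsubnet"], strict=False)
    for (a, na), (b, nb) in combinations(sorted(nets.items()), 2):
        if na.overlaps(nb):                    # two conns claim the same client address
            problems.append((a, "overlaps " + b))
    return problems
```

Run roadwarrior_conflicts() over the gateway's configuration text before reloading it; an empty list means every roadwarrior conn has its own non-overlapping rightsubnet.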

