[Openswan Users] Multiple connections on one interface?

Bill Fenwick bill at atc-nycorp.com
Mon Feb 21 18:15:27 CET 2005


Hi, all

You can probably tell already that I'm an openswan newbie...

Our company has an old Debian Linux/FreeSWAN setup that's been used as a VPN
server for a few years, and it's been used to support the occasional "road
warrior" who takes a Windows laptop on the road and needs to connect to the
internal network, as well as the occasional home Windows machine user.

Hoping to replace this beast, I've set up Openswan 2.2.0 on a machine
running RedHat 9 and have attempted to connect from a few Windows XP
machines (SP2) running external to the company net (through a local ISP).

All seems reasonably well, except that I can't get more than one machine at
a time to connect.  The first XP client connects (NAT-Traversal appears to
work fine), but no subsequent machine can do so until the first one
disconnects.  Am I missing some hopefully obvious setting?  Or do I need to
have multiple interfaces on the VPN server to support multiple connections?
The XP clients are using X.509 certificates and are using MS's built-in
L2TP/IPSec client.  The RedHat machine is also running l2tpd 0.69.

192.76.a.b is our external net; 192.168.0.0/23 is the internal. "bill" and
"circe" are user machines, each with their own certificate.  I am using PAP
and unix authentication so that users can log in with their unix passwords.

Config files from the RedHat server:

/etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        #interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
 
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23

conn %default
        keyingtries=3
        pfs=no
        compress=no
        disablearrivalcheck=no
        authby=rsasig

conn bill
        leftcert=gateway.pem
        leftsendcert=always
        left=192.76.a.9
        leftnexthop=192.76.a.1
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        rightcert=bill.pem
        auto=add

conn circe
        leftcert=gateway.pem
        leftsendcert=always
        left=192.76.175.9
        leftnexthop=192.76.175.1
        leftrsasigkey=%cert
        leftprotoport=17/1701
        right=%any
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        rightcert=bill.pem
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


/etc/l2tpd/l2tpd.conf:

[global]
listen-addr = 192.168.1.9
port = 1701

[lns default]
ip range = 192.168.1.30-192.168.1.40
local ip = 192.168.1.24
require pap = yes
refuse chap = yes
require authentication = yes
unix authentication = yes
name = VPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


/etc/ppp/options.l2tpd:

ipcp-accept-local
ipcp-accept-remote
ms-dns  192.168.1.2
ms-wins 192.168.1.3
netmask 255.255.254.0
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000


Thanks for any help, and sorry if this is bone-numbingly obvious.

-----
Bill Fenwick
ATC-NY (formerly Odyssey Research Associates)
(607) 266-7115 (voice)
(607) 257-1972 (fax)
bill at atc-nycorp.com
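An added check, not part of the original post and not Openswan's own code: a small Python script that parses an ipsec.conf in the style shown above and reports conn sections Pluto cannot tell apart. The embedded sample is a constructed copy of the two conn sections from the post, with the gateway address written as 192.76.a.9 in both so that they compare equal. As posted, `bill` and `circe` carry identical selectors (same left, right=%any, 17/1701 on both sides, rightsubnet=vhost:%no,%priv), so the only thing that could distinguish them is the peer's identity, and both name rightcert=bill.pem. A rightcert= setting fixes the expected peer ID from that certificate, so both sections as shown accept only the holder of bill.pem; whether that is the live configuration or a copy-paste slip in the mail is worth confirming before looking anywhere else. The parser handles only the key=value subset used in the post (indented settings under column-0 config/conn headers, # comments, conn %default inheritance); it is not a full ipsec.conf parser.

```python
"""Audit an Openswan 2.x ipsec.conf for conn sections that cannot be told
apart.  Added example for this thread; not from the original post or from
the Openswan project.  Only the key=value subset used in the post is parsed.
"""
import re
from collections import defaultdict

# Constructed sample: the two conn sections from the post, with the gateway
# address written the same way in both (192.76.a.9) so they compare equal.
SAMPLE_IPSEC_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23

conn %default
        keyingtries=3
        pfs=no
        authby=rsasig

conn bill
        leftcert=gateway.pem
        left=192.76.a.9
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        rightcert=bill.pem
        auto=add

conn circe
        leftcert=gateway.pem
        left=192.76.a.9
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/1701
        rightcert=bill.pem
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
"""

# Settings Pluto uses to match an incoming proposal to a conn.
SELECTOR_KEYS = ("left", "leftprotoport", "right", "rightprotoport", "rightsubnet")
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {'conn NAME' / 'config NAME': {key: value}}.

    Column-0 lines open a section (version/include lines are skipped);
    indented key=value lines belong to the open section.  '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            match = SECTION_RE.match(line)
            current = None
            if match:
                current = f"{match.group(1)} {match.group(2)}"
                sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Apply 'conn %default' inheritance; return {conn_name: settings}."""
    defaults = sections.get("conn %default", {})
    return {
        name[len("conn "):]: {**defaults, **settings}
        for name, settings in sections.items()
        if name.startswith("conn ") and name != "conn %default"
    }


def find_indistinguishable_conns(conns):
    """Groups of conns with identical selector tuples: nothing in the traffic
    selectors can choose between them, so only the peer identity
    (rightid / rightcert) could."""
    groups = defaultdict(list)
    for name, settings in conns.items():
        groups[tuple(settings.get(k) for k in SELECTOR_KEYS)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def find_shared_rightcert(conns):
    """Conns that pin the peer to the same certificate.  rightcert= derives the
    expected peer ID from that certificate, so every conn in a group accepts
    only the holder of that one certificate."""
    by_cert = defaultdict(list)
    for name, settings in conns.items():
        if "rightcert" in settings:
            by_cert[settings["rightcert"]].append(name)
    return {cert: sorted(names) for cert, names in by_cert.items() if len(names) > 1}


def audit(text):
    conns = effective_conns(parse_ipsec_conf(text))
    return {
        "indistinguishable": find_indistinguishable_conns(conns),
        "shared_rightcert": find_shared_rightcert(conns),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_IPSEC_CONF).items():
        print(kind, hits)
```

Run it against a real file by passing the file's contents to `audit()`. On the sample it reports `bill` and `circe` both as indistinguishable by selector and as sharing `bill.pem`; changing the second section to its own certificate clears the second finding while the first (identical selectors on two `right=%any` conns) remains, which is exactly the situation where the peer certificate has to do the work.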



More information about the Users mailing list