[Openswan Users] Multiple connections on one interface?
Bill Fenwick
bill at atc-nycorp.com
Mon Feb 21 18:15:27 CET 2005
Hi, all
You can probably tell already that I'm an openswan newbie...
Our company has an old Debian Linux/FreeSWAN setup that's been used as a VPN
server for a few years, and it's been used to support the occasional "road
warrior" who takes a Windows laptop on the road and needs to connect to the
internal network, as well as the occasional home Windows machine user.
Hoping to replace this beast, I've set up Openswan 2.2.0 on a machine
running RedHat 9 and have attempted to connect from a few Windows XP
machines (SP2) running external to the company net (through a local ISP).
All seems reasonably well, except that I can't get more than one machine at
a time to connect. The first XP client connects (NAT-Traversal appears to
work fine), but no subsequent machine can do so until the first one
disconnects. Am I missing some hopefully obvious setting? Or do I need to
have multiple interfaces on the VPN server to support multiple connections?
The XP clients are using X.509 certificates and are using MS's built-in
L2TP/IPSec client. The RedHat machine is also running l2tpd 0.69.
192.76.a.b is our external net; 192.168.0.0/23 is the internal. "bill" and
"circe" are user machines, each with their own certificate. I am using PAP
and unix authentication so that users can log in with their unix passwords.
Config files from the RedHat server:
/etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
    #interfaces=%defaultroute
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    # private ranges a NATed client may claim as its virtual host address,
    # excluding our own internal net
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23

conn %default
    keyingtries=3
    pfs=no
    compress=no
    disablearrivalcheck=no
    authby=rsasig

# one conn per road-warrior client, selected by the client's certificate
conn bill
    leftcert=gateway.pem
    leftsendcert=always
    left=192.76.a.9
    leftnexthop=192.76.a.1
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    rightcert=bill.pem
    auto=add

conn circe
    leftcert=gateway.pem
    leftsendcert=always
    left=192.76.a.9
    leftnexthop=192.76.a.1
    leftrsasigkey=%cert
    leftprotoport=17/1701
    right=%any
    rightrsasigkey=%cert
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    rightcert=bill.pem      # same peer certificate as conn bill
    auto=add

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
/etc/l2tpd/l2tpd.conf:

[global]
    listen-addr = 192.168.1.9
    port = 1701
[lns default]
    ip range = 192.168.1.30-192.168.1.40    ; addresses handed out to VPN clients
    local ip = 192.168.1.24                  ; server end of the PPP link
    require pap = yes
    refuse chap = yes
    require authentication = yes
    unix authentication = yes                ; check PAP credentials against the unix password database
    name = VPNserver
    ppp debug = yes
    pppoptfile = /etc/ppp/options.l2tpd
    length bit = yes
/etc/ppp/options.l2tpd:

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.2          # DNS server pushed to Windows clients
ms-wins 192.168.1.3         # WINS server pushed to Windows clients
netmask 255.255.254.0
noccp                       # no compression control protocol negotiation
auth                        # peer must authenticate (PAP, per l2tpd.conf)
crtscts
idle 1800                   # drop the link after 30 minutes idle
mtu 1410                    # leave room for L2TP/IPsec/NAT-T overhead
mru 1410
nodefaultroute
debug
lock
proxyarp                    # answer ARP for the client's address on the LAN
connect-delay 5000
Thanks for any help, and sorry if this is bone-numbingly obvious.
-----
Bill Fenwick
ATC-NY (formerly Odyssey Research Associates)
(607) 266-7115 (voice)
(607) 257-1972 (fax)
bill at atc-nycorp.com
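The posted ipsec.conf defines one conn per road-warrior client, and pluto selects which conn a connecting client gets from the settings in that conn. As an added example (not from the original post and not Openswan's own code), the script below reads an ipsec.conf in that layout, applies "conn %default" inheritance, and reports two things a practitioner would check first in a multi-client setup: two right=%any conns that name the same peer certificate, and a virtual-host (NAT-T) conn that pins the client's L2TP source port with rightprotoport=17/1701 (commonly published Openswan L2TP configuration advice uses 17/%any for clients behind NAT; the check is a heuristic, not a diagnosis of the poster's problem). The embedded configuration is a constructed copy of the posted one with the gateway address replaced by a documentation-range address; the parser is a simplified reading of the ipsec.conf syntax (no also=, no nested include).

```python
"""Lint an Openswan-style ipsec.conf for road-warrior conn pitfalls.

Added example, not from the original post or the Openswan project.
"""

# Constructed sample mirroring the posted config (gateway address assumed).
SAMPLE_CONF = """
version 2.0     # conforms to second version of ipsec.conf specification

config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/23

conn %default
    keyingtries=3
    pfs=no
    authby=rsasig

conn bill
    left=192.0.2.9
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    rightcert=bill.pem
    auto=add

conn circe
    left=192.0.2.9
    right=%any
    rightsubnet=vhost:%no,%priv
    rightprotoport=17/1701
    rightcert=bill.pem
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return (section order, {(kind, name): {key: value}}).

    Section headers ("config setup", "conn foo") start in column 0;
    parameters are indented key=value lines; '#' starts a comment.
    """
    order, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":                # column 0: header or directive
            parts = line.split(None, 1)
            if parts[0] in ("conn", "config") and len(parts) == 2:
                current = (parts[0], parts[1].strip())
                sections.setdefault(current, {})
                order.append(current)
            else:                                # version / include lines
                current = None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return order, sections


def effective_conns(order, sections):
    """Merge 'conn %default' into every other conn, as pluto does."""
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for kind, name in order:
        if kind == "conn" and name != "%default":
            merged = dict(default)
            merged.update(sections[(kind, name)])
            conns[name] = merged
    return conns


def lint(text):
    """Return a list of (code, subject, detail) findings."""
    conns = effective_conns(*parse_ipsec_conf(text))
    findings = []

    # 1. Two right=%any conns pinned to the same peer certificate: the peer
    #    identity is taken from that certificate, so the conns are not distinct.
    by_cert = {}
    for name, c in conns.items():
        if c.get("right") == "%any" and "rightcert" in c:
            by_cert.setdefault(c["rightcert"], []).append(name)
    for cert, names in sorted(by_cert.items()):
        if len(names) > 1:
            findings.append(("shared-rightcert", cert, tuple(sorted(names))))

    # 2. A virtual-host (NAT-T) conn that pins the client's L2TP source port;
    #    a NAT in the path may rewrite that port, which is why 17/%any is the
    #    usual advice for such clients.
    for name, c in sorted(conns.items()):
        if c.get("rightsubnet", "").startswith("vhost:") and c.get("rightprotoport") == "17/1701":
            findings.append(("fixed-l2tp-port", name, c["rightprotoport"]))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against the real file with lint(open("/etc/ipsec.conf").read()); a clean road-warrior layout returns an empty list, and each finding names the conn or certificate to look at.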