[Openswan Users] Openswan 2.4.5 NAT-T and multiple conns

[Paul Wouters]

On Sun, 16 Apr 2006, Radek Antoniuk wrote:

> I'm just wondering.
> I've just created a successful setup with
> - openswan 2.4.5
> - freeradius
> - l2tpns (debian way :) )
> - nat-t
>
> Works nice, but I'm just thinking...
> When I start the tunnel from a remote network and the tunnel sets up
> successfully, I'm loosing a normal (not ipsec) connection from the whole
> remote network I'm connecting to.

You are behind the same NAT'ed IP? The problem with openswan-2.4 is that once
the IPsec connection is up between two IP's, no plaintext traffic is allowed
between the two. So another device behind the same NAT will stop working.

A work around for this is to add this connection to the server's end:

conn letmypacketsgo
        type=passthrough
        left=yourpublicip
        leftnexthop=yourpublicgw
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=ignore

This will allow unencrypted despite an IPsec SA association.

In openswan 2.5 (or 3.0) this is no longer needed, but you will need
to use the "saref tracking" option of xl2tpd. Or port it to l2tpns.
It also requires openswan 2.5/3.0 which is not yet finished for release.

> So, supposingly, I have 2 machines in that remote network that I want to
> connect to the same IPSEC gateway, this will be impossible, only the first one
> will work.

Without saref tracking, this is indeed impossible.

> I'm just wondering, if this supposed to be like this or I have misconfigured
> sth or don't know about some implementation details?

The problem arises from not knowing which of of the two+ tunnels reply packets
have to be send back to, since both have the same outer IP address. Extra
tracking in the kernel is needed. This solution is currently being developed.
We are still looking for co-sponsors for this.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155