[Openswan Users] uniqueids invalid when two roadworriers behind NAT device

wei minghu weiminghu at gmail.com
Wed Apr 26 16:29:21 CEST 2006


I found the uniqueids in ipsec.conf don't work when more than one
roadworriers behind NAT. The remote client is lsipsectool, OS is Windows XP

The code about this problem is in ISAKMP_SA_established():

            if (d->kind >= CK_PERMANENT
            && same_id(&c->spd.that.id, &d->spd.that.id)
            && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
                release_connection(d, FALSE);

Because the IP address after NAT is not changed, so openswan think it come
from the same client, this caused the uniqueids invalid.

I found there a  patch in bugs.xelerance.com from Herbert Xu:

@@ -3340,8 +3340,10 @@
      struct connection *next = d->ac_next; /* might move underneath us */

      if (d->kind >= CK_PERMANENT
+      && same_id(&c->spd.this.id, &d->spd.this.id)
      && same_id(&c->spd.that.id, &d->spd.that.id)
-     && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
+     && (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr)
+  || (c->spd.that.host_port != d->spd.that.host_port)))
   release_connection(d, FALSE);

I test it, but can't work too. because both oe the host_port are 500.

I don't have any good ways for this. Can you give me some suggestions.

Thanks and regards.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060426/7a017c0c/attachment.htm

More information about the Users mailing list