[Openswan Users] New request interferes with existing connections

Paul Wouters paul at xelerance.com
Sat Apr 29 17:04:30 CEST 2006

On Sat, 29 Apr 2006, wangxx at jmu.edu wrote:

> Our VPN server is running "Linux Openswan U2.4.5/K2.6.9-
> 5.ELsmp (netkey)" and xl2tp-1.04.
> One box, running Windows XP professional, has a public IP
> address and was already connected to the VPN
> server.
> Then, another host, which is running Windows 2000 and sitting
> behind a NAT whose public IP address is, tried
> to establish an IPsec connection to the same VPN server.
> (These two boxes use the same private key and digital
> certificate. Is this a bad practice?)

Yes of course that is bad. It is like sharing the front door key
with your neighbour.

> I saw the following logs in /var/log/messages for this moment:
> ---------- /var/log/messages BEGINS ----------
> Apr 29 08:54:12 localhost pluto[3088]: "roadwarrior"[4]
> #3: I am sending my cert     83
> Apr 29 08:54:12 localhost pluto[3088]: "roadwarrior"[4]
> #3: deleting connection "roadwarrior-l2tp-
> updatedwin" instance with peer
> {isakmp=#0/ipsec=#2}     84

openswan is disconnecting one of your servers because to openswan
it looks like this server just started a new connection from another
IP address. You can work around this setting uniqueids=no, but
then you will break all the roadwarriors that legitimately might
change IP addresses while travelling.

> Is this normal? How to have multiple connections
> simultaneously?

Give each one their own certificate/key.


More information about the Users mailing list