[Openswan Users] New request interferes with existing connections

Paul Wouters paul at xelerance.com
Sat Apr 29 17:04:30 CEST 2006


On Sat, 29 Apr 2006, wangxx at jmu.edu wrote:

> Our VPN server is running "Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)"
> and xl2tp-1.04.
>
> One box, running Windows XP professional, has a public IP
> address 134.126.34.133 and was already connected to the VPN
> server.
>
> Then, another host, which is running Windows 2000 and sitting
> behind a NAT whose public IP address is 69.251.186.224, tried
> to establish an IPsec connection to the same VPN server.
> (These two boxes use the same private key and digital
> certificate. Is this a bad practice?)

Yes of course that is bad. It is like sharing the front door key
with your neighbour.

> I saw the following logs in /var/log/messages for this moment:
>
> ---------- /var/log/messages BEGINS ----------
> Apr 29 08:54:12 localhost pluto[3088]: "roadwarrior"[4] 69.251.186.224 #3: I am sending my cert
> Apr 29 08:54:12 localhost pluto[3088]: "roadwarrior"[4] 69.251.186.224 #3: deleting connection "roadwarrior-l2tp-updatedwin" instance with peer 134.126.34.133 {isakmp=#0/ipsec=#2}

openswan is disconnecting one of your servers because to openswan
it looks like this server just started a new connection from another
IP address. You can work around this by setting uniqueids=no, but
then you will break all the roadwarriors that legitimately might
change IP addresses while travelling.

> Is this normal? How to have multiple connections
> simultaneously?

Give each one their own certificate/key.

Paul
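The teardown Paul describes leaves a recognisable trace in the pluto log: a "deleting connection ... instance with peer" line whose new peer address differs from the one being dropped. The script below is an added example, not code from the thread or from Openswan, that pulls those events out of log text so an operator can spot identities reconnecting from a second address. The log lines inside it are constructed to match the shape of the ones quoted above; the function names and the record fields are my own. A roaming road warrior produces the same event, so a hit is a reason to check for a shared key/cert, not proof of one.

```python
import re

# Constructed sample pluto lines modelled on the ones quoted in the thread
# (not a real capture): the client at 69.251.186.224 displaces the instance
# that 134.126.34.133 had already built with the same identity.
SAMPLE_LOG = """\
Apr 29 08:54:12 localhost pluto[3088]: "roadwarrior"[4] 69.251.186.224 #3: I am sending my cert
Apr 29 08:54:12 localhost pluto[3088]: "roadwarrior"[4] 69.251.186.224 #3: deleting connection "roadwarrior-l2tp-updatedwin" instance with peer 134.126.34.133 {isakmp=#0/ipsec=#2}
Apr 29 08:54:13 localhost pluto[3088]: "roadwarrior"[4] 69.251.186.224 #3: sent MR3, ISAKMP SA established
"""

# Matches the syslog prefix, the pluto connection instance that is negotiating,
# and the "deleting connection ... instance with peer" message it emits when
# uniqueids=yes replaces an older instance of the same identity.
DISPLACE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<new_peer>[0-9.]+) #\d+: '
    r'deleting connection "(?P<victim>[^"]+)" instance with peer (?P<old_peer>[0-9.]+)'
)


def find_displacements(log_text):
    """Return one record per displacement event found in log_text.

    Each record names the peer address that was dropped, the address whose
    negotiation caused it, and whether the two differ (the case that a shared
    certificate or a roaming client triggers).
    """
    events = []
    for line in log_text.splitlines():
        m = DISPLACE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": m.group("ts"),
            "conn": m.group("conn"),
            "victim_conn": m.group("victim"),
            "new_peer": m.group("new_peer"),
            "old_peer": m.group("old_peer"),
            "address_changed": m.group("new_peer") != m.group("old_peer"),
        })
    return events


def summarize(events):
    """Format each cross-address displacement as a one-line warning."""
    return [
        f'{e["time"]}: peer {e["old_peer"]} ({e["victim_conn"]}) was dropped '
        f'because the same identity reconnected from {e["new_peer"]}'
        for e in events
        if e["address_changed"]
    ]


if __name__ == "__main__":
    for warning in summarize(find_displacements(SAMPLE_LOG)):
        print(warning)
```

Run it against a real /var/log/messages by reading the file into `find_displacements`; repeated warnings for the same pair of addresses over a short interval are the pattern two hosts sharing one certificate produce, since each one's reconnect displaces the other.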
