[Openswan Users]
Windows roadwarriors - duplicate Private IP addresses
Mike.Peters@opengi.co.uk
Wed Jul 5 11:45:59 CEST 2006
I have multiple roadwarrior clients, using WinXP and lsipsectool to
connect to an OpenSwan gateway. The clients are NAT'ed but I am seeing
the following messages in the logs when some clients fail to connect:
Jul 4 19:33:03 openswangw pluto[9211]: "roadwarrior"[6] XXX.XXX.XXX.XXX #2915: Virtual IP 192.168.1.3/32 is already used by 'C=GB, ST=Here, L=Mytown, O=AcmeLtd, OU=Engineers, CN=Me, E=me@example.com'
Presumably this means that the client can't connect because another user
is already connected with the same private IP address. Can users behind
NAT'ed gateways not have the same private IP address - I thought that
was the whole point of NAT? Or am I missing something in my
configuration?
My ipsec.conf file for the connection is:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=all
    #plutodebug="control parsing"
    #plutodebug=all
    # Certificate Revocation List handling
    crlcheckinterval=600
    strictcrlpolicy=yes
    # Change rp_filter setting, default = 0 (switch off)
    #rp_filter=%unchanged
    # Switch on NAT-Traversal (if patch is installed)
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:2.0.0.0/8,%v4:!2.4.2.7/32

# default settings for connections
conn %default
    # Default: %forever (try forever)
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    authby=rsasig
    # Sig keys (default: %dnsondemand)
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    # Lifetimes, defaults are 1h/8hrs
    ikelifetime=20m
    keylife=1h
    #rekeymargin=8m

conn roadwarrior
    forceencaps=yes
    left=XX.XX.XX.XX
    leftcert=acmevpn.pem
    rightsubnet=vhost:%no,%priv
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add
    pfs=yes
I've tried with forceencaps=yes and no, but no difference. ipsec verify shows:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.4.4/K2.6.16.13-4-smp (netkey)
Checking for IPsec support in kernel                         [OK]
Checking for RSA private key (/etc/ipsec.secrets)            [OK]
Checking that pluto is running                               [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Checking for 'curl' command for CRL fetching                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support                             [DISABLED]
Thanks
Mike Peters
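Added illustration (not part of the post above and not Openswan's own code): a small Python model of what the gateway is doing when it logs "Virtual IP ... is already used by". With rightsubnet=vhost:%no,%priv the client proposes its own LAN address as the /32 it will own behind the tunnel; NAT rewrites the outer packet, but that inner /32 is the selector the gateway routes on, so two peers claiming 192.168.1.3/32 cannot both be accepted. The block parses the virtual_private line from the posted ipsec.conf (wrapped line joined), checks proposed inner addresses against the allowed and excluded ranges, refuses a second peer that claims an address already held, and parses the pluto conflict message for log triage. The peer DNs, the outer addresses (documentation ranges) and the sample log line are constructed; the Gateway class is a deliberately simplified stand-in for pluto's bookkeeping.

```python
"""Model of Openswan's virtual-IP conflict for NAT'ed roadwarriors.
Illustrative only: the Gateway class is a simplification, not pluto's logic."""
import ipaddress
import re
from dataclasses import dataclass, field

# virtual_private value as written in the posted ipsec.conf (wrapped line joined).
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:2.0.0.0/8,%v4:!2.4.2.7/32")

# Constructed sample of the pluto message quoted in the post; the outer address
# is a documentation-range placeholder (the post redacts it).
SAMPLE_LOG = ('Jul  4 19:33:03 openswangw pluto[9211]: "roadwarrior"[6] 203.0.113.5 '
              "#2915: Virtual IP 192.168.1.3/32 is already used by "
              "'C=GB, ST=Here, L=Mytown, O=AcmeLtd, OU=Engineers, CN=Me, E=me@example.com'")

CONFLICT_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<outer>\S+) #\d+: '
    r"Virtual IP (?P<vip>\S+) is already used by '(?P<dn>[^']+)'")


def parse_virtual_private(spec):
    """Split virtual_private into (allowed, excluded) IPv4 networks.
    '%v4:NET' permits NET as a virtual-IP range; '%v4:!NET' carves it back out."""
    allowed, excluded = [], []
    for entry in spec.split(","):
        m = re.fullmatch(r"%v4:(!?)(\S+)", entry.strip())
        if m is None:
            raise ValueError(f"unsupported virtual_private entry: {entry!r}")
        net = ipaddress.ip_network(m.group(2), strict=False)
        (excluded if m.group(1) else allowed).append(net)
    return allowed, excluded


def virtual_ip_permitted(ip, allowed, excluded):
    """A client-proposed inner address is acceptable only if it lies inside an
    allowed range and outside every excluded one."""
    ip = ipaddress.ip_address(ip)
    return any(ip in n for n in allowed) and not any(ip in n for n in excluded)


@dataclass
class Gateway:
    """Gateway's view (simplified): each accepted roadwarrior must own a distinct
    inner /32 behind the tunnel, whatever its NAT'ed outer address is."""
    allowed: list
    excluded: list
    in_use: dict = field(default_factory=dict)   # inner address -> (peer DN, outer IP)

    def propose(self, peer_dn, outer_ip, inner_ip):
        ip = ipaddress.ip_address(inner_ip)
        if not virtual_ip_permitted(ip, self.allowed, self.excluded):
            return f"Virtual IP {ip}/32 is not permitted by virtual_private"
        holder = self.in_use.get(ip)
        if holder is not None and holder[0] != peer_dn:
            # Same wording as the pluto message in the post: the gateway cannot
            # route one inner /32 to two peers, so NAT on the outside does not help.
            return f"Virtual IP {ip}/32 is already used by '{holder[0]}'"
        self.in_use[ip] = (peer_dn, outer_ip)   # first claim, or the same peer rekeying
        return "ok"


def parse_conflict_line(line):
    """Return {conn, outer, vip, dn} for a pluto 'Virtual IP ... already used'
    line, or None for any other line; useful when grepping logs for collisions."""
    m = CONFLICT_RE.search(line)
    return m.groupdict() if m else None


def demo():
    """Two clients behind different NAT routers, both numbered 192.168.1.3 at home."""
    gw = Gateway(*parse_virtual_private(VIRTUAL_PRIVATE))
    return [
        gw.propose("CN=alice", "203.0.113.5", "192.168.1.3"),
        gw.propose("CN=bob", "198.51.100.9", "192.168.1.3"),   # collides with alice
        gw.propose("CN=bob", "198.51.100.9", "192.168.1.4"),   # distinct inner address works
        gw.propose("CN=alice", "203.0.113.5", "192.168.1.3"),  # same peer again (rekey) is fine
        gw.propose("CN=carol", "192.0.2.77", "2.4.2.7"),       # excluded by %v4:!2.4.2.7/32
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
    print(parse_conflict_line(SAMPLE_LOG))
```

Running the script prints "ok" for the first claim, the "already used" refusal for the second peer proposing the same 192.168.1.3, "ok" once that peer proposes a different address, and a virtual_private rejection for 2.4.2.7. The practical consequence is the one the model shows: what must be unique is the address each client presents inside the tunnel, not the NAT'ed address it connects from.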