[Openswan Users] RE: 'Virtual IP xxx is already used by' issue

Mike.Peters at opengi.co.uk Mike.Peters at opengi.co.uk
Wed Jul 5 17:23:39 CEST 2006


> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com] 
> Sent: 05 July 2006 15:47
> To: Mike Peters
> Cc: users at openswan.org
> Subject: 'Virtual IP xxx is already used by' issue
> 
> On Wed, 5 Jul 2006, Mike.Peters at opengi.co.uk wrote:
> 
> > I have multiple roadwarrior clients, using WinXP and lsipsectool to
> > connect to an OpenSwan gateway. The clients are NAT'ed but I am seeing
> > the following messages in the logs when some clients fail to connect:
> >
> > Jul  4 19:33:03 openswangw pluto[9211]: "roadwarrior"[6] XXX.XXX.XXX.XXX
> > #2915: Virtual IP 192.168.1.3/32 is already used by 'C=GB, ST=Here,
> > L=Mytown, O=AcmeLtd, OU=Engineers, CN=Me, E=me at example.com'
> >
> > Presumably this means that the client can't connect because another user
> > is already connected with the same private IP address. Can users behind
> > NAT'ed gateways not have the same private IP address - I thought that
> > was the whole point of NAT? Or am I missing something in my
> > configuration?
> 
> This problem is a tad complex. The virtual IP handling code had various bugs
> in it, that have not been fixed in the openswan-2.4.x code, but have been
> fixed in our L2TP enhanced version of openswan, see:
> 
> http://lists.openswan.org/pipermail/users/2006-May/009487.html
> 
> Most of the bugs related to the Virtual IP handling though, have
> already been folded back into #public, which is the GIT version of our
> old "CVS HEAD", aka the unstable development bleeding edge. No releases
> of Openswan-2.5.x (or perhaps we will call it Openswan-3.x) have been
> made yet. But I do not think the overlapip=yes option is there. See
> the above link why that is.
> 
I am not currently using L2TP. Will 2.5.x (or 3.x) allow this to work
without using L2TP or does the above imply that you must use L2TP for
multiple home users with duplicate IP addresses?

Also, was this working in older versions of OpenSwan (2.2.x)? The reason
I ask is that I wasn't sure if the issue has appeared due to upgrading
OpenSwan or whether it has just come to light due to an increased volume
of users.

Thanks

Mike Peters

