[Openswan Users] "Virtual IP x.x.x.x is already used" - connection cached?

Nels Lindquist nlindq at maei.ca
Tue Jul 3 16:59:39 EDT 2007

I'm using OpenSWAN 2.4.8, and I'm being stung by the Virtual IP handling
issue, though not in the way that I understood it.

My impression was that it's not currently possible to have multiple L2TP
users behind a single NAT firewall simultaneously, but that it was
possible to do so serially.

However, when User A disconnects their L2TP session, the tunnel is torn
down and the kernel SAD entry is flushed, but the kernel SPD (Security
Policy Database) entry remains cached.

When User B attempts to connect, they get an error, and the "Virtual IP
x.x.x.x is already used" message shows up in the log.

If I do "ipsec auto --replace [l2tpd-connection-definition]" then User B
can connect, but User A now can't connect after User B disconnects.

On the OpenSWAN side, it's a standard L2TP roadwarrior connection, with
dpdaction=clear defined.

Is there some other configuration directive I need to convince OpenSWAN
to remove the SPD entry when the tunnel is torn down?

Thanks very much!

Nels Lindquist

More information about the Users mailing list