[Openswan Users] "Virtual IP x.x.x.x is already used" - connection cached?
Nels Lindquist
nlindq at maei.ca
Tue Jul 3 16:59:39 EDT 2007
I'm using OpenSWAN 2.4.8, and I'm being stung by the Virtual IP handling issue, though not in the way that I understood it.

My impression was that it's not currently possible to have multiple L2TP users behind a single NAT firewall simultaneously, but that it was possible to do so serially.

However, when User A disconnects their L2TP session, the tunnel is torn down and the kernel SAD entry is flushed, but the kernel SPD (Security Policy Database) entry remains cached.

When User B attempts to connect, they get an error, and the "Virtual IP x.x.x.x is already used" message shows up in the log.

If I do "ipsec auto --replace [l2tpd-connection-definition]" then User B can connect, but User A now can't connect after User B disconnects.

On the OpenSWAN side, it's a standard L2TP roadwarrior connection, with dpdaction=clear defined.

Is there some other configuration directive I need to convince OpenSWAN to remove the SPD entry when the tunnel is torn down?

Thanks very much!

Nels Lindquist
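One way to confirm the "SA flushed, SPD entry still cached" condition the post describes, as an added diagnostic that is not part of the original thread: dump the kernel SPD and SAD and list every policy whose template reqid no longer has a security association behind it. It assumes the NETKEY stack (so `ip xfrm policy` / `ip xfrm state` are the right views); the sample dumps, addresses and reqids are constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. Assumes the NETKEY stack,
# where the kernel SPD/SAD are read with `ip xfrm policy` / `ip xfrm state`.
# A policy whose template reqid has no SA in the SAD is exactly the "SA
# flushed, SPD entry still cached" state the post describes.

# stale_policies POLICY_DUMP STATE_DUMP
# Prints one line per SPD entry (src dst dir reqid) with no SA for its reqid.
stale_policies() {
    printf 'STATES\n%s\nPOLICIES\n%s\n' "$2" "$1" | awk '
        $1 == "STATES"   { section = "s"; next }
        $1 == "POLICIES" { section = "p"; next }
        # SAD: remember every reqid that still has a live SA
        section == "s" && /reqid/ {
            for (i = 1; i <= NF; i++) if ($i == "reqid") have[$(i+1)] = 1
        }
        # SPD: "src A dst B" opens an entry; "dir" and "tmpl ... reqid" follow
        section == "p" && $1 == "src" { src = $2; dst = $4 }
        section == "p" && $1 == "dir" { dir = $2 }
        section == "p" && /reqid/ {
            for (i = 1; i <= NF; i++) if ($i == "reqid") r = $(i+1)
            if (!(r in have)) print src, dst, dir, "reqid", r
        }'
}

# Constructed sample dumps (trimmed; real output is tab-indented).
# 10.1.1.5 = User A, whose SAs were flushed; 10.1.1.6 = a live roadwarrior.
SAMPLE_POLICY='src 10.1.1.5/32 dst 192.168.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.7 dst 203.0.113.1
        proto esp reqid 16389 mode tunnel
src 192.168.0.0/24 dst 10.1.1.5/32
    dir out priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
        proto esp reqid 16389 mode tunnel
src 192.168.0.0/24 dst 10.1.1.6/32
    dir out priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
        proto esp reqid 16393 mode tunnel'
SAMPLE_STATE='src 203.0.113.1 dst 198.51.100.7
    proto esp spi 0x0b1a2c3d reqid 16393 mode tunnel
    replay-window 32 flag af-unspec'

# Stand-alone: report on the samples; --live reads the running kernel (root).
if [ "${1-}" = "--live" ]; then
    stale_policies "$(ip xfrm policy)" "$(ip xfrm state)"
else
    stale_policies "$SAMPLE_POLICY" "$SAMPLE_STATE"
fi
```

Run it with `--live` right after a roadwarrior disconnects: any line it prints is an SPD entry the teardown left behind, and the virtual IP in that line is the one the next user will be told is "already used". It does not apply to the KLIPS stack, whose eroute table is not visible through `ip xfrm`.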