[Openswan Users] Bug: Duelling tunnels in openswan-2.4.9-r1

Paul Wouters paul at xelerance.com
Mon Oct 22 14:38:55 EDT 2007


On Mon, 22 Oct 2007, Roland Plüss wrote:

> > this setup is wrong though. Two different laptops should use two different
> > identifiers. You should have two conn's on the server side.
> >
> The wiki though says you can use the same connection for multiple road
> warriors so you don't have to create a new connection definition for
> each machine. How else are you supposed to have a scalable setup where
> you don't know which machines connect (hence you want the same VPN data
> to be sent to all machines without worrying about personalized files)?

the proper way is to assign all roadwarriors an X.509 certificate and they
will all have a unique id (the DN of the certificate) and their own RSA key,
and it uses one roadwarrior conn.

PreShared Secrets (PSK) are a bad idea to use for multiple clients, because
one compromised client leads to all clients being compromised.

> > What do you intend to do when both are behind the same NAT router? They
> > will have the same IP.
> >
> They are not behind a NAT router. Every machine has its own unique IP.

For now :)

> > It's your setup that is flawed. Perhaps gentoo changed the default for
> > uniqueids= in the config setup section? The default is "yes", which
> > breaks your setup.
> >
> Could be possible. I'll check this one out.

with uniqueids=no, openswan should not disconnect multiple occurrences of
the same client id connecting.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
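The two server-side layouts discussed in this thread, written out as an added illustration (not configuration from the original post or from the Openswan project). Openswan 2.4-era ipsec.conf syntax is assumed; the gateway name, subnet, certificate file names and CA are hypothetical placeholders:

```ini
# /etc/ipsec.conf on the gateway (illustrative, hypothetical names)

config setup
    interfaces=%defaultroute
    # Default is yes: when a new peer presents an ID that is already in
    # use, Openswan assumes the old peer has reconnected and tears the old
    # tunnel down. Two laptops sharing one ID therefore keep replacing each
    # other ("duelling tunnels"). uniqueids=no lets both stay up, but it
    # does nothing about the shared secret below.
    uniqueids=yes

# Weak layout (the one the thread is about): every laptop authenticates with
# the same pre-shared key and the same identifier, so the gateway cannot tell
# the laptops apart and one compromised laptop exposes the key for all.
conn roadwarrior-psk
    left=%defaultroute
    leftid=@vpngateway.example.com      # hypothetical gateway ID
    leftsubnet=10.0.0.0/24              # hypothetical office network
    right=%any
    rightid=@roadwarrior                # identical on every laptop -> ID collisions
    authby=secret
    auto=add

# Corrected layout: still a single conn, but each laptop presents its own
# X.509 certificate. The ID is the certificate DN, so it is unique per
# machine, each machine has its own RSA key, and only certificates issued by
# the same CA that issued the gateway certificate are accepted (rightca=%same).
conn roadwarrior-x509
    left=%defaultroute
    leftcert=gatewayCert.pem            # read from /etc/ipsec.d/certs/ (hypothetical)
    leftrsasigkey=%cert                 # leftid defaults to the cert DN
    leftsubnet=10.0.0.0/24
    right=%any
    rightrsasigkey=%cert                # take the peer's key from its cert
    rightca=%same
    authby=rsasig
    auto=add
```

With the certificate-based conn, /etc/ipsec.secrets on the gateway only needs its own private key (a `: RSA gatewayKey.pem` line pointing at /etc/ipsec.d/private/), and nothing client-specific; each laptop carries its own certificate and key, with `leftcert=` naming that laptop's certificate and `rightid=` set to the gateway certificate's DN. Revoking one laptop then means revoking one certificate, not re-keying every client.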

