[Openswan Users] 2 l2tp from same natted lan - 2.6.24
Christian Huldt
christian at solvare.se
Fri Feb 12 06:51:13 EST 2010
Hi,
We are trying to set up two l2tp connections to the same openswan
server from one NATed LAN using certificates.
This should work fine with 2.6.24, right?
Each computer (WinXP) connects fine with its certificate, but if the
other is connected we get
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #53: the peer proposed: 83.115.27.196/32:17/1701 -> 192.168.103.171/32:17/0
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: responding to Quick Mode proposal {msgid:bd7cd834}
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: us: 83.115.27.196[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=vpn.cedervallarkitekter.se, E=it at cedervallarkitekter.se,+S=C]:17/1701
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: them: 213.233.207.134[C=SE, ST=Stockholm, L=Stockholm, O=Solvare, OU=support, CN=christian, E=christian at solvare.se,+S=C]:17/1701===192.168.103.171/32
Feb 12 12:37:41 vpn pluto[6465]: | NAT-OA: 4 tunnel: 1
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: cannot install eroute -- it is in use for "roadwarrior-l2tp"[26] 213.233.207.134 #52
Feb 12 12:37:42 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: discarding duplicate packet; already STATE_QUICK_R0
Feb 12 12:38:17 vpn pluto[6465]: last message repeated 4 times
# ipsec --version
Linux Openswan U2.6.24/K2.6.31-17-generic (netkey)
See `ipsec --copyright' for copyright information.
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        #plutodebug="all"
        #plutodebug="control private"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        protostack=netkey
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.79.0/24
# Add connections here
conn %default
        authby = rsasig
        leftrsasigkey = %cert
        rightrsasigkey = %cert
        compress=no
        disablearrivalcheck=yes
        ikelifetime=240m
        keyexchange=ike
        keyingtries=3
        keylife=60m
#Disable Opportunistic Encryption
#include /etc/ipsec/ipsec.d/examples/no_oe.conf
conn roadwarrior-l2tp
        leftprotoport=17/1701
        rightprotoport=17/%any
        forceencaps = no
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        rightca=%same
        auto=add
        leftcert = it.cedervallarkitekter.se-cert.pem
What did I mess up?
I assume(?) we could set up one connection for each client
certificate, but as we are expecting at least 30 clients, it would be
nice to have a simple .conf.
Christian Huldt
christian at solvare.se
+46704612207
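As an added example (not from the post or from Openswan itself), a small Python parser for pluto log lines of the shape quoted above: it picks out every "cannot install eroute -- it is in use" message and reports whether the two colliding instances arrived from one public (NAT) address and which virtual host each state negotiated, which is the first thing to check when two clients behind the same NAT collide. The sample log is constructed from the post's lines, unwrapped to one record per line; the state #52 "them:" line (the first client's vhost 192.168.103.170) is invented for illustration.

```python
"""Spot Openswan/pluto eroute collisions between roadwarrior instances."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

def inst_pattern(prefix: str) -> str:
    # A pluto instance reference looks like: "roadwarrior-l2tp"[27] 213.233.207.134 #54
    return (rf'"(?P<{prefix}conn>[^"]+)"\[(?P<{prefix}inst>\d+)\] '
            rf'(?P<{prefix}peer>[\d.]+) #(?P<{prefix}state>\d+)')

EROUTE_RE = re.compile(inst_pattern('new_') +
    r': cannot install eroute -- it is in use for ' + inst_pattern('old_'))
# "them: <peer>[<DN>]:<proto>/<port>===<vhost>" carries the client's virtual host
THEM_RE = re.compile(inst_pattern('') +
    r': them: [\d.]+\[[^\]]*\]:\d+/\d+===(?P<vhost>[\d.]+/\d+)')

@dataclass(frozen=True)
class Collision:
    conn: str
    new_state: int            # state that lost (could not install the eroute)
    old_state: int            # state already holding the eroute
    same_nat: bool            # both instances came from one public address
    new_vhost: Optional[str]  # inner address negotiated by the losing state
    old_vhost: Optional[str]  # inner address negotiated by the holding state

def find_collisions(log_text: str) -> list[Collision]:
    vhost_by_state: dict[int, str] = {}
    found: list[Collision] = []
    for line in log_text.splitlines():
        t = THEM_RE.search(line)
        if t:  # remember each state's negotiated virtual host
            vhost_by_state[int(t['state'])] = t['vhost']
            continue
        m = EROUTE_RE.search(line)
        if m:
            new_s, old_s = int(m['new_state']), int(m['old_state'])
            found.append(Collision(
                conn=m['new_conn'], new_state=new_s, old_state=old_s,
                same_nat=m['new_peer'] == m['old_peer'],
                new_vhost=vhost_by_state.get(new_s),
                old_vhost=vhost_by_state.get(old_s)))
    return found

# Constructed sample modelled on the post; the #52 line is invented.
SAMPLE_LOG = """\
Feb 12 12:30:02 vpn pluto[6465]: "roadwarrior-l2tp"[26] 213.233.207.134 #52: them: 213.233.207.134[C=SE, O=Solvare, CN=other,+S=C]:17/1701===192.168.103.170/32
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: them: 213.233.207.134[C=SE, O=Solvare, CN=christian,+S=C]:17/1701===192.168.103.171/32
Feb 12 12:37:41 vpn pluto[6465]: | NAT-OA: 4 tunnel: 1
Feb 12 12:37:41 vpn pluto[6465]: "roadwarrior-l2tp"[27] 213.233.207.134 #54: cannot install eroute -- it is in use for "roadwarrior-l2tp"[26] 213.233.207.134 #52
"""

if __name__ == "__main__":
    for c in find_collisions(SAMPLE_LOG):
        print(c)
```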