[Openswan Users] Muliple Nat traversal Road Warriors with same addresses

Paul Wouters paul at xelerance.com
Wed Jul 14 12:02:18 EDT 2010

On Wed, 14 Jul 2010, Larry Brown wrote:

> I have a single Road Warrior successfully connecting to a Openswan
> gateway and communicating to the subnet behind the gateway securely.
> That roadwarrior is behind a firewall allowing all outbound port traffic
> and using NAT.  So my roadwarrior has an IP address of
> When I get packets from the roadwarrior and when I send packets to that
> roadwarrior they are addressed from/to  When another
> roadwarrior happens to be behind someone else's firewall and happens to
> get I expect I will have a problem.  How can I overcome
> this problem with Openswan and IPSEC without using L2tp/ppp or can I?

You will need the "SAref tracking" feature for that. That will allow packets
to be marked with an saref number so you can have two's that
are still clearly seperate from each other.

Currently, this works providing you use:

- openswan 2.6.27+ (2.6.28dr3 recommended)
- KLIPS IPsec stack
- SAREF patches to the kernel (see openswan-2.6.x/patches/kernel/2.6.34/)
- xl2tpd with "ipsec saref" option enabled
- protostack=mast in ipsec.conf
- overlapip=yes in ipsec.conf

No additional client configuration is required. It works with Windows, OSX, iphones,
Linux, etc. as client.


More information about the Users mailing list