[Openswan Users] More than one user behind NAT device

[Paul Wouters]

On Tue, 25 Oct 2011, Linden Varley wrote:

> I have two users behind a NAT router trying to connect to an OpenSwan server. After they have both connected, the original user can no longer establish an ipsec connection. I need to reset the ADSL Router (NAT device) in order for the user to connect again.

> 
> xl2tpd.conf
> [global]
> ipsec saref = yes

> ipsec.conf
> 
> config setup
>         nat_traversal=yes
>         oe=off
>         interfaces="%defaultroute"
>         protostack=mast
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4
>  
> 
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
> 
> conn L2TP-PSK-noNAT
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>         left=<externalIP>
>         right=%any
>         rightprotoport=17/%any
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         overlapip=yes
>         sareftrack=yes
> 
> I’m running Debian 6.0.3 with a SAref patched 2.6.32 kernel.
> 
> ipsec verify shows
> 
> Kernel: IPsec SAref kernel support      [OK]
> Kernel: IPsec SAref Bind kernel support [OK]

Does xl2tpd at boot confirms saref is found?

Note we had to renumber the socket options for newer kernels, so you need to ensure you are using
the same number in the kernel SAref patch, openswan and xl2tpd. It is either 22/23 (old) or 30/31 (new)
The numbers got updated in xl2tpd 1.3.1 and openswan 2.6.36. Since the kernel started using 22,
you might think you got support while you don't (since the setsockopt might succeed)

In xl2tpd 1.3.1 you can set the number using 'sarf refinfo =' so you can support older and newer kernels.
For openswan it is still a compile time option right now. check include/ipsec_saref.h

Paul