[Openswan Users] Road Warrior setup and multi-access with same account

Brian Mastenbrook brian at mastenbrook.net
Thu Mar 15 21:28:40 EDT 2012


On Mar 15, 2012, at 7:29 PM, Paul Wouters wrote:

>> I'm wondering if it's OK to use the same set of details
>> when connecting from my Mac, Win7 PC and iPhone, sometimes appearing to
>> come from the same (NAT'd) IP.  Seems to work OK but sometimes a
>> connection seems to get left half open and I can no longer re-connect
>> using the same device (i.e. iPhone won't work but works fine from Win7
>> or Mac OS X box).
> 
> That is a separate issue. For that to properly work you need SAref
> tracking, which requires a kernel patch and currently only KLIPS
> supports it in "mast" mode. For more details see:

Is this really the case? I'm able to have multiple road warriors behind a single NAT with the regular NETKEY stack in the stock Ubuntu Lucid kernel. I don't seem to have any issues with this configuration. The clients can all communicate with each other and the server correctly. What am I doing "wrong"?

The issue described by the OP here sounds more like an issue I solved by enabling DPD on the server, since Apple iOS seems to require DPD to clear out the SA when the VPN is turned off on the client. I've also only tested this with NAT-T encapsulation; the OP may want to try forceencaps to see if it helps.

--
Brian Mastenbrook
brian at mastenbrook.net
http://brian.mastenbrook.net/
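
Added example, not part of the original message and not taken from the poster's or the Openswan project's configuration: a server-side `ipsec.conf` fragment showing the DPD and `forceencaps` settings the message refers to. The conn name and the timer values are assumptions chosen for illustration.

```conf
# /etc/ipsec.conf fragment (constructed example; conn name and timer
# values are assumptions, not settings from the original message)

config setup
    # NETKEY is the stock-kernel stack the message says it is using
    protostack=netkey
    # Allow NAT-T so clients behind NAT are encapsulated in UDP 4500
    nat_traversal=yes

conn roadwarrior-example        # hypothetical conn name
    # ... existing left=/right=/authentication settings stay as they are ...

    # Dead Peer Detection: probe an idle peer every 30 seconds
    dpddelay=30
    # Declare the peer dead after 120 seconds without any reply
    dpdtimeout=120
    # On a dead peer, delete the SA instead of holding it, so a client
    # that switched its VPN off can negotiate a fresh SA on reconnect
    dpdaction=clear

    # Always use UDP encapsulation for ESP, even when no NAT is detected
    forceencaps=yes
```

After a reload, `ipsec auto --status` lists the SAs the server still holds, which shows whether a stale SA for a disconnected client has been cleared once the DPD timeout passes.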
