[Openswan Users] Road Warrior setup and multi-access with same account

Paul Wouters pwouters at redhat.com
Thu Mar 15 21:53:41 EDT 2012


On Thu, 15 Mar 2012, Brian Mastenbrook wrote:

>> That is a separate issue. For that to properly work you need SAref
>> tracking, which requires a kernel patch and currently only KLIPS
>> supports it in "mast" mode. For more details see:
>
> Is this really the case? I'm able to have multiple road warriors behind a single NAT with the regular NETKEY stack in the stock Ubuntu Lucid kernel. I don't seem to have any issues with this configuration. The clients can all communicate with each other and the server correctly. What am I doing "wrong"?

That works with netkey, but if two people are on the same internal ip
behind different NAT routers, it will not work. At least, last I
checked.

> The issue described by the OP here sounds more like an issue I solved by enabling DPD on the server, since Apple iOS seems to require DPD to clear out the SA when the VPN is turned off on the client. I've also only tested this with NAT-T encapsulation; the OP may want to try forceencaps to see if it helps.

Some NAT-T fixes are pending that will be in the upcoming 2.6.38
release, which should make interop with Android and iPhone versions
better, especially in the mixed NAT and noNAT cases.

Paul

