[Openswan Users] Road Warrior setup and multi-access with same account
j.m.farnsworth at gmail.com
Fri Mar 16 12:08:31 EDT 2012
I found that I could have multiple Mac/iOS devices behind the same NAT;
I could even add one Windows client, but as soon as I added a second
Windows client or an Android client I would get problems. I figured
that Mac/iOS were playing nicely because they were using random floating
ports, thus uniquely identifying themselves, while Windows clients all
used the same port. Adding the second client started the confusion. As
Paul said, the solution was to use KLIPS with SAref tracking.
On 16/03/2012 01:28, Brian Mastenbrook wrote:
> On Mar 15, 2012, at 7:29 PM, Paul Wouters wrote:
>>> I'm wondering if it's OK to use the same set of details
>>> when connecting from my Mac, Win7 PC and iPhone, sometimes appearing to
>>> come from the same (NAT'd) IP. Seems to work OK but sometimes a
>>> connection seems to get left half open and I can no longer re-connect
>>> using the same device (i.e. iPhone won't work but works fine from Win7
>>> or Mac OS X box).
>> That is a separate issue. For that to properly work you need SAref
>> tracking, which requires a kernel patch and currently only KLIPS
>> supports it in "mast" mode. For more details see:
> Is this really the case? I'm able to have multiple road warriors behind a single NAT with the regular NETKEY stack in the stock Ubuntu Lucid kernel. I don't seem to have any issues with this configuration. The clients can all communicate with each other and the server correctly. What am I doing "wrong"?
> The issue described by the OP here sounds more like an issue I solved by enabling DPD on the server, since Apple iOS seems to require DPD to clear out the SA when the VPN is turned off on the client. I've also only tested this with NAT-T encapsulation; the OP may want to try forceencaps to see if it helps.
> Brian Mastenbrook
> brian at mastenbrook.net
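As an added illustration (not from this thread or from the Openswan project), here is an ipsec.conf fragment that combines the two remedies discussed above: DPD plus forceencaps for the half-open SA problem, and KLIPS in mast mode with SAref tracking so that several clients sharing one NAT address and UDP source port remain distinguishable. Option names follow Openswan 2.6; the subnets, PSK authentication and DPD timers are assumed values.

```ini
# ipsec.conf fragment (added example; assumed values, Openswan 2.6 option names)
config setup
    # KLIPS "mast" mode is what SAref tracking needs; the kernel must carry
    # the SAref patch. A stock NETKEY kernel cannot use this stack.
    protostack=mast
    interfaces=%defaultroute
    nat_traversal=yes
    # Private ranges road warriors may sit behind (assumed values).
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn roadwarrior
    left=%defaultroute
    leftsubnet=192.168.100.0/24     # LAN behind the gateway (assumed)
    right=%any                      # any road warrior
    rightsubnet=vhost:%priv         # clients may be behind NAT
    authby=secret                   # pre-shared key (assumed)
    # Tag each SA with a SAref so clients that share one NAT IP and the
    # same UDP source port (as the Windows clients did) no longer collide.
    sareftrack=yes
    # Dead Peer Detection: clear the SA when an iOS client simply drops the
    # VPN instead of leaving it half open. Timer values are assumed.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Always UDP-encapsulate ESP, even if NAT is not detected at IKE time.
    forceencaps=yes
    auto=add
```

After changing protostack the IPsec service has to be restarted (not just reloaded) so the other stack is initialised; `ipsec verify` will then report whether SAref support was actually found in the running kernel.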