[strongSwan] l2tp/ipsec - same private ip address behind two different peers

Noel Kuntze noel at familie-kuntze.de
Sat Jan 31 23:57:52 CET 2015



Hello Tuarego,

The problem is caused by strongSwan being unable to differentiate
between different hosts behind a single IP.
The issue is fixed with the new plugin "connmark", which will be in the next release
and leverages conntrack with connmarks to differentiate the connections.
The git head for it is viewable here [1].

[1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/connmark

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 31.01.2015 at 23:41, tuarego da silva wrote:
> Hi Noel,
> I tried =no and it seems to work... strange, because I tried earlier and charon hung up!!!
> I will try =never too.
> About two roadwarriors behind the same NAT address, do you know if there is a solution?
> Many thanks,
> Pedro.
>
> On Saturday, January 31, 2015 10:12 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Tuarego,
>
> Try uniqueids=never.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 31.01.2015 at 22:58, tuarego da silva wrote:
> > Hello all,
> > We have been using Strongswan to allow our users (students and teachers) to establish VPN sessions to our school. We chose to use IPsec/L2TP because of the Windows and Mac native clients... A few months ago we discovered that Strongswan does not support multiple clients behind the same NAT address, which was a big issue for us because we have student residences where many students try to connect at the same time.
> > Now we discovered another issue, which is that Strongswan does not allow two users behind different NAT IP addresses but with the same private IP address to connect at the same time.
> > In charon log we see:
> > Jan 31 17:51:22 16[IKE] deleting duplicate IKE_SA for peer '192.168.1.83' due to uniqueness policy
>
> > So before trying another solution for VPN we would like to ask if anybody knows if there is a way to configure Strongswan in order to use transport mode (L2TP) and bypass these difficulties.
> > Best,
> > Pedro.
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users

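Added example, not from this thread or from the strongSwan project: a small Python checker that runs over charon log lines in the format quoted above, counts how often the uniqueness policy deletes an IKE_SA per peer identity, and flags the identities that are private IP addresses, which is the signature of distinct NATed hosts presenting the same ID. The sample log lines, the threshold and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the charon line quoted in the thread. The "16[IKE]" thread number
# varies per message; the peer identity is whatever sits between the quotes.
DUPLICATE_SA = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\d+\[IKE\]\s+"
    r"deleting duplicate IKE_SA for peer '(?P<peer>[^']+)' due to uniqueness policy$"
)

def is_private_ip_identity(peer: str) -> bool:
    """True when the IKE identity is a private address (RFC 1918/ULA etc.), i.e.
    a client identifying by its NATed address; collisions across NATs are then expected."""
    try:
        return ipaddress.ip_address(peer).is_private
    except ValueError:
        return False  # certificate DN, FQDN or other non-address identity

def uniqueness_deletions(lines):
    """Count 'deleting duplicate IKE_SA' events per peer identity."""
    counts = Counter()
    for line in lines:
        m = DUPLICATE_SA.match(line.strip())
        if m:
            counts[m.group("peer")] += 1
    return counts

def colliding_private_identities(lines, threshold=2):
    """Identities dropped at least `threshold` times that are private IPs:
    candidates for the uniqueids / connmark problem described in the thread."""
    return sorted(
        peer for peer, n in uniqueness_deletions(lines).items()
        if n >= threshold and is_private_ip_identity(peer)
    )

# Constructed sample in the format of the log line quoted in the thread.
SAMPLE_LOG = """\
Jan 31 17:51:22 16[IKE] deleting duplicate IKE_SA for peer '192.168.1.83' due to uniqueness policy
Jan 31 17:52:03 07[IKE] deleting duplicate IKE_SA for peer '192.168.1.83' due to uniqueness policy
Jan 31 17:58:41 09[IKE] deleting duplicate IKE_SA for peer '10.0.0.5' due to uniqueness policy
Jan 31 18:04:10 11[IKE] deleting duplicate IKE_SA for peer 'CN=alice, O=school' due to uniqueness policy
Jan 31 18:05:00 03[IKE] IKE_SA l2tp[42] established between 203.0.113.7[203.0.113.7]...[192.168.1.83]
""".splitlines()

if __name__ == "__main__":
    for peer, n in uniqueness_deletions(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {peer}")
    print("private-IP identities colliding:", colliding_private_identities(SAMPLE_LOG))
```

Feed it `journalctl -u strongswan` or the charon syslog output instead of SAMPLE_LOG to see whether the deletions on a real gateway come from shared private-IP identities or from genuine reconnects of the same user.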
