[strongSwan] l2tp/ipsec - same private ip address behind two different peers
noel at familie-kuntze.de
Sat Jan 31 23:57:52 CET 2015
The problem is caused by strongSwan being unable to differentiate
between different hosts behind a single IP.
The issue is fixed with the new plugin "connmark", which will be in the next release
and leverages conntrack with connmarks to differentiate the connections.
The git head for it is viewable here.
Kind regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 31.01.2015 at 23:41, tuarego da silva wrote:
> Hi Noel,
> I tried =no and it seems to work... strange, because I tried earlier and charon hung up!!!
> I will try =never too.
> About two roadwarriors behind the same NAT address, do you know if there is a solution?
> Many thanks,
> On Saturday, January 31, 2015 10:12 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Tuarego,
> Try uniqueids=never.
> Kind regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 31.01.2015 at 22:58, tuarego da silva wrote:
> > Hello all,
> > We have been using strongSwan to allow our users (students and teachers) to establish VPN sessions to our school. We chose to use IPsec/L2TP because of the Windows and Mac native clients... A few months ago we discovered that strongSwan does not support multiple clients behind the same NAT address, which was a big issue for us because we have student residences where many students try to connect at the same time.
> > Now we have discovered another issue: strongSwan does not allow two users behind different NAT IP addresses but with the same private IP address to connect at the same time.
> > In charon log we see:
> > Jan 31 17:51:22 16[IKE] deleting duplicate IKE_SA for peer '192.168.1.83' due to uniqueness policy
> > So before trying another VPN solution we would like to ask if anybody knows whether there is a way to configure strongSwan to use transport mode (L2TP) and bypass these difficulties.
> > Best,
> > Pedro.
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > https://lists.strongswan.org/mailman/listinfo/users
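For readers who want to see where the `uniqueids` setting from this thread actually lives, here is an added example of a minimal ipsec.conf for an L2TP/IPsec transport-mode responder. It is not configuration posted by anyone in the thread or shipped by the strongSwan project; the connection name `l2tp-ipsec` and the DPD timings are assumptions. The log line quoted above ("deleting duplicate IKE_SA for peer ... due to uniqueness policy") is what the `uniqueids` check produces when two clients present the same identity, which is exactly what happens when both sit on 192.168.1.83 behind different NATs.

```ini
# ipsec.conf - added example (assumed layout, not from the thread)

config setup
    # "never" disables the uniqueness check entirely: a new IKE_SA with an
    # identity that is already in use no longer replaces the existing one,
    # so two clients with the same private address can coexist.
    # "no" would still let an INITIAL_CONTACT notify tear down the old SA.
    uniqueids=never

conn l2tp-ipsec
    keyexchange=ikev1
    type=transport            # L2TP carries the tunnel; IPsec protects UDP 1701
    authby=secret             # PSK, as the native Windows/Mac clients expect
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # With uniqueness disabled, stale SAs from clients that vanished are no
    # longer replaced on reconnect, so rely on DPD to clear them instead.
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s
    auto=add
```

The trade-off to keep in mind: `uniqueids=never` removes a cleanup mechanism rather than adding one. Every client that drops off the network without sending a delete leaves an SA behind until DPD or the lifetime expires, so watch the SA count on a busy gateway and keep the DPD timers reasonably short. The connmark plugin mentioned in the reply is the longer-term fix for the same-address case because it distinguishes peers by conntrack mark rather than by identity; its per-connection settings are not covered by this thread, so consult the release documentation before relying on it.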