[strongSwan] Multiple Windows 10 'Road Warriors'

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 11 19:52:28 CEST 2019


Hello Andreas,

Set forceencaps=true and make sure IPsecPassthrough on the FritzBox is disabled.

Kind regards

Noel

On 11.06.19 at 15:20, Andreas Thiele wrote:
> Hi,
>
> I have several customers which I want to grant access to different subnets. For these customers I create certificates. So basically many customers can connect and have access to their devices. If a certificate gets lost I can create a new certificate and remove the old one from the allowed connections. This already works but I have a problem:
>
> If a customer is behind a router (FRITZ!BOX 7490 for my test - I guess a very typical situation), only one Windows 10 workstation can connect to the VPN. A second cannot connect even if a different certificate is used. When the first disconnects, the second has to wait for abt. 10 minutes, then it can connect. I am no expert and just a few months ago, I nearly didn’t know anything about VPN and not much about network technology at all.
>
> Here is my otherwise working configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         charondebug="ike 2, cfg 2, chd 2"
>
> conn windows
>         fragmentation=yes
>         left=%any
>         leftcert=nx03Cert.der
>         leftid="C=DE, O=strongSwan, CN=xxxxxx.com"
>         leftfirewall=yes
>         leftauth=pubkey
>         keyexchange=ikev2
>         right=%any
>         auto=add
>
> # individual customers are added here.
>
> conn baseMob
>         # base engineering
>         also=windows
>         leftsubnet=10.2.255.0/24
>         rightid="C=DE, O=strongSwan, CN=CLIENT_XXX"
>         rightsourceip=10.3.255.0/28
>
> include /var/lib/strongswan/ipsec.conf.inc
>
> I am thankful for any help or hint on how to improve things.
>
> Best Wishes
>
> Andreas
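
Because the quoted configuration builds each customer conn from `conn windows` via `also=`, it is worth checking that forceencaps really reaches every loaded conn after inheritance is resolved. The checker below is an added example, not part of the original post or of strongSwan: the function names are hypothetical, the sample config is constructed (abridged from the one quoted above), and it tests for the value `yes` as documented in the ipsec.conf man page.

```python
# Added example; helper names are hypothetical, SAMPLE is constructed
# (abridged from the configuration quoted in this thread).
SAMPLE = '''\
config setup
        charondebug="ike 2, cfg 2, chd 2"
conn windows
        fragmentation=yes
        right=%any
        auto=add
conn baseMob
        # base engineering
        also=windows
        leftsubnet=10.2.255.0/24
        rightsourceip=10.3.255.0/28
'''

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; also= values are kept as a list."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # section header starts in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if key == "also":
                current.setdefault("also", []).append(value.strip('"'))
            else:
                current[key] = value.strip('"')
    return conns

def effective(conns, name, seen=()):
    """Resolve also= inheritance; a conn's own keys override inherited ones."""
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    merged = {}
    for parent in conns[name].get("also", []):
        merged.update(effective(conns, parent, seen + (name,)))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged

def conns_missing_forceencaps(text):
    """Loaded conns (auto= set) whose effective forceencaps is not 'yes'."""
    conns = parse_ipsec_conf(text)
    eff = {n: effective(conns, n) for n in conns}
    return sorted(n for n, e in eff.items()
                  if "auto" in e and e.get("forceencaps", "no") != "yes")
```

The checker does not follow `include` lines, so a file such as the `ipsec.conf.inc` referenced above has to be passed through it separately or concatenated first.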