
List:       openswan-users
Subject:    Re: [Openswan Users] Multiple NAT traversal Road Warriors with same addresses
From:       Paul Wouters <paul () xelerance ! com>
Date:       2010-07-14 16:02:18
Message-ID: alpine.LFD.1.10.1007141159270.22331 () newtla ! xelerance ! com

On Wed, 14 Jul 2010, Larry Brown wrote:

> I have a single Road Warrior successfully connecting to an Openswan
> gateway and communicating to the subnet behind the gateway securely.
> That roadwarrior is behind a firewall allowing all outbound port traffic
> and using NAT.  So my roadwarrior has an IP address of 192.168.1.12.
>
> When I get packets from the roadwarrior and when I send packets to that
> roadwarrior they are addressed from/to 192.168.1.12.  When another
> roadwarrior happens to be behind someone else's firewall and happens to
> get 192.168.1.12 I expect I will have a problem.  How can I overcome
> this problem with Openswan and IPSEC without using L2tp/ppp or can I?

You will need the "SAref tracking" feature for that. That will allow packets
to be marked with an saref number so you can have two 192.168.1.12's that
are still clearly separate from each other.

Currently, this works providing you use:

- openswan 2.6.27+ (2.6.28dr3 recommended)
- KLIPS IPsec stack
- SAREF patches to the kernel (see openswan-2.6.x/patches/kernel/2.6.34/)
- xl2tpd with "ipsec saref" option enabled
- protostack=mast in ipsec.conf
- overlapip=yes in ipsec.conf

No additional client configuration is required. It works with Windows, OSX, iPhones,
Linux, etc. as client.

Paul
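As an added illustration (not part of Paul's message or of the Openswan project's own documentation), the following shows where the options from the list above are placed: protostack in the config setup section of ipsec.conf, overlapip inside the road-warrior conn, and ipsec saref in the [global] section of xl2tpd.conf. The conn layout is the usual L2TP/IPsec transport-mode pattern; the addresses, the subnet excluded from virtual_private, the PPP pool and the lns name are placeholders to be replaced with your own values.

```conf
# /etc/ipsec.conf  (gateway side; placeholder addresses)
config setup
    # MAST is the KLIPS variant that carries the SAref mark; required for
    # two clients that both sit on 192.168.1.12 behind different NATs.
    protostack=mast
    nat_traversal=yes
    # Private ranges road warriors may arrive from; exclude the gateway's
    # own LAN (placeholder 10.1.0.0/24) so it is never treated as a client.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.1.0.0/24

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Allow several clients with identical (overlapping) inner addresses;
    # the SAref, not the client IP, keeps their traffic apart.
    overlapip=yes
```

```conf
; /etc/xl2tpd/xl2tpd.conf  (placeholder values)
[global]
; Bind L2TP sockets to the SAref so each session is tied to its own SA.
ipsec saref = yes
listen-addr = 203.0.113.10

[lns default]
ip range = 172.16.1.30-172.16.1.100
local ip = 172.16.1.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

The pre-shared key for right=%any goes in ipsec.secrets as usual; with two identical-looking 192.168.1.12 peers, the thing to verify after setup is that `ipsec auto --status` shows two distinct SAs and that the xl2tpd log reports saref-bound sessions rather than one session being replaced by the other.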
