Issue #259

Connect from different location with same NAT IP

Added by Kris Jobs about 8 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Category:
-
Affected version:
5.0.1
Resolution:
Invalid

Description

Two iOS clients with different user names (same PSK), both with the same NAT IP (10.1.1.9) under different public IPs (different locations). Every time they both try to connect to the server, the last one kicks off the first connected one. I tried uniqueids=no or uniqueids=never, but it does not work.

History

#1 Updated by Tobias Brunner about 8 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner

With "user name" you mean XAuth user name? Are you in fact using 5.0.1? And could you attach the gateway log?

#2 Updated by Kris Jobs about 8 years ago

Yes, it is the XAuth user name; 5.0.1 and 5.0.2dr3 both have this issue in my tests.

The log is like below; 192.168.1.117 is the same NAT IP.

Dec  5 13:42:42 11[IKE] XAuth authentication of 'test' successful
Dec  5 13:42:42 11[ENC] generating TRANSACTION request 927493047 [ HASH CP ]
Dec  5 13:42:42 11[NET] sending packet: from 16.17.92.29[4500] to 117.4.139.26[4500]
Dec  5 13:42:43 13[IKE] sending DPD request
Dec  5 13:42:43 13[ENC] generating INFORMATIONAL_V1 request 3979433146 [ HASH N(DPD) ]
Dec  5 13:42:43 13[NET] sending packet: from 16.17.92.29[4500] to 221.219.146.207[4500]
Dec  5 13:42:43 07[NET] received packet: from 117.4.139.26[4500] to 16.17.92.29[4500]
Dec  5 13:42:43 07[ENC] parsed TRANSACTION response 927493047 [ HASH CP ]
Dec  5 13:42:43 07[IKE] IKE_SA psk-apple[5] established between 16.17.92.29[16.17.92.29]...117.4.139.26[192.168.1.117]
Dec  5 13:42:43 07[IKE] scheduling reauthentication in 85422s
Dec  5 13:42:43 07[IKE] maximum IKE_SA lifetime 86022s
Dec  5 13:42:43 07[CFG] detected duplicate IKE_SA for '192.168.1.117', triggering delete for old IKE_SA
Dec  5 13:42:43 14[NET] received packet: from 117.4.139.26[4500] to 16.17.92.29[4500]
Dec  5 13:42:43 10[IKE] closing CHILD_SA psk-apple{1} with SPIs cfea22d2_i (3138 bytes) 018ad58a_o (4531 bytes) and TS 0.0.0.0/0 === 10.8.6.17/32 
Dec  5 13:42:43 14[ENC] unknown attribute type (28683)
Dec  5 13:42:43 14[ENC] parsed TRANSACTION request 991455421 [ HASH CP ]
Dec  5 13:42:43 14[IKE] peer requested virtual IP %any
Dec  5 13:42:43 10[IKE] sending DELETE for ESP CHILD_SA with SPI cfea22d2
Dec  5 13:42:43 10[ENC] generating INFORMATIONAL_V1 request 4039867424 [ HASH D ]
Dec  5 13:42:43 10[NET] sending packet: from 16.17.92.29[4500] to 221.219.146.207[4500]
Dec  5 13:42:43 10[IKE] deleting IKE_SA psk-apple[4] between 16.17.92.29[16.17.92.29]...221.219.146.207[192.168.1.117]
Dec  5 13:42:43 10[IKE] sending DELETE for IKE_SA psk-apple[4]
Dec  5 13:42:43 10[CFG] sending RADIUS Accounting-Request to server 'primary'

#3 Updated by Tobias Brunner about 8 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Invalid

Dec  5 13:42:43 07[CFG] detected duplicate IKE_SA for '192.168.1.117', triggering delete for old IKE_SA

This message is generated by the duplicheck plugin, which uses the IKE identities (in your case the IP addresses) not the XAuth user names to detect duplicates (independent of how uniqueids is configured). It also has a very specific purpose (make sure you read the documentation). Anyway, disabling the plugin (either by not building it at all or by disabling it via charon.plugins.duplicheck.enable=no in strongswan.conf) should fix the problem.
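To check a gateway log for exactly the situation described in the reply above (the duplicheck plugin keying on an IKE identity that several NATed devices happen to share, so a new connection from one public address deletes the IKE_SA of a different public address), the following script correlates each "detected duplicate IKE_SA" line with the "deleting IKE_SA" it triggers and compares the public addresses of the old and new SA. This is an added example, not strongSwan code; the first three sample lines are taken from the excerpt in this issue, the remaining three (public address 198.51.100.7, identity 10.0.0.5) are constructed to show the contrasting case of a genuine reconnect from the same endpoint. The log line format is assumed to be charon's default syslog output as quoted in this issue.

```python
"""Flag duplicheck deletes where the old and new IKE_SA came from different
public endpoints but carried the same IKE identity (e.g. the same private IP
behind two different NATs).

Added example, not strongSwan's own code. Log format assumed to match the
charon syslog output quoted in this issue.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample log. Lines 1-3 are from the issue; lines 4-6 are made up
# (RFC 5737 documentation address) to show a reconnect from the same endpoint.
SAMPLE_LOG = """\
Dec  5 13:42:43 07[IKE] IKE_SA psk-apple[5] established between 16.17.92.29[16.17.92.29]...117.4.139.26[192.168.1.117]
Dec  5 13:42:43 07[CFG] detected duplicate IKE_SA for '192.168.1.117', triggering delete for old IKE_SA
Dec  5 13:42:43 10[IKE] deleting IKE_SA psk-apple[4] between 16.17.92.29[16.17.92.29]...221.219.146.207[192.168.1.117]
Dec  5 13:50:01 09[IKE] IKE_SA psk-apple[6] established between 16.17.92.29[16.17.92.29]...198.51.100.7[10.0.0.5]
Dec  5 13:50:01 09[CFG] detected duplicate IKE_SA for '10.0.0.5', triggering delete for old IKE_SA
Dec  5 13:50:01 12[IKE] deleting IKE_SA psk-apple[3] between 16.17.92.29[16.17.92.29]...198.51.100.7[10.0.0.5]
"""

# Peer syntax in charon logs: host[identity]...host[identity]
_PEERS = (r"(?P<lhost>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\."
          r"(?P<rhost>[^\s\[]+)\[(?P<rid>[^\]]*)\]")
ESTABLISHED = re.compile(r"IKE_SA (?P<conn>\S+?)\[(?P<sa>\d+)\] established between " + _PEERS)
DELETING = re.compile(r"deleting IKE_SA (?P<conn>\S+?)\[(?P<sa>\d+)\] between " + _PEERS)
DUPLICATE = re.compile(r"detected duplicate IKE_SA for '(?P<rid>[^']+)'")


class DuplicheckKill(NamedTuple):
    identity: str            # IKE identity duplicheck matched on (here a private IP)
    old_sa: int              # unique id of the IKE_SA that was deleted
    old_host: str            # public address of the deleted SA
    new_sa: Optional[int]    # unique id of the IKE_SA that triggered the delete
    new_host: Optional[str]  # public address of the triggering SA
    verdict: str             # 'same-endpoint' or 'different-endpoint'


def analyse_duplicheck(log_text: str) -> List[DuplicheckKill]:
    """Correlate each 'detected duplicate IKE_SA' with the delete it triggers."""
    latest: Dict[str, Tuple[int, str]] = {}  # identity -> (sa, public host) of newest SA
    pending: Set[str] = set()                 # identities duplicheck has fired for
    kills: List[DuplicheckKill] = []
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            latest[m["rid"]] = (int(m["sa"]), m["rhost"])
            continue
        m = DUPLICATE.search(line)
        if m:
            pending.add(m["rid"])
            continue
        m = DELETING.search(line)
        if m and m["rid"] in pending:
            pending.discard(m["rid"])
            new_sa, new_host = latest.get(m["rid"], (None, None))
            verdict = "same-endpoint" if m["rhost"] == new_host else "different-endpoint"
            kills.append(DuplicheckKill(m["rid"], int(m["sa"]), m["rhost"],
                                        new_sa, new_host, verdict))
    return kills


def different_endpoint_kills(log_text: str) -> List[DuplicheckKill]:
    """Only the deletes where two distinct public endpoints shared one identity."""
    return [k for k in analyse_duplicheck(log_text) if k.verdict == "different-endpoint"]


if __name__ == "__main__":
    for k in analyse_duplicheck(SAMPLE_LOG):
        print(f"{k.verdict:18} identity={k.identity} "
              f"old={k.old_sa}@{k.old_host} new={k.new_sa}@{k.new_host}")
```

On the sample above the first delete is reported as different-endpoint (SA 4 from 221.219.146.207 killed by SA 5 from 117.4.139.26, both presenting 192.168.1.117), which is the symptom in this issue; the second is a same-endpoint reconnect, the case the plugin is meant for. A non-empty different-endpoint list on a production log is the signal that duplicheck is matching on an identity several devices share, and the remedy named in the reply above is to disable the plugin (charon.plugins.duplicheck.enable = no in strongswan.conf).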

#4 Updated by Andreas Steffen over 7 years ago

  • Tracker changed from Bug to Issue
