
Issue #801

Number of simultaneous connections limited to 5 only

Added by Boris Yurchenko over 10 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.1.1
Resolution:
No change required

Description

Hi,

I have a service that relies on StrongSwan. In my scenario several users would connect to the VPN server simultaneously. Yet, from "ipsec status" I see that only the first 5 people get connected, and for the rest the status message keeps telling they are associated, but the tunnel is not installed (unless someone disconnects and a "free slot" for connection becomes available).
Is this a misconfiguration issue or is it intended to work so?

In my ipsec.conf file I have enabled the parameter "uniqueids=never", yet this is of no effect.

History

#1 Updated by Noel Kuntze over 10 years ago

Hello Boris,

Do you mind posting your ipsec.conf, strongswan.conf and log file, if you keep one?

Regards,
Noel Kuntze

#2 Updated by Boris Yurchenko over 10 years ago

ipsec.conf

config setup
   strictcrlpolicy=no
   uniqueids=never

conn %default
   ikelifetime=24h
   keylife=24h
   keyexchange=ikev2
   dpdaction=clear
   dpdtimeout=3600s
   dpddelay=3600s
   compress=yes

conn rem
   rekey=no
   leftsubnet=0.0.0.0/0
   leftauth=psk
   leftid=xxx.xxx.xxx.xxx
   right=%any
   rightsourceip=192.168.79.0/29
   rightauth=eap-mschapv2
   rightsendcert=never
   eap_identity=%any
   auto=add

conn side
   rekey=no
   leftsubnet=0.0.0.0/0
   leftauth=psk
   leftid=xxx.xxx.xxx.xxx
   right=%any
   rightsourceip=192.168.77.0/29
   rightauth=psk
   rightsendcert=never
   eap_identity=%any
   auto=add

So, for both connections "rem" and "side" the situation is the same, though different authentication methods are used. For "rem", a single username and password combination is used for all users, in case of "side" no username is actually needed.

strongswan.conf

charon {
   threads = 16
   dns1 = 8.8.4.4
   dns2 = 8.8.8.8
}

pluto {
}

libstrongswan {
}

Unfortunately, I never enabled logging. But if you need to, I might cope with that.

#3 Updated by Andreas Steffen over 10 years ago

  • Status changed from New to Feedback
  • Assignee set to Andreas Steffen

The directive

rightsourceip=192.168.79.0/29

creates a pool of 6 virtual IP addresses (192.168.79.1 .. 192.168.79.7). Therefore not more than six hosts can connect. If you want more concurrent connections then you must increase the size of the address pool, e.g. to 192.168.79.0/24.

Regards

Andreas
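As an added illustration of the point made in this reply (this is not code from the issue or from strongSwan): a small Python script that reads the conn sections of an ipsec.conf and reports how many virtual IPs each rightsourceip pool can hand out, so an undersized pool is caught before clients start getting associated without a tunnel. The sample config is constructed, and the rule that an in-memory pool skips each subnet's network and broadcast address is an assumption taken from the count of six given above.

```python
import ipaddress
# Constructed sample modelled on the ipsec.conf posted above (not the poster's file).
SAMPLE_IPSEC_CONF = """\
config setup
   uniqueids=never

conn rem
   right=%any
   rightsourceip=192.168.79.0/29   # the /29 discussed in this issue
   auto=add

conn side
   right=%any
   rightsourceip=192.168.77.0/24
   auto=add
"""

def parse_conn_sections(text):
    """Return {conn_name: {key: value}}; in ipsec.conf, parameters are the indented lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()    # drop trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():                # 'conn NAME' / 'config setup' header
            kind, _, name = line.partition(' ')
            current = sections.setdefault(name.strip(), {}) if kind == 'conn' else None
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return sections

def pool_capacity(spec):
    """Usable virtual IPs in a rightsourceip value (comma-separated subnets or hosts).
    Assumption: the in-memory pool skips each subnet's network and broadcast
    address, which gives 6 for the /29 above. Named pools (%name) return None."""
    total = 0
    for part in (p.strip() for p in spec.split(',')):
        if part.startswith('%'):
            return None
        net = ipaddress.ip_network(part, strict=False)
        total += net.num_addresses if net.num_addresses <= 2 else net.num_addresses - 2
    return total

def report_pools(text, expected_clients):
    """Map conn name -> pool capacity for every conn whose pool is smaller than expected."""
    caps = {name: pool_capacity(p['rightsourceip'])
            for name, p in parse_conn_sections(text).items() if 'rightsourceip' in p}
    return {name: cap for name, cap in caps.items() if cap is not None and cap < expected_clients}
```

Running report_pools over the sample with an expected client count of 10 flags only "rem" (6 addresses), which is the situation described in this issue.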

#4 Updated by Boris Yurchenko over 10 years ago

Uhhhh... That was a silly mistake of mine. Thanks a lot for your support!

#5 Updated by Tobias Brunner over 10 years ago

  • Subject changed from Numner of simultaneous connections limited to 5 only to Number of simultaneous connections limited to 5 only
  • Category set to configuration
  • Status changed from Feedback to Closed
  • Resolution set to No change required