I’ve only realised this one when I was using my laptop, then tried to connect to the same resource from my mobile phone.
Symptoms
Road warrior client #1 cannot access anything through the VPN tunnel after road warrior client #2 connects. Road warrior client #2 may be able to communicate OK.
Cause
A stray rightsubnet statement in ipsec.conf is applying the wrong remote traffic selector (subnet filter) to road warrior connections. This can be confirmed by running “strongswan status”:
[root@PC ~]# strongswan status
Security Associations (2 up, 0 connecting):
rw-eap[48]: ESTABLISHED 106 seconds ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...46.233.nnn.nnn[My_Laptop]
rw-eap{198}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
rw-eap{198}: 0.0.0.0/0 === 192.168.6.0/24
rw-eap[47]: ESTABLISHED 4 minutes ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...85.255.nnn.nnn[My_Mobile]
rw-eap{197}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
rw-eap{197}: 0.0.0.0/0 === 192.168.6.0/24
Note that 192.168.6.0/24 is being used as the remote traffic selector for each client, i.e. a whole subnet behind the client. This is wrong: it should be that client's own virtual IP, my.ip.v4.address/32. Because both CHILD_SAs end up with identical traffic selectors (they even share reqid 37), the two clients compete for the same IPsec policy and traffic for the first client is matched against the second client's SA.
Resolution
Comment out (hash) the following statement in ipsec.conf:
rightsubnet=192.168.6.0/24
and restart strongSwan. “strongswan status” should now look something like this, with each client's own virtual IP as a /32:
[root@PC ~]# strongswan status
Security Associations (2 up, 0 connecting):
rw-eap[3]: ESTABLISHED 103 seconds ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...85.255.nnn.nnn[My_Mobile]
rw-eap{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
rw-eap{3}: 0.0.0.0/0 === 192.168.6.11/32
rw-eap[2]: ESTABLISHED 2 minutes ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...46.233.nnn.nnn[My_Laptop]
rw-eap{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
rw-eap{2}: 0.0.0.0/0 === 192.168.6.12/32
This can be confirmed by accessing resources on the host network from each of the road warriors simultaneously.
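A quick way to catch this regression before a second client complains is to check the “strongswan status” output for CHILD_SAs that share a remote traffic selector, or whose remote selector is not a single /32 host. The following script is an added example, not part of the original post; the two sample captures are constructed from the broken and fixed outputs above (with documentation addresses), and the check assumes one remote selector per CHILD_SA.

```shell
#!/bin/sh
# Added check (not from the original post): read "strongswan status" output and
# flag CHILD_SAs whose remote traffic selector is shared with another CHILD_SA
# or is wider than a single /32 host. Each road warrior should get its own
# virtual IP /32, so either finding points at a stray rightsubnet= in ipsec.conf.
# Assumption: one remote selector per CHILD_SA line.

check_selectors() {
    awk '
        # CHILD_SA selector lines look like:  name{id}: local === remote
        /[{][0-9]+[}]: .* === / {
            remote = substr($0, index($0, "===") + 3)
            gsub(/^ +| +$/, "", remote)
            seen[remote]++
        }
        END {
            bad = 0
            for (r in seen) {
                if (seen[r] > 1) { printf "shared remote selector %s (%d CHILD_SAs)\n", r, seen[r]; bad = 1 }
                else if (r !~ "/32$") { printf "remote selector %s is not a single host\n", r; bad = 1 }
            }
            exit bad
        }'
}

# Constructed samples modelled on the two captures above (addresses are
# documentation ranges, not the post's real ones).
SAMPLE_BROKEN=' rw-eap[48]: ESTABLISHED 106 seconds ago, 192.0.2.1[vpn]...198.51.100.7[My_Laptop]
 rw-eap{198}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
 rw-eap{198}: 0.0.0.0/0 === 192.168.6.0/24
 rw-eap[47]: ESTABLISHED 4 minutes ago, 192.0.2.1[vpn]...203.0.113.9[My_Mobile]
 rw-eap{197}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
 rw-eap{197}: 0.0.0.0/0 === 192.168.6.0/24'
SAMPLE_FIXED=' rw-eap[3]: ESTABLISHED 103 seconds ago, 192.0.2.1[vpn]...203.0.113.9[My_Mobile]
 rw-eap{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
 rw-eap{3}: 0.0.0.0/0 === 192.168.6.11/32
 rw-eap[2]: ESTABLISHED 2 minutes ago, 192.0.2.1[vpn]...198.51.100.7[My_Laptop]
 rw-eap{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
 rw-eap{2}: 0.0.0.0/0 === 192.168.6.12/32'

# Stand-alone demo: reports the shared /24 for the broken capture, nothing for
# the fixed one. On a live gateway, source this file and run:
#   strongswan status | check_selectors
for sample in "$SAMPLE_BROKEN" "$SAMPLE_FIXED"; do
    if printf '%s\n' "$sample" | check_selectors; then
        echo "OK: every road warrior has its own /32"
    fi
done
```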