Hi All:

Currently, 2 private clients behind a NAT gateway cannot communicate (connect) with the public server simultaneously.
1. At first, without configuring "overlapid=yes", pluto.log reported "cannot install eroute, it is in use for XXXX" for the 2nd client to start up. Only the 1st client can communicate with the public server at all times. No matter how many times I restart IPsec on the 2nd machine, pluto.log on the public server reports "cannot install eroute, it is in use for XXXX".

2. I got some clue from http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat and configured "overlapid=yes" on the server side, and added 2 iptables rules on the NAT-GW:

    # 10.0.146.196 is public server; 192.168.161.xxx is private client.
    iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK --set-mark 35
    iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK --set-mark 44

   Now the 2nd client kicks the 1st client out. While the 2nd client can communicate with the server, the 1st client can NOT communicate any more. If I restart IPsec on the 1st client, it kicks the 2nd client out....

3. Since https://download.libreswan.org/CHANGES writes "this resolves multiple clients behind same NAT router issue" in v3.19, and my libreswan is 3.20, I speculate my configuration is wrong???? So can you please tell me how to configure it correctly?

4. My system information:
===============================
Libreswan: 3.20 (netkey) on 3.10.0-693.el7.x86_64
Red Hat Enterprise Linux Server 7.4 (Maipo)
iptables: 1.4.21

IPsec configuration on public server for 1st private client:
===============================
conn 196to44
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=10.0.146.196
    left=10.0.146.196
    # remote
    rightid=192.168.161.44
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    rightsourceip=192.168.161.44
    overlapip=yes
    ## Misc
    auto=start

IPsec configuration on public server for 1st private client:
===============================
conn 196to35
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=10.0.146.196
    left=10.0.146.196
    # remote
    rightid=192.168.161.35
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    rightsourceip=192.168.161.35
    overlapip=yes
    ## Misc
    auto=start

IPsec configuration on 1st private client:
===============================
conn ipv4tran44
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=192.168.161.44
    left=192.168.161.44
    leftsubnet=192.168.161.0/24
    # Remote
    rightid=10.0.146.196
    right=10.0.146.196
    ## Misc
    auto=start

IPsec configuration on 2nd private client:
===============================
conn ipv4tran35
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=192.168.161.35
    left=192.168.161.35
    leftsubnet=192.168.161.0/24
    # Remote
    rightid=10.0.146.196
    right=10.0.146.196
    ## Misc
    auto=start

Configuration on NAT-GW machine:
===============================
service ipsec stop
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth3/proxy_arp
iptables --append INPUT --protocol ESP --in-interface eth1 --jump ACCEPT
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK --set-mark 35
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK --set-mark 44
iptables -t nat -A POSTROUTING -p TCP -o eth1 -j SNAT --to-source 10.0.161.34:20000-40000
iptables -t nat -A POSTROUTING -p UDP -o eth1 -j SNAT --to-source 10.0.161.34:40000-60000

Thanks and regards
Hao Chen
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
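The mail's server-side setup has two conns pointing at the same `right=` (the NAT gateway's public address) with different `rightid`/`rightsourceip`, which is exactly the case where the poster sets `overlapip=yes` on each conn. The following is an added example, not code from the mail or from libreswan: a small lint that parses `conn` sections from an ipsec.conf-style text and reports any conn that shares its `right=` with another conn but lacks `overlapip=yes`. The embedded sample is constructed from the mail's two server conns, trimmed to the relevant keys, with `overlapip` deliberately left off the second conn so the check has something to find.

```python
from collections import defaultdict

# Constructed sample (trimmed from the mail's two server conns; overlapip is
# intentionally omitted on the second conn so the lint reports it).
SAMPLE_CONF = """\
conn 196to44
    left=10.0.146.196
    right=10.0.161.34          # NAT gateway public address
    rightid=192.168.161.44
    rightsourceip=192.168.161.44
    overlapip=yes

conn 196to35
    left=10.0.146.196
    right=10.0.161.34          # same NAT gateway as 196to44
    rightid=192.168.161.35
    rightsourceip=192.168.161.35
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if line.startswith("conn "):           # section header, unindented
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def nat_overlap_findings(conns):
    """List (conn, message) for conns sharing right= but missing overlapip=yes."""
    by_right = defaultdict(list)
    for name, opts in conns.items():
        if "right" in opts:
            by_right[opts["right"]].append(name)
    findings = []
    for right, names in sorted(by_right.items()):
        if len(names) < 2:                     # no overlap, nothing to flag
            continue
        for name in names:
            if conns[name].get("overlapip", "no") != "yes":
                others = ", ".join(n for n in names if n != name)
                findings.append((name, f"shares right={right} with {others} "
                                       "but has no overlapip=yes"))
    return findings
```

Run `nat_overlap_findings(parse_conns(open("/etc/ipsec.conf").read()))` against a real file to list the conns that need attention.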
