[Swan] "cannot install eroute" when second client connected from behind the same NAT

jvpn at use.startmail.com
Sun Jul 26 22:05:23 EEST 2015


Configured L2TP using slightly simplified instructions from https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
(RHEL version https://gist.github.com/hwdsl2/e9a78a50e300d12ae195 )
I used the latest libreswan-3.13-1.el6.i686 from epel, my own firewall rules and a shorter sysctl list:

net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0

Configured two users as suggested in https://gist.github.com/hwdsl2/123b886f29f4c689f531

The first user connects fine, but the second times out with "cannot install eroute". Here is a fragment from the log file:

Jul 26 14:16:25 localhost pluto[4299]: "vpnpsk"[8] <client external IP> #27: responding to Quick Mode proposal {msgid:ebbfa25f}
Jul 26 14:16:25 localhost pluto[4299]: "vpnpsk"[8] <client external IP> #27:     us: <server IP>/32===<server IP><<server IP>>:17/1701
Jul 26 14:16:25 localhost pluto[4299]: "vpnpsk"[8] <client external IP> #27:   them: <client external IP>[<client internal IP>]:17/0
Jul 26 14:16:25 localhost pluto[4299]: "vpnpsk"[8] <client external IP> #27: cannot install eroute -- it is in use for "vpnpsk"[6] <client external IP> #6

I saw a similar subject in the archives (https://lists.libreswan.org/pipermail/swan/2014/001001.html) but it seems to be a slightly different case.
Is this an IPsec limitation or an error in configuration?

Thanks,
Josh.

