[Swan] "cannot install eroute" when second client connected from behind the same NAT

Paul Wouters paul at nohats.ca
Mon Jul 27 15:46:02 EEST 2015


On Sun, 26 Jul 2015, jvpn at use.startmail.com wrote:

> Configured L2TP using slightly simplified instructions from https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
> (RHEL version https://gist.github.com/hwdsl2/e9a78a50e300d12ae195 )
> I used latest libreswan-3.13-1.el6.i686 from epel, my own firewall rules and shorter sysctl list:
>
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.all.rp_filter = 0
>
> Configured two users as suggested in https://gist.github.com/hwdsl2/123b886f29f4c689f531
>
> First user connects fine, but second times out, with "cannot install eroute". Here is a fragment from log file:

This is not currently supported with NETKEY. You can get past the
"eroute is in use" by adding overlapip=yes (I believe we removed the
stack restriction on that) but you still need some iptables rules
based on the reqid to ensure these two flows will work properly.

(We'd gladly receive patches for this :)

Paul

