[Swan] "cannot install eroute" when second client connected from behind the same NAT

jvpn at use.startmail.com jvpn at use.startmail.com
Mon Jul 27 22:38:17 EEST 2015

Thanks for overlapip=yes suggestion, however, would you mind to let me know what "reqid" is?

Does https://libreswan.org/wiki/SAref_code sample have anything to do with this eroute problem?

In general, logs show that server sees real (behind NAT) client IP address and can, theoretically, construct unique eroute. 

Also, there are several VPN providers which offer L2TP. Do you know if they have any NAT related limitations?

On Monday, July 27, 2015 8:46 AM, Paul Wouters <paul at nohats.ca> wrote:
>> First user connects fine, but second times out, with "cannot install
>> eroute". Here is a fragment from log file:
> This is not currently supported with NETKEY. You can get passed the
> "eroute is in use" by adding overlapip=yes (I believe we removed the
> stack restriction on that) but you still need some iptables rules
> based on the reqid to ensure these two flows will work properly.
> (We'd gladly receive patches for this :)


More information about the Swan mailing list