[Swan] "cannot install eroute" when second client connected from behind the same NAT

jvpn at use.startmail.com jvpn at use.startmail.com
Mon Jul 27 20:53:36 UTC 2015

Adding overlapip=yes allows the second client connection, but then both clients time out and disconnect.

What iptables rules are needed? Are there any samples?


On Monday, July 27, 2015 8:46 AM, Paul Wouters <paul at nohats.ca> wrote:
> This is not currently supported with NETKEY. You can get past the
> "eroute is in use" by adding overlapip=yes (I believe we removed the
> stack restriction on that) but you still need some iptables rules
> based on the reqid to ensure these two flows will work properly.
