[Swan] "cannot install eroute" when second client connected from behind the same NAT

Steve Leung kesteve at kesteve.com
Tue Jul 28 05:43:45 EEST 2015

I have the same problem here. While doing some searches on Google, it looks
like strongswan has a "connmark" plugin
(https://wiki.strongswan.org/projects/strongswan/wiki/Connmark) for this;
they are using a similar idea to what Paul suggested, I think, but they are
matching the SPI instead. However, in this way I think pluto will need to be
updated as well so "ip xfrm" will xfrm packets by src/dst and the mark
defined in iptables.

Still studying... any pointer is appreciated :)

Best regards,

2015-07-28 3:38 GMT+08:00 <jvpn at use.startmail.com>:

> Thanks for the overlapip=yes suggestion, however, would you mind letting me
> know what "reqid" is?
> Does https://libreswan.org/wiki/SAref_code sample have anything to do
> with this eroute problem?
> In general, logs show that server sees real (behind NAT) client IP address
> and can, theoretically, construct unique eroute.
> Also, there are several VPN providers which offer L2TP. Do you know if
> they have any NAT related limitations?
> On Monday, July 27, 2015 8:46 AM, Paul Wouters <paul at nohats.ca> wrote:
> >
> >> First user connects fine, but second times out, with "cannot install
> >> eroute". Here is a fragment from log file:
> >
> > This is not currently supported with NETKEY. You can get past the
> > "eroute is in use" by adding overlapip=yes (I believe we removed the
> > stack restriction on that) but you still need some iptables rules
> > based on the reqid to ensure these two flows will work properly.
> >
> > (We'd gladly receive patches for this :)
> Josh