[Swan] "cannot install eroute" when second client connected from behind the same NAT

Paul Wouters paul at nohats.ca
Tue Jul 28 11:11:53 EEST 2015


On Tue, 28 Jul 2015, Steve Leung wrote:

> I have the same problem here. While doing some searches on Google, looks like strongswan has a "connmark"
> plugin (https://wiki.strongswan.org/projects/strongswan/wiki/Connmark) for this, they are using a similar
> idea as Paul suggested I think, but they are matching the spi instead. However in this way I think pluto
> will need to be updated as well so "ip xfrm" will xfrm packets by src/dst and the mark defined in iptables.
> 
> Still studying.. any pointer is appreciated :)

We currently don't expose the SPI numbers to the updown scripts, although
we do expose the reqid. SPIs are something we can add if people want to use
them for connmark. It seems both spi and reqid are supported with iptables:

http://ipset.netfilter.org/iptables-extensions.man.html

Apart from exposing the SPIs, we would not need to make any changes to
pluto. This is why we use the updown scripts, to give people the freedom
to do things on a per-sa basis. We could change the updown script to
detect NAT+transport mode and automatically insert the right iptables
rules when we see this happening. That would be my preference over a
new keyword.

Paul
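The per-SA updown approach described above, as an added shell example (not libreswan's own _updown script and not Paul's code): it emits the iptables connmark rules for one transport-mode SA, keyed on its reqid via the iptables policy match. The environment variable names PLUTO_REQID and PLUTO_CONN_POLICY, and using the reqid itself as the mark value, are assumptions.

```shell
#!/bin/sh
# Added example, not part of libreswan. Assumes pluto exports PLUTO_VERB,
# PLUTO_REQID and PLUTO_CONN_POLICY to the updown script (the last two are
# assumed names) and that the iptables "policy" match (--reqid/--mode) exists.

# needs_connmark: true when this SA is transport mode (where two peers behind
# one NAT collide and per-SA marking is needed). Tunnel-mode SAs are left alone.
needs_connmark() {
    case "${PLUTO_CONN_POLICY:-}" in
        *TRANSPORT*) return 0 ;;
        *)           return 1 ;;
    esac
}

# connmark_rule ACTION REQID -> one iptables command per line.
# ACTION is -A for the up verbs and -D for the down verbs, so the delete
# mirrors the insert exactly and nothing is left behind when the SA goes away.
connmark_rule() {
    action=$1; reqid=$2
    # Inbound: after ESP decapsulation, tag the connection with the reqid of
    # the SA the packet arrived on. The mark value doubles as the reqid.
    printf 'iptables -t mangle %s PREROUTING -m policy --dir in --pol ipsec --mode transport --reqid %s -j CONNMARK --set-mark %s\n' \
        "$action" "$reqid" "$reqid"
    # Outbound: copy that connection mark back onto reply packets, so an xfrm
    # policy carrying the same mark can steer them into the matching SA.
    printf 'iptables -t mangle %s OUTPUT -m connmark --mark %s -j CONNMARK --restore-mark\n' \
        "$action" "$reqid"
}

# Dispatch on the updown verb; other verbs (prepare-, route-, ...) are left to
# the stock _updown script that would normally call this hook. Nothing runs
# when PLUTO_VERB is unset, so the file can be sourced for testing.
if needs_connmark; then
    case "${PLUTO_VERB:-}" in
        up-client|up-host)     connmark_rule -A "$PLUTO_REQID" | sh ;;
        down-client|down-host) connmark_rule -D "$PLUTO_REQID" | sh ;;
    esac
fi
```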
