[Swan] "cannot install eroute" when second client connected from behind the same NAT

Steve Leung kesteve at kesteve.com
Wed Jul 29 03:38:53 UTC 2015

Thank you Paul. I'm wondering if this idea can be applied to NETKEY. I
guess in this case pluto will need to be updated as well, so that adding
a new SA will include "mark", and then the updown script can insert an
iptables rule in the mangle table to set connmark according to different SPI?

Best regards,

2015-07-28 16:11 GMT+08:00 Paul Wouters <paul at nohats.ca>:

> On Tue, 28 Jul 2015, Steve Leung wrote:
>> I have the same problem here. While doing some searches on Google, looks
>> like strongswan has a "connmark"
>> plugin (https://wiki.strongswan.org/projects/strongswan/wiki/Connmark)
>> for this, they are using a similar
>> idea as Paul suggested I think, but they are matching the spi instead.
>> However in this way I think pluto
>> will need to be updated as well so "ip xfrm" will xfrm packets by src/dst
>> and the mark defined in iptables.
>> Still studying.. any pointer is appreciated :)
>
> We currently don't expose the SPI numbers to the updown scripts, although
> we do expose the reqid. SPIs are something we can add if people want to use
> them for connmark. It seems both spi and reqid are supported with iptables:
> http://ipset.netfilter.org/iptables-extensions.man.html
>
> Apart from exposing the SPIs, we would not need to make any changes to
> pluto. This is why we use the updown scripts, to give people the freedom
> to do things on a per-SA basis. We could change the updown script to
> detect NAT+transport mode and automatically insert the right iptables
> rules when we see this happening. That would be my preference over a
> new keyword.
>
> Paul