[Swan] "cannot install eroute" when second client connected from behind the same NAT

jvpn at use.startmail.com jvpn at use.startmail.com
Tue Dec 29 04:20:22 UTC 2015


I don't know how it is done but softether vpn server accepts at least two L2TP connections from behind the same NAT/subnet and traffic flows to/from both devices.

On Tuesday, July 28, 2015 10:38 PM, Steve Leung <kesteve at kesteve.com> wrote:
> Thank you Paul, I'm wondering if this idea can be applied to NETKEY, I
> guess in this case pluto will need to be updated as well? so that adding
> new SA will include "mark", and then updown script can insert iptables
> rule
> in the mangle table to set connmark according to different SPI.
> 
> Best regards,
> Steve
> 
> 
> 2015-07-28 16:11 GMT+08:00 Paul Wouters <paul at nohats.ca>:
> 
>> On Tue, 28 Jul 2015, Steve Leung wrote:
>>
>>  I have the same problem here. While doing some searches on Google,
>> looks
>>> like strongswan has a "connmark"
>>> plugin (https://wiki.strongswan.org/projects/strongswan/wiki/Connmark)
>>> for this, they are using a similar
>>> idea as Paul suggested I think, but they are matching the spi instead.
>>> However in this way I think pluto
>>> will need to be updated as well so "ip xfrm" will xfrm packets by
>>> src/dst
>>> and the mark defined in iptables.
>>>
>>> Still studying.. any pointer is appreciated :)
>>>
>>
>> We currently don't expose the SPI numbers to the updown scripts,
>> although
>> we do expose the reqid. SPIs is something we can add if people want to
>> use
>> it for connmark. It seems both spi and reqid are supposed with
>> iptables:
>>
>> http://ipset.netfilter.org/iptables-extensions.man.html
>>
>> Apart from exposing the SPIs, we would not need to make any changes to
>> pluto. This is why we use the updown scripts, to give people to freedom
>> to do things on a per-sa basis. We could change the updown script to
>> detect NAT+transport mode and automatically insert the right iptables
>> rules when we see this happening. That would be my preference over a
>> new keyword.
>>
>> Paul
>>


More information about the Swan mailing list