[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?
Hao Chen
earthlovepython at outlook.com
Thu Oct 26 17:58:41 UTC 2017
Hi All:
Currently, 2 private clients behind a NAT gateway cannot communicate (connect) with the public server simultaneously.
1. At first, without configuring "overlapip=yes", pluto.log reports "cannot install eroute, it is in use for XXXX" for the 2nd client to start up.
Only the 1st client can communicate with the public server the whole time.
No matter how many times I restart IPsec on the 2nd machine, pluto.log on the public server reports "cannot install eroute, it is in use for XXXX".
2. I got some clues from http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat
I configured "overlapip=yes" on the server side and added 2 iptables rules on the NAT-GW:
# 10.0.146.196 is the public server; 192.168.161.xxx is a private client.
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK --set-mark 35
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK --set-mark 44
The 2nd client kicks out the 1st client. While the 2nd client can communicate with the server, the 1st client can NOT communicate any more. If I restart IPsec on the 1st client, it kicks the 2nd client out....
3. Since https://download.libreswan.org/CHANGES says "this resolves multiple clients behind same NAT router issue" in v3.19, and my libreswan is 3.20, I speculate my configuration is wrong????
So can you please tell me how to configure it correctly?
4. My system information:
===============================
Libreswan: 3.20 (netkey) on 3.10.0-693.el7.x86_64
Red Hat Enterprise Linux Server 7.4 (Maipo)
iptables: 1.4.21
IPSec configuration on public server for 1st private client:
===============================
conn 196to44
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=10.0.146.196
    left=10.0.146.196
    # remote
    rightid=192.168.161.44
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    rightsourceip=192.168.161.44
    overlapip=yes
    ## Misc
    auto=start
IPSec configuration on public server for 2nd private client:
===============================
conn 196to35
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=10.0.146.196
    left=10.0.146.196
    # remote
    rightid=192.168.161.35
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    rightsourceip=192.168.161.35
    overlapip=yes
    ## Misc
    auto=start
IPSec configuration on 1st private client:
===============================
conn ipv4tran44
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=192.168.161.44
    left=192.168.161.44
    leftsubnet=192.168.161.0/24
    # Remote
    rightid=10.0.146.196
    right=10.0.146.196
    ## Misc
    auto=start
IPSec configuration on 2nd private client:
===============================
conn ipv4tran35
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=transport
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=192.168.161.35
    left=192.168.161.35
    leftsubnet=192.168.161.0/24
    # Remote
    rightid=10.0.146.196
    right=10.0.146.196
    ## Misc
    auto=start
configuration on NAT-GW machine
===============================
service ipsec stop
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth3/proxy_arp
iptables --append INPUT --protocol ESP --in-interface eth1 --jump ACCEPT
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK --set-mark 35
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK --set-mark 44
iptables -t nat -A POSTROUTING -p TCP -o eth1 -j SNAT --to-source 10.0.161.34:20000-40000
iptables -t nat -A POSTROUTING -p UDP -o eth1 -j SNAT --to-source 10.0.161.34:40000-60000
Thanks and regards
Hao Chen
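The two server-side conns above both point at the same NAT-GW address (right=10.0.161.34) and claim the same rightsubnet (192.168.161.0/24), which is exactly the condition under which pluto refuses to install a second eroute unless overlapip=yes is set. The following script is an added example, not code from the poster or from the libreswan project: it parses ipsec.conf-style conn sections, groups conns by peer address, and reports every pair whose remote traffic selectors overlap together with whether both conns carry overlapip=yes. The sample configuration embedded in it is constructed from the two server conns in the message plus a third, hypothetical conn (196to50) that lacks overlapip, so that the check has both a passing and a failing pair to show. The overlap test is a simple selector comparison using Python's ipaddress module, not a reimplementation of pluto's own eroute bookkeeping.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in ipsec.conf syntax: the two server-side conns from the
# message above plus a hypothetical third conn (196to50) without overlapip.
SAMPLE_CONF = """\
conn 196to44
    ikev2=yes
    type=transport
    left=10.0.146.196
    rightid=192.168.161.44
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    overlapip=yes
    auto=start

conn 196to35
    ikev2=yes
    type=transport
    left=10.0.146.196
    rightid=192.168.161.35
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    overlapip=yes
    auto=start

# hypothetical third client, constructed for this example only
conn 196to50
    ikev2=yes
    type=transport
    left=10.0.146.196
    rightid=192.168.161.50
    right=10.0.161.34
    rightsubnet=192.168.161.0/25
    auto=start
"""

_PARAM = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.

    '#' comments are stripped; a 'conn NAME' line opens a section and every
    following key=value line belongs to it.  Indentation is not required, so
    the unindented configs quoted in the message parse as well.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.lstrip().startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
            continue
        m = _PARAM.match(line)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2)
    return conns


def peer_selector(params):
    """Remote traffic selector: rightsubnet, or right/32 when no subnet is set."""
    subnet = params.get("rightsubnet") or f"{params['right']}/32"
    return ipaddress.ip_network(subnet, strict=False)


def find_overlaps(conns):
    """Return [(conn_a, conn_b, both_have_overlapip)] for conn pairs that share
    the same peer address ('right') and whose remote selectors overlap."""
    findings = []
    for (name_a, a), (name_b, b) in combinations(sorted(conns.items()), 2):
        # Only conns terminating at the same peer can collide on an eroute.
        if not a.get("right") or a.get("right") != b.get("right"):
            continue
        if not peer_selector(a).overlaps(peer_selector(b)):
            continue
        ok = all(c.get("overlapip", "no").lower() == "yes" for c in (a, b))
        findings.append((name_a, name_b, ok))
    return findings


if __name__ == "__main__":
    for a, b, ok in find_overlaps(parse_conns(SAMPLE_CONF)):
        status = "overlapip=yes on both" if ok else "overlapip missing"
        print(f"{a} / {b}: overlapping remote selectors ({status})")
```

Running it against a real /etc/ipsec.conf (read the file into parse_conns) lists every pair of conns that will compete for the same eroute; a pair reported with "overlapip missing" is the one pluto will reject with "cannot install eroute, it is in use for ...".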