[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

Hao Chen earthlovepython at outlook.com
Thu Oct 26 17:58:41 UTC 2017


Hi All:

Currently, 2 private clients behind a NAT gateway cannot communicate (connect) with the public server simultaneously.

1.
At first, without configuring "overlapip=yes", pluto.log reported "cannot install eroute, it is in use for XXXX" for the 2nd client to start up.

Only the 1st client can communicate with the public server at any time.
No matter how many times I restart IPsec on the 2nd machine, pluto.log on the public server reports "cannot install eroute, it is in use for XXXX".


2.
I got some clues from http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat
I configured "overlapip=yes" on the server side and added 2 iptables rules on the NAT-GW:

# 10.0.146.196 is public server; 192.168.161.xxx is private client.
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK  --set-mark 35
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK  --set-mark 44

The 2nd client kicks out the 1st client. While the 2nd client can communicate with the server, the 1st client can NOT communicate any more. If I restart IPsec on the 1st client, it kicks the 2nd client out....


3.
Since https://download.libreswan.org/CHANGES says "this resolves multiple clients behind same NAT router issue" for v3.19,
and my libreswan is 3.20, I speculate that my configuration is wrong????
So can you please tell me how to configure it correctly?


4.
My System information:
===============================
Libreswan: 3.20 (netkey) on 3.10.0-693.el7.x86_64
Red Hat Enterprise Linux Server 7.4 (Maipo)
iptables: 1.4.21




IPSec configuration on public server for 1st private client:
===============================
conn 196to44
  ike=aes256-md5;modp1536
  authby=secret
  aggrmode=no
  ikelifetime=14409s
  ikev2=yes
  phase2=esp
  type=transport
  pfs=yes
  rekey=yes
  rekeymargin=540s
  phase2alg=3des,aes256-md5;modp1536
  salifetime=3600s

  # local
  leftid=10.0.146.196
  left=10.0.146.196

  # remote
  rightid=192.168.161.44
  right=10.0.161.34
  rightsubnet=192.168.161.0/24
  rightsourceip=192.168.161.44

  overlapip=yes

  ## Misc
  auto=start



IPSec configuration on public server for 2nd private client:
===============================
conn 196to35
  ike=aes256-md5;modp1536
  authby=secret
  aggrmode=no
  ikelifetime=14409s
  ikev2=yes
  phase2=esp
  type=transport
  pfs=yes
  rekey=yes
  rekeymargin=540s
  phase2alg=3des,aes256-md5;modp1536
  salifetime=3600s
  # local
  leftid=10.0.146.196
  left=10.0.146.196

  # remote
  rightid=192.168.161.35
  right=10.0.161.34
  rightsubnet=192.168.161.0/24
  rightsourceip=192.168.161.35
  overlapip=yes

  ## Misc
  auto=start




IPSec configuration on 1st private client:
===============================
conn ipv4tran44
  ike=aes256-md5;modp1536
  authby=secret
  aggrmode=no
  ikelifetime=14409s
  ikev2=yes
  phase2=esp
  type=transport
  pfs=yes
  rekey=yes
  rekeymargin=540s
  phase2alg=3des,aes256-md5;modp1536
  salifetime=3600s
  # local
  leftid=192.168.161.44
  left=192.168.161.44
  leftsubnet=192.168.161.0/24

  # Remote
  rightid=10.0.146.196
  right=10.0.146.196

  ## Misc
  auto=start




IPSec configuration on 2nd private client:
===============================
conn ipv4tran35
  ike=aes256-md5;modp1536
  authby=secret
  aggrmode=no
  ikelifetime=14409s
  ikev2=yes
  phase2=esp
  type=transport
  pfs=yes
  rekey=yes
  rekeymargin=540s
  phase2alg=3des,aes256-md5;modp1536
  salifetime=3600s

  # local
  leftid=192.168.161.35
  left=192.168.161.35
  leftsubnet=192.168.161.0/24

  # Remote
  rightid=10.0.146.196
  right=10.0.146.196

  ## Misc
  auto=start




configuration on NAT-GW machine
===============================
service ipsec stop
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth3/proxy_arp

iptables --append INPUT --protocol ESP --in-interface eth1 --jump ACCEPT
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK  --set-mark 35
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK  --set-mark 44

iptables -t nat -A POSTROUTING -p TCP -o eth1 -j SNAT --to-source 10.0.161.34:20000-40000
iptables -t nat -A POSTROUTING -p UDP -o eth1 -j SNAT --to-source 10.0.161.34:40000-60000





Thanks and regards
Hao Chen
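As an added example, not part of this post or of libreswan itself: a small Python lint that parses conn blocks like the ones quoted above and flags conns whose left/right traffic selectors coincide while some of them lack overlapip=yes, which is the overlap behind the "cannot install eroute, it is in use" message. The sample input is constructed from the server-side conns above, with overlapip dropped from the second one so the check has something to report.

```python
from collections import defaultdict

# Constructed input: the two server-side conns from the post, trimmed to the
# selector-relevant keys, with overlapip deliberately left off the second one.
SAMPLE_CONF = """\
conn 196to44
  type=transport
  left=10.0.146.196
  right=10.0.161.34
  rightsubnet=192.168.161.0/24
  rightsourceip=192.168.161.44
  overlapip=yes
  auto=start

conn 196to35
  type=transport
  left=10.0.146.196
  right=10.0.161.34
  rightsubnet=192.168.161.0/24
  rightsourceip=192.168.161.35
  auto=start
"""

SELECTOR_KEYS = ("left", "leftsubnet", "right", "rightsubnet")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns


def find_overlaps(conns):
    """Map each shared selector tuple to the conns using it without overlapip=yes."""
    groups = defaultdict(list)
    for name, opts in conns.items():
        groups[tuple(opts.get(k, "") for k in SELECTOR_KEYS)].append(name)
    problems = {}
    for selector, names in groups.items():
        missing = sorted(n for n in names if conns[n].get("overlapip") != "yes")
        if len(names) > 1 and missing:   # overlap only matters with 2+ conns
            problems[selector] = missing
    return problems
```

Running find_overlaps(parse_conns(SAMPLE_CONF)) reports 196to35 under the shared selector; with overlapip=yes on both conns, as in the post, it reports nothing.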


