[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

Paul Wouters paul at nohats.ca
Fri Oct 27 01:53:48 UTC 2017


On Thu, 26 Oct 2017, Hao Chen wrote:

> At first, without configuring "overlapid=yes", pluto.log reported "cannot install eroute, it is in use for XXXX" for the 2nd client to start up.
> 
> Only the 1st client can communicate with the public server at any time.
> No matter how many times I restart IPsec on the 2nd machine, pluto.log on the public server reports "cannot install eroute, it is in use for XXXX".
> 
> 
> 2.
> I got some clues from http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat
> I configured "overlapid=yes" on the server side, and added 2 iptables rules on the NAT-GW:

Instead of NAT, use:

    mark=-1/0xffffffff

This should install the policies with a unique mark for each connection.
When used with overlapip=yes, it should install multiple policies to
the same IPs with the mark causing the rules to be different and not
clash.

The only limitation is that traffic must be initiated from the client,
to get the initial MARK. If multiple clients clash, then you cannot
from the server connect to the one IP and expect to reach one or the
other. But in the typical use of IPsec Transport Mode with L2TP, it
is always the client generating the traffic so this solution works.

Paul
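The server-side setup Paul describes, written out as an added example (not taken from the thread or from the libreswan project's own samples): a transport-mode L2TP/IPsec conn that accepts several clients behind one NAT by combining overlapip=yes with a per-connection mark. The server address 192.0.2.1 and the conn name are placeholders; a matching PSK entry in ipsec.secrets is assumed.

```ini
# Added example, not from the mailing-list thread.
# Server-side /etc/ipsec.conf fragment for L2TP/IPsec transport mode.
conn l2tp-psk-nat
	type=transport
	authby=secret
	ikev2=no
	pfs=no
	rekey=no
	# Placeholder public address of the IPsec server.
	left=192.0.2.1
	leftprotoport=17/1701
	# Road-warrior clients; %any in the port lets NAT-translated
	# source ports through.
	right=%any
	rightprotoport=17/%any
	# Permit several policies to the same (NAT-translated) client IP.
	# Without this the 2nd client fails with
	# "cannot install eroute, it is in use for ...".
	overlapip=yes
	# -1 tells pluto to pick a unique mark per connection instance;
	# the mask 0xffffffff means the full mark value is compared, so the
	# overlapping policies differ by mark instead of clashing.
	mark=-1/0xffffffff
	auto=add
```

After two clients connect, `ip xfrm policy` on the server should list separate policies for the same peer address that differ only in their `mark` line; as noted above, traffic still has to originate from each client so the right mark is learned.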

