[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

Hao Chen earthlovepython at outlook.com
Tue Oct 31 20:00:33 UTC 2017


I appreciate your quick response.


Happy Halloween to the whole community!


This time, I added "mark=-1/0xfffffffff" and "overlapip=yes" to ipsec.conf on the public server side, and did nothing else on the server side.

Though "mark" is NOT listed in https://libreswan.org/man/ipsec.conf.5.html, "service ipsec restart" does *NOT* complain of any error, so libreswan accepts it.

Even with that, the public server still cannot accept 2 private clients behind the NAT GW simultaneously, unfortunately.

Worse, the IPsec channel is totally broken (unreachable for both private clients) after I added "mark=-1/0xfffffffff" to ipsec.conf on the server side.

But after I comment out "mark=-1/0xfffffffff", it recovers; I mean, only 1 private client behind NAT can reach the public server side.




The ipsec.conf on the public server for private client 1 is:

============================================

[root@xcvms196 configs]# more ip4tran16135-44_146196-196to35.conf
conn 196to35
  ike=aes256-md5;modp1536
  authby=secret
  aggrmode=no
  ikelifetime=14409s
  ikev2=yes
  phase2=esp
  type=tunnel      # no difference whether it is tunnel or transport here
  pfs=yes
  rekey=yes
  rekeymargin=540s
  phase2alg=3des,aes256-md5;modp1536
  salifetime=3600s

  # local
  leftid=10.0.146.196
  left=10.0.146.196

  # remote
  rightid=192.168.161.35
  right=10.0.161.34
  rightsubnet=192.168.161.0/24

  overlapip=yes
  mark=-1/0xfffffffff

  ## Misc
  auto=start



The ipsec.conf on the public server for private client 2 is:

============================================

[root@xcvms196 configs]# more ip4tran16135-44_146196-196to44.conf
conn 196to44
  ike=aes256-md5;modp1536
  authby=secret
  aggrmode=no
  ikelifetime=14409s
  ikev2=yes
  phase2=esp
  type=tunnel        # no difference whether it is tunnel or transport here
  pfs=yes
  rekey=yes
  rekeymargin=540s
  phase2alg=3des,aes256-md5;modp1536
  salifetime=3600s

  # local
  leftid=10.0.146.196
  left=10.0.146.196

  # remote
  rightid=192.168.161.44
  right=10.0.161.34
  rightsubnet=192.168.161.0/24

  #
  overlapip=yes
  mark=-1/0xfffffffff



Thanks and regards


Hao Chen




________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Monday, October 30, 2017 23:45
To: Hao Chen
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

On Tue, 31 Oct 2017, Hao Chen wrote:

> I still cannot let 2 private clients behind NAT communicate with the public server simultaneously. Can you please help me?

Did you try the -1 mark that causes unique marks in the XFRM policy per
client, with overlapip=yes set? It should need no custom iptables
rules. That should work. If not, you should let us know what specific
errors or problems you are seeing.

The reqids should then also automatically get generated and be unique
per client. Setting them manually is almost never the right solution.

All of this only needs to happen on the server side. The client side
needs no marking or anything odd, because it has no conflicts itself.

Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20171031/ffda4666/attachment.html>
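Two checks a practitioner would run on the server before reporting back on the thread, as an added example that is not code from libreswan or from either poster. The first validates the value/mask syntax of the mark= option: XFRM marks are 32-bit, so the full mask is 0xffffffff (eight hex digits), whereas the mask in the posted conn files, 0xfffffffff, has nine and cannot fit. The second parses the output of `ip xfrm policy` (its text layout is an assumption of this example) and reports any selector that is installed more than once without distinct marks and reqids, which is exactly what the -1 mark with overlapip=yes is meant to produce for two clients behind one NAT. The policy dumps embedded below are constructed for the poster's addresses, not captured from xcvms196.

```python
"""Sanity checks for libreswan's per-client XFRM marking.

Added example, not code from libreswan or from the poster. It assumes the
text layout printed by `ip xfrm policy` on Linux; the policy dumps below are
constructed samples, not captures from the poster's server.
"""
import re
import sys
from collections import defaultdict

MARK_MAX = 0xFFFFFFFF  # XFRM marks are 32-bit values


def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def check_mark_option(value):
    """Validate an ipsec.conf ``mark=value/mask`` string.

    Returns None when well-formed, otherwise a short reason. A value of -1
    asks libreswan for a unique mark per client, as in Paul's reply.
    """
    m = re.fullmatch(r"\s*(-1|0[xX][0-9a-fA-F]+|\d+)\s*/\s*(0[xX][0-9a-fA-F]+|\d+)\s*",
                     value)
    if not m:
        return "expected value/mask"
    mark, mask = m.group(1), _num(m.group(2))
    if mask == 0:
        return "mask is zero, so the mark never matches"
    if mask > MARK_MAX:
        return "mask 0x%x does not fit in 32 bits" % mask
    if mark != "-1" and _num(mark) > MARK_MAX:
        return "mark value does not fit in 32 bits"
    return None


# Line patterns of `ip xfrm policy` output (assumed layout).
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\S+)")
MARK_RE = re.compile(r"^\s+mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")
REQID_RE = re.compile(r"^\s+proto \S+ reqid (\d+)")


def parse_xfrm_policies(text):
    """Parse a policy dump into dicts with src, dst, dir, mark, mask, reqid."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "mark": 0, "mask": 0, "reqid": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = MARK_RE.match(line)
        if m:
            cur["mark"], cur["mask"] = int(m.group(1), 16), int(m.group(2), 16)
            continue
        m = REQID_RE.match(line)
        if m:
            cur["reqid"] = int(m.group(1))
    return policies


def find_mark_conflicts(policies):
    """Selectors installed more than once must be told apart by mark and reqid.

    Returns a list of (src, dst, dir, reason); empty means every overlapping
    selector carries a distinct, non-zero-masked mark and its own reqid.
    """
    groups = defaultdict(list)
    for p in policies:
        groups[(p["src"], p["dst"], p["dir"])].append(p)
    findings = []
    for key, ps in groups.items():
        if len(ps) < 2:
            continue
        if any(p["mask"] == 0 for p in ps):
            findings.append(key + ("overlapping policy without a mark",))
            continue
        marks = [p["mark"] & p["mask"] for p in ps]
        if len(set(marks)) != len(marks):
            findings.append(key + ("duplicate mark values",))
        reqids = [p["reqid"] for p in ps]
        if len(set(reqids)) != len(reqids):
            findings.append(key + ("duplicate reqid",))
    return findings


def _dump(entries):
    """Constructed `ip xfrm policy` dump for the poster's topology: server
    10.0.146.196, both clients behind NAT 10.0.161.34, both claiming
    192.168.161.0/24. entries = [(mark_text_or_None, reqid), ...]."""
    lines = []
    for mark, reqid in entries:
        lines.append("src 10.0.146.196/32 dst 192.168.161.0/24 ")
        lines.append("\tdir out priority 2080 ptype main ")
        if mark:
            lines.append("\tmark %s" % mark)
        lines.append("\ttmpl src 10.0.146.196 dst 10.0.161.34")
        lines.append("\t\tproto esp reqid %d mode tunnel" % reqid)
    return "\n".join(lines)


SAMPLE_MARKED = _dump([("0x1/0xffffffff", 16389), ("0x2/0xffffffff", 16393)])
SAMPLE_UNMARKED = _dump([(None, 16389), (None, 16393)])

if __name__ == "__main__":
    # Usage on the server: ip xfrm policy | python3 check_xfrm_marks.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNMARKED
    for src, dst, d, why in find_mark_conflicts(parse_xfrm_policies(text)):
        print("%s %s -> %s: %s" % (d, src, dst, why))
```

Run it as `ip xfrm policy | python3 check_xfrm_marks.py` on the public server with both clients connected; an empty result means the kernel holds one marked policy per client for the shared 192.168.161.0/24 selector, which is the state Paul's reply expects. A "without a mark" finding for the shared selector means the mark never reached the kernel and is the first thing to report back on the list.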