[Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

Hao Chen earthlovepython at outlook.com
Tue Oct 31 20:37:47 UTC 2017


I appreciate your help!


With "mark=0xfffffffff" in ipsec.conf, output of "ip xfrm XYZ" after I ran "service ipsec restart" on the 2nd private client:
(neither of the 2 private clients behind NAT can reach the public IP)
=================================================================================
[root at xcvms196 configs]# ip x s
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xb7d2dbc9 reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x5d9962ff579e65ce56b0cb71bf4ca667 96
        enc cbc(des3_ede) 0x0984fd0119de418333b3f8ec53b63459b7788f80b2f50546
        encap type espinudp sport 40003 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x37b, oseq 0x0, bitmap 0xffffffff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x2544dacb reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0xabec2b482bcb1f15bf8e46fd75d985d7 96
        enc cbc(des3_ede) 0xd14870879408fe7734133829e2b1057267698c37187ef692
        encap type espinudp sport 4500 dport 40003 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0x23165b92 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x7eee3a5f4def6df269eb6a0f8f1f4422 96
        enc cbc(des3_ede) 0xf9c4d8e3bd74ae58615214bcdcf2ecc76c0eda23cc04d3f9
        encap type espinudp sport 40004 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x380, oseq 0x0, bitmap 0xffffffff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x109c5faf reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x1fc378045127c2988db46ac013bca353 96
        enc cbc(des3_ede) 0x38b1da3d6132cc8f7dd63f76bee579b0fa81ba4079d6cdcf
        encap type espinudp sport 4500 dport 40004 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
[root at xcvms196 configs]#
[root at xcvms196 configs]# ip x p
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.146.196/32 dst 192.168.161.0/24
        dir out priority 2088 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir out priority 1 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main




With "mark=-1" in ipsec.conf, output of "ip xfrm XYZ" after I ran "service ipsec restart" on the 2nd private client:
(neither of the 2 private clients behind NAT can reach the public IP)
=================================================================================
[root at xcvms196 configs]# ip x s
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xd93232ff reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x843533582499dd7a87f99c498828432b 96
        enc cbc(des3_ede) 0x1d1790a25fd9fc5dac8085cd012ec0519f689067be4bc3c7
        encap type espinudp sport 40003 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xb, oseq 0x0, bitmap 0x000007ff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0xd657e94d reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0xd6302e3add8a7151d6751cbb40968bae 96
        enc cbc(des3_ede) 0x56efafb3e50c548c989346b651ef59e2b2929b522aae1609
        encap type espinudp sport 4500 dport 40003 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xe0879ba6 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x85d312973f015ee7001f1487bb5199f4 96
        enc cbc(des3_ede) 0x7271cd1bdca6efd80adec728fe05043cc81d21f68303491a
        encap type espinudp sport 40004 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x12, oseq 0x0, bitmap 0x0003ffff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0xd26b1f55 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x0ea32b5e8f5fa8afbd42fff7d0d2f9c3 96
        enc cbc(des3_ede) 0x7b595d3727f5f0f4f1c600405aab963e24c637a431d0957e
        encap type espinudp sport 4500 dport 40004 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
[root at xcvms196 configs]#
[root at xcvms196 configs]# ip x p
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.146.196/32 dst 192.168.161.0/24
        dir out priority 2088 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir out priority 1 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main




With "mark=-1/0xffffffff" in ipsec.conf, output of "ip xfrm XYZ" after I ran "service ipsec restart" on the 2nd private client:
(neither of the 2 private clients behind NAT can reach the public IP)
=================================================================================
[root at xcvms196 ~]# ip x s
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xb3a79b2f reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0xa7dbfd2ad1750d980f375c76bc95040b 96
        enc cbc(des3_ede) 0x19fdc2b58fb1fb5a106d8632ad9ee2a81b5d6e43a68a757f
        encap type espinudp sport 40003 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x9, oseq 0x0, bitmap 0x000001ff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x378ff7e6 reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x25750e89ce04610fea560e71a072c69c 96
        enc cbc(des3_ede) 0x7ae39c9f2cff18c61839979ea9c34116afd366cc773a1517
        encap type espinudp sport 4500 dport 40003 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0x3091a747 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0xcffe57b25b5fd2cdcc5a539636233f77 96
        enc cbc(des3_ede) 0x397ad04de7320d9ff100bd5e271d58fb081aca2f503e7966
        encap type espinudp sport 40004 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xd, oseq 0x0, bitmap 0x00001fff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x8c797833 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x88ba1a43b0aea8250c04a4c25bbfe651 96
        enc cbc(des3_ede) 0x8b12cdb49ec89fc2f5a7a909fd6ab12fc2599692db92a185
        encap type espinudp sport 4500 dport 40004 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
[root at xcvms196 ~]#
[root at xcvms196 ~]# ip x p
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.146.196/32 dst 192.168.161.0/24
        dir out priority 2088 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir out priority 1 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
[root at xcvms196 ~]#



Without "mark=-1/0xffffffff" in ipsec.conf, output of "ip xfrm XYZ" after I ran "service ipsec restart" on the 2nd private client:
(only one of the 2 private clients behind NAT can reach the public IP at any time)
=================================================================================
[root at xcvms196 ~]# ip x s
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0x2832c317 reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x899660ce1c2cc44550abd4c49730e0dc 96
        enc cbc(des3_ede) 0xf048c9086049df305133db7fcec3d8bb94413bf7e7d51ed0
        encap type espinudp sport 40003 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x7, oseq 0x0, bitmap 0x0000007f
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0xfd31b8ab reqid 16401 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x9fa6f238d41e28f4ef8716daeb9b56c9 96
        enc cbc(des3_ede) 0x104650e68eaaacb6d0217b1f68bdf0be3721027d731ea49f
        encap type espinudp sport 4500 dport 40003 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x7, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xc5ec32a0 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0xa204c30abc6f657448ae35fafe33073b 96
        enc cbc(des3_ede) 0x72700dafa81ba243df7d441734f46571144b5b1c5fa26ce4
        encap type espinudp sport 40004 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xd, oseq 0x0, bitmap 0x00001fff
        sel src 10.0.161.34/32 dst 10.0.146.196/32
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x3ef1eb49 reqid 16397 mode transport
        replay-window 32
        auth-trunc hmac(md5) 0x53554a6e8089d5c4e23497a201ba5b83 96
        enc cbc(des3_ede) 0x767c4d4e52d96e573f7d77dcf9318a14b8cd12e49f322133
        encap type espinudp sport 4500 dport 40004 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x5, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 10.0.161.34/32
src 10.0.146.196 dst 192.168.161.44
        proto esp spi 0x00000000 reqid 0 mode transport
        replay-window 0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 192.168.161.44/32 proto icmp type 0 code 0 dev eth0
src 10.0.146.196 dst 192.168.161.35
        proto esp spi 0x00000000 reqid 0 mode transport
        replay-window 0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.0.146.196/32 dst 192.168.161.35/32 proto icmp type 0 code 0 dev eth0
[root at xcvms196 ~]#
[root at xcvms196 ~]# ip x p
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.146.196/32 dst 192.168.161.0/24
        dir out priority 2088 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir out priority 1 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
[root at xcvms196 ~]#




________________________________
From: Paul Wouters <paul at nohats.ca>
Sent: Tuesday, October 31, 2017 13:16
To: Hao Chen
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

On Tue, 31 Oct 2017, Hao Chen wrote:

> in 1st round, only put "mark=-1" in IPsec.conf on server side.
>
> After "service ipsec restart", none of 2 private clients can reach public server.

What did ip xfrm state and ip xfrm policy show ? Did the SA get
installed with unique marks for both clients?

Paul
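Added here as an illustration, not part of the original thread and not libreswan code: a small Python script that parses `ip xfrm state` and `ip xfrm policy` output and answers the question Paul raises above, namely whether each client behind the NAT got its own reqid and whether the installed policies carry a distinct mark per client. The input is a constructed sample abbreviated from the `mark=0xfffffffff` output quoted above (key material and selector lines dropped); the function and field names are the script's own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: abbreviated from the `ip x s` / `ip x p` output quoted in the
# thread. Two clients (NAT-T ports 40003 and 40004) share the same src/dst pair.
SAMPLE_STATE = """\
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0xb7d2dbc9 reqid 16401 mode transport
        encap type espinudp sport 40003 dport 4500 addr 0.0.0.0
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x2544dacb reqid 16401 mode transport
        encap type espinudp sport 4500 dport 40003 addr 0.0.0.0
src 10.0.161.34 dst 10.0.146.196
        proto esp spi 0x23165b92 reqid 16397 mode transport
        encap type espinudp sport 40004 dport 4500 addr 0.0.0.0
src 10.0.146.196 dst 10.0.161.34
        proto esp spi 0x109c5faf reqid 16397 mode transport
        encap type espinudp sport 4500 dport 40004 addr 0.0.0.0
"""

SAMPLE_POLICY = """\
src 10.0.146.196/32 dst 10.0.161.34/32
        dir out priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
src 10.0.161.34/32 dst 10.0.146.196/32
        dir in priority 2080 ptype main
        mark -1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16401 mode transport
"""


def _records(text):
    """Split `ip xfrm` output into one string per record (records start unindented)."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            recs.append([line.strip()])
        elif recs:
            recs[-1].append(line.strip())
    return [" ".join(r) for r in recs]


def parse_states(text):
    """Return one dict per SA: endpoints, spi, reqid and NAT-T (sport, dport) if any."""
    sas = []
    for rec in _records(text):
        m = re.match(r"src (\S+) dst (\S+) .*?spi (0x[0-9a-f]+) reqid (\d+)", rec)
        if not m:
            continue
        enc = re.search(r"encap type \S+ sport (\d+) dport (\d+)", rec)
        sas.append({"src": m.group(1), "dst": m.group(2), "spi": m.group(3),
                    "reqid": int(m.group(4)),
                    "encap": (int(enc.group(1)), int(enc.group(2))) if enc else None})
    return sas


def parse_policies(text):
    """Return one dict per directional policy; mark is (value, mask) or None if unmarked."""
    pols = []
    for rec in _records(text):
        m = re.match(r"src (\S+) dst (\S+)(?: .*?)? dir (\w+) priority (\d+)", rec)
        if not m:
            continue  # socket policies have no dir and are not client policies
        mark = re.search(r"mark (-?\w+)/(0x[0-9a-f]+)", rec)
        tmpl = re.search(r"tmpl .*?reqid (\d+)", rec)
        pols.append({"src": m.group(1), "dst": m.group(2), "dir": m.group(3),
                     "mark": (int(mark.group(1), 0) & 0xffffffff, int(mark.group(2), 16)) if mark else None,
                     "reqid": int(tmpl.group(1)) if tmpl else None})
    return pols


def check_marks(state_text, policy_text):
    """Group SAs per reqid (one per client) and test for one distinct policy mark per client."""
    clients = defaultdict(lambda: {"sas": 0, "encap_ports": set()})
    selectors = defaultdict(set)
    for sa in parse_states(state_text):
        if sa["reqid"] == 0:  # larval/acquire entries, not a negotiated client SA
            continue
        c = clients[sa["reqid"]]
        c["sas"] += 1
        if sa["encap"]:  # the NAT'd client is the side whose UDP port is not 4500
            c["encap_ports"].update(p for p in sa["encap"] if p != 4500)
        selectors[(sa["src"], sa["dst"])].add(sa["reqid"])
    esp_pols = [p for p in parse_policies(policy_text) if p["reqid"] in clients]
    marks = {p["mark"] for p in esp_pols}
    return {
        "clients": {r: {"sas": c["sas"], "encap_ports": sorted(c["encap_ports"])}
                    for r, c in clients.items()},
        "colliding_selectors": {k: sorted(v) for k, v in selectors.items() if len(v) > 1},
        "orphan_reqids": sorted(set(clients) - {p["reqid"] for p in esp_pols}),
        "marks": sorted(marks, key=str),
        "unique_marks": None not in marks and len(marks) == len(clients),
    }


if __name__ == "__main__":
    # usage: script.py [state.txt policy.txt]; without files the embedded sample is analysed
    s, p = (open(a).read() for a in sys.argv[1:3]) if len(sys.argv) == 3 else (SAMPLE_STATE, SAMPLE_POLICY)
    for k, v in check_marks(s, p).items():
        print(f"{k}: {v}")
```

On a live host, save `ip xfrm state` and `ip xfrm policy` to two files and pass them as arguments. On the sample it reports that reqids 16401 and 16397 both install SAs for the same 10.0.161.34 and 10.0.146.196 pair (the two clients are distinguished only by NAT-T ports 40003 and 40004), that only reqid 16401 has a policy at all, and that every policy carries the same mark -1/0xffffffff, so `unique_marks` is False.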