[Swan] Multiple clients behind same NAT network

Валентин Росавицкий valintinr at ukr.net
Wed Dec 30 21:28:21 UTC 2020


Hello everyone,
I am trying to configure IPsec with the hwdsl2 scripts for IPsec+XAUTH. Immediately after installation everything works without problems, but I need to connect multiple clients from the same NAT network. For this I added the options mark=-1 (-1/0xffffffffff) and overlap=yes to the configuration file. With these options a client can still connect to the server successfully, but nothing else works afterwards. The command "ip xfrm pol" shows that the mark is present on the policies, while the counters for SNAT/MASQUERADE do not grow (command "iptables -L -n -v -t nat").
Can anyone advise what could be the problem?

journalctl shows nothing interesting.
I also ran pluto with the --debug-all option, and there is nothing interesting there either that would help.


# ip xfrm pol
src 0.0.0.0/0 dst 10.3.0.50/32  
       dir out priority 2097087  
       mark 0x10003/0xffffffff  
       tmpl src XXX dst YYY 
               proto esp reqid 16409 mode tunnel 
src 10.3.0.50/32 dst 0.0.0.0/0  
       dir fwd priority 2097087  
       mark 0x10003/0xffffffff  
       tmpl src YYY dst XXX 
               proto esp reqid 16409 mode tunnel 
src 10.3.0.50/32 dst 0.0.0.0/0  
       dir in priority 2097087  
       mark 0x10003/0xffffffff  
       tmpl src YYY dst XXX 
               proto esp reqid 16409 mode tunnel



# ip xfr state                 
src YYY dst XXX 
       proto esp spi 0x1bcdfa26 reqid 16409 mode tunnel 
       replay-window 32 flag nopmtudisc af-unspec 
       auth-trunc hmac(sha512) 0x1c8e4fcc469456e7fedecab78078325f4e9040993c04f4537b5906f4c1bef6fdc771d2ae8176086adfe5a468145ba870650dd5cc49af3c868efda0fe95dad676 256 
       enc cbc(aes) 0xc861312bdc0cc17bab5f47f550fa6e5652a12f12346764ab10238f54381dc259 
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 
       anti-replay context: seq 0x2c5, oseq 0x0, bitmap 0xffffffff 
src XXX dst YYY 
       proto esp spi 0x061e9419 reqid 16409 mode tunnel 
       replay-window 32 flag nopmtudisc af-unspec 
       auth-trunc hmac(sha512) 0x43956b137d4ab7e067942baa4c890d72c9f554f8dbf79a834834a2b68c729f3c997e4e053136ea5d9b6b7c7a7c548b6d9624a965c481b0b3c9c33d9f852a101d 256 
       enc cbc(aes) 0x9917fb528520305dc825f04a44a5c72a6d24ceaea25fed3e7fcf1c8827a3abe6 
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 
       anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000




# ipsec.conf as posted (libreswan, installed by the hwdsl2 scripts).
# The last two lines of "conn xauth-psk" (mark=-1, overlap=yes) are the
# ones the poster added to allow several clients behind one NAT; the
# rest is the stock layout. NOTE(review): the "ip xfrm state" dump above
# contains the live SA auth/enc keys (auth-trunc/enc lines) — treat that
# dump as sensitive and re-establish those SAs.
version 2.0 

config setup 
 # RFC1918 ranges allowed as client-side virtual IPs, minus the two
 # local subnets; 10.3.0.0/24 holds the rightaddresspool used below.
 virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.2.0.0/24,%v4:!10.3.0.0/24 
 protostack=netkey 
 interfaces=%defaultroute 
 # Lets several clients present the same ID without the newer
 # connection replacing the older one (needed with a shared PSK).
 uniqueids=no 

# Common settings pulled in via also=shared by the two conns below.
conn shared 
 left=%defaultroute 
 leftid=XXX 
 right=%any 
 # Forces UDP encapsulation; matches the "encap type espinudp ... 4500"
 # seen in the xfrm state output above.
 encapsulation=yes 
 authby=secret 
 # NOTE(review): PFS is disabled for phase 2; presumably for client
 # compatibility — confirm this is intended.
 pfs=no 
 # Server does not initiate rekeying of expiring SAs.
 rekey=no 
 keyingtries=5 
 # Dead-peer detection: probe every 30s, give up after 120s, then
 # clear the connection.
 dpddelay=30 
 dpdtimeout=120 
 dpdaction=clear 
 # IKEv1 only (XAUTH/modecfg as used below is IKEv1).
 ikev2=never 
 # NOTE(review): the sha1 and modp1024 entries are weak (SHA-1, 1024-bit
 # DH group); presumably kept for older clients — confirm they are still
 # needed and drop them otherwise.
 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024 
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2 
 sha2-truncbug=no 

# L2TP/IPsec: transport-mode ESP protecting UDP 1701 on the server side.
conn l2tp-psk 
 auto=add 
 leftprotoport=17/1701 
 rightprotoport=17/%any 
 type=transport 
 phase2=esp 
 also=shared 

# IKEv1 XAUTH + modecfg road-warrior conn (the one exercised above:
# the 10.3.0.50 policies in "ip xfrm pol" come from this pool).
conn xauth-psk 
 auto=add 
 # Full tunnel: all client traffic is sent through the VPN.
 leftsubnet=0.0.0.0/0 
 rightaddresspool=10.3.0.50-10.3.0.250 
 # DNS servers pushed to the client via modecfg.
 modecfgdns="8.8.8.8 8.8.4.4" 
 leftxauthserver=yes 
 rightxauthclient=yes 
 leftmodecfgserver=yes 
 rightmodecfgclient=yes 
 modecfgpull=yes 
 # XAUTH credentials are looked up in a file (path not shown here).
 xauthby=file 
 fragmentation=yes 
 cisco-unity=yes 
 also=shared 
 # Added for multiple clients behind one NAT. With mark=-1 the resulting
 # policies carry a per-connection mark (0x10003/0xffffffff in the
 # "ip xfrm pol" output above). NOTE(review): the idle SNAT/MASQUERADE
 # counters reported above are consistent with nat-table rules that do
 # not match the marked traffic — verify the nat rules against the mark.
 mark=-1
 # Presumably allows this conn's IP selectors to overlap with others —
 # confirm against the libreswan ipsec.conf documentation.
 overlap=yes

