[Swan] Multiple clients behind same NAT network
Валентин Росавицкий
valintinr at ukr.net
Wed Dec 30 21:28:21 UTC 2020
Hello everyone,
I am trying to configure IPsec with the hwdsl2 scripts for IPsec+XAuth. Immediately after installation everything works without problems, but I need to connect multiple clients from the same NAT network, so I added the options mark=-1 (-1/0xffffffffff) and overlap=yes to the configuration file. With these, a client can still connect to the server successfully, but nothing else works: the command "ip xfrm pol" shows that the mark is present, and the SNAT/MASQUERADE counters do not grow (command "iptables -L -n -v -t nat").
Can anyone advise what could be the problem?
journalctl shows nothing interesting.
I ran pluto with the --debug-all option, and there is also nothing there that helps.
# ip xfrm pol
src 0.0.0.0/0 dst 10.3.0.50/32
dir out priority 2097087
mark 0x10003/0xffffffff
tmpl src XXX dst YYY
proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
dir fwd priority 2097087
mark 0x10003/0xffffffff
tmpl src YYY dst XXX
proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
dir in priority 2097087
mark 0x10003/0xffffffff
tmpl src YYY dst XXX
proto esp reqid 16409 mode tunnel
# ip xfr state
src YYY dst XXX
proto esp spi 0x1bcdfa26 reqid 16409 mode tunnel
replay-window 32 flag nopmtudisc af-unspec
auth-trunc hmac(sha512) 0x1c8e4fcc469456e7fedecab78078325f4e9040993c04f4537b5906f4c1bef6fdc771d2ae8176086adfe5a468145ba870650dd5cc49af3c868efda0fe95dad676 256
enc cbc(aes) 0xc861312bdc0cc17bab5f47f550fa6e5652a12f12346764ab10238f54381dc259
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x2c5, oseq 0x0, bitmap 0xffffffff
src XXX dst YYY
proto esp spi 0x061e9419 reqid 16409 mode tunnel
replay-window 32 flag nopmtudisc af-unspec
auth-trunc hmac(sha512) 0x43956b137d4ab7e067942baa4c890d72c9f554f8dbf79a834834a2b68c729f3c997e4e053136ea5d9b6b7c7a7c548b6d9624a965c481b0b3c9c33d9f852a101d 256
enc cbc(aes) 0x9917fb528520305dc825f04a44a5c72a6d24ceaea25fed3e7fcf1c8827a3abe6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
# ipsec.conf as posted; XXX stands in for the server's own address (compare leftid=XXX
# with "tmpl src XXX" in the ip xfrm output above).
version 2.0
config setup
# RFC1918 ranges allowed as remote "virtual" client subnets; 10.2.0.0/24 and
# 10.3.0.0/24 are excluded with the "!" prefix (10.3.0.0/24 overlaps the
# rightaddresspool below).
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.2.0.0/24,%v4:!10.3.0.0/24
protostack=netkey
interfaces=%defaultroute
uniqueids=no
# Settings shared by both connections below via also=shared.
conn shared
left=%defaultroute
leftid=XXX
right=%any
encapsulation=yes
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
# IKEv1 only; the IKE proposal list includes modp1024 and sha1 for client
# compatibility. NOTE(review): both are weak by current standards - kept as posted.
ikev2=never
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
sha2-truncbug=no
conn l2tp-psk
auto=add
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
phase2=esp
also=shared
conn xauth-psk
auto=add
leftsubnet=0.0.0.0/0
rightaddresspool=10.3.0.50-10.3.0.250
modecfgdns="8.8.8.8 8.8.4.4"
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=file
fragmentation=yes
cisco-unity=yes
also=shared
# The two options added for multiple clients behind one NAT. mark=-1 appears to
# request an automatically assigned per-connection mark (the ip xfrm pol output
# above shows "mark 0x10003/0xffffffff" on every policy for 10.3.0.50) - confirm
# against the ipsec.conf(5) man page for this libreswan version.
mark=-1
overlap=yes