<div dir="ltr"><div>I have the same problem here. While doing some searches on Google, it looks like strongSwan has a "connmark" plugin (<a href="https://wiki.strongswan.org/projects/strongswan/wiki/Connmark">https://wiki.strongswan.org/projects/strongswan/wiki/Connmark</a>) for this. They are using a similar idea to what Paul suggested, I think, but they are matching the SPI instead. However, this way I think pluto will need to be updated as well, so "ip xfrm" will xfrm packets by src/dst and the mark defined in iptables.<br><br></div>Still studying... any pointers are appreciated :)<br><br clear="all"><div><div><div class="gmail_extra"><div><div class="gmail_signature"><div dir="ltr"><div><br>Best regards,<br>Steve<br><div><br></div></div></div></div></div>
<br><div class="gmail_quote">2015-07-28 3:38 GMT+08:00 <span dir="ltr">&lt;<a href="mailto:jvpn@use.startmail.com" target="_blank">jvpn@use.startmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks for the overlapip=yes suggestion. However, would you mind letting me know what "reqid" is?<br>
<br>
Does <a href="https://libreswan.org/wiki/SAref_code" rel="noreferrer" target="_blank">https://libreswan.org/wiki/SAref_code</a> sample have anything to do with this eroute problem?<br>
<br>
In general, the logs show that the server sees the real (behind NAT) client IP address and can, theoretically, construct a unique eroute.<br>
<br>
Also, there are several VPN providers which offer L2TP. Do you know if they have any NAT related limitations?<br>
<span class=""><br>
On Monday, July 27, 2015 8:46 AM, Paul Wouters &lt;<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>&gt; wrote:<br>
><br>
>> First user connects fine, but second times out, with "cannot install<br>
>> eroute". Here is a fragment from log file:<br>
><br>
> This is not currently supported with NETKEY. You can get past the<br>
> "eroute is in use" by adding overlapip=yes (I believe we removed the<br>
> stack restriction on that) but you still need some iptables rules<br>
> based on the reqid to ensure these two flows will work properly.<br>
><br>
> (We'd gladly receive patches for this :)<br>
<br>
</span>Josh<br>
<div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div></div></div></div>