<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p></p>
<div>Hi All:</div>
<div><br>
</div>
<div>Currently, 2 private clients behind NAT GateWay cannot communicate(connect) to public server simultaneously.
</div>
<div><br>
1.<br>
at first, without configuring "overlapid=yes", pluto.log report "cannot install eroute, it is in use for XXXX" for the 2nd startup client. </div>
<div><br>
</div>
<div>Only 1st client can communicate with public sever in all time.</div>
<div>No matter how many times I restart IPsec on 2nd machine, pluto.log on public server report "<span>cannot install eroute, it is in use for XXXX</span>".</div>
<div><br>
</div>
<div><br>
2.<br>
Get some clue from http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat
</div>
<div>I configured "overlapid=yes" on server side. And added 2 IPTables rule on NAT-GW:</div>
<div><br>
# 10.0.146.196 is public server; 192.168.161.xxx is private client.<br>
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK --set-mark 35<br>
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK --set-mark 44</div>
<div><br>
2nd client kick out 1st client. While 2nd client can communicate with server, 1st client can NOT communicate any more. If I restart IPSec on 1st client, it kick 2nd client out....</div>
<div><br>
</div>
<div><br>
3. <br>
Since https://download.libreswan.org/CHANGES writes "this resolves multiple clients behind same NAT router issue" in v3.19.
<br>
And my libreswan is 3.20. So I speculate my configuration is wrong ????</div>
<div>So can you please tell me how to configure it correctly? </div>
<div><br>
</div>
<div><br>
</div>
<div>4.<br>
My System information:<br>
===============================<br>
Libreswan: 3.20 (netkey) on 3.10.0-693.el7.x86_64<br>
Red Hat Enterprise Linux Server 7.4 (Maipo)<br>
iptables: 1.4.21</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
IPSec configuration on public server for 1st private client:<br>
===============================<br>
conn 196to44<br>
ike=aes256-md5;modp1536<br>
authby=secret<br>
aggrmode=no<br>
ikelifetime=14409s<br>
ikev2=yes<br>
phase2=esp<br>
type=transport <br>
pfs=yes<br>
rekey=yes<br>
rekeymargin=540s<br>
phase2alg=3des,aes256-md5;modp1536<br>
salifetime=3600s<br>
<br>
# local<br>
leftid=10.0.146.196<br>
left=10.0.146.196<br>
<br>
# remote <br>
rightid=192.168.161.44<br>
right=10.0.161.34<br>
rightsubnet=192.168.161.0/24<br>
rightsourceip=192.168.161.44<br>
<br>
overlapip=yes <br>
<br>
## Misc<br>
auto=start</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>IPSec configuration on public server for 1st private client:<br>
===============================<br>
conn 196to35<br>
ike=aes256-md5;modp1536<br>
authby=secret<br>
aggrmode=no<br>
ikelifetime=14409s<br>
ikev2=yes<br>
phase2=esp<br>
type=transport <br>
pfs=yes<br>
rekey=yes<br>
rekeymargin=540s<br>
phase2alg=3des,aes256-md5;modp1536<br>
salifetime=3600s</div>
<div> # local<br>
leftid=10.0.146.196<br>
left=10.0.146.196<br>
<br>
# remote <br>
rightid=192.168.161.35<br>
right=10.0.161.34<br>
rightsubnet=192.168.161.0/24<br>
rightsourceip=192.168.161.35</div>
<div> overlapip=yes <br>
<br>
## Misc<br>
auto=start</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
IPSec configuration on 1st private client:<br>
===============================<br>
conn ipv4tran44<br>
ike=aes256-md5;modp1536<br>
authby=secret<br>
aggrmode=no<br>
ikelifetime=14409s<br>
ikev2=yes<br>
phase2=esp<br>
type=transport <br>
pfs=yes<br>
rekey=yes<br>
rekeymargin=540s<br>
phase2alg=3des,aes256-md5;modp1536<br>
salifetime=3600s</div>
<div> # local <br>
leftid=192.168.161.44<br>
left=192.168.161.44<br>
leftsubnet=192.168.161.0/24<br>
<br>
# Remote<br>
rightid=10.0.146.196<br>
right=10.0.146.196<br>
<br>
## Misc<br>
auto=start</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
IPSec configuration on 2nd private client:<br>
===============================<br>
conn ipv4tran35<br>
ike=aes256-md5;modp1536<br>
authby=secret<br>
aggrmode=no<br>
ikelifetime=14409s<br>
ikev2=yes<br>
phase2=esp<br>
type=transport <br>
pfs=yes<br>
rekey=yes<br>
rekeymargin=540s<br>
phase2alg=3des,aes256-md5;modp1536<br>
salifetime=3600s<br>
<br>
# local <br>
leftid=192.168.161.35<br>
left=192.168.161.35<br>
leftsubnet=192.168.161.0/24<br>
<br>
# Remote<br>
rightid=10.0.146.196<br>
right=10.0.146.196 <br>
<br>
## Misc<br>
auto=start</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><span>configuration</span> on NAT-GW machine<br>
===============================<br>
service ipsec stop<br>
echo 1 > /proc/sys/net/ipv4/ip_forward<br>
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp<br>
echo 1 > /proc/sys/net/ipv4/conf/eth3/proxy_arp</div>
<div><br>
</div>
<div>iptables --append INPUT --protocol ESP --in-interface eth1 --jump ACCEPT</div>
<div>iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.35 -d 10.0.146.196 -j MARK --set-mark 35<br>
iptables -t mangle -A PREROUTING -p esp -m policy --dir in -s 192.168.161.44 -d 10.0.146.196 -j MARK --set-mark 44</div>
<div><br>
</div>
<div>iptables -t nat -A POSTROUTING -p TCP -o eth1 -j SNAT --to-source 10.0.161.34:20000-40000<br>
iptables -t nat -A POSTROUTING -p UDP -o eth1 -j SNAT --to-source 10.0.161.34:40000-60000</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
Thanks and regards</div>
<div>Hao Chen<br>
</div>
<br>
<p></p>
<div style="color: rgb(0, 0, 0);">
<div>
<div style="color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif; font-size:12pt">
</div>
</div>
</div>
</div>
</body>
</html>