<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Do not run any iptables yourself!<div><br><div>Configure mark=-1/0xfffffffff in your ipsec configuration. Libreswan will add/remove the iptables rules<br><br><div id="AppleMailSignature">Sent from my iPhone</div><div><br>On Oct 31, 2017, at 21:08, Hao Chen <<a href="mailto:earthlovepython@outlook.com">earthlovepython@outlook.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>Hi Paul / All: </p>
<p><br>
</p>
<p><br>
</p>
<p><span>Everyone, happy Halloween! </span></p>
<p><br>
</p>
<p><br>
</p>
<p>1.</p>
<p>Appreciate for your response at first. </p>
<p><br>
</p>
<p><br>
</p>
<p>2.</p>
<p>If I understand your point correctly, I applied following "iptables rules" on public server side. But still no luck. </p>
<p><br>
iptables -t mangle -I PREROUTING -m policy --dir in <b>--pol IPsec -j MARK --set-mark 0xffffffff</b><br>
iptables -t mangle -I POSTROUTING -m policy --dir out <b>--pol IPsec -j MARK --set-mark 0xffffffff</b></p>
<p><b><br>
</b></p>
<p><i><u>OR</u></i></p>
<p><b><i><u><br>
</u></i></b></p>
<p>iptables -t mangle -I PREROUTING -m policy --dir in <b>-p ESP -j MARK --set-mark 0xffffffff</b></p>
<p>iptables -t mangle -I POSTROUTING -m policy --dir out <b>-p ESP -j MARK --set-mark 0xffffffff</b></p>
<p><b><br>
</b></p>
<p><b><br>
</b></p>
<p>Why I put "<b>0xffffffff</b>" instead of "-1" ? iptables<b> report error </b>"<span>bad mark value for option "--set-mark", or out of range</span>"</p>
<p><br>
</p>
<p>(By the way, I also tried "-j CONNMARK --set-mark 0xffffffff". still not work.)</p>
<p><br>
</p>
<p><b><u><i>Is above command correct? Did I misunderstand your instruction</i></u></b>?</p>
<p><br>
</p>
<p>3.</p>
<p>1). After I start <b>1st</b> private client behind NAT, "ip xfrm pol" on public server shows:</p>
<p><br>
</p>
<p></p>
<div>src 10.0.146.196/32 dst 192.168.161.0/24 <br>
dir out priority 2088 ptype main <br>
tmpl src 10.0.146.196 dst 10.0.161.34<br>
proto esp reqid <span style="background-color: rgb(0, 255, 0);">16397
</span>mode tunnel<br>
src 192.168.161.0/24 dst 10.0.146.196/32 <br>
dir fwd priority 2088 ptype main <br>
tmpl src 10.0.161.34 dst 10.0.146.196<br>
proto esp reqid <span style="background-color: rgb(0, 255, 0);">16397
</span>mode tunnel<br>
src 192.168.161.0/24 dst 10.0.146.196/32 <br>
dir in priority 2088 ptype main <br>
tmpl src 10.0.161.34 dst 10.0.146.196<br>
proto esp reqid <span style="background-color: rgb(0, 255, 0);">16397
</span>mode tunnel<br>
</div>
<p></p>
<p><br>
</p>
<div>2). After I start <b>2nd</b> private client behind NAT, "<i>ip xfrm <span style="background-color: rgb(255, 255, 0);">
pol</span></i>" <span>on public server </span>shows:</div>
<div><br>
</div>
<div>src 10.0.146.196/32 dst 192.168.161.0/24 <br>
</div>
<div>
<div> dir out priority 2088 ptype main <br>
tmpl src 10.0.146.196 dst 10.0.161.34<br>
proto esp reqid <span style="background-color: rgb(255, 0, 255);">
16401 </span>mode tunnel<br>
src 192.168.161.0/24 dst 10.0.146.196/32 <br>
dir fwd priority 2088 ptype main <br>
tmpl src 10.0.161.34 dst 10.0.146.196<br>
proto esp reqid <span style="background-color: rgb(255, 0, 255);">
16401 </span>mode tunnel<br>
src 192.168.161.0/24 dst 10.0.146.196/32 <br>
dir in priority 2088 ptype main <br>
tmpl src 10.0.161.34 dst 10.0.146.196<br>
proto esp reqid <span style="background-color: rgb(255, 0, 255);">
16401 </span>mode tunnel<br>
</div>
</div>
<div><br>
</div>
<div>3). After I start <b>2nd</b> private client behind NAT, "<i>ip xfrm <span style="background-color: rgb(255, 255, 0);">
state</span></i>" <span>on public server </span>shows:</div>
<div><br>
</div>
<div>
<div>[root@xcvms196 configs]# ip x s<br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0x7c64a8c0 reqid <span style="background-color: rgb(255, 0, 255);">
16401 </span>mode tunnel<br>
replay-window 32 flag af-unspec<br>
auth-trunc hmac(md5) 0x4bcfde9f974a8687e4e3ef13099d47b0 96<br>
enc cbc(des3_ede) 0x7bf36fe75db23faba9ab4988e5a8f0d078700f84e9d2f1ba<br>
encap type espinudp sport 40004 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0xad, oseq 0x0, bitmap 0xffffffff<br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0x861c7bfa reqid <span style="background-color: rgb(255, 0, 255);">
16401 </span>mode tunnel<br>
replay-window 32 flag af-unspec<br>
auth-trunc hmac(md5) 0x11a031caa1d3275b711cdb0233fb3b89 96<br>
enc cbc(des3_ede) 0xd3bad85755cbfbcf8c52c781be0b097efc977c29d9a6394d<br>
encap type espinudp sport 4500 dport 40004 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0xad, bitmap 0x00000000<br>
src 10.0.146.196 dst 192.168.161.44<br>
proto esp spi 0x00000000 reqid 0 mode transport<br>
replay-window 0 <br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 192.168.161.44/32 proto icmp type 0 code 0 dev eth0
<br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0x8814c900 reqid <span style="background-color: rgb(0, 255, 0);">
16397 </span>mode tunnel<br>
replay-window 32 flag af-unspec<br>
auth-trunc hmac(md5) 0x51139bef3e2844a9f5f5be76168f9bf7 96<br>
enc cbc(des3_ede) 0x93bfd2ffedce31eca6060300395cc463cb0afa8f4f690947<br>
encap type espinudp sport 40003 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0xca, oseq 0x0, bitmap 0xffffffff<br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0xa112d396 reqid <span style="background-color: rgb(0, 255, 0);">
16397 </span>mode tunnel<br>
replay-window 32 flag af-unspec<br>
auth-trunc hmac(md5) 0xcc17a8448aac4c46520497a80c80cec8 96<br>
enc cbc(des3_ede) 0x98ecc800d52aed60080cfc6e6de8a9f2dbbb8299437c34bf<br>
encap type espinudp sport 4500 dport 40003 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x1b, bitmap 0x00000000<br>
</div>
</div>
<div><br>
</div>
<div>====> From above "ip xfrm pol" output, I do not see "mark" this column. </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>4.</div>
<div>"ip" version is : "<span>ip utility, </span><b>iproute2-ss130716</b>" </div>
<div>"iptables" version is: "<span>iptables v1.4.21</span>"</div>
<div>uname shows: "<span>Linux xcvms196 <b>3.10.0-693.el7.x86_64 #1 SMP </b>Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux</span>"<br>
<br>
<br>
</div>
<div><br>
Thanks and regards</div>
<div><br>
</div>
<div>Hao Chen</div>
<div><br>
</div>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>><br>
<b>Sent:</b> Monday, October 30, 2017 23:45<br>
<b>To:</b> Hao Chen<br>
<b>Cc:</b> <a href="mailto:swan@lists.libreswan.org">swan@lists.libreswan.org</a><br>
<b>Subject:</b> Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">On Tue, 31 Oct 2017, Hao Chen wrote:<br>
<br>
> I still cannot let 2 private clients behind NAT to communicate public server simultaneous. Can you please help me?<br>
<br>
Did you try the -1 mark that causes unique marks in the XFRM policy per<br>
client, with overlapip=yes set? It should need no custom iptables<br>
rules. That should work. If not, you should let us now what specific<br>
errors or problems you are seeing.<br>
<br>
The reqids should then also automatically get generated and be unique<br>
per client. Setting them manually is almost never the right solution.<br>
<br>
All of this only needs to happen on the server side. The client side<br>
needs no marking or anything odd, because it has no conflicts itself.<br>
<br>
Paul<br>
</div>
</span></font></div>
</div>
</div></blockquote></div></div></body></html>