<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p></p>
<div>Appreciate for your help !</div>
<div><br>
</div>
<div><br>
</div>
<div><b><span style="background-color: rgb(255, 255, 0);">With </span>"mark=0xfffffffff</b>"
<b>in IPsec.conf</b>, output of "ip xfrm XYZ" after I "service ipsec restart" 2nd private client:<br>
(<i><u>none of 2 private clients behind NAT can reach public IP</u></i>)<br>
=================================================================================<br>
[root@xcvms196 configs]# ip x s<br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0xb7d2dbc9 reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x5d9962ff579e65ce56b0cb71bf4ca667 96<br>
enc cbc(des3_ede) 0x0984fd0119de418333b3f8ec53b63459b7788f80b2f50546<br>
encap type espinudp sport 40003 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0x37b, oseq 0x0, bitmap 0xffffffff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0x2544dacb reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0xabec2b482bcb1f15bf8e46fd75d985d7 96<br>
enc cbc(des3_ede) 0xd14870879408fe7734133829e2b1057267698c37187ef692<br>
encap type espinudp sport 4500 dport 40003 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0x23165b92 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x7eee3a5f4def6df269eb6a0f8f1f4422 96<br>
enc cbc(des3_ede) 0xf9c4d8e3bd74ae58615214bcdcf2ecc76c0eda23cc04d3f9<br>
encap type espinudp sport 40004 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0x380, oseq 0x0, bitmap 0xffffffff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0x109c5faf reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x1fc378045127c2988db46ac013bca353 96<br>
enc cbc(des3_ede) 0x38b1da3d6132cc8f7dd63f76bee579b0fa81ba4079d6cdcf<br>
encap type espinudp sport 4500 dport 40004 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# ip x p<br>
src 10.0.146.196/32 dst 10.0.161.34/32 <br>
dir out priority 2080 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.161.34/32 dst 10.0.146.196/32 <br>
dir in priority 2080 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.146.196/32 dst 192.168.161.0/24 <br>
dir out priority 2088 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 0 mode transport<br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 <br>
socket out priority 0 ptype main <br>
src ::/0 dst ::/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<b><span style="background-color: rgb(255, 255, 0);">With </span>"mark=-1" <b>in IPsec.conf</b>,
</b>output of "ip xfrm XYZ" after I "service ipsec restart" 2nd private client:<br>
(<i><u>none of 2 private clients behind NAT can reach public IP</u></i>)<br>
=================================================================================<br>
[root@xcvms196 configs]# ip x s<br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0xd93232ff reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x843533582499dd7a87f99c498828432b 96<br>
enc cbc(des3_ede) 0x1d1790a25fd9fc5dac8085cd012ec0519f689067be4bc3c7<br>
encap type espinudp sport 40003 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0xb, oseq 0x0, bitmap 0x000007ff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0xd657e94d reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0xd6302e3add8a7151d6751cbb40968bae 96<br>
enc cbc(des3_ede) 0x56efafb3e50c548c989346b651ef59e2b2929b522aae1609<br>
encap type espinudp sport 4500 dport 40003 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0xe0879ba6 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x85d312973f015ee7001f1487bb5199f4 96<br>
enc cbc(des3_ede) 0x7271cd1bdca6efd80adec728fe05043cc81d21f68303491a<br>
encap type espinudp sport 40004 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0x12, oseq 0x0, bitmap 0x0003ffff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0xd26b1f55 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x0ea32b5e8f5fa8afbd42fff7d0d2f9c3 96<br>
enc cbc(des3_ede) 0x7b595d3727f5f0f4f1c600405aab963e24c637a431d0957e<br>
encap type espinudp sport 4500 dport 40004 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# <br>
[root@xcvms196 configs]# ip x p<br>
src 10.0.146.196/32 dst 10.0.161.34/32 <br>
dir out priority 2080 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.161.34/32 dst 10.0.146.196/32 <br>
dir in priority 2080 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.146.196/32 dst 192.168.161.0/24 <br>
dir out priority 2088 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 0 mode transport<br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 <br>
socket out priority 0 ptype main <br>
src ::/0 dst ::/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><b><span style="background-color: rgb(255, 255, 0);">With </span>"mark=-1/0xffffffff" in IPsec.conf</b>, output of "ip xfrm XYZ" after I "service ipsec restart" 2nd private client:<br>
(<i><u>none of 2 private clients behind NAT can reach public IP</u></i>)<br>
=================================================================================<br>
[root@xcvms196 ~]# ip x s<br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0xb3a79b2f reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0xa7dbfd2ad1750d980f375c76bc95040b 96<br>
enc cbc(des3_ede) 0x19fdc2b58fb1fb5a106d8632ad9ee2a81b5d6e43a68a757f<br>
encap type espinudp sport 40003 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0x9, oseq 0x0, bitmap 0x000001ff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0x378ff7e6 reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x25750e89ce04610fea560e71a072c69c 96<br>
enc cbc(des3_ede) 0x7ae39c9f2cff18c61839979ea9c34116afd366cc773a1517<br>
encap type espinudp sport 4500 dport 40003 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0x3091a747 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0xcffe57b25b5fd2cdcc5a539636233f77 96<br>
enc cbc(des3_ede) 0x397ad04de7320d9ff100bd5e271d58fb081aca2f503e7966<br>
encap type espinudp sport 40004 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0xd, oseq 0x0, bitmap 0x00001fff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0x8c797833 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x88ba1a43b0aea8250c04a4c25bbfe651 96<br>
enc cbc(des3_ede) 0x8b12cdb49ec89fc2f5a7a909fd6ab12fc2599692db92a185<br>
encap type espinudp sport 4500 dport 40004 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# ip x p<br>
src 10.0.146.196/32 dst 10.0.161.34/32 <br>
dir out priority 2080 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.161.34/32 dst 10.0.146.196/32 <br>
dir in priority 2080 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.146.196/32 dst 192.168.161.0/24 <br>
dir out priority 2088 ptype main <br>
mark -1/0xffffffff<br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 0 mode transport<br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 <br>
socket out priority 0 ptype main <br>
src ::/0 dst ::/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
[root@xcvms196 ~]# </div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<b><span style="background-color: rgb(255, 255, 0);">Without </span>"mark=-1/0xffffffff"</b>
<b>in IPsec.conf</b>, output of "ip xfrm XYZ" after I "service ipsec restart" 2nd private client:<br>
(<i><u>only one of 2 private clients behind NAT can reach public IP at any time</u></i>)<br>
=================================================================================<br>
[root@xcvms196 ~]# ip x s<br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0x2832c317 reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x899660ce1c2cc44550abd4c49730e0dc 96<br>
enc cbc(des3_ede) 0xf048c9086049df305133db7fcec3d8bb94413bf7e7d51ed0<br>
encap type espinudp sport 40003 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0x7, oseq 0x0, bitmap 0x0000007f<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0xfd31b8ab reqid 16401 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x9fa6f238d41e28f4ef8716daeb9b56c9 96<br>
enc cbc(des3_ede) 0x104650e68eaaacb6d0217b1f68bdf0be3721027d731ea49f<br>
encap type espinudp sport 4500 dport 40003 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x7, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
src 10.0.161.34 dst 10.0.146.196<br>
proto esp spi 0xc5ec32a0 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0xa204c30abc6f657448ae35fafe33073b 96<br>
enc cbc(des3_ede) 0x72700dafa81ba243df7d441734f46571144b5b1c5fa26ce4<br>
encap type espinudp sport 40004 dport 4500 addr 0.0.0.0<br>
anti-replay context: seq 0xd, oseq 0x0, bitmap 0x00001fff<br>
sel src 10.0.161.34/32 dst 10.0.146.196/32 <br>
src 10.0.146.196 dst 10.0.161.34<br>
proto esp spi 0x3ef1eb49 reqid 16397 mode transport<br>
replay-window 32 <br>
auth-trunc hmac(md5) 0x53554a6e8089d5c4e23497a201ba5b83 96<br>
enc cbc(des3_ede) 0x767c4d4e52d96e573f7d77dcf9318a14b8cd12e49f322133<br>
encap type espinudp sport 4500 dport 40004 addr 0.0.0.0<br>
anti-replay context: seq 0x0, oseq 0x5, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 10.0.161.34/32 <br>
src 10.0.146.196 dst 192.168.161.44<br>
proto esp spi 0x00000000 reqid 0 mode transport<br>
replay-window 0 <br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 192.168.161.44/32 proto icmp type 0 code 0 dev eth0
<br>
src 10.0.146.196 dst 192.168.161.35<br>
proto esp spi 0x00000000 reqid 0 mode transport<br>
replay-window 0 <br>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
sel src 10.0.146.196/32 dst 192.168.161.35/32 proto icmp type 0 code 0 dev eth0
<br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# <br>
[root@xcvms196 ~]# ip x p<br>
src 10.0.146.196/32 dst 10.0.161.34/32 <br>
dir out priority 2080 ptype main <br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.161.34/32 dst 10.0.146.196/32 <br>
dir in priority 2080 ptype main <br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 16401 mode transport<br>
src 10.0.146.196/32 dst 192.168.161.0/24 <br>
dir out priority 2088 ptype main <br>
tmpl src 0.0.0.0 dst 0.0.0.0<br>
proto esp reqid 0 mode transport<br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir fwd priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 136 <br>
dir in priority 1 ptype main <br>
src ::/0 dst ::/0 proto ipv6-icmp type 135 <br>
dir out priority 1 ptype main <br>
src ::/0 dst ::/0 <br>
socket out priority 0 ptype main <br>
src ::/0 dst ::/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket out priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
socket in priority 0 ptype main <br>
[root@xcvms196 ~]# </div>
<div><br>
</div>
<br>
<p></p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> Paul Wouters <paul@nohats.ca><br>
<b>Sent:</b> Tuesday, October 31, 2017 13:16<br>
<b>To:</b> Hao Chen<br>
<b>Cc:</b> swan@lists.libreswan.org<br>
<b>Subject:</b> Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">On Tue, 31 Oct 2017, Hao Chen wrote:<br>
<br>
> in 1st round, only put "mark=-1" in IPsec.conf on server side. <br>
> <br>
> After "service ipsec restart", none of 2 private clients can reach public server. <br>
<br>
What did ip xfrm state and ip xfrm policy show ? Did the SA get<br>
installed with unique marks for both clients?<br>
<br>
Paul<br>
</div>
</span></font></div>
</div>
</body>
</html>