<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>I did another 2 rounds test. </p>
<p><br>
</p>
<p>in 1st round, only put "mark=-1" in IPsec.conf on server side. </p>
<p>After "service ipsec restart", none of 2 private clients can reach public server. </p>
<p><br>
</p>
<p></p>
<p>in 2nd round, only put "mark=0xffffffff" in IPsec.conf on server side. </p>
<p>After "service ipsec restart", none of 2 private clients can reach public server also. </p>
<br>
<p></p>
Thanks<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> Swan <swan-bounces@lists.libreswan.org> on behalf of Hao Chen <earthlovepython@outlook.com><br>
<b>Sent:</b> Tuesday, October 31, 2017 13:00<br>
<b>To:</b> Paul Wouters<br>
<b>Cc:</b> swan@lists.libreswan.org<br>
<b>Subject:</b> Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?</font>
<div> </div>
</div>
<div>
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p>Appreciate for your quick response. </p>
<p><br>
</p>
<p>Happy Halloween to the whole community !</p>
<p><br>
</p>
<p>This time, I added<b> "mark=-1/0xfffffffff" & "overlapip=yes" in IPsec.conf </b>
on <b>public server </b>side. And did nothing else on server side. </p>
<p>Through "mark" is NOT listed in <a class="OWAAutoLink" id="LPlnk618148" href="https://libreswan.org/man/ipsec.conf.5.html" previewremoved="true">https://libreswan.org/man/ipsec.conf.5.html</a> , "service ipec restart" does *NOT* complain any error. So libreswan
accept it.</p>
<p></p>
<p>Even with that, public server still <b>cannot</b> accept 2 private clients behind NAT GW simultaneous u<span>nfortunately</span>....</p>
<p></p>
<p>More worse is that the IPsec channel is <b>totally broken(unreachable for 2 private clients) after I added "mark=-1/0xfffffffff"</b> in IPsec.conf on server side. </p>
<p>But after I comment out "mark=<span>-1/0xfffffffff</span>", it restores. I mean, only 1 private client behind NAT can reach public server side.</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>The IPsec.conf on public server for private client 1 is:</p>
<p>============================================</p>
<p></p>
<div>[root@xcvms196 configs]# more ip4tran16135-44_146196-196to35.conf<br>
conn 196to35<br>
ike=aes256-md5;modp1536<br>
authby=secret<br>
aggrmode=no<br>
ikelifetime=14409s<br>
ikev2=yes<br>
phase2=esp<br>
type=tunnel <b><u><i>#</i></u></b> no matter it is tunnel or transport in here<br>
pfs=yes<br>
rekey=yes<br>
rekeymargin=540s<br>
phase2alg=3des,aes256-md5;modp1536<br>
salifetime=3600s</div>
<div><br>
</div>
<div> # local<br>
leftid=10.0.146.196<br>
left=10.0.146.196<br>
<br>
# remote <br>
rightid=192.168.161.35<br>
right=10.0.161.34<br>
rightsubnet=192.168.161.0/24<br>
<br>
<b><span style="background-color:rgb(255,255,0)"> overlapip=yes </span><br>
<span style="background-color:rgb(255,255,0)"> mark=-1/0xfffffffff</span></b><br>
<br>
## Misc<br>
auto=start<br>
</div>
<p></p>
<p><br>
</p>
<p><br>
</p>
<p></p>
<p>The IPsec.conf on public server for private client 2 is:</p>
<p>============================================</p>
<p></p>
<p></p>
<div>[root@xcvms196 configs]# more ip4tran16135-44_146196-196to44.conf<br>
conn 196to44<br>
ike=aes256-md5;modp1536<br>
authby=secret<br>
aggrmode=no<br>
ikelifetime=14409s<br>
ikev2=yes<br>
phase2=esp<br>
type=tunnel <b><i><u>#</u></i></b> no matter it is tunnel or transport in here<br>
pfs=yes<br>
rekey=yes<br>
rekeymargin=540s<br>
phase2alg=3des,aes256-md5;modp1536<br>
salifetime=3600s</div>
<div><br>
</div>
<div> # local<br>
leftid=10.0.146.196<br>
left=10.0.146.196<br>
<br>
# remote <br>
rightid=192.168.161.44<br>
right=10.0.161.34<br>
rightsubnet=192.168.161.0/24<br>
<br>
#<br>
<b><span style="background-color:rgb(255,255,0)"> overlapip=yes </span><br>
<span style="background-color:rgb(255,255,0)"> mark=-1/0xfffffffff</span></b><br>
<br>
<br>
</div>
<p></p>
<p>Thanks and regards</p>
<p><br>
</p>
<p>Hao Chen</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div id="LPBorder_GT_15094791798650.0638907017117285" style="width:100%; text-indent:0px; overflow:auto; margin-bottom:20px">
<table id="LPContainer_15094791798620.9130430913895342" style="width:90%; overflow:auto; padding-top:20px; padding-bottom:20px; margin-top:20px; border-top-color:rgb(200,200,200); border-bottom-color:rgb(200,200,200); border-top-width:1px; border-bottom-width:1px; border-top-style:dotted; border-bottom-style:dotted; background-color:rgb(255,255,255)" cellspacing="0">
<tbody>
<tr valign="top" style="border-spacing:0px">
<td id="TextCell_15094791798630.25052989042989826" style="padding: 0px; vertical-align: top; display: table-cell; position: relative;" colspan="2">
<div id="LPRemovePreviewContainer_15094791798630.786496271497453"></div>
<div id="LPTitle_15094791798630.5466525406118992" style="top:0px; color:rgb(0,120,215); line-height:21px; font-family:"wf_segoe-ui_light","Segoe UI Light","Segoe WP Light","Segoe UI","Segoe WP",Tahoma,Arial,sans-serif; font-size:21px; font-weight:400">
<a id="LPUrlAnchor_15094791798640.1109649963196031" style="text-decoration:none" href="https://libreswan.org/man/ipsec.conf.5.html" target="_blank">libreswan</a></div>
<div id="LPMetadata_15094791798640.9510340427716861" style="margin:10px 0px 16px; color:rgb(102,102,102); line-height:14px; font-family:"wf_segoe-ui_normal","Segoe UI","Segoe WP",Tahoma,Arial,sans-serif; font-size:14px; font-weight:400">
libreswan.org</div>
<div id="LPDescription_15094791798640.7399590938655127" style="color:rgb(102,102,102); line-height:20px; overflow:hidden; font-family:"wf_segoe-ui_normal","Segoe UI","Segoe WP",Tahoma,Arial,sans-serif; font-size:14px; font-weight:400; display:block; max-height:100px">
ipsec.conf.5. ipsec.conf - IPsec configuration and connections DESCRIPTION. The optional ipsec.conf file specifies most configuration and control information for the ...</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<p><br>
</p>
<div><br>
</div>
<div><br>
</div>
<div><br>
<br>
</div>
<div style="color:rgb(0,0,0)">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font color="#000000" face="Calibri, sans-serif" style="font-size:11pt"><b>From:</b> Paul Wouters <paul@nohats.ca><br>
<b>Sent:</b> Monday, October 30, 2017 23:45<br>
<b>To:</b> Hao Chen<br>
<b>Cc:</b> swan@lists.libreswan.org<br>
<b>Subject:</b> Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt">
<div class="PlainText">On Tue, 31 Oct 2017, Hao Chen wrote:<br>
<br>
> I still cannot let 2 private clients behind NAT to communicate public server simultaneous. Can you please help me?<br>
<br>
Did you try the -1 mark that causes unique marks in the XFRM policy per<br>
client, with overlapip=yes set? It should need no custom iptables<br>
rules. That should work. If not, you should let us now what specific<br>
errors or problems you are seeing.<br>
<br>
The reqids should then also automatically get generated and be unique<br>
per client. Setting them manually is almost never the right solution.<br>
<br>
All of this only needs to happen on the server side. The client side<br>
needs no marking or anything odd, because it has no conflicts itself.<br>
<br>
Paul<br>
</div>
</span></font></div>
</div>
</div>
</div>
</div>
</body>
</html>