<html><body><span style="display:block;" class="xfm_34457850"><div><span style="font-size:12pt;line-height:14pt;font-family:Arial;" class="xfmc1">So, any advice?</span><br/></div>
<div><br/></div>
<div><i><span style="font-size:10pt;line-height:12pt;"><span style="font-family:Arial;">30 December 2020, 23:51:04, from "Валентин Росавицкий" <</span><a href="mailto:valintinr@ukr.net" target="_blank"><span style="font-family:Arial;">valintinr@ukr.net</span></a><span style="font-family:Arial;">>:</span></span></i></div>
<div><br/></div>
<blockquote style="border-left:1px solid #cccccc;margin:0px 0px 0px 0.8ex;padding-left:1ex;">
<div style="display:block;">
<div><span style="font-size:12pt;line-height:14pt;font-family:Arial;">Hello everyone,</span></div>
<div><span style="font-family:Arial;"><span style="color:#000000;background-color:#ffffff;"><span style="font-size:12pt;line-height:14pt;">I am trying to configure IPsec with the hwdsl2 scripts for IPsec+XAuth. Immediately after installation everything works without problems, but I need to connect multiple clients from the same NAT network, and for this I specified in the configuration file the options mark=-1 (-1/0xffffffffff) and overlap=yes. This leads to the client being able to connect to the server successfully, but nothing else works. The command "ip xfrm pol" shows that the mark is present on the packets, and the counters for SNAT/MASQUERADE do not grow (command "iptables -L -n -v -t nat").</span></span></span></div>
<div><span style="font-family:Arial;"><span style="font-size:12pt;line-height:14pt;">Can anyone advise what could be the problem?</span><br/></span></div>
<div><span style="font-family:Arial;"><br/></span></div>
<div><span style="font-family:Arial;"><span style="color:#000000;background-color:#ffffff;"><span style="font-size:12pt;line-height:14pt;">journalctl shows nothing interesting.</span></span></span></div>
<div><span style="font-family:Arial;"><span style="color:#000000;background-color:#ffffff;"><span style="font-size:12pt;line-height:14pt;">I ran pluto with the --debug-all option, and there is also nothing interesting there to help.</span></span></span></div>
<div><span style="font-family:Arial;"><span style="color:#000000;background-color:#ffffff;"><span style="font-size:12pt;line-height:14pt;"><br/></span></span></span></div>
<div><span style="font-family:Arial;"><br/></span></div>
<pre style="margin:5px 0;"># ip xfrm pol
src 0.0.0.0/0 dst 10.3.0.50/32
        dir out priority 2097087
        mark 0x10003/0xffffffff
        tmpl src XXX dst YYY
                proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
        dir fwd priority 2097087
        mark 0x10003/0xffffffff
        tmpl src YYY dst XXX
                proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
        dir in priority 2097087
        mark 0x10003/0xffffffff
        tmpl src YYY dst XXX
                proto esp reqid 16409 mode tunnel
</pre>
<div><span style="font-family:Arial;"><br/></span></div>
<pre style="margin:5px 0;"># ip xfr state
src YYY dst XXX
        proto esp spi 0x1bcdfa26 reqid 16409 mode tunnel
        replay-window 32 flag nopmtudisc af-unspec
        auth-trunc hmac(sha512) 0x1c8e4fcc469456e7fedecab78078325f4e9040993c04f4537b5906f4c1bef6fdc771d2ae8176086adfe5a468145ba870650dd5cc49af3c868efda0fe95dad676 256
        enc cbc(aes) 0xc861312bdc0cc17bab5f47f550fa6e5652a12f12346764ab10238f54381dc259
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x2c5, oseq 0x0, bitmap 0xffffffff
src XXX dst YYY
        proto esp spi 0x061e9419 reqid 16409 mode tunnel
        replay-window 32 flag nopmtudisc af-unspec
        auth-trunc hmac(sha512) 0x43956b137d4ab7e067942baa4c890d72c9f554f8dbf79a834834a2b68c729f3c997e4e053136ea5d9b6b7c7a7c548b6d9624a965c481b0b3c9c33d9f852a101d 256
        enc cbc(aes) 0x9917fb528520305dc825f04a44a5c72a6d24ceaea25fed3e7fcf1c8827a3abe6
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
</pre>
<div><span style="font-family:Arial;"><br/></span></div>
<pre style="margin:5px 0;">version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.2.0.0/24,%v4:!10.3.0.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=XXX
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=10.3.0.50-10.3.0.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  fragmentation=yes
  cisco-unity=yes
  also=shared
  mark=-1
  overlap=yes
</pre>
</div>
<pre style="margin:5px 0;">_______________________________________________
Swan mailing list
<a href="mailto:Swan@lists.libreswan.org" target="_self" rel="noreferrer noopener">Swan@lists.libreswan.org</a>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank" rel="noreferrer noopener">https://lists.libreswan.org/mailman/listinfo/swan</a>

</pre>
</blockquote></span></body></html>