Hi Paul / all:
Paul: First of all, thanks for your response!

1.
(1).
In your previous email, you mentioned "mark=-1/0xffffffff" and "Instead of NAT". Are 
you saying I should run "iptables -t mangle" on the private client?
But it does NOT take effect after I run "iptables -t mangle -A POSTROUTING -p 
esp -m policy --dir out -s 192.168.161.44 -d 10.0.146.196 -j MARK  --set-mark 
16344" on the private client.
After I run the above command, "ip xfrm state" still shows reqid as "16397" on the 
private client.
Only after I configure "reqid" in ipsecXX.conf on the private machine does "ip xfrm 
state" show the value which I configured.
(By the way, on the public server side, "reqid" (output of "ip xfrm state") is 
also changed after I configure "reqid" in IPSecXXX.conf.)
(2).
Can you please tell me where to run "iptables -t mangle --set-mark"? On the private 
client or the public server?

2.
http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat
 writes "still need some iptables rules based on the reqid to ensure these two 
flows" .

https://libreswan.org/wiki/SAref_code writes "When a packet is sent out, it 
will pass through iptables. Libreswan maintains an IPSEC chain in the mangle 
table. This allows it to tag packets using xmark".

From the above links, it looks like "iptables -t mangle" is used for some work, but 
https://linux.die.net/man/8/iptables writes for "--set-mark mark": "It can for 
example be used in conjunction with iproute2".

Can you please give some clues (links) about how "--set-mark mark" works 
with IPsec (xfrm)?

Thanks

________________________________
From: Paul Wouters <[email protected]>
Sent: Thursday, October 26, 2017 18:53
To: Hao Chen
Cc: [email protected]
Subject: Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to 
communicate with public server simultaneously?

On Thu, 26 Oct 2017, Hao Chen wrote:

> At first, without configuring "overlapid=yes", pluto.log reported "cannot 
> install eroute, it is in use for XXXX" for the 2nd startup client.
>
> Only the 1st client can communicate with the public server at all times.
> No matter how many times I restart IPsec on the 2nd machine, pluto.log on the public 
> server reports "cannot install eroute, it is in use for XXXX".
>
>
> 2.
> Get some clue from 
> http://swan.libreswan.narkive.com/Rxj6YbXK/cannot-install-eroute-when-second-client-connected-from-behind-the-same-nat

> I configured "overlapid=yes" on the server side. And added 2 iptables rules on the 
> NAT-GW:

Instead of NAT, use:

         mark=-1/0xffffffff

This should install the policies with a unique mark for each connection.
When used with overlapip=yes, it should install multiple policies to
the same IPs with the mark causing the rules to be different and not
clash.

The only limitation is that traffic must be initiated from the client,
to get the initial MARK. If multiple clients clash, then you cannot
from the server connect to the one IP and expect to reach one or the
other. But in the typical use of IPsec Transport Mode with L2TP, it
is always the client generating the traffic so this solution works.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
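A diagnostic check for the situation Paul describes, added here as an example and not code from the thread or from libreswan: it parses `ip xfrm policy` output and reports selectors (src, dst, dir) that are installed more than once without a distinguishing mark, which is the clash behind "cannot install eroute". The sample output, the mark values and the 192.168.161.45 address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `ip xfrm policy` output (not a real capture). The first two
# "out" policies share a selector but carry distinct marks, as libreswan installs
# them with overlapip=yes and mark=-1/0xffffffff; the last two share a selector
# with no mark at all, so the kernel cannot tell them apart.
SAMPLE_XFRM_POLICY = """\
src 10.0.146.196/32 dst 192.168.161.44/32
    dir out priority 1042407 ptype main
    mark 0x3fd8/0xffffffff
src 10.0.146.196/32 dst 192.168.161.44/32
    dir out priority 1042407 ptype main
    mark 0x3fd9/0xffffffff
src 10.0.146.196/32 dst 192.168.161.45/32
    dir out priority 1042407 ptype main
src 10.0.146.196/32 dst 192.168.161.45/32
    dir out priority 1042407 ptype main
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\S+)")
MARK_RE = re.compile(r"^\s*mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, dir and mark."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            # A new policy record starts at an unindented "src ... dst ..." line.
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None, "mark": (0, 0)}
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur["dir"] = m.group(1)
        elif m := MARK_RE.match(line):
            value, mask = int(m.group(1), 16), int(m.group(2), 16)
            # Only the masked bits distinguish policies; mask 0 matches any mark.
            cur["mark"] = (value & mask, mask)
    return policies

def find_mark_clashes(policies):
    """Return (src, dst, dir) selectors installed more than once without a
    distinguishing mark, i.e. policies that clash in the kernel."""
    marks_by_selector = defaultdict(list)
    for p in policies:
        marks_by_selector[(p["src"], p["dst"], p["dir"])].append(p["mark"])
    return sorted(sel for sel, marks in marks_by_selector.items()
                  if len(set(marks)) < len(marks))
```

On a real gateway, feed it the output of `ip xfrm policy` and an empty result means every overlapping policy carries its own mark.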