I did another two rounds of tests.

In the 1st round, I only put "mark=-1" in ipsec.conf on the server side. After "service ipsec restart", neither of the 2 private clients can reach the public server.

In the 2nd round, I only put "mark=0xffffffff" in ipsec.conf on the server side. After "service ipsec restart", neither of the 2 private clients can reach the public server either.

Thanks

________________________________
From: Swan <[email protected]> on behalf of Hao Chen <[email protected]>
Sent: Tuesday, October 31, 2017 13:00
To: Paul Wouters
Cc: [email protected]
Subject: Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

Thanks for your quick response. Happy Halloween to the whole community!

This time, I added "mark=-1/0xfffffffff" & "overlapip=yes" in ipsec.conf on the public server side, and did nothing else on the server side. Though "mark" is NOT listed in https://libreswan.org/man/ipsec.conf.5.html, "service ipsec restart" does *NOT* complain of any error, so libreswan accepts it. Even with that, the public server still cannot accept 2 private clients behind the NAT GW simultaneously, unfortunately.... Worse, the IPsec channel is totally broken (unreachable for both private clients) after I added "mark=-1/0xfffffffff" in ipsec.conf on the server side. But after I comment out "mark=-1/0xfffffffff", it restores; I mean, only 1 private client behind NAT can reach the public server side.
The ipsec.conf on the public server for private client 1 is:
============================================
[root@xcvms196 configs]# more ip4tran16135-44_146196-196to35.conf
conn 196to35
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=tunnel # no matter it is tunnel or transport in here
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=10.0.146.196
    left=10.0.146.196
    # remote
    rightid=192.168.161.35
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    overlapip=yes
    mark=-1/0xfffffffff
    ## Misc
    auto=start

The ipsec.conf on the public server for private client 2 is:
============================================
[root@xcvms196 configs]# more ip4tran16135-44_146196-196to44.conf
conn 196to44
    ike=aes256-md5;modp1536
    authby=secret
    aggrmode=no
    ikelifetime=14409s
    ikev2=yes
    phase2=esp
    type=tunnel # no matter it is tunnel or transport in here
    pfs=yes
    rekey=yes
    rekeymargin=540s
    phase2alg=3des,aes256-md5;modp1536
    salifetime=3600s
    # local
    leftid=10.0.146.196
    left=10.0.146.196
    # remote
    rightid=192.168.161.44
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    # overlapip=yes
    mark=-1/0xfffffffff

Thanks and regards
Hao Chen

________________________________
From: Paul Wouters <[email protected]>
Sent: Monday, October 30, 2017 23:45
To: Hao Chen
Cc: [email protected]
Subject: Re: [Swan] Does libreswan v3.20 support multiple clients behind NAT to communicate with public server simultaneously?

On Tue, 31 Oct 2017, Hao Chen wrote:

> I still cannot let 2 private clients behind NAT communicate with the public server
> simultaneously. Can you please help me?

Did you try the -1 mark that causes unique marks in the XFRM policy per client, with overlapip=yes set?
It should need no custom iptables rules. That should work. If not, you should let us know what specific errors or problems you are seeing.

The reqids should then also automatically get generated and be unique per client. Setting them manually is almost never the right solution.

All of this only needs to happen on the server side. The client side needs no marking or anything odd, because it has no conflicts itself.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
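The following is an added example for this thread; it is not libreswan's code and not the posters' own configuration. It puts the server-side setup Paul describes into one file: both conns share right= (the NAT gateway) and rightsubnet=, which is exactly the overlap that needs overlapip=yes, and mark=-1 asks libreswan for a distinct mark per conn (a fixed value such as mark=0xffffffff is the same for both conns and so cannot separate them). Addresses, ids, cipher and lifetime lines are copied from the posted configs; the mask is assumed to be the 32-bit 0xffffffff, since the kernel fwmark is a 32-bit value and the nine-f mask in the posted configs does not fit in it. The second part is a check a practitioner would run after "ipsec restart": it parses text in the shape of `ip xfrm policy` output and reports overlapping selectors that did not end up with distinct, non-zero marks. The sample policy text is constructed for the example, not captured from a host, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the libreswan thread or project.
# 1) server_conf: server-side ipsec.conf for two clients behind one NAT.
# 2) check_unique_marks: read `ip xfrm policy` text on stdin, exit 0 only
#    if every selector shared by several policies uses distinct marks.

server_conf() {
cat <<'EOF'
conn %default
    ikev2=yes
    authby=secret
    aggrmode=no
    type=tunnel
    ike=aes256-md5;modp1536
    phase2=esp
    phase2alg=3des,aes256-md5;modp1536
    pfs=yes
    rekey=yes
    ikelifetime=14409s
    salifetime=3600s
    rekeymargin=540s
    # local
    left=10.0.146.196
    leftid=10.0.146.196
    # remote: both clients sit behind the same NAT gateway and claim the
    # same subnet, so right= and rightsubnet= are identical for both conns
    right=10.0.161.34
    rightsubnet=192.168.161.0/24
    overlapip=yes
    # -1 asks libreswan for a distinct mark per conn; the mask is the full
    # 32-bit fwmark (assumed here; the thread's config used nine f's)
    mark=-1/0xffffffff

conn 196to35
    rightid=192.168.161.35
    auto=start

conn 196to44
    rightid=192.168.161.44
    auto=start
EOF
}

# Print one line per policy: "<src> <dst> <dir> <mark>" ("-" when unmarked).
policy_marks() {
    awk '
        function flush() { if (src != "") print src, dst, dir, mark }
        $1 == "src"  { flush(); src = $2; dst = $4; dir = "?"; mark = "-" }
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { split($2, m, "/"); mark = m[1] }
        END { flush() }
    '
}

# Exit 1 and name the offenders if two policies for the same (src,dst,dir)
# reuse a mark or one of them is unmarked (mark 0/0 matches every packet).
check_unique_marks() {
    policy_marks | awk '
        {
            key = $1 " " $2 " " $3
            count[key]++
            if ($4 == "-" || $4 == "0x0") unmarked[key]++
            dup[key " " $4]++
        }
        END {
            bad = 0
            for (k in count)
                if (count[k] > 1 && unmarked[k] > 0) { print "unmarked policy among overlapping selectors: " k; bad = 1 }
            for (p in dup)
                if (dup[p] > 1) { print "mark reused for overlapping selectors: " p; bad = 1 }
            exit bad
        }
    '
}

# Constructed samples in the shape of `ip xfrm policy` output (not real captures).
# Two conns for the same selector, each with its own mark: what -1 should yield.
SAMPLE_UNIQUE='src 10.0.146.196/32 dst 192.168.161.0/24
    dir out priority 1042407 ptype main
    mark 0x1/0xffffffff
    tmpl src 10.0.146.196 dst 10.0.161.34
        proto esp reqid 16389 mode tunnel
src 10.0.146.196/32 dst 192.168.161.0/24
    dir out priority 1042407 ptype main
    mark 0x2/0xffffffff
    tmpl src 10.0.146.196 dst 10.0.161.34
        proto esp reqid 16393 mode tunnel'

# Same selector twice, second policy unmarked: the clash the thread hits.
SAMPLE_CLASH='src 10.0.146.196/32 dst 192.168.161.0/24
    dir out priority 1042407 ptype main
    mark 0x1/0xffffffff
    tmpl src 10.0.146.196 dst 10.0.161.34
        proto esp reqid 16389 mode tunnel
src 10.0.146.196/32 dst 192.168.161.0/24
    dir out priority 1042407 ptype main
    tmpl src 10.0.146.196 dst 10.0.161.34
        proto esp reqid 16393 mode tunnel'

case "${1:-}" in
    conf)  server_conf ;;          # sh nat-marks.sh conf > /etc/ipsec.d/nat-clients.conf
    check) check_unique_marks ;;   # ip xfrm policy | sh nat-marks.sh check
    *)     : ;;
esac
```

Run `sh nat-marks.sh conf` to emit the config and, after restarting libreswan on the server, `ip xfrm policy | sh nat-marks.sh check` to confirm the two conns really received different marks; a non-zero exit with an "unmarked" or "reused" line is the symptom to report back to the list, together with the policy dump.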
