Hello everyone, I am trying to configure IPsec with the hwdsl2 scripts for IPsec+XAuth. Immediately after installation everything works without problems, but I need to connect multiple clients from the same NAT network, and for this I specified in the configuration file the options mark=-1 (-1/0xffffffffff) and overlap=yes. This leads to the client being able to successfully connect to the server, but nothing else works. The command "ip xfrm pol" shows that the mark is present on the packets; the counters for SNAT/MASQUERADE do not grow (command "iptables -L -n -v -t nat"). Can anyone advise what could be the problem?
journalctl shows nothing interesting. I ran pluto with the --debug-all option and there is also nothing interesting to help.

# ip xfrm pol
src 0.0.0.0/0 dst 10.3.0.50/32
	dir out priority 2097087
	mark 0x10003/0xffffffff
	tmpl src XXX dst YYY
		proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
	dir fwd priority 2097087
	mark 0x10003/0xffffffff
	tmpl src YYY dst XXX
		proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
	dir in priority 2097087
	mark 0x10003/0xffffffff
	tmpl src YYY dst XXX
		proto esp reqid 16409 mode tunnel

# ip xfr state
src YYY dst XXX
	proto esp spi 0x1bcdfa26 reqid 16409 mode tunnel
	replay-window 32 flag nopmtudisc af-unspec
	auth-trunc hmac(sha512) 0x1c8e4fcc469456e7fedecab78078325f4e9040993c04f4537b5906f4c1bef6fdc771d2ae8176086adfe5a468145ba870650dd5cc49af3c868efda0fe95dad676 256
	enc cbc(aes) 0xc861312bdc0cc17bab5f47f550fa6e5652a12f12346764ab10238f54381dc259
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x2c5, oseq 0x0, bitmap 0xffffffff
src XXX dst YYY
	proto esp spi 0x061e9419 reqid 16409 mode tunnel
	replay-window 32 flag nopmtudisc af-unspec
	auth-trunc hmac(sha512) 0x43956b137d4ab7e067942baa4c890d72c9f554f8dbf79a834834a2b68c729f3c997e4e053136ea5d9b6b7c7a7c548b6d9624a965c481b0b3c9c33d9f852a101d 256
	enc cbc(aes) 0x9917fb528520305dc825f04a44a5c72a6d24ceaea25fed3e7fcf1c8827a3abe6
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

version 2.0

config setup
	virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.2.0.0/24,%v4:!10.3.0.0/24
	protostack=netkey
	interfaces=%defaultroute
	uniqueids=no

conn shared
	left=%defaultroute
	leftid=XXX
	right=%any
	encapsulation=yes
	authby=secret
	pfs=no
	rekey=no
	keyingtries=5
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	ikev2=never
	ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
	phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
	sha2-truncbug=no

conn l2tp-psk
	auto=add
	leftprotoport=17/1701
	rightprotoport=17/%any
	type=transport
	phase2=esp
	also=shared

conn xauth-psk
	auto=add
	leftsubnet=0.0.0.0/0
	rightaddresspool=10.3.0.50-10.3.0.250
	modecfgdns="8.8.8.8 8.8.4.4"
	leftxauthserver=yes
	rightxauthclient=yes
	leftmodecfgserver=yes
	rightmodecfgclient=yes
	modecfgpull=yes
	xauthby=file
	fragmentation=yes
	cisco-unity=yes
	also=shared
	mark=-1
	overlap=yes
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
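As an added example (my own code, not part of the post above and not Libreswan's or hwdsl2's), here is a small Python script that reads the "ip xfrm policy" and "ip xfrm state" output quoted in the post and summarises, per reqid, which policy directions exist, which fwmark/mask they require a packet to carry, and how far each SA's sequence counters have advanced. The sample input is the post's own output with XXX/YYY kept as placeholders and the key lines left out; SERVER = "XXX" is an assumption that XXX is the server's own address (the leftid in the config).

```python
import re

# Constructed sample input: the post's "ip xfrm policy" / "ip xfrm state" output
# with the auth/enc key lines omitted. XXX is assumed to be the server address
# (leftid in ipsec.conf), YYY the NATed client, exactly as the post wrote them.
SERVER = "XXX"

POLICY_OUTPUT = """\
src 0.0.0.0/0 dst 10.3.0.50/32
    dir out priority 2097087
    mark 0x10003/0xffffffff
    tmpl src XXX dst YYY
        proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
    dir fwd priority 2097087
    mark 0x10003/0xffffffff
    tmpl src YYY dst XXX
        proto esp reqid 16409 mode tunnel
src 10.3.0.50/32 dst 0.0.0.0/0
    dir in priority 2097087
    mark 0x10003/0xffffffff
    tmpl src YYY dst XXX
        proto esp reqid 16409 mode tunnel
"""

STATE_OUTPUT = """\
src YYY dst XXX
    proto esp spi 0x1bcdfa26 reqid 16409 mode tunnel
    replay-window 32 flag nopmtudisc af-unspec
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x2c5, oseq 0x0, bitmap 0xffffffff
src XXX dst YYY
    proto esp spi 0x061e9419 reqid 16409 mode tunnel
    replay-window 32 flag nopmtudisc af-unspec
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

HEX = r"(0x[0-9a-fA-F]+)"


def split_records(text):
    """ip xfrm prints one record per unindented 'src ... dst ...' line followed by
    indented detail lines; flatten every record into one string for regex matching."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("src ") and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


def parse_policies(text):
    policies = []
    for rec in split_records(text):
        ends = re.match(r"src (\S+) dst (\S+)", rec)
        mark = re.search(r"\bmark " + HEX + "/" + HEX, rec)
        reqid = re.search(r"\breqid (\d+)", rec)
        policies.append({
            "src": ends.group(1), "dst": ends.group(2),
            "dir": re.search(r"\bdir (\w+)", rec).group(1),
            # a marked policy only matches packets whose skb mark & mask == mark
            "mark": (int(mark.group(1), 16), int(mark.group(2), 16)) if mark else None,
            "reqid": int(reqid.group(1)) if reqid else None,
        })
    return policies


def parse_states(text):
    states = []
    for rec in split_records(text):
        ends = re.match(r"src (\S+) dst (\S+)", rec)
        ctr = re.search(r"\bseq " + HEX + r", oseq " + HEX, rec)
        states.append({
            "src": ends.group(1), "dst": ends.group(2),
            "spi": int(re.search(r"\bspi " + HEX, rec).group(1), 16),
            "reqid": int(re.search(r"\breqid (\d+)", rec).group(1)),
            "seq": int(ctr.group(1), 16),   # highest inbound ESP sequence accepted
            "oseq": int(ctr.group(2), 16),  # last outbound ESP sequence emitted
            "marked": bool(re.search(r"\bmark " + HEX, rec)),
        })
    return states


def diagnose(policy_text, state_text, server):
    """Group policies and SAs by reqid: directions present, marks demanded, and
    packets seen on the inbound (dst == server) and outbound (src == server) SA."""
    report = {}

    def entry(reqid):
        return report.setdefault(reqid, {"dirs": set(), "marks": set(),
                                         "rx_seq": 0, "tx_seq": 0, "sa_marked": False})

    for p in parse_policies(policy_text):
        e = entry(p["reqid"])
        e["dirs"].add(p["dir"])
        if p["mark"]:
            e["marks"].add(p["mark"])
    for s in parse_states(state_text):
        e = entry(s["reqid"])
        e["sa_marked"] |= s["marked"]
        if s["dst"] == server:    # peer -> server SA: seq moves on every packet decrypted
            e["rx_seq"] = s["seq"]
        elif s["src"] == server:  # server -> peer SA: oseq moves on every packet encrypted
            e["tx_seq"] = s["oseq"]
    return report


def findings(report):
    """Turn the per-reqid counters into plain-language observations."""
    notes = []
    for reqid, e in sorted(report.items()):
        for mark, mask in sorted(e["marks"]):
            notes.append("reqid %d: %s policies only match packets carrying fwmark %#x/%#x"
                         % (reqid, "/".join(sorted(e["dirs"])), mark, mask))
        if e["marks"] and not e["sa_marked"]:
            notes.append("reqid %d: policies carry a mark but the SAs show none" % reqid)
        if e["rx_seq"] and not e["tx_seq"]:
            notes.append("reqid %d: inbound SA accepted packets up to seq %#x but the outbound "
                         "SA has sent nothing (oseq 0): replies never enter the tunnel"
                         % (reqid, e["rx_seq"]))
    return notes


if __name__ == "__main__":
    for line in findings(diagnose(POLICY_OUTPUT, STATE_OUTPUT, SERVER)):
        print(line)
```

Run it on the post's data and it reports that every policy for reqid 16409 demands fwmark 0x10003/0xffffffff, that the SAs themselves show no mark, and that the client-to-server SA has decrypted packets (seq 0x2c5) while the server-to-client SA has never encrypted one (oseq 0). That last point is consistent with the NAT counters not moving: decrypted packets are arriving, but nothing is being forwarded and sent back. On the box itself the next things to read are /proc/net/xfrm_stat (XfrmInNoPols or XfrmInTmplMismatch climbing while the inbound seq advances means decrypted packets are failing the policy lookup) and "iptables -t mangle -L -n -v", since a marked out/fwd policy can only match traffic that something in the mangle table has actually marked.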
