[Openswan Users] "cannot install eroute" occurs for Mac OSX users behind same NAT (v2.6.33)

Richard Schmidt huntingtonsurfca at gmail.com
Wed May 18 13:23:54 EDT 2011

Reinstalled v2.6.32. As I thought: Mac OSX users can connect from behind the same NAT using NETKEY.

I'm going to have to go with my previous assumption that ignoring the right subnet with the workaround prevents distinguishing connections from the same IP ("eroute in use"). 

The workaround solved my previous problem of reconnecting clients after the tunnel shutdown several hours ago (like 12-24 hours); getting the xl2tpd error "attempting to reuse tunnel". My pluto logs were looking exactly like the ones mentioned with the workaround so I didn't look further into it, but I can recreate the problem if that would help to have a log of my previous (v32 and lower) problem.

As it is though, v2.6.33's Mac OSX workaround works well as long as you only have one user on the IP at a time. Concurrent users are a no-go.

Is there anything I can do to give some better information about either problem? This started as an OSX peculiarity didn't it? Maybe there's a bug filed with them that I can track down.

Richard Schmidt

On May 17, 2011, at 4:41 PM, Paul Wouters wrote:

> On Tue, 17 May 2011, Richard Schmidt wrote:
>> I think when the OSX workaround was applied (in .33 I believe), it broke functionality for multiple Mac OSX users behind NAT.
> Could you confirm that with a test? My guess would be the two events are not related,
> but we use KLIPS and SAref to handle the multiple NAT cases as shown in
> http://www.openswan.org/docs/ipsecsaref.png
>> I've provided a transcript of the pluto log. Perhaps you can shed some light on how to fix this? I think SAref tracking was mentioned in an ancient email involving eroute, except I wouldn't know how to go about doing that for road-warriors on cellular data networks.
> You would need to run an SAref patched kernel with a regular KLIPS module, and use
> protostack=mast in config setup and overlapip=yes in the l2tp connection definition.
> We do provide some binaries for ubuntu based kernel with SAref and for rhel6beta kernels
> (rhel5 /centos5 kernels are based on 2.6.18 and not supported with the SAref patch, though
> it should work fine for the elrepo.org 2.6.38 based rhel5/centos5 kernels)
> I thought (but I could be wrong!) that NETKEY did handle the two clients behind the same
> NAT correctly, but not the two client on same internal IP behind different NAT routers.
> Paul

More information about the Users mailing list