[Swan] libreswan/racoon interoperability problem with NAT-T

Xinwei Hong xhong at skytap.com
Tue Apr 18 23:32:04 UTC 2017


Hi Paul,

Sorry for taking a long time to get back (I was out of office last week).

I have uploaded the latest log files at:
https://file.town/download/7wt9a05p7mwym05mzr4dox4q7
https://file.town/download/fxn6861zvcra5qu3q9cv9c3l0

On the non-natt'ed side, I see:

Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no suitable connection for peer '10.0.3.3'

Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: | vpn-5483483: complete v1 state transition with INVALID_ID_INFORMATION

Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: sending encrypted notification INVALID_ID_INFORMATION to 199.204.218.98:500

It recognizes the IP 10.0.3.3, which is behind NAT on the other end. Tcpdump
on the non-natt'ed side only sees packets from the public IP, not 10.0.3.3.

Thanks,
Xinwei






On Sat, Apr 8, 2017 at 3:09 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 7 Apr 2017, Xinwei Hong wrote:
>
>> I just upgraded it to 3.20. I built libreswan without specifying any
>> parameter. I don't need klips in my setting anyway. I also
>> added virtual-private=%v4:10.0.0.0/8. Still not working.
>> The NAT part, I'm not sure why you say that. I still see same
>> "no suitable connection for peer '10.0.3.3'" error, but I believe it's
>> found inside of isakmp pkts. I did tcpdump on both
>> machines, the ip was nat'ed. e.g. only see 10.0.3.3 on one side
>> and 199.204.218.98 on the peer side.
>>
>> I can upload new log if needed.
>>
>
> I can have a look if you upload new logs. But please do not use that
> dropbox API because I cannot search and scroll through that. A link to
> the actual files would be better so I can download these and have a
> look.
>
> Paul
>