[Swan] libreswan/racoon interoperability problem with NAT-T

Paul Wouters paul at nohats.ca
Wed Apr 19 00:12:33 UTC 2017


On Tue, 18 Apr 2017, Xinwei Hong wrote:

> Hi Paul,
> Sorry for taking a long time to get back (I was out of office last week). 
> 
> I have uploaded the latest log files at:
> https://file.town/download/7wt9a05p7mwym05mzr4dox4q7
> https://file.town/download/fxn6861zvcra5qu3q9cv9c3l0
> 
> On the non-natt'ed side, I see:
> 
> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no suitable connection for peer '10.0.3.3'
> 
> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: | vpn-5483483: complete v1 state transition with INVALID_ID_INFORMATION
> 
> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: sending encrypted notification INVALID_ID_INFORMATION to 199.204.218.98:500
> 
> It recognizes the IP 10.0.3.3 which is behind NAT on the other end. Tcpdump on the non-natt'ed side only sees packets from the public IP, not 10.0.3.3.

When behind NAT, try to avoid using IP addresses as IDs, because the
endpoint behind NAT would have to specify the public IP as its leftid=.

In this case 10.0.3.3 is NATed to 199.204.218.98 but it is using
leftid=10.0.3.3 (possibly because no leftid= is specified, which then
defaults to the IP address).

You can make up IDs as long as they are the same on both ends. For
literal strings, prefix with an @, e.g. leftid=@MyServer

Paul

> Thanks,
> Xinwei
> 
> On Sat, Apr 8, 2017 at 3:09 PM, Paul Wouters <paul at nohats.ca> wrote:
> > On Fri, 7 Apr 2017, Xinwei Hong wrote:
> >
> > > I just upgraded it to 3.20. I built libreswan without specifying any parameter. I don't need klips in my setting anyway. I also
> > > added virtual-private=%v4:10.0.0.0/8. Still not working.
> > > The NAT part, I'm not sure why you say that. I still see the same "no suitable connection for peer '10.0.3.3'" error, but I believe it's found inside of isakmp pkts.
> > > I did tcpdump on both
> > > machines, the ip was nat'ed. e.g. only see 10.0.3.3 on one side and 199.204.218.98 on the peer side.
> > >
> > > I can upload new log if needed.
> >
> > I can have a look if you upload new logs. But please do not use that
> > dropbox API because I cannot search and scroll through that. A link to
> > the actual files would be better so I can download these and have a
> > look.
> >
> > Paul
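As an added example (not from Paul's reply or from the libreswan project), this is what the change he describes looks like in ipsec.conf: both ends use literal @-prefixed IDs, so the host behind NAT is matched on its name and not on its private 10.0.3.3 address that never appears on the wire. The non-NAT side's address 203.0.113.10, the subnets and the conn/ID names are placeholders.

```ini
# Host behind NAT: its private 10.0.3.3 is rewritten to 199.204.218.98 by the
# NAT device, so an address-derived ID would never match what the peer expects.
# A literal ID survives NAT unchanged.
conn branch-to-hq
    left=%defaultroute
    # literal ID (sent as an FQDN ID payload), not an IP address
    leftid=@branch-gw
    # placeholder: network behind the NATed host
    leftsubnet=10.0.0.0/24
    # placeholder: public address of the non-NAT side
    right=203.0.113.10
    rightid=@hq-gw
    # placeholder: network behind the non-NAT side
    rightsubnet=192.168.1.0/24
    authby=secret
    auto=start

# Non-NAT side: the peer may arrive from any address; it is selected by rightid=,
# which must be the same literal string as leftid= on the NATed host.
conn hq-to-branch
    # placeholder: this host's public address
    left=203.0.113.10
    leftid=@hq-gw
    leftsubnet=192.168.1.0/24
    # peer address is taken from the incoming IKE packet (the NAT's public IP)
    right=%any
    rightid=@branch-gw
    rightsubnet=10.0.0.0/24
    authby=secret
    auto=add
```

With IKEv1 main mode the responder has to pick the PSK before it has seen the peer's ID, so the matching ipsec.secrets entry stays keyed by address, e.g. `203.0.113.10 %any : PSK "..."`, while the @ IDs are what the conn is matched on. On a racoon peer the equivalent of the @ form is `my_identifier fqdn "branch-gw";` in its remote block.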

