[Swan] libreswan/racoon interoperability problem with NAT-T

Xinwei Hong xhong at skytap.com
Wed Apr 19 04:09:14 UTC 2017


Thank you Paul. It's finally working now.
One more question: is virtual_private required? When I omit it, things
are still working in my setting. What's the default behavior when it's
missing? I cannot find it in the man page of ipsec.conf.

Thanks,
Xinwei

On Tue, Apr 18, 2017 at 5:12 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 18 Apr 2017, Xinwei Hong wrote:
>
>> Hi Paul,
>> Sorry for taking a long time to get back (I was out of office last week).
>>
>> I have uploaded the latest log files at:
>> https://file.town/download/7wt9a05p7mwym05mzr4dox4q7
>> https://file.town/download/fxn6861zvcra5qu3q9cv9c3l0
>>
>> On the non-natt'ed side, I see:
>>
>> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483:
>> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2:
>> no suitable connection for peer '10.0.3.3'
>>
>> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: | vpn-5483483: complete v1
>> state transition with INVALID_ID_INFORMATION
>>
>> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483:
>> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2:
>> sending encrypted notification INVALID_ID_INFORMATION to
>> 199.204.218.98:500
>>
>> It recognizes the ip 10.0.3.3 which is behind NAT on the other end.
>> Tcpdump on non-natt'ed side only see packets from the public IP, not
>> 10.0.3.3
>>
>
> When behind NAT, try avoiding using IP addresses as ID's because the
> endpoint behind NAT would have to specify the public IP as its leftid=
>
> In this case 10.0.3.3 is NATed to 199.204.218.98 but it is using a
> leftid=10.0.3.3 (possibly because no leftid= is specified, which then
> defaults to the IP address).
>
> You can make up ID's as long as they are the same on both ends. For
> literal strings, prefix with an @, e.g. leftid=@MyServer
>
> Paul
>
>> Thanks,
>> Xinwei
>>
>> On Sat, Apr 8, 2017 at 3:09 PM, Paul Wouters <paul at nohats.ca> wrote:
>>> On Fri, 7 Apr 2017, Xinwei Hong wrote:
>>>
>>>> I just upgraded it to 3.20. I built libreswan without specifying any
>>>> parameter. I don't need klips in my setting anyway. I also added
>>>> virtual-private=%v4:10.0.0.0/8. Still not working.
>>>> The NAT part, I'm not sure why you say that. I still see the same
>>>> "no suitable connection for peer '10.0.3.3'" error, but I believe it's
>>>> found inside of isakmp pkts.
>>>> I did tcpdump on both machines, the ip was nat'ed, e.g. only see 10.0.3.3
>>>> on one side and 199.204.218.98 on the peer side.
>>>>
>>>> I can upload new log if needed.
>>>
>>> I can have a look if you upload new logs. But please do not use that
>>> dropbox API because I cannot search and scroll through that. A link to
>>> the actual files would be better so I can download these and have a
>>> look.
>>>
>>> Paul
>>
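
The ID mismatch Paul describes, shown as a libreswan ipsec.conf on the side that is not behind NAT. This is an added example, not configuration from the thread or from the libreswan project. The addresses 10.0.3.3 and 199.204.218.98, the 10.0.0.0/24 remote subnet (taken from the connection name in the log) and the virtual-private range come from the thread; the local subnet, the @-IDs, PSK authentication and the connection names are assumptions. The racoon peer must present the same literal identifier as its own ID for the corrected form to match.

```ini
# Added example (not from the thread): libreswan side, public address, no NAT.
config setup
    # the NAT'd peer's private address 10.0.3.3 falls in this range
    # (value from the thread; whether it is required is not settled here)
    virtual-private=%v4:10.0.0.0/8

# Weak form, matching what the thread shows failing: no leftid/rightid, so
# each end identifies itself by its own IP. The NAT'd peer sends ID 10.0.3.3
# while its packets arrive from 199.204.218.98, and pluto logs
# "no suitable connection for peer '10.0.3.3'" and INVALID_ID_INFORMATION.
conn weak-tunnel
    left=%defaultroute
    leftsubnet=10.69.244.0/24        # assumed local subnet
    right=199.204.218.98             # peer's public (post-NAT) address
    rightsubnet=10.0.0.0/24          # from the conn name in the thread
    authby=secret                    # assumed PSK authentication
    ikev2=no                         # racoon peer speaks IKEv1
    auto=add

# Corrected form: literal IDs prefixed with '@', identical on both ends, so
# the ID no longer depends on which address NAT shows to the other side.
conn natt-tunnel
    left=%defaultroute
    leftid=@vpn-gateway              # assumed name; racoon must use it as peer ID
    leftsubnet=10.69.244.0/24        # assumed local subnet
    right=199.204.218.98             # peer's public (post-NAT) address
    rightid=@natted-peer             # assumed name; racoon must send it as its own ID
    rightsubnet=10.0.0.0/24          # from the conn name in the thread
    authby=secret                    # assumed PSK authentication
    ikev2=no                         # racoon peer speaks IKEv1
    auto=add
```

With the @-IDs in place, a packet from 199.204.218.98 carrying ID @natted-peer matches natt-tunnel regardless of the private address behind the NAT, which is the condition the log lines in the thread were failing.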