[Swan] What's a "usable" IP?

Paul Wouters paul at nohats.ca
Mon Sep 11 16:13:37 UTC 2017


On Mon, 11 Sep 2017, Whit Blauvelt wrote:

> On Mon, Sep 11, 2017 at 11:01:26AM -0400, Paul Wouters wrote:
>> On Mon, 11 Sep 2017, Whit Blauvelt wrote:
>
>>> Sep 11 09:54:20 nyfw1 pluto[9960]: adding interface enp2s0f1/enp2s0f1 <public IP>:500
>>> Sep 11 09:54:20 nyfw1 pluto[9960]: adding interface enp2s0f1/enp2s0f1 <public IP>:4500
>
>> If the IP was added after pluto was started, run "ipsec whack --listen"
>
> Thanks Paul. The IP was there before pluto was started, but I tried "ipsec
> whack --listen" anyway.
>
> Still the same. The two lines above show, so it's finding the IP, but then:
>
>  Sep 11 11:07:26 nyfw1 pluto[6124]: "amazonwest": We cannot identify ourselves with either end of this connection.  172.17.10.3 or <public IP> are not usable
>
> Is there any way to override pluto and force it to accept the IP as usable?

Well, if the IP is not local on the machine, it cannot be used to build
a packet with that source address.

If you are on dynamic IP, you probably want to use left=%defaultroute
instead. If you are behind NAT, you need to use the local IP configured
on the host (not the public IP used on the upstream NAT gateway) as
your left= but you might then want to use leftid=publicip.

Paul
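
As an added illustration of the two points in the reply above (this is an
example written for this page, not configuration from the original thread or
from the libreswan project), here is an ipsec.conf conn as it would fail
orientation, followed by the corrected form. The local address 172.17.10.3
is the one from the log line quoted above; 192.0.2.10 stands in for the
"<public IP>" placeholder on the NAT gateway and 203.0.113.5 is a constructed
address for the remote peer, so both are assumptions.

```ini
# BROKEN: left= is the upstream NAT gateway's public address. That address is
# not configured on any local interface, so pluto cannot build packets from it
# and logs "We cannot identify ourselves with either end of this connection".
conn amazonwest-broken
    left=192.0.2.10          # constructed stand-in for <public IP>; not local
    right=203.0.113.5        # constructed remote peer address
    authby=secret
    auto=add

# FIXED (host behind NAT): left= is the address actually configured on the
# host, as shown in the "adding interface" log lines, and leftid= carries the
# public address so the peer still sees the identity it expects.
conn amazonwest
    left=172.17.10.3         # local address from the log line above
    leftid=192.0.2.10        # constructed stand-in for the public IP identity
    right=203.0.113.5        # constructed remote peer address
    authby=secret
    auto=add

# FIXED (dynamic address): let pluto pick the interface on the default route
# instead of hard-coding an address that may change.
conn amazonwest-dynamic
    left=%defaultroute
    leftid=192.0.2.10        # constructed stand-in for the public IP identity
    right=203.0.113.5        # constructed remote peer address
    authby=secret
    auto=add
```

The quick check before editing the config is to confirm that whatever you put
in left= appears in the "adding interface" lines pluto logs at startup (or
after "ipsec whack --listen"); if it does not, pluto will not orient the
connection no matter what else is set.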

