[Swan] Basic configuration question

Ian Willis ian at checksum.net.au
Fri Dec 6 05:46:33 UTC 2019


Hi All

I have a pretty simple configuration; however, I don't appear to be able
to make it work.
I'm running the libreswan package on CentOS 8 on both ends.
I would like to initially use raw RSA keys; however, I can't make it work
with PSK either.
There is a host with a public IP address and a host on the private
network.
There is a small private network behind the public host which I would
like to have accessible; however, the basic IPsec link between the hosts
isn't coming up.


(private Network) <-> (IPSEC host) <-> (Internet) <-> (ISP NAT) <->
(Modem Nat) - (local network)

(10.19.96/20)- ((.5) chilli.buggerit.com. 203.43.75.103) <-> ISP <->
(router 192.168.1.1/24) <-> (IPSEC host)

###### Config public host
conn chilli-aluminium
    leftid=@west
    left=203.43.75.103
    # rsakey AwEAAacqb
    leftrsasigkey=0sAwEAAacqbh2Uq....
    rightid=@east
    right=%any
    # rsakey AwEAAd8j4
    rightrsasigkey=0sAwEAAd8j4dyx
    authby=rsasig

###### Config private host
conn chilli-aluminium
    rightid=@east
    right=%defaultroute
    # rsakey AwEAAd8j4
    rightrsasigkey=0sAwEAAd8j4dyx...
    leftid=@west
    left=203.43.75.103
    # rsakey AwEAAacqb
    leftrsasigkey=0sAwEAAacqbh2Uq...
    authby=rsasig

############
Log when connecting:

Dec  6 05:28:12 chilli pluto[20339]: | constructed local IKE proposals for chilli-aluminium (IKE SA responder matching remote proposals):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
Dec  6 05:28:12 chilli pluto[20339]: packet from 143.225.60.18:1011: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256 chosen from remote proposals
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match]
2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: IKEv2 mode peer ID is ID_FQDN: '@east'
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: Authenticated using RSA
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 43.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE
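As an added triage helper (not part of the original post or of libreswan itself), the script below parses the per-SA pluto lines of the kind quoted above and reports how far each IKE SA got before it stopped. The sample log embedded in it is constructed from the post's lines; TS_UNACCEPTABLE is the IKEv2 notification a responder returns when none of its Child SA policies match the initiator's proposed traffic selectors, so the verdict for that case points at the subnet settings.

```python
import re

# Constructed sample: the four per-SA pluto lines from the post, unwrapped.
SAMPLE_LOG = """\
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: IKEv2 mode peer ID is ID_FQDN: '@east'
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: Authenticated using RSA
Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 43.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE
"""

# Per-SA pluto lines look like: "conn"[instance] peer #sa: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) '
                     r'#(?P<sa>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r'encrypted notification (?P<notify>[A-Z_]+)')

def triage_pluto_log(text):
    """Map (conn, sa_number) -> how far that IKE SA got before it stopped."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # proposal dumps and other non-SA lines are skipped
        key = (m['conn'], int(m['sa']))
        s = sas.setdefault(key, {'peer': m['peer'], 'state': None, 'peer_id': None,
                                 'authenticated': False, 'notification': None})
        msg = m['msg']
        if msg.startswith('STATE_'):
            s['state'] = msg.split(':', 1)[0]
        elif 'peer ID is' in msg:
            s['peer_id'] = msg.rsplit(': ', 1)[-1].strip("'")
        elif msg.startswith('Authenticated using'):
            s['authenticated'] = True
        n = NOTIFY_RE.search(msg)
        if n:
            s['notification'] = n['notify']
    return sas

def explain(s):
    """Turn one SA summary into a one-line triage verdict."""
    if s['notification'] == 'TS_UNACCEPTABLE':
        return ('IKE SA up and peer %s authenticated, but the Child SA was refused: '
                'no local policy matched the peer\'s proposed traffic selectors '
                '(compare leftsubnet/rightsubnet on both ends)' % s['peer_id'])
    if s['notification']:
        return 'negotiation stopped with notification %s' % s['notification']
    if s['authenticated']:
        return 'peer %s authenticated, no error notification seen' % s['peer_id']
    return 'stuck at %s before authentication' % s['state']

if __name__ == '__main__':
    for (conn, sa), s in triage_pluto_log(SAMPLE_LOG).items():
        print('%s #%d from %s: %s' % (conn, sa, s['peer'], explain(s)))
```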
