[Swan] Basic configuration question

Paul Wouters paul at nohats.ca
Fri Dec 6 19:25:08 UTC 2019


On Fri, 6 Dec 2019, Ian Willis wrote:

> Date: Fri, 6 Dec 2019 00:46:33
> From: Ian Willis <ian at checksum.net.au>
> To: swan at lists.libreswan.org
> Subject: [Swan] Basic configuration question
> 
> Hi All
> 
> I have a pretty simple configuration; however, I don't appear to be able to make it work.
> I'm running the libreswan package on CentOS 8 on both ends.
> I would like to initially use raw RSA keys, however I can't make it work with PSK either.
> There is a host with a public IP address and a host on the private network.
> There is a small private network behind the public host which I would like to have accessible; however, the basic
> ipsec link between the hosts isn't coming up.
> 
> 
> (private Network) <-> (IPSEC host) <-> (Internet) <-> (ISP NAT) <-> (Modem Nat) - (local network)
> 
> (10.19.96/20)- ((.5) chilli.buggerit.com. 203.43.75.103) <-> ISP <-> (router 192.168.1.1/24) <-> (IPSEC host)
> 
> ###### Config public host
> conn chilli-aluminium
>     leftid=@west
>     left=203.43.75.103
>     # rsakey AwEAAacqb
>     leftrsasigkey=0sAwEAAacqbh2Uq....
>     rightid=@east
>     right=%any
>     # rsakey AwEAAd8j4
>     rightrsasigkey=0sAwEAAd8j4dyx
>     authby=rsasig

Here you would want to add leftsubnet=10.19.96/20 but you would also
want something static for rightsubnet=. For example if your (IPSEC host)
is 192.168.1.13 on a static IP, you could use
rightsubnet=192.168.1.13/32

> ###### Config private host
> conn chilli-aluminium
>     rightid=@east
>     right=%defaultroute
>     # rsakey AwEAAd8j4
>     rightrsasigkey=0sAwEAAd8j4dyx...
>     leftid=@west
>     left=203.43.75.103
>     # rsakey AwEAAacqb
>     leftrsasigkey=0sAwEAAacqbh2Uq...
>     authby=rsasig

You would add the subnets here too.

> Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 143.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE

You get this because your TS (traffic selectors) are not acceptable. The
way the server is now set up, it will only allow right=postNAT-IP, but
your client is proposing with its preNAT IP.

Paul
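To make the TS_UNACCEPTABLE explanation above concrete, here is a small added model of how an IKEv2 responder narrows the initiator's proposed traffic selectors against its conn; it is illustrative code written for this thread, not libreswan's own logic. It assumes one CIDR per side, that an unset leftsubnet/rightsubnet defaults to the host address as a /32, and that the client behind the NAT is 192.168.1.13 as in the example above.

```python
from ipaddress import IPv4Network, ip_network
from typing import Dict, Optional, Tuple

# Model of the responder-side TS check; the conn dicts below mirror the
# ipsec.conf keys from the thread (constructed data, not a running system).


def conn_selectors(conn: Dict[str, str]) -> Tuple[IPv4Network, IPv4Network]:
    """Return (local_ts, remote_ts) as the responder (left) derives them.

    With right=%any the remote address is whatever the peer connected
    from, i.e. its post-NAT address (modelled as conn['observed_right']).
    An unset *subnet defaults to the host address itself as a /32.
    """
    left = conn["left"]
    right = conn["observed_right"] if conn["right"] == "%any" else conn["right"]
    local_ts = ip_network(conn.get("leftsubnet", f"{left}/32"), strict=False)
    remote_ts = ip_network(conn.get("rightsubnet", f"{right}/32"), strict=False)
    return local_ts, remote_ts


def narrow(proposed: IPv4Network, allowed: IPv4Network) -> Optional[IPv4Network]:
    """Narrow a proposed TS to the configured one; None means no overlap."""
    if proposed.subnet_of(allowed):
        return proposed
    if allowed.subnet_of(proposed):
        return allowed
    return None


def respond(conn: Dict[str, str], tsi: str, tsr: str) -> str:
    """Responder decision for a peer proposing TSi (its side) and TSr (ours)."""
    local_ts, remote_ts = conn_selectors(conn)
    ok_i = narrow(ip_network(tsi, strict=False), remote_ts)
    ok_r = narrow(ip_network(tsr, strict=False), local_ts)
    if ok_i is None or ok_r is None:
        return "TS_UNACCEPTABLE"
    return f"CHILD_SA {ok_i} <-> {ok_r}"


# Addresses from the thread; the public host sees the client at its post-NAT IP.
BASE = {"left": "203.43.75.103", "right": "%any", "observed_right": "143.225.60.18"}
AS_POSTED = dict(BASE)  # no leftsubnet/rightsubnet, as in the original config
FIXED = dict(BASE, leftsubnet="10.19.96.0/20", rightsubnet="192.168.1.13/32")

if __name__ == "__main__":
    # The client proposes its pre-NAT /32, which the server's default
    # rightsubnet (143.225.60.18/32) does not overlap.
    print(respond(AS_POSTED, "192.168.1.13/32", "203.43.75.103/32"))  # TS_UNACCEPTABLE
    print(respond(FIXED, "192.168.1.13/32", "10.19.96.0/20"))
```

Note that the page's shorthand 10.19.96/20 is written out as 10.19.96.0/20 here because Python's ipaddress module does not accept the abbreviated form.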

