[Swan] Basic configuration question
Paul Wouters
paul at nohats.ca
Fri Dec 6 19:25:08 UTC 2019
On Fri, 6 Dec 2019, Ian Willis wrote:
> Date: Fri, 6 Dec 2019 00:46:33
> From: Ian Willis <ian at checksum.net.au>
> To: swan at lists.libreswan.org
> Subject: [Swan] Basic configuration question
>
> Hi All
>
> I have a pretty simple configuration; however, I don't appear to be able to make it work.
> I'm running the libreswan package on Centos8 on both ends.
> I would like to initially use raw RSA keys, however I can't make it work with PSK either.
> There is a host with a public IP address and a host on the private network.
> There is a small private network behind the public host which I would like to have accessible; however, the basic
> ipsec link between the hosts isn't coming up.
>
>
> (private Network) <-> (IPSEC host) <-> (Internet) <-> (ISP NAT) <-> (Modem Nat) - (local network)
>
> (10.19.96/20)- ((.5) chilli.buggerit.com. 203.43.75.103) <-> ISP <-> (router 192.168.1.1/24) <-> (IPSEC host)
>
> ###### Config public host
> conn chilli-aluminium
> leftid=@west
> left=203.43.75.103
> # rsakey AwEAAacqb
> leftrsasigkey=0sAwEAAacqbh2Uq....
> rightid=@east
> right=%any
> # rsakey AwEAAd8j4
> rightrsasigkey=0sAwEAAd8j4dyx
> authby=rsasig
Here you would want to add leftsubnet=10.19.96/20 but you would also
want something static for rightsubnet=. For example if your (IPSEC host)
is 192.168.1.13 on a static IP, you could use
rightsubnet=192.168.1.13/32
> ###### Config private host
> conn chilli-aluminium
> rightid=@east
> right=%defaultroute
> # rsakey AwEAAd8j4
> rightrsasigkey=0sAwEAAd8j4dyx...
> leftid=@west
> left=203.43.75.103
> # rsakey AwEAAacqb
> leftrsasigkey=0sAwEAAacqbh2Uq...
> authby=rsasig
You would add the subnets here too.
> Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 43.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE
You get this because your TS (traffic selectors) are not acceptable. The
way the server is now set up, it will only allow right=postNAT-IP but
your client is proposing with its preNAT IP.
Paul
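The TS_UNACCEPTABLE explanation above can be checked with a small model of the responder's traffic-selector check. The script below is an added illustration, not code from the thread or from libreswan; it uses the addresses from the thread (203.43.75.103, 10.19.96.0/20, the post-NAT 143.225.60.18 seen in the log) plus the assumed client LAN address 192.168.1.13 that Paul uses as his example, and it simplifies IKEv2 narrowing to "one selector is contained in the other". It reproduces the mismatch with the original config (no subnet= lines, so each side's selector defaults to its own host address) and the match once leftsubnet= and rightsubnet= are set on both ends.

```python
import ipaddress

# Addresses from the thread; the client LAN address is the hypothetical
# static IP Paul suggests, and the /24 LAN comes from the thread's diagram.
PUBLIC_HOST = "203.43.75.103"      # left= on both ends
PRIVATE_NET = "10.19.96.0/20"      # thread writes this as 10.19.96/20
CLIENT_PRE_NAT = "192.168.1.13"    # assumption: client's static LAN address
CLIENT_POST_NAT = "143.225.60.18"  # what the responder sees after ISP NAT


def selector(host_ip, subnet=None):
    """Libreswan default: without leftsubnet=/rightsubnet= the traffic
    selector for that side is just the host address as a /32."""
    return ipaddress.ip_network(subnet if subnet else f"{host_ip}/32")


def narrow(proposed, configured):
    """Simplified IKEv2 narrowing: accept the smaller of two nested
    selectors, otherwise there is no overlap (returns None)."""
    if proposed.subnet_of(configured):
        return proposed
    if configured.subnet_of(proposed):
        return configured
    return None


def responder_decision(local_ts, remote_ts, proposed_tsi, proposed_tsr):
    """Model the responder: the initiator's TSi must fit our remote
    selector and its TSr must fit our local selector, or we answer
    TS_UNACCEPTABLE. Returns the agreed (tsi, tsr) pair or the string."""
    tsi = narrow(proposed_tsi, remote_ts)
    tsr = narrow(proposed_tsr, local_ts)
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE"
    return (tsi, tsr)


def scenario_without_subnets():
    """Original config from the thread: no subnet= on either side."""
    # Responder (public host): right=%any is instantiated with the
    # address the AUTH message arrived from, i.e. the post-NAT IP.
    local_ts = selector(PUBLIC_HOST)
    remote_ts = selector(CLIENT_POST_NAT)
    # Initiator (private host): right=%defaultroute resolves to its own
    # pre-NAT LAN address, which is what it proposes as TSi.
    proposed_tsi = selector(CLIENT_PRE_NAT)
    proposed_tsr = selector(PUBLIC_HOST)
    return responder_decision(local_ts, remote_ts, proposed_tsi, proposed_tsr)


def scenario_with_subnets():
    """Config as Paul suggests: leftsubnet=10.19.96.0/20 and
    rightsubnet=192.168.1.13/32 on both ends."""
    local_ts = selector(PUBLIC_HOST, PRIVATE_NET)
    remote_ts = selector(CLIENT_PRE_NAT, f"{CLIENT_PRE_NAT}/32")
    proposed_tsi = selector(CLIENT_PRE_NAT, f"{CLIENT_PRE_NAT}/32")
    proposed_tsr = selector(PUBLIC_HOST, PRIVATE_NET)
    return responder_decision(local_ts, remote_ts, proposed_tsi, proposed_tsr)


if __name__ == "__main__":
    print("no subnets:  ", scenario_without_subnets())
    print("with subnets:", scenario_with_subnets())
```

The point the model makes is that the NAT never appears in the selectors the client proposes: it offers its pre-NAT 192.168.1.13/32, while the responder, having instantiated right=%any from the packet source, will only accept 143.225.60.18/32, so the two never overlap. Pinning rightsubnet= to the client's real LAN address removes the dependency on what the responder happens to see on the wire, which is why Paul asks for something static there.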