[Swan] converting to use NAT traversal
Alex
mysqlstudent at gmail.com
Sun Jan 5 02:28:31 UTC 2020
Hi,
I managed to convince the admin to port forward both 4500 and 500,
along with AH and ESP, to my 10.201.2.2 IP from the static external
96.56.24.210 (wyckoff) IP, but I still can't get it to work.
Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
10.201.2.2 on the server itself), I'm seeing the following:
# ipsec auto --up orion-wyckoff
000 initiating all conns with alias='orion-wyckoff'
022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
of this connection. 68.195.193.42 or 96.56.24.210 are not usable
022 "orion-wyckoff/2x1": We cannot identify ourselves with either end
of this connection. 68.195.193.42 or 96.56.24.210 are not usable
022 "orion-wyckoff/1x2": We cannot identify ourselves with either end
of this connection. 68.195.193.42 or 96.56.24.210 are not usable
022 "orion-wyckoff/1x1": We cannot identify ourselves with either end
of this connection. 68.195.193.42 or 96.56.24.210 are not usable
Jan 4 21:27:00.402928: packet from 68.195.193.42:40384: initial Main
Mode message received on 10.201.2.2:500 but no connection has been
authorized with policy PSK+IKEV1_ALLOW
Jan 4 21:21:21.836883: packet from 68.195.193.42:500: initial parent
SA message received on 10.201.2.2:500 but no suitable connection found
with IKEv2 policy
Jan 4 21:21:21.836908: packet from 68.195.193.42:500: responding to
IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
unencrypted notification NO_PROPOSAL_CHOSEN
Here is my config again. I've tried to hardcode the IP just in case,
but I'm not sure that really matters, since it's a static IP and has a
DNS entry.
conn orion-wyckoff
ikev2=insist
authby=rsasig
auto=start
interfaces=%defaultroute
dpddelay=10
dpdtimeout=90
dpdaction=clear
rightsubnets={192.168.11.0/24,192.168.10.0/24}
rightid=@wyckoff-orion
right=96.56.24.210
rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
leftid=@orion-wyckoff
left=orion.guardiandigital.com
leftsubnets={192.168.1.0/24,192.168.6.0/24}
leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <nick at howitts.co.uk> wrote:
>
> Try changing right to %any. Also check that your firewall allows udp:4500. If you use different configs at either end, then auto should be "add" at orion and can be "start" at wyckoff.
>
> Nick
>
> On 03/01/2020 21:57, Alex wrote:
>
> Hi,
> I've had a site-to-site VPN using libreswan built and working between
> two Optonline/Altice systems, one with a dynamic IP and the other with
> a static IP, for quite some time, but we've had to move the satellite
> office with the dynamic IP to one where we're only given a private
> 192.168.1.0/24 network and have no access to the outside public IP
> interface.
>
> Can I use NAT traversal for this? If so, how do I convert my existing
> configuration to use it?
>
> In this config, "wyckoff" is the dynamic (now private IP) side and
> "orion" is the static IP side.
>
> conn orion-wyckoff
> ikev2=insist
> authby=rsasig
> auto=add
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> rightid=@wyckoff-orion
> rightsubnets={192.168.11.0/24,192.168.10.0/24}
> right=wyckoff.example.com
> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
> leftid=@orion-wyckoff
> left=orion.example.com
> leftsubnets={192.168.1.0/24,192.168.6.0/24}
> leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
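The "We cannot identify ourselves with either end of this connection" lines above come from pluto's orientation step: before a conn can be used, one of left= or right= has to resolve to an address that is actually on a local interface. On a host behind NAT the interface carries the private address (10.201.2.2 in the thread), so a conn that names only the public 96.56.24.210 matches neither end. The following is an added example, not libreswan's code and not from anyone in the thread; it re-implements that orientation check in Python over the conn posted above. The DNS mapping and the set of local addresses are constructed for the example, and `%defaultroute`/`%any` handling mirrors the documented ipsec.conf meaning of those keywords.

```python
"""
Added illustration (not libreswan code): why pluto reports
"We cannot identify ourselves with either end of this connection".
A conn is usable only if left= or right= resolves to an address held by
a local interface.  Behind NAT the interface holds the private address,
so naming only the public address on the NATed side orients nothing.
"""
import ipaddress
import re

# Constructed sample: the conn from the thread, trimmed to the keys that
# matter for orientation (keys and values as posted).
SAMPLE_CONF = """
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    right=96.56.24.210
    rightid=@wyckoff-orion
    left=orion.guardiandigital.com
    leftid=@orion-wyckoff
"""

# Constructed stand-in for DNS so the example runs offline; the address is
# the one pluto printed for the peer in the thread, not a live lookup.
FAKE_DNS = {"orion.guardiandigital.com": "68.195.193.42"}

# Constructed: addresses on the wyckoff host's own interfaces (private side
# of the NAT).  The public 96.56.24.210 lives on the NAT box, not here.
WYCKOFF_LOCAL_ADDRS = {"10.201.2.2", "127.0.0.1"}


def parse_conns(text):
    """Parse 'conn NAME' blocks of an ipsec.conf-style file into dicts."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def resolve_end(value, default_route_addr, dns=FAKE_DNS):
    """Map an end's address spec to a concrete IP string, or None for %any."""
    if value == "%any":
        return None                      # wildcard: matches no local address
    if value == "%defaultroute":
        return default_route_addr        # the address of the default-route interface
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return dns.get(value)            # hostname: resolve (offline table here)


def orient(conn, local_addrs, default_route_addr):
    """Return 'left', 'right', 'both' or None: which end is this host?"""
    left = resolve_end(conn.get("left", "%any"), default_route_addr)
    right = resolve_end(conn.get("right", "%any"), default_route_addr)
    left_local = left in local_addrs
    right_local = right in local_addrs
    if left_local and right_local:
        return "both"                    # pluto rejects this as well
    if left_local:
        return "left"
    if right_local:
        return "right"
    return None                          # "cannot identify ourselves with either end"


def explain(conn, local_addrs, default_route_addr):
    """Human-readable verdict in the spirit of pluto's 022 message."""
    side = orient(conn, local_addrs, default_route_addr)
    if side is None:
        ends = [resolve_end(conn.get(k, "%any"), default_route_addr)
                for k in ("left", "right")]
        return f"unoriented: {' or '.join(str(e) for e in ends)} are not usable"
    return f"oriented: this host is '{side}'"


if __name__ == "__main__":
    conn = parse_conns(SAMPLE_CONF)["orion-wyckoff"]
    # As posted: neither 68.195.193.42 nor 96.56.24.210 is on a local interface.
    print(explain(conn, WYCKOFF_LOCAL_ADDRS, "10.201.2.2"))
    # NATed side names its own private address via %defaultroute instead.
    print(explain(dict(conn, right="%defaultroute"), WYCKOFF_LOCAL_ADDRS, "10.201.2.2"))
    # Static side (orion) uses right=%any so the NATed peer may come from anywhere.
    print(explain(dict(conn, right="%any"), {"68.195.193.42"}, "68.195.193.42"))
```

Running it shows the conn exactly as posted is unoriented on wyckoff, while the same conn with `right=%defaultroute` orients as "right" on wyckoff and, with `right=%any`, orients as "left" on the static orion side. The NAT detection and UDP 4500 encapsulation themselves are negotiated by IKE once the conn is oriented; this check is only the prerequisite that the log lines above say is failing.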