[Swan] converting to use NAT traversal
Alex
mysqlstudent at gmail.com
Sun Jan 5 02:39:46 UTC 2020
Hi,
I should have mentioned that I read the FAQ on this NO_PROTOCOL_CHOSEN
error, but I don't believe it's a configuration mismatch between
libreswan and the remote IPsec server. The configuration hasn't
changed from what was previously working with the same systems.
The wyckoff server was moved from having a public IP address on its
external interface to an internal IP with ports 4500 and 500 being
forwarded to that internal IP address.
https://libreswan.org/wiki/FAQ#error:_ignoring_informational_payload.2C_type_NO_PROPOSAL_CHOSEN_msgid.3D00000000
I'm hoping someone has an obvious solution for me.
On Sat, Jan 4, 2020 at 9:28 PM Alex <mysqlstudent at gmail.com> wrote:
>
> Hi,
>
> I managed to convince the admin to port forward both 4500 and 500,
> along with AH and ESP to my 10.201.2.2 IP from the static external
> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>
> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> 10.201.2.2 on the server itself), I'm seeing the following:
> # ipsec auto --up orion-wyckoff
> 000 initiating all conns with alias='orion-wyckoff'
> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> of this connection. 68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/2x1": We cannot identify ourselves with either end
> of this connection. 68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/1x2": We cannot identify ourselves with either end
> of this connection. 68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/1x1": We cannot identify ourselves with either end
> of this connection. 68.195.193.42 or 96.56.24.210 are not usable
>
> Jan 4 21:27:00.402928: packet from 68.195.193.42:40384: initial Main
> Mode message received on 10.201.2.2:500 but no connection has been
> authorized with policy PSK+IKEV1_ALLOW
> Jan 4 21:21:21.836883: packet from 68.195.193.42:500: initial parent
> SA message received on 10.201.2.2:500 but no suitable connection found
> with IKEv2 policy
> Jan 4 21:21:21.836908: packet from 68.195.193.42:500: responding to
> IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
> unencrypted notification NO_PROPOSAL_CHOSEN
>
> Here is my config again. I've tried to hardcode the IP just in case,
> but I'm not sure that really matters, since it's a static IP and has a
> DNS entry.
>
> conn orion-wyckoff
> ikev2=insist
> authby=rsasig
> auto=start
> interfaces=%defaultroute
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> rightsubnets={192.168.11.0/24,192.168.10.0/24}
> rightid=@wyckoff-orion
> right=96.56.24.210
> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
> leftid=@orion-wyckoff
> left=orion.guardiandigital.com
> leftsubnets={192.168.1.0/24,192.168.6.0/24}
> leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
>
>
> On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <nick at howitts.co.uk> wrote:
> >
> > Try changing right to %any. Also check that your firewall allows udp:4500. If you use different configs at either end, then auto should be "add" at orion and can be "start" at wyckoff.
> >
> > Nick
> >
> > On 03/01/2020 21:57, Alex wrote:
> >
> > Hi,
> > I've had a site-to-site VPN using libreswan built and working between
> > two Optonline/Altice systems, one with a dynamic IP and the other with
> > a static IP, for quite some time, but we've had to move the satellite
> > office with the dynamic IP to one where we're only given a private
> > 192.168.1.0/24 network and have no access to the outside public IP
> > interface.
> >
> > Can I use NAT traversal for this? If so, how do I convert my existing
> > configuration to use it?
> >
> > In this config, "wyckoff" is the dynamic (now private IP) side and
> > "orion" is the static IP side.
> >
> > conn orion-wyckoff
> > ikev2=insist
> > authby=rsasig
> > auto=add
> > dpddelay=10
> > dpdtimeout=90
> > dpdaction=clear
> > rightid=@wyckoff-orion
> > rightsubnets={192.168.11.0/24,192.168.10.0/24}
> > right=wyckoff.example.com
> > rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
> > leftid=@orion-wyckoff
> > left=orion.example.com
> > leftsubnets={192.168.1.0/24,192.168.6.0/24}
> > leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
> >
> >
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list