[Swan] converting to use NAT traversal

Alex mysqlstudent at gmail.com
Sun Jan 5 02:39:46 UTC 2020


Hi,

I should have mentioned that I read the FAQ on this NO_PROPOSAL_CHOSEN
error, but I don't believe it's a configuration mismatch between
libreswan and the remote IPsec server. The configuration hasn't
changed from what was previously working with the same systems.

The wyckoff server was moved from having a public IP address on its
external interface to an internal IP with ports 4500 and 500 being
forwarded to that internal IP address.

https://libreswan.org/wiki/FAQ#error:_ignoring_informational_payload.2C_type_NO_PROPOSAL_CHOSEN_msgid.3D00000000

I'm hoping someone has an obvious solution for me.

On Sat, Jan 4, 2020 at 9:28 PM Alex <mysqlstudent at gmail.com> wrote:
>
> Hi,
>
> I managed to convince the admin to port forward both 4500 and 500,
> along with AH and ESP to my 10.201.2.2 IP from the static external
> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>
> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> 10.201.2.2 on the server itself), I'm seeing the following:
> # ipsec auto --up orion-wyckoff
> 000 initiating all conns with alias='orion-wyckoff'
> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> of this connection.  68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/2x1": We cannot identify ourselves with either end
> of this connection.  68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/1x2": We cannot identify ourselves with either end
> of this connection.  68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/1x1": We cannot identify ourselves with either end
> of this connection.  68.195.193.42 or 96.56.24.210 are not usable
>
> Jan  4 21:27:00.402928: packet from 68.195.193.42:40384: initial Main
> Mode message received on 10.201.2.2:500 but no connection has been
> authorized with policy PSK+IKEV1_ALLOW
> Jan  4 21:21:21.836883: packet from 68.195.193.42:500: initial parent
> SA message received on 10.201.2.2:500 but no suitable connection found
> with IKEv2 policy
> Jan  4 21:21:21.836908: packet from 68.195.193.42:500: responding to
> IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
> unencrypted notification NO_PROPOSAL_CHOSEN
>
> Here is my config again. I've tried to hardcode the IP just in case,
> but I'm not sure that really matters, since it's a static IP and has a
> DNS entry.
>
> conn orion-wyckoff
>         ikev2=insist
>         authby=rsasig
>         auto=start
>         interfaces=%defaultroute
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         rightsubnets={192.168.11.0/24,192.168.10.0/24}
>         rightid=@wyckoff-orion
>         right=96.56.24.210
>         rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>         leftid=@orion-wyckoff
>         left=orion.guardiandigital.com
>         leftsubnets={192.168.1.0/24,192.168.6.0/24}
>         leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
>
>
> On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <nick at howitts.co.uk> wrote:
> >
> > Try changing right to %any. Also check that your firewall allows udp:4500. If you use different configs at either end, then auto should be "add" at orion and can be "start" at wyckoff.
> >
> > Nick
> >
> > On 03/01/2020 21:57, Alex wrote:
> >
> > Hi,
> > I've had a site-to-site VPN using libreswan built and working between
> > two Optonline/Altice systems, one with a dynamic IP and the other with
> > a static IP, for quite some time, but we've had to move the satellite
> > office with the dynamic IP to one where we're only given a private
> > 192.168.1.0/24 network and have no access to the outside public IP
> > interface.
> >
> > Can I use NAT traversal for this? If so, how do I convert my existing
> > configuration to use it?
> >
> > In this config, "wyckoff" is the dynamic (now private IP) side and
> > "orion" is the static IP side.
> >
> > conn orion-wyckoff
> >         ikev2=insist
> >         authby=rsasig
> >         auto=add
> >         dpddelay=10
> >         dpdtimeout=90
> >         dpdaction=clear
> >         rightid=@wyckoff-orion
> >         rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >         right=wyckoff.example.com
> >         rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
> >         leftid=@orion-wyckoff
> >         left=orion.example.com
> >         leftsubnets={192.168.1.0/24,192.168.6.0/24}
> >         leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
> >
> >
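Added example, not part of the thread above and not libreswan's own documentation: one way to write the same site-to-site conn once the wyckoff end sits behind NAT, so that each host can identify its own end of the connection. Hostnames, IDs, subnets and the truncated key strings are taken from the posts above; the split into two per-host files, the comments, and the placement of `%any` / `%defaultroute` are this example's assumptions about how the two hosts are administered, not something the posters confirmed.

```conf
# Added example (not from the thread): site-to-site conn with the wyckoff
# end behind NAT. Names, IDs and addresses come from the posts above; key
# strings are the truncated ones from the posts; everything else is assumed.

# --- orion (static public IP, the responder) -----------------------------
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        # orion cannot reach wyckoff's private address, so it only listens;
        # the NATed side has to be the one that initiates
        auto=add
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        left=orion.example.com
        leftid=@orion-wyckoff
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
        # the peer arrives from whatever address and port the NAT presents,
        # so match any address and authenticate on ID plus RSA key instead
        right=%any
        rightid=@wyckoff-orion
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...

# --- wyckoff (10.201.2.2 behind 96.56.24.210, the initiator) --------------
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        left=orion.example.com
        leftid=@orion-wyckoff
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
        # local end must be the address actually configured on an interface
        # (here 10.201.2.2), not the NAT's public 96.56.24.210; otherwise
        # pluto finds neither left nor right on the host and reports
        # "We cannot identify ourselves with either end of this connection"
        right=%defaultroute
        rightid=@wyckoff-orion
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
```

With `right=%any` orion can only respond, so `ipsec auto --up orion-wyckoff` is run from wyckoff. Once both IKEv2 peers see from the NAT detection payloads that the wyckoff address was rewritten, the exchange moves to UDP 4500 and ESP is carried inside UDP 4500 as well (RFC 7296 section 2.23 and RFC 3948), so the UDP 500 and 4500 forwards are what the tunnel depends on; forwards for the raw AH and ESP protocols are not used for the encapsulated traffic.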