[Swan] converting to use NAT traversal
Paul Wouters
paul at nohats.ca
Sun Jan 5 03:10:42 UTC 2020
> On Jan 4, 2020, at 21:28, Alex <mysqlstudent at gmail.com> wrote:
>
> Hi,
>
> I managed to convince the admin to port forward both 4500 and 500,
> along with AH and ESP to my 10.201.2.2 IP from the static external
> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>
> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> 10.201.2.2 on the server itself), I'm seeing the following:
> # ipsec auto --up orion-wyckoff
> 000 initiating all conns with alias='orion-wyckoff'
> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> of this connection. 68.195.193.42 or 96.56.24.210
You need to use a real IP address or %defaultroute for the local end (eg left=) and not the address it will get NATed to
> are not usable
> .
> conn orion-wyckoff
> ikev2=insist
> authby=rsasig
> auto=start
> interfaces=%defaultroute
Thus interfaces= option is bad - remove it completely
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> rightsubnets={192.168.11.0/24,192.168.10.0/24}
> rightid=@wyckoff-orion
> right=96.56.24.210
> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
> leftid=@orion-wyckoff
> left=orion.guardiandigital.com
If this is on orion, use left=%defaultroute
> leftsubnets={192.168.1.0/24,192.168.6.0/24}
> leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
>
>
>> On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <nick at howitts.co.uk> wrote:
>>
>> Try changing right to %any. Also check that your firewall allows udp:4500. If you use different configs at either end, then auto should be "add" at orion and can be "start" at wyckoff.
>>
>> Nick
>>
>> On 03/01/2020 21:57, Alex wrote:
>>
>> Hi,
>> I've had a site-to-site VPN using libreswan built and working between
>> two Optonline/Altice systems, one with a dynamic IP and the other with
>> a static IP, for quite some time, but we've had to move the satellite
>> office with the dynamic IP to one where we're only given a private
>> 192.168.1.0/24 network and have no access to the outside public IP
>> interface.
>>
>> Can I use NAT traversal for this? If so, how do I convert my existing
>> configuration to use it?
>>
>> In this config, "wyckoff" is the dynamic (now private IP) side and
>> "orion" is the static IP side.
>>
>> conn orion-wyckoff
>> ikev2=insist
>> authby=rsasig
>> auto=add
>> dpddelay=10
>> dpdtimeout=90
>> dpdaction=clear
>> rightid=@wyckoff-orion
>> rightsubnets={192.168.11.0/24,192.168.10.0/24}
>> right=wyckoff.example.com
>> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
>> leftid=@orion-wyckoff
>> left=orion.example.com
>> leftsubnets={192.168.1.0/24,192.168.6.0/24}
>> leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list