[Swan] converting to use NAT traversal

Paul Wouters paul at nohats.ca
Sun Jan 5 03:10:42 UTC 2020



> On Jan 4, 2020, at 21:28, Alex <mysqlstudent at gmail.com> wrote:
> 
> Hi,
> 
> I managed to convince the admin to port forward both 4500 and 500,
> along with AH and ESP to my 10.201.2.2 IP from the static external
> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
> 
> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> 10.201.2.2 on the server itself), I'm seeing the following:
> # ipsec auto --up orion-wyckoff
> 000 initiating all conns with alias='orion-wyckoff'
> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> of this connection.  68.195.193.42 or 96.56.24.210

You need to use a real IP address or %defaultroute for the local end (e.g. left=) and not the address it will get NATed to



> are not usable
> .
> conn orion-wyckoff
>        ikev2=insist
>        authby=rsasig
>        auto=start
>        interfaces=%defaultroute

This interfaces= option is bad - remove it completely

>        dpddelay=10
>        dpdtimeout=90
>        dpdaction=clear
>        rightsubnets={192.168.11.0/24,192.168.10.0/24}
>        rightid=@wyckoff-orion
>        right=96.56.24.210
>        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>        leftid=@orion-wyckoff
>        left=orion.guardiandigital.com

If this is on orion, use left=%defaultroute



>        leftsubnets={192.168.1.0/24,192.168.6.0/24}
>        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
> 
> 
>> On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <nick at howitts.co.uk> wrote:
>> 
>> Try changing right to %any. Also check that your firewall allows udp:4500. If you use different configs at either end, then auto should be "add" at orion and can be "start" at wyckoff.
>> 
>> Nick
>> 
>> On 03/01/2020 21:57, Alex wrote:
>> 
>> Hi,
>> I've had a site-to-site VPN using libreswan built and working between
>> two Optonline/Altice systems, one with a dynamic IP and the other with
>> a static IP, for quite some time, but we've had to move the satellite
>> office with the dynamic IP to one where we're only given a private
>> 192.168.1.0/24 network and have no access to the outside public IP
>> interface.
>> 
>> Can I use NAT traversal for this? If so, how do I convert my existing
>> configuration to use it?
>> 
>> In this config, "wyckoff" is the dynamic (now private IP) side and
>> "orion" is the static IP side.
>> 
>> conn orion-wyckoff
>>        ikev2=insist
>>        authby=rsasig
>>        auto=add
>>        dpddelay=10
>>        dpdtimeout=90
>>        dpdaction=clear
>>        rightid=@wyckoff-orion
>>        rightsubnets={192.168.11.0/24,192.168.10.0/24}
>>        right=wyckoff.example.com
>>        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
>>        leftid=@orion-wyckoff
>>        left=orion.example.com
>>        leftsubnets={192.168.1.0/24,192.168.6.0/24}
>>        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>> 
>> 
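Putting Paul's and Nick's advice together, here is what the two ends of this conn could look like. This is an added illustration assembled from the options already quoted in the thread, not configuration posted by Alex or shipped by libreswan; the subnets, IDs and (truncated) rsasigkey values are carried over from the thread unchanged and the file paths are assumed. The static side (orion) keeps auto=add and accepts the peer from any source address, since the NATed side's public address is not its own; the NATed side (wyckoff) initiates, names its local end as %defaultroute rather than the 96.56.24.210 address it is NATed to, and drops the interfaces= line. The @-style leftid/rightid values are what lets the static side match the peer when right=%any, so they stay exactly as they are.

```ini
# /etc/ipsec.d/orion-wyckoff.conf on orion (static side, assumed path)
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        # static side only loads the conn and waits; the NATed side initiates
        auto=add
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        leftid=@orion-wyckoff
        # local end: our own routable address, as Paul suggests
        left=%defaultroute
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        # key truncated as in the thread
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
        rightid=@wyckoff-orion
        # peer sits behind NAT: accept it from any source, matched by rightid
        right=%any
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        # key truncated as in the thread
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...

# /etc/ipsec.d/orion-wyckoff.conf on wyckoff (NATed side, assumed path)
# note: no interfaces= line
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        # NATed side brings the tunnel up, and keeps it up via DPD
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        leftid=@orion-wyckoff
        # remote end: the static peer's real name/address
        left=orion.guardiandigital.com
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        # key truncated as in the thread
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
        rightid=@wyckoff-orion
        # local end: the address on this host (10.201.2.2), never the
        # public 96.56.24.210 it is NATed to
        right=%defaultroute
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        # key truncated as in the thread
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
```

With the NATed end initiating, the static end only needs UDP 500/4500 reachable inbound (the port forwards Alex already arranged apply on the wyckoff side only if orion ever had to initiate, which with auto=add it does not); the "cannot identify ourselves" error goes away once the local end is written as %defaultroute, because libreswan can then find the conn's own side among the host's addresses.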


