[Swan] converting to use NAT traversal
Alex
mysqlstudent at gmail.com
Sun Jan 5 13:54:58 UTC 2020
Hi,
I've made a few changes, but it still appears to be failing. From
wyckoff (right side):
Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify ourselves with either end of this connection. 68.195.193.42 or 96.56.24.210 are not usable
Jan 5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
Jan 5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator received a message with I(Initiator) flag set; dropping packet
Jan 5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator received a message with I(Initiator) flag set; dropping packet
Jan 5 08:50:53.838729: packet from 68.195.193.42:500: initial parent SA message received on 10.201.2.2:500 but no suitable connection found with IKEv2 policy
Jan 5 08:50:53.838789: packet from 68.195.193.42:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with unencrypted notification NO_PROPOSAL_CHOSEN
It appears it's still confused about which side is which?
> > I managed to convince the admin to port forward both 4500 and 500,
> > along with AH and ESP to my 10.201.2.2 IP from the static external
> > 96.56.24.210 (wyckoff) IP but I still can't get it to work.
> >
> > Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> > 10.201.2.2 on the server itself), I'm seeing the following:
> > # ipsec auto --up orion-wyckoff
> > 000 initiating all conns with alias='orion-wyckoff'
> > 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> > of this connection. 68.195.193.42 or 96.56.24.210
>
> You need to use a real IP address or %defaultroute for the local end (eg left=) and not the address it will get NATed to
I believe that I am. The address that it's NATed to is 10.201.2.2, an
internal unroutable IP.
> > dpddelay=10
> > dpdtimeout=90
> > dpdaction=clear
> > rightsubnets={192.168.11.0/24,192.168.10.0/24}
> > rightid=@wyckoff-orion
> > right=96.56.24.210
> > rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
> > leftid=@orion-wyckoff
> > left=orion.guardiandigital.com
>
> If this is on orion, use left=%defaultroute
This is on the right side. Previously this side had a dynamic IP, so I
could now conceivably enter the IPs directly on both sides?
Here is the config for the left side (orion, 68.195.193.42):
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    auto=add
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    rightid=@wyckoff-orion
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    right=96.56.24.210
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
    leftid=@orion-wyckoff
    left=68.195.193.42
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
Here is the config for the right side (wyckoff, 96.56.24.210):
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    auto=start
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    rightid=@wyckoff-orion
    right=96.56.24.210
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
    leftid=@orion-wyckoff
    left=%defaultroute
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...
I've also tried hardcoding the IP on each side for left= and right=.
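Added example, not part of this thread and not libreswan code: a small Python model of the rule given in the reply above, that the local end of a conn must be a real local address or %defaultroute, applied to the addresses in this message. The function names, the constructed conn text and the interface and default-route addresses are assumptions, and the model ignores libreswan's other matching steps (hostname lookups, %any, interface lists).

```python
from typing import Dict, Optional, Set

# Constructed sample: the wyckoff (right-side) conn posted above, reduced to the
# keys that decide orientation; the RSA keys and DPD settings are left out.
WYCKOFF_CONN = """
conn orion-wyckoff
    rightid=@wyckoff-orion
    right=96.56.24.210
    leftid=@orion-wyckoff
    left=%defaultroute
"""

def parse_conn(text: str) -> Dict[str, str]:
    """Read the key=value lines of one ipsec.conf conn section into a dict."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("conn ", "#")):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def resolve(addr: str, default_route_ip: str) -> str:
    """%defaultroute stands for the address on this host's default-route interface."""
    return default_route_ip if addr == "%defaultroute" else addr

def orient(conf: Dict[str, str], local_ips: Set[str], default_route_ip: str) -> Optional[str]:
    """Return 'left' or 'right' for the end that resolves to one of this host's own
    addresses. None models 'We cannot identify ourselves with either end of this
    connection': a NATed host wrote its public address into the conn, so neither end is local."""
    left = resolve(conf["left"], default_route_ip)
    right = resolve(conf["right"], default_route_ip)
    if left in local_ips and right not in local_ips:
        return "left"
    if right in local_ips and left not in local_ips:
        return "right"
    return None

def diagnose(conf: Dict[str, str], local_ips: Set[str], default_route_ip: str,
             public_ip: Optional[str] = None) -> str:
    """Describe the orientation; public_ip (the NAT's external address, when known)
    exposes a conn whose supposed remote end is really this host's own address."""
    side = orient(conf, local_ips, default_route_ip)
    if side is None:
        return f"cannot identify ourselves: neither left={conf['left']} nor right={conf['right']} is local"
    peer = "right" if side == "left" else "left"
    peer_ip = resolve(conf[peer], default_route_ip)
    if public_ip is not None and peer_ip == public_ip:
        return f"oriented as {side}, but {peer}={peer_ip} is this host's own public address"
    return f"oriented as {side}, peer is {peer}={peer_ip}"
```

Running diagnose() on the posted wyckoff conn with 10.201.2.2 as the default-route address reports that the host orients itself as left and then treats right=96.56.24.210, its own forwarded public address, as the peer; the earlier hardcoded variant yields the "cannot identify ourselves" case.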