[Swan] converting to use NAT traversal

Alex mysqlstudent at gmail.com
Sun Jan 5 13:54:58 UTC 2020


Hi,

I've made a few changes, but it still appears to be failing. From
wyckoff (right side):
Jan  5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
ourselves with either end of this connection.  68.195.193.42 or
96.56.24.210 are not usable

Jan  5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1:
retransmission; will wait 8 seconds for response
Jan  5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator
received a message with I(Initiator) flag set; dropping packet
Jan  5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator
received a message with I(Initiator) flag set; dropping packet
Jan  5 08:50:53.838729: packet from 68.195.193.42:500: initial parent
SA message received on 10.201.2.2:500 but no suitable connection found
with IKEv2 policy
Jan  5 08:50:53.838789: packet from 68.195.193.42:500: responding to
IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
unencrypted notification NO_PROPOSAL_CHOSEN

It appears it's still confused about which side is which?

> > I managed to convince the admin to port forward both 4500 and 500,
> > along with AH and ESP to my 10.201.2.2 IP from the static external
> > 96.56.24.210 (wyckoff) IP but I still can't get it to work.
> >
> > Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> > 10.201.2.2 on the server itself), I'm seeing the following:
> > # ipsec auto --up orion-wyckoff
> > 000 initiating all conns with alias='orion-wyckoff'
> > 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> > of this connection.  68.195.193.42 or 96.56.24.210
>
> You need to use a real IP address or %defaultroute for the local end (eg left=) and not the address it will get NATed to

I believe that I am. The address that it's NATed to is 10.201.2.2, an
internal unroutable IP.

> >        dpddelay=10
> >        dpdtimeout=90
> >        dpdaction=clear
> >        rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >        rightid=@wyckoff-orion
> >        right=96.56.24.210
> >        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
> >        leftid=@orion-wyckoff
> >        left=orion.guardiandigital.com
>
> If this is on orion, use left=%defaultroute

This is on the right side. Previously this side had a dynamic IP, so I
could now conceivably enter the IPs directly on both sides?

Here is the config for the left side (orion, 68.195.193.42):
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=add
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightid=@wyckoff-orion
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        right=96.56.24.210
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
        leftid=@orion-wyckoff
        left=68.195.193.42
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...

Here is the config for the right side (wyckoff, 96.56.24.210):
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightid=@wyckoff-orion
        right=96.56.24.210
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
        leftid=@orion-wyckoff
        left=%defaultroute
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...

I've also tried hardcoding the IP on each side for left= and right=.
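The "We cannot identify ourselves with either end of this connection" message in the log above is libreswan's orientation check: before a conn can be used, exactly one of left= or right= has to resolve to an address that is actually configured on the host (or to %defaultroute, which resolves to the default-route interface's address). A host behind NAT only has its private address, so naming the public NAT address on its own end cannot match. The following is an added illustration, not code from the thread or from libreswan: a small offline checker that parses a conn block and performs that same comparison against a constructed list of local addresses. The function names, the RFC 5737 sample addresses, the hosts mapping that stands in for DNS, and the conn text are all constructed for the example.

```python
"""Added example (not from the mailing-list thread, not libreswan code):
reproduce the conn orientation decision that yields
"We cannot identify ourselves with either end of this connection".
All addresses, hostnames and conn text below are constructed sample data."""

import ipaddress
from typing import Dict, List, Optional


def parse_conn(text: str) -> Dict[str, str]:
    """Parse the 'key=value' lines of one ipsec.conf conn block into a dict.
    The 'conn NAME' header line is stored under the key 'conn'."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conf["conn"] = line.split(None, 1)[1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def resolve_end(value: str, default_route_addr: str, hosts: Dict[str, str]) -> Optional[str]:
    """Turn a left=/right= value into an IP address string.
    %defaultroute -> address of the default-route interface (supplied by caller)
    literal IP    -> itself
    hostname      -> looked up in the constructed 'hosts' mapping (stand-in for DNS)
    Returns None when the value cannot be resolved offline."""
    if value == "%defaultroute":
        return default_route_addr
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return hosts.get(value)


def orient(conf: Dict[str, str], local_addrs: List[str],
           default_route_addr: str, hosts: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return 'left' or 'right' for the end whose address is configured on this host.
    Returns None when neither end matches (the 'cannot identify ourselves' case)
    or when both ends match (ambiguous, also unusable)."""
    hosts = hosts or {}
    local = {str(ipaddress.ip_address(a)) for a in local_addrs}
    matches = [end for end in ("left", "right")
               if resolve_end(conf.get(end, ""), default_route_addr, hosts) in local]
    return matches[0] if len(matches) == 1 else None


# Constructed view of a NATed host: it only owns a private address.
LOCAL_ADDRS = ["127.0.0.1", "10.201.2.2"]
DEFAULT_ROUTE = "10.201.2.2"
HOSTS = {"gw.example.net": "198.51.100.10"}   # constructed stand-in for DNS

# right= names the public NAT address: the host does not own it, so no end matches.
CONN_PUBLIC = """
conn example-nat
        ikev2=insist
        authby=rsasig
        left=203.0.113.7
        leftid=@peer
        right=198.51.100.10
        rightid=@nated-host
"""

# Same conn with the local end written as %defaultroute: orientation succeeds.
CONN_DEFAULTROUTE = CONN_PUBLIC.replace("right=198.51.100.10", "right=%defaultroute")

# Same conn with the local end written as the private address the host really has.
CONN_PRIVATE = CONN_PUBLIC.replace("right=198.51.100.10", "right=10.201.2.2")

# A hostname that resolves to the public NAT address fails the same way.
CONN_HOSTNAME = CONN_PUBLIC.replace("right=198.51.100.10", "right=gw.example.net")


def check(text: str) -> Optional[str]:
    """Parse a conn block and orient it against the constructed host view."""
    return orient(parse_conn(text), LOCAL_ADDRS, DEFAULT_ROUTE, HOSTS)


if __name__ == "__main__":
    for name, text in [("public NAT address", CONN_PUBLIC),
                       ("%defaultroute", CONN_DEFAULTROUTE),
                       ("private address", CONN_PRIVATE),
                       ("hostname -> public", CONN_HOSTNAME)]:
        end = check(text)
        verdict = f"local end is {end}" if end else "cannot identify ourselves with either end"
        print(f"{name:20s}: {verdict}")
```

Running the block prints one verdict per variant; the two that name the host's real (private) address or %defaultroute orient as "right", and the two that name the public NAT address, literally or via a hostname, reproduce the failure. Real libreswan also consults the kernel's interface and route tables rather than a caller-supplied list, so the checker only models the comparison, not the discovery.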
