[Swan] converting to use NAT traversal

Paul Wouters paul at nohats.ca
Sun Jan 5 15:15:11 UTC 2020



> On Jan 5, 2020, at 08:54, Alex <mysqlstudent at gmail.com> wrote:
> 
> Hi,
> 
> I've made a few changes, but it still appears to be failing. From
> wyckoff (right side):
> Jan  5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> ourselves with either end of this connection.  68.195.193.42 or
> 96.56.24.210 are not usable


If both ends are behind NAT, you have to make the change I mentioned on both ends specific for that end. The local (left) part MUST be %defaultroute or an IP/DNS that refers to a local IP present on the machine and not its “going to be NATed to IP/DNS”

Paul

> 
> Jan  5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1:
> retransmission; will wait 8 seconds for response
> Jan  5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan  5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan  5 08:50:53.838729: packet from 68.195.193.42:500: initial parent
> SA message received on 10.201.2.2:500 but no suitable connection found
> with IKEv2 policy
> Jan  5 08:50:53.838789: packet from 68.195.193.42:500: responding to
> IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
> unencrypted notification NO_PROPOSAL_CHOSEN
> 
> It appears it's still confused about which side is which?
> 
>>> I managed to convince the admin to port forward both 4500 and 500,
>>> along with AH and ESP to my 10.201.2.2 IP from the static external
>>> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>>> 
>>> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
>>> 10.201.2.2 on the server itself), I'm seeing the following:
>>> # ipsec auto --up orion-wyckoff
>>> 000 initiating all conns with alias='orion-wyckoff'
>>> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
>>> of this connection.  68.195.193.42 or 96.56.24.210
>> 
>> You need to use a real IP address or %defaultroute for the local end (eg left=) and not the address it will get NATed to
> 
> I believe that I am. The address that it's NATed to is 10.201.2.2, an
> internal unroutable IP.
> 
>>>       dpddelay=10
>>>       dpdtimeout=90
>>>       dpdaction=clear
>>>       rightsubnets={192.168.11.0/24,192.168.10.0/24}
>>>       rightid=@wyckoff-orion
>>>       right=96.56.24.210
>>>       rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>>>       leftid=@orion-wyckoff
>>>       left=orion.guardiandigital.com
>> 
>> If this is on orion, use left=%defaultroute
> 
> This is on the right side. Previously this side had a dynamic IP, so I
> could now conceivably enter the IPs directly on both sides?
> 
> Here is the config for the left side (orion, 68.195.193.42):
> conn orion-wyckoff
>        ikev2=insist
>        authby=rsasig
>        auto=add
>        dpddelay=10
>        dpdtimeout=90
>        dpdaction=clear
>        rightid=@wyckoff-orion
>        rightsubnets={192.168.11.0/24,192.168.10.0/24}
>        right=96.56.24.210
>        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
>        leftid=@orion-wyckoff
>        left=68.195.193.42
>        leftsubnets={192.168.1.0/24,192.168.6.0/24}
>        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
> 
> Here is the config for the right side (wyckoff, 96.56.24.210):
> conn orion-wyckoff
>        ikev2=insist
>        authby=rsasig
>        auto=start
>        dpddelay=10
>        dpdtimeout=90
>        dpdaction=clear
>        rightsubnets={192.168.11.0/24,192.168.10.0/24}
>        rightid=@wyckoff-orion
>        right=96.56.24.210
>        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
>        leftid=@orion-wyckoff
>        left=%defaultroute
>        leftsubnets={192.168.1.0/24,192.168.6.0/24}
>        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...
> 
> I've also tried hardcoding the IP on each side for left= and right=.
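Applying Paul's rule to the two configs quoted above, as an added illustration that is not part of the thread: each host names its own end with %defaultroute (or an address actually configured on one of its interfaces) and names the peer's end with the address the peer is reachable at, i.e. the forwarded public IP. Because wyckoff is the right end of this conn (right=96.56.24.210, rightid=@wyckoff-orion), the %defaultroute belongs on right= in wyckoff's copy, not on left=; the quoted wyckoff config puts it on left=, which makes that host try to act as orion. Addresses, ids, subnets and the truncated keys are copied from the thread; that orion is the left end and that %defaultroute is also acceptable there is taken from Paul's earlier reply.

```ini
# orion (left end). Own end uses %defaultroute, as Paul suggested for orion;
# the peer's end is the public address wyckoff is reachable at.
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=add
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        leftid=@orion-wyckoff
        left=%defaultroute
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
        rightid=@wyckoff-orion
        right=96.56.24.210
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...

# wyckoff (right end). The host itself has 10.201.2.2; 96.56.24.210 is the
# address it is NATed/port-forwarded from and is not present on the machine,
# so it cannot be used for the local end. %defaultroute goes on right= here.
conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        leftid=@orion-wyckoff
        left=68.195.193.42
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
        rightid=@wyckoff-orion
        right=%defaultroute
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
```

The ids, keys and subnets stay on the same logical side in both copies; only the placeholder for "this host" moves to whichever side the host actually is. On orion, left=68.195.193.42 is equally valid if that address is configured on the host, since %defaultroute only matters where the interface address differs from the address the peer sees. After changing the files, reload the conn on each side (`ipsec auto --replace orion-wyckoff`) and repeat the `ipsec auto --up orion-wyckoff` from the thread. One caveat on the port forwards: once IKE detects NAT on either side, both peers move to UDP 4500 and carry ESP inside UDP, so the forwarded UDP 500/4500 are what matter and the raw ESP/AH forwards are not exercised.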


