[Swan] Roadwarrior and NAT

Paul Wouters paul at nohats.ca
Tue Oct 12 02:33:14 UTC 2021


On Mon, 11 Oct 2021, Phil Nightowl wrote:

> A brief summary:
>
> server --------------- NAT1 -------- internet --- NAT2 ------ roadwarrior
> 172.16.0.129   172.16.0.254/1.2.3.4             10.0.0.x       10.0.0.y
>
>
> Both server and roadwarrior are going to use certificates in production;
> but to make debugging simpler, I temporarily switched to PSKs. The current
> configs are as follows:

You are getting:

 	pluto[15505]: "roadw"[1] 9.8.7.6 #1: responding to AUTH message (ID 1) from 9.8.7.6:4500 with
 	encrypted notification TS_UNACCEPTABLE

It means your subnets/IPs are not matching. The easiest IKEv2 solution
is for the server to give the roadwarrior an IP to use.

>
> Server (responder):
> -------------------
> conn roadw
>     type=tunnel
>     left=%defaultroute
>     leftid=@server
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=@roadw
>     rightsubnet=vhost:%priv,%no

vhost is only used for IKEv1; instead use:

       rightaddresspool=100.64.0.1-100.64.0.10

and add:

       narrowing=yes

>     auto=add
>     ikev2=insist
>     authby=secret
>     pfs=yes
>     aggressive=no
>     salifetime=1h
>     negotiationshunt=hold
>     failureshunt=drop
>     rekey=no
>
>
> Roadwarrior (initiator):
> ------------------------
> conn server
>    left=%defaultroute
>    leftid=@roadw
>    right=1.2.3.4
>    rightid=@server
>    ikev2=insist
>    auto=ondemand
>    authby=secret
>    pfs=yes
>    aggressive=no
>    salifetime=1h
>    negotiationshunt=hold
>    failureshunt=drop

on the client add:

      narrowing=yes
      leftsubnet=0.0.0.0/0
      rightsubnet=0.0.0.0/0


Once authenticated the server will give the "narrowed" tunnel of
100.64.0.1/32 <-> 0.0.0.0/0, which the client will accept.

Paul
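
A small model of the responder-side traffic-selector narrowing that the reply above relies on. This is an added, constructed example, not libreswan code: it compares the selectors an initiator proposes with what the responder is configured to accept, returns None where pluto would answer TS_UNACCEPTABLE, and otherwise the narrowed pair. The client address 10.0.0.5 and the pool lease 100.64.0.1 are assumed values.

```python
from ipaddress import ip_network
from typing import Optional, Tuple


def narrow(proposed: str, allowed: str) -> Optional[str]:
    """Overlap of two CIDR selectors: prefixes either nest or are disjoint,
    so the result is the smaller prefix, or None when there is no overlap."""
    p, a = ip_network(proposed), ip_network(allowed)
    if p.subnet_of(a):
        return str(p)
    if a.subnet_of(p):
        return str(a)
    return None


def responder_narrow(tsi: str, tsr: str, local: str,
                     remote: str) -> Optional[Tuple[str, str]]:
    """Responder view of IKE_AUTH.
    tsi/tsr: what the initiator proposed for its side / the server's side.
    local:   server leftsubnet.
    remote:  what the server accepts for the client, i.e. the address leased
             from rightaddresspool (rightsubnet if there is no pool).
    Returns (client_selector, server_selector) or None (TS_UNACCEPTABLE)."""
    client_side = narrow(tsi, remote)
    server_side = narrow(tsr, local)
    if client_side is None or server_side is None:
        return None
    return client_side, server_side


def broken_case() -> Optional[Tuple[str, str]]:
    # Client conn without leftsubnet/rightsubnet proposes host selectors:
    # its own NATed address (constructed: 10.0.0.5) and the server's public
    # 1.2.3.4. That address is not the pool lease, so nothing overlaps.
    return responder_narrow("10.0.0.5/32", "1.2.3.4/32",
                            "0.0.0.0/0", "100.64.0.1/32")


def fixed_case() -> Optional[Tuple[str, str]]:
    # narrowing=yes with 0.0.0.0/0 on both sides of the client conn; the
    # server leases 100.64.0.1 and narrows to 100.64.0.1/32 <-> 0.0.0.0/0.
    return responder_narrow("0.0.0.0/0", "0.0.0.0/0",
                            "0.0.0.0/0", "100.64.0.1/32")


if __name__ == "__main__":
    print("original config:", broken_case())  # None -> TS_UNACCEPTABLE
    print("fixed config:   ", fixed_case())   # ('100.64.0.1/32', '0.0.0.0/0')
```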

