[Swan] Roadwarrior and NAT
Paul Wouters
paul at nohats.ca
Tue Oct 12 02:33:14 UTC 2021
On Mon, 11 Oct 2021, Phil Nightowl wrote:
> A brief summary:
>
> server --------------- NAT1 -------------------- internet --- NAT2 ------ roadwarrior
> 172.16.0.129          172.16.0.254/1.2.3.4                   10.0.0.x     10.0.0.y
>
>
> Both server and roadwarrior are going to use certificates in production;
> but to make debugging simpler, I temporarily switched to PSKs. The current
> configs are as follows:
You are getting:
pluto[15505]: "roadw"[1] 9.8.7.6 #1: responding to AUTH message (ID 1) from 9.8.7.6:4500 with encrypted notification TS_UNACCEPTABLE
It means your subnets/IPs are not matching. The easiest IKEv2 solution
is for the server to give the roadwarrior an IP to use.
>
> Server (responder):
> -------------------
> conn roadw
>     type=tunnel
>     left=%defaultroute
>     leftid=@server
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=@roadw
>     rightsubnet=vhost:%priv,%no
vhost is only used for IKEv1, instead use:
rightaddresspool=100.64.0.1-100.64.0.10
and add:
narrowing=yes
>     auto=add
>     ikev2=insist
>     authby=secret
>     pfs=yes
>     aggressive=no
>     salifetime=1h
>     negotiationshunt=hold
>     failureshunt=drop
>     rekey=no
>
>
> Roadwarrior (initiator):
> ------------------------
> conn server
>     left=%defaultroute
>     leftid=@roadw
>     right=1.2.3.4
>     rightid=@server
>     ikev2=insist
>     auto=ondemand
>     authby=secret
>     pfs=yes
>     aggressive=no
>     salifetime=1h
>     negotiationshunt=hold
>     failureshunt=drop
on the client add:
narrowing=yes
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
Once authenticated the server will give the "narrowed" tunnel of
100.64.0.1/32 <-> 0.0.0.0/0, which the client will accept.
Paul
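To make the TS_UNACCEPTABLE diagnosis concrete, here is a small model of the responder's traffic-selector decision, added as an illustration; it is not libreswan code, and the "before" case is a constructed assumption (client behind NAT proposing its private 10.0.0.5/32 against a server that only knows the NAT's public 9.8.7.6) of how "subnets/IPs not matching" arises. The "after" case uses the address pool and narrowing=yes from the reply above.

```python
from ipaddress import ip_address, ip_network

def narrow(proposed, configured):
    """Intersect one proposed traffic selector with the configured one.
    IKEv2 (RFC 7296 section 2.9) lets the responder pick a subset of what
    the initiator proposed; with CIDR blocks the subset is the smaller one."""
    p, c = ip_network(proposed), ip_network(configured)
    if p.subnet_of(c):
        return p
    if c.subnet_of(p):
        return c
    return None  # no overlap at all

def responder_select(tsi, tsr, leftsubnet, rightsubnet=None, pool=None, narrowing=False):
    """Simplified model (an assumption, not libreswan's actual logic) of the
    responder choosing child SA traffic selectors. tsi/tsr are the initiator's
    proposal (its side, our side).
    Returns ("ok", tsi_chosen, tsr_chosen) or ("TS_UNACCEPTABLE", None, None)."""
    if pool:
        # rightaddresspool: the server leases the client an address, so the
        # client side of the tunnel is exactly that /32, whatever private
        # address the client actually sits on behind its NAT.
        leased = ip_address(pool.split("-")[0])  # first lease (constructed)
        rightsubnet = f"{leased}/32"
    i, r = narrow(tsi, rightsubnet), narrow(tsr, leftsubnet)
    if i is None or r is None:
        return ("TS_UNACCEPTABLE", None, None)
    if not narrowing and (i != ip_network(tsi) or r != ip_network(tsr)):
        # without narrowing=yes the responder may not shrink the proposal
        return ("TS_UNACCEPTABLE", None, None)
    return ("ok", str(i), str(r))

def before_fix():
    # Constructed: client proposes its private 10.0.0.5/32 <-> 1.2.3.4/32; the
    # server's right side is only the NAT's public address 9.8.7.6/32.
    return responder_select("10.0.0.5/32", "1.2.3.4/32",
                            leftsubnet="0.0.0.0/0", rightsubnet="9.8.7.6/32")

def after_fix():
    # Client: leftsubnet=rightsubnet=0.0.0.0/0 with narrowing=yes;
    # server: rightaddresspool=100.64.0.1-100.64.0.10 with narrowing=yes.
    return responder_select("0.0.0.0/0", "0.0.0.0/0", leftsubnet="0.0.0.0/0",
                            pool="100.64.0.1-100.64.0.10", narrowing=True)

if __name__ == "__main__":
    print("before:", before_fix())  # ('TS_UNACCEPTABLE', None, None)
    print("after:", after_fix())    # ('ok', '100.64.0.1/32', '0.0.0.0/0')
```

Leaving narrowing=yes off the server while keeping the pool still fails in this model, which is why the reply adds both settings.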