[Swan] Possible to setup multiple connections, partly behind NAT?

Paul Wouters paul at nohats.ca
Tue Feb 20 17:44:23 EET 2024


On Tue, 20 Feb 2024, Phil Nightowl wrote:

> Subject: Re: [Swan] Possible to setup multiple connections, partly behind NAT?
> 
>>> Should I remove the leftsubnet/rightsubnet options altogether?
>>
>> Yes.

> After doing that, I tried to connect from remotehost1.privlan to
> server.privlan - which now should basically be a quite common host-to-host
> connection with NAT in between.

If you have NAT, then you no longer have a host-to-host connection. What
internal IPs should be used? Some end has to hand out an IP address for
the other end to use.

If you have two subnets that you want to have "meshed", you should build
a net-to-net connection between the two gateways of those subnets, so
that all the mesh nodes are not even aware of the NAT in the middle.

> pluto[22373]: "headq" #2: dropping unexpected IKE_AUTH message containing TS_UNACCEPTABLE notification; message payloads: SKF; encrypted payloads: IDr,CERT,AUTH,N; unexpected payloads: IDr,CERT,AUTH

Because the nodes are now using their pre-NAT IP which cannot be
trusted. Eg I could say I am 8.8.8.8 pre-NAT and steal your google DNS
traffic. One end is suggesting a connection of internalIP1-PubIP1, and
the other end is suggesting internalIP2-PubIP2 and thus they won't agree.

Paul
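A small model of the traffic-selector comparison Paul describes, added here as an example and not part of the thread or of libreswan's code. Addresses are constructed, and the selector format is simplified to CIDR blocks (real IKEv2 selectors are address ranges plus protocol and ports).

```python
from ipaddress import ip_network

# Simplified IKEv2 traffic selector (TS) negotiation, RFC 7296 section 2.9:
# the initiator proposes (TSi, TSr); the responder may narrow them to what
# its own policy covers. With no overlap it replies TS_UNACCEPTABLE, which
# is the notification pluto logged in the thread above.

def narrow(proposed, policy):
    """Return the overlap of two CIDR blocks, or None when they are disjoint."""
    a, b = ip_network(proposed), ip_network(policy)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def negotiate(initiator, responder):
    """Each dict holds 'tsi' (own side) and 'tsr' (peer side) as that end sees
    them, so the responder's view is compared crosswise."""
    tsi = narrow(initiator["tsi"], responder["tsr"])
    tsr = narrow(initiator["tsr"], responder["tsi"])
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE"
    return (str(tsi), str(tsr))

# Constructed addresses (not from the thread): 192.168.1.0/24 sits behind
# remotehost1's NAT, 192.168.2.0/24 behind the server's; the public NAT
# addresses are 198.51.100.10 and 203.0.113.20.
HOST_TO_HOST_BEHIND_NAT = {
    # remotehost1 proposes its pre-NAT address towards the server's public one
    "initiator": {"tsi": "192.168.1.10", "tsr": "203.0.113.20"},
    # the server expects its own pre-NAT address and the peer's public one
    "responder": {"tsi": "192.168.2.20", "tsr": "198.51.100.10"},
}

# Net-to-net between the two gateways: both ends describe the same subnets,
# and the hosts inside never see the NAT.
NET_TO_NET_GATEWAYS = {
    "initiator": {"tsi": "192.168.1.0/24", "tsr": "192.168.2.0/24"},
    "responder": {"tsi": "192.168.2.0/24", "tsr": "192.168.1.0/24"},
}

if __name__ == "__main__":
    for name, cfg in (("host-to-host", HOST_TO_HOST_BEHIND_NAT),
                      ("net-to-net", NET_TO_NET_GATEWAYS)):
        print(name, negotiate(cfg["initiator"], cfg["responder"]))
```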

