<div dir="ltr">Thank you Paul. It's finally working now.<div>One more question, is the virtual_private required? When I omit it, things are still working in my setting. What's the default behavior when it's missing. I cannot find it in the man page of ipsec.conf.</div><div><br></div><div>Thanks,</div><div>Xinwei</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 18, 2017 at 5:12 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, 18 Apr 2017, Xinwei Hong wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Paul,<br>
Sorry for taking a long time to get back (I was out of office last week). <br>
<br>
I have uploaded the latest log files at:<br>
<a href="https://file.town/download/7wt9a05p7mwym05mzr4dox4q7" rel="noreferrer" target="_blank">https://file.town/download/7wt<wbr>9a05p7mwym05mzr4dox4q7</a><br>
<a href="https://file.town/download/fxn6861zvcra5qu3q9cv9c3l0" rel="noreferrer" target="_blank">https://file.town/download/fxn<wbr>6861zvcra5qu3q9cv9c3l0</a><br>
<br>
On the non-natt'ed side, I see:<br>
<br>
Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRe<wbr>moteRoutedSubnet-tunnel-<a href="http://10.0.0.0/24" target="_blank">10.0.<wbr>0.0/24</a>" #2: no suitable connection for peer '10.0.3.3'<br>
<br>
Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: | vpn-5483483: complete v1 state transition with INVALID_ID_INFORMATION<br>
<br>
Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRe<wbr>moteRoutedSubnet-tunnel-<a href="http://10.0.0.0/24" target="_blank">10.0.<wbr>0.0/24</a>" #2: sending encrypted notification INVALID_ID_INFORMATION to<br>
<a href="http://199.204.218.98:500" rel="noreferrer" target="_blank">199.204.218.98:500</a><br>
<br>
It recognizes the ip 10.0.3.3 which is behind NAT on the other end. Tcpdump on non-natt'ed side only see packets from the public IP, not 10.0.3.3<br>
</blockquote>
<br></span>
When behind NAT, try avoiding using IP addresses as ID's because the<br>
endpoint behind NAT would have to specify the public IP as its leftid=<br>
<br>
In this case 10.0.3.3 is NATed to 199.204.218.98 but it is using a<br>
leftid=10.0.3.3 (possibly because no leftid= is specified, which then<br>
defaults to the IP address).<br>
<br>
You can make up ID's as long as they are the same on both ends. For<br>
literal strings, prefix with an @, eg leftid=@MyServer<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks,<br>
Xinwei<br>
<br>
<br>
<br>
<br>
<br>
<br>
On Sat, Apr 8, 2017 at 3:09 PM, Paul Wouters <<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>> wrote:<br>
On Fri, 7 Apr 2017, Xinwei Hong wrote:<br>
<br>
I just upgraded it to 3.20. I built libreswan without specifying any parameter. I don't need klips in my setting anyway. I also<br>
added virtual-private=%v4:<a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0<wbr>.0.0/8</a>. Still not working. <br>
The NAT part, I'm not sure why you say that. I still see same "no suitable connection for peer '10.0.3.3'" error, but I believe it's found inside of isakmp pkts.<br>
I did tcpdump on both<br>
machines, the ip was nat'ed. e.g. only see 10.0.3.3 on one side and 199.204.218.98 on the peer side.<br>
<br>
I can upload new log if needed.<br>
<br>
<br>
I can have a look if you upload new logs. But please do not use that<br>
dropbox API because I cannot search and scroll through that. A link<br>
the actual files would be better so I can download these and have a<br>
look.<br>
<br>
Paul<br>
<br>
<br>
<br>
<br>
</blockquote>
</div></div></blockquote></div><br></div>