<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
With PSK and IKEv1 you have to be very careful with your
left/rightid. It is much easier to switch to IKEv2, in which case they
just have to agree.<br>
<br>
<div class="moz-cite-prefix">On 06/12/2019 05:46, Ian Willis wrote:<br>
</div>
<blockquote type="cite"
cite="mid:b3bc21ef0fc16711e2a2253ef40d40112e79bdd7.camel@checksum.net.au">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div>Hi All</div>
<div><br>
</div>
<div>I have a pretty simple configuration however I don't appear
to be able to make it work.</div>
<div>I'm running the libreswan package on Centos8 on both ends.</div>
<div>I would like to initially use raw RSA keys, however I can't
make it work with PSK either. </div>
<div>There is a host with a public IP address and a host on the
private network.</div>
<div>There is a small private network behind the public host which
I would like to have accessible however the basic ipsec link
between the hosts isn't coming up.</div>
<div><br>
</div>
<div><br>
</div>
<pre>
(private Network) &lt;-&gt; (IPSEC host) &lt;-&gt; (Internet) &lt;-&gt; (ISP NAT) &lt;-&gt; (Modem Nat) - (local network)

(10.19.96/20) - ((.5) chilli.buggerit.com. 203.43.75.103) &lt;-&gt; ISP &lt;-&gt; (router 192.168.1.1/24) &lt;-&gt; (IPSEC host)
</pre>
<div><br>
</div>
<pre>
###### Config public host
conn chilli-aluminium
    leftid=@west
    left=203.43.75.103
    # rsakey AwEAAacqb
    leftrsasigkey=0sAwEAAacqbh2Uq....
    rightid=@east
    right=%any
    # rsakey AwEAAd8j4
    rightrsasigkey=0sAwEAAd8j4dyx
    authby=rsasig

###### Config private host
conn chilli-aluminium
    rightid=@east
    right=%defaultroute
    # rsakey AwEAAd8j4
    rightrsasigkey=0sAwEAAd8j4dyx...
    leftid=@west
    left=203.43.75.103
    # rsakey AwEAAacqb
    leftrsasigkey=0sAwEAAacqbh2Uq...
    authby=rsasig
</pre>
<div><br>
</div>
<div>############</div>
<div>log when connecting.</div>
<div><br>
</div>
<pre>
Dec 6 05:28:12 chilli pluto[20339]: | constructed local IKE proposals for chilli-aluminium (IKE SA responder matching remote proposals):
    1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
    2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
    3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
    4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
    5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
Dec 6 05:28:12 chilli pluto[20339]: packet from 143.225.60.18:1011: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256 chosen from remote proposals
    1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match]
    2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
    3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
    4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
    5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: IKEv2 mode peer ID is ID_FQDN: '@east'
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: Authenticated using RSA
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 43.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE
</pre>
<div><br>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
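An added example, not from either message above or from the libreswan project: the quoted log shows the IKE SA being negotiated (STATE_PARENT_R1) and the peer authenticated ("Authenticated using RSA") before the responder answers the IKE_AUTH request with TS_UNACCEPTABLE. In IKEv2 (RFC 7296) that notification means the responder found no acceptable traffic selectors for the Child SA, so the failure is in what each side says it will protect, not in the identities or keys. In libreswan the traffic selectors come from leftsubnet/rightsubnet; a conn with neither is host-to-host between the left and right addresses. The two conns below restate the posted ones with explicit subnets so that both ends describe the same pair of networks. The subnet values are taken from the network sketch in the post (10.19.96.0/20 behind chilli, 192.168.1.0/24 behind the NAT router) and are an assumption about what the poster intends to reach; the key material is left truncated exactly as posted.<br>

```ini
# Added example configuration, not the poster's or the project's own.
# Assumption: the goal is a site-to-site tunnel between the LAN behind
# the public host (10.19.96.0/20) and the LAN behind the NAT router
# (192.168.1.0/24), as drawn in the post. Adjust if that is not the case.

###### Public host (responder, fixed address)
conn chilli-aluminium
    leftid=@west
    left=203.43.75.103
    # Traffic selector offered for this side: the LAN behind chilli.
    leftsubnet=10.19.96.0/20
    # rsakey AwEAAacqb (truncated in the post)
    leftrsasigkey=0sAwEAAacqbh2Uq....
    rightid=@east
    # Peer comes from behind NAT, so its address is not known in advance.
    right=%any
    # Traffic selector expected from the peer: the LAN behind the NAT router.
    # Without this line the responder expects the peer's host address only,
    # and a Child SA proposal for any other range is answered with
    # TS_UNACCEPTABLE.
    rightsubnet=192.168.1.0/24
    # rsakey AwEAAd8j4 (truncated in the post)
    rightrsasigkey=0sAwEAAd8j4dyx
    authby=rsasig
    auto=add

###### Private host (initiator, behind ISP and modem NAT)
conn chilli-aluminium
    rightid=@east
    right=%defaultroute
    # Must be the same range the responder lists as rightsubnet.
    rightsubnet=192.168.1.0/24
    # rsakey AwEAAd8j4 (truncated in the post)
    rightrsasigkey=0sAwEAAd8j4dyx...
    leftid=@west
    left=203.43.75.103
    # Must be the same range the responder lists as leftsubnet.
    leftsubnet=10.19.96.0/20
    # rsakey AwEAAacqb (truncated in the post)
    leftrsasigkey=0sAwEAAacqbh2Uq...
    authby=rsasig
    # Only the NATed side can initiate, since the responder uses right=%any.
    auto=start
```

The check a practitioner wants here is that the leftsubnet/rightsubnet pair is identical, line for line, in both files; after loading, `ipsec auto --status` on each end prints the conn with the negotiated selectors, and a mismatch between the two prints is exactly what produces the TS_UNACCEPTABLE seen in the log. With only one side holding a fixed address, the responder keeps `right=%any` and the initiator is the host behind the NAT; the IDs (@west/@east) stay as posted because the log shows they already match.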
<br>
</body>
</html>