Re: [Swan] converting to use NAT traversal
Hi,

> > I've made a few changes, but it still appears to be failing. From
> > wyckoff (right side):
> > Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> > ourselves with either end of this connection. 68.195.193.42 or
> > 96.56.24.210 are not usable
>
> If both ends are behind NAT, you have to make the change I mentioned on both
> ends specific for that end. The local (left) part MUST be %defaultroute
> or an IP/DNS that refers to a local IP present on the machine and not its
> “going to be NATed to IP/DNS”

No, both ends are not behind NAT - only wyckoff (96.56.24.210). Its actual
IP is the 10.201.2.2. The left side (orion, 68.195.193.42) has a public
static IP and I've set it to be that IP.

That now makes sense. The right side (wyckoff) doesn't know that its public
IP is the 96.56.24.210, so I've set it to %defaultroute, and it appears to
now be working.

Thanks so much.

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
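The orientation rule discussed in this thread (the local end's left=/right= must be %defaultroute or an address the host actually holds, never the public address NAT maps it to) as an added, stand-alone check. This is example code written for this page, not libreswan's own logic or anything posted by the thread's participants; the conn text, the interface address sets and the default-route address are constructed from the values quoted in the thread, and the DNS resolver is injected so nothing is looked up. It also shows why %defaultroute is per host: the same fixed conn copied unchanged to orion would match both ends and fail to orient there.

```python
import ipaddress

# Constructed sample: the thread's conn as seen on wyckoff, both ends written
# as public addresses (the form that fails to orient behind NAT).
CONN_BROKEN = """
conn orion-wyckoff
        leftid=@orion-wyckoff
        left=68.195.193.42
        rightid=@wyckoff-orion
        right=96.56.24.210
"""
# Same conn with the local end as %defaultroute, as suggested in the thread.
CONN_FIXED = CONN_BROKEN.replace("right=96.56.24.210", "right=%defaultroute")

def parse_conn(text):
    """Parse one 'conn NAME' block of ipsec.conf-style key=value lines."""
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
        else:
            key, _, value = line.partition("=")
            conn[key.strip()] = value.strip()
    return conn

def resolve_end(value, default_route_ip, resolver):
    """Address a left=/right= value denotes, or None if it cannot be resolved."""
    if value == "%defaultroute":
        return default_route_ip
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return resolver(value)  # DNS name; resolver is injected so this runs offline

def orient(conn, local_ips, default_route_ip, resolver=lambda name: None):
    """'left' or 'right' if exactly one end is a local address, else None (the
    condition behind libreswan's 'We cannot identify ourselves with either end')."""
    matches = [side for side in ("left", "right")
               if resolve_end(conn.get(side, ""), default_route_ip, resolver) in local_ips]
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    wyckoff_ips = {"127.0.0.1", "10.201.2.2"}   # wyckoff never holds 96.56.24.210
    print(orient(parse_conn(CONN_BROKEN), wyckoff_ips, "10.201.2.2"))  # None
    print(orient(parse_conn(CONN_FIXED), wyckoff_ips, "10.201.2.2"))   # right
```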
Re: [Swan] converting to use NAT traversal
> On Jan 5, 2020, at 08:54, Alex wrote:
>
> Hi,
>
> I've made a few changes, but it still appears to be failing. From
> wyckoff (right side):
> Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> ourselves with either end of this connection. 68.195.193.42 or
> 96.56.24.210 are not usable

If both ends are behind NAT, you have to make the change I mentioned on both
ends specific for that end. The local (left) part MUST be %defaultroute
or an IP/DNS that refers to a local IP present on the machine and not its
“going to be NATed to IP/DNS”

Paul

> Jan 5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1:
> retransmission; will wait 8 seconds for response
> Jan 5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan 5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan 5 08:50:53.838729: packet from 68.195.193.42:500: initial parent
> SA message received on 10.201.2.2:500 but no suitable connection found
> with IKEv2 policy
> Jan 5 08:50:53.838789: packet from 68.195.193.42:500: responding to
> IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
> unencrypted notification NO_PROPOSAL_CHOSEN
>
> It appears it's still confused about which side is which?
>
>>> I managed to convince the admin to port forward both 4500 and 500,
>>> along with AH and ESP to my 10.201.2.2 IP from the static external
>>> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>>>
>>> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
>>> 10.201.2.2 on the server itself), I'm seeing the following:
>>> # ipsec auto --up orion-wyckoff
>>> 000 initiating all conns with alias='orion-wyckoff'
>>> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
>>> of this connection. 68.195.193.42 or 96.56.24.210
>>
>> You need to use a real IP address or %defaultroute for the local end (eg
>> left=) and not the address it will get NATed to
>
> I believe that I am. The address that it's NATed to is 10.201.2.2, an
> internal unroutable IP.
>
>>>         dpddelay=10
>>>         dpdtimeout=90
>>>         dpdaction=clear
>>>         rightsubnets={192.168.11.0/24,192.168.10.0/24}
>>>         rightid=@wyckoff-orion
>>>         right=96.56.24.210
>>>         rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>>>         leftid=@orion-wyckoff
>>>         left=orion.guardiandigital.com
>>
>> If this is on orion, use left=%defaultroute
>
> This is on the right side. Previously this side had a dynamic IP, so I
> could now conceivably enter the IPs directly on both sides?
>
> Here is the config for the left side (orion, 68.195.193.42):
>
> conn orion-wyckoff
>         ikev2=insist
>         authby=rsasig
>         auto=add
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         rightid=@wyckoff-orion
>         rightsubnets={192.168.11.0/24,192.168.10.0/24}
>         right=96.56.24.210
>         rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
>         leftid=@orion-wyckoff
>         left=68.195.193.42
>         leftsubnets={192.168.1.0/24,192.168.6.0/24}
>         leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
>
> Here is the config for the right side (wyckoff, 96.56.24.210):
>
> conn orion-wyckoff
>         ikev2=insist
>         authby=rsasig
>         auto=start
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         rightsubnets={192.168.11.0/24,192.168.10.0/24}
>         rightid=@wyckoff-orion
>         right=96.56.24.210
>         rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
>         leftid=@orion-wyckoff
>         left=%defaultroute
>         leftsubnets={192.168.1.0/24,192.168.6.0/24}
>         leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...
>
> I've also tried hardcoding the IP on each side for left= and right=.
Re: [Swan] converting to use NAT traversal
Hi,

I've made a few changes, but it still appears to be failing. From
wyckoff (right side):

Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify ourselves with either end of this connection. 68.195.193.42 or 96.56.24.210 are not usable
Jan 5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
Jan 5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator received a message with I(Initiator) flag set; dropping packet
Jan 5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator received a message with I(Initiator) flag set; dropping packet
Jan 5 08:50:53.838729: packet from 68.195.193.42:500: initial parent SA message received on 10.201.2.2:500 but no suitable connection found with IKEv2 policy
Jan 5 08:50:53.838789: packet from 68.195.193.42:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with unencrypted notification NO_PROPOSAL_CHOSEN

It appears it's still confused about which side is which?

> > I managed to convince the admin to port forward both 4500 and 500,
> > along with AH and ESP to my 10.201.2.2 IP from the static external
> > 96.56.24.210 (wyckoff) IP but I still can't get it to work.
> >
> > Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> > 10.201.2.2 on the server itself), I'm seeing the following:
> > # ipsec auto --up orion-wyckoff
> > 000 initiating all conns with alias='orion-wyckoff'
> > 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> > of this connection. 68.195.193.42 or 96.56.24.210
>
> You need to use a real IP address or %defaultroute for the local end (eg
> left=) and not the address it will get NATed to

I believe that I am. The address that it's NATed to is 10.201.2.2, an
internal unroutable IP.

> >         dpddelay=10
> >         dpdtimeout=90
> >         dpdaction=clear
> >         rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >         rightid=@wyckoff-orion
> >         right=96.56.24.210
> >         rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
> >         leftid=@orion-wyckoff
> >         left=orion.guardiandigital.com
>
> If this is on orion, use left=%defaultroute

This is on the right side. Previously this side had a dynamic IP, so I
could now conceivably enter the IPs directly on both sides?

Here is the config for the left side (orion, 68.195.193.42):

conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=add
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightid=@wyckoff-orion
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        right=96.56.24.210
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
        leftid=@orion-wyckoff
        left=68.195.193.42
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...

Here is the config for the right side (wyckoff, 96.56.24.210):

conn orion-wyckoff
        ikev2=insist
        authby=rsasig
        auto=start
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        rightsubnets={192.168.11.0/24,192.168.10.0/24}
        rightid=@wyckoff-orion
        right=96.56.24.210
        rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
        leftid=@orion-wyckoff
        left=%defaultroute
        leftsubnets={192.168.1.0/24,192.168.6.0/24}
        leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...

I've also tried hardcoding the IP on each side for left= and right=.