Re: [Swan] converting to use NAT traversal

2020-01-05 Thread Alex
Hi,

> > I've made a few changes, but it still appears to be failing. From
> > wyckoff (right side):
> > Jan  5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> > ourselves with either end of this connection.  68.195.193.42 or
> > 96.56.24.210 are not usable
>
> If both ends are behind NAT, you have to make the change I mentioned on both 
> ends specific for that end. The local (left) part MUST be %defaultroute
> or an IP/DNS that refers to a local IP present on the machine and not its 
> “going to be NATed to IP/DNS”

No, both ends are not behind NAT - only wyckoff (96.56.24.210). Its
actual IP is the 10.201.2.2. The left side (orion, 68.195.193.42) has
a public static IP and I've set it to be that IP.

That now makes sense. The right side (wyckoff) doesn't know that its
public IP is the 96.56.24.210, so I've set it to %defaultroute, and it
appears to now be working.

Thanks so much.
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] converting to use NAT traversal

2020-01-05 Thread Paul Wouters


> On Jan 5, 2020, at 08:54, Alex wrote:
> 
> Hi,
> 
> I've made a few changes, but it still appears to be failing. From
> wyckoff (right side):
> Jan  5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> ourselves with either end of this connection.  68.195.193.42 or
> 96.56.24.210 are not usable


If both ends are behind NAT, you have to make the change I mentioned on both 
ends specific for that end. The local (left) part MUST be %defaultroute or an 
IP/DNS that refers to a local IP present on the machine and not its “going to 
be NATed to IP/DNS”

Paul

> 
> Jan  5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1:
> retransmission; will wait 8 seconds for response
> Jan  5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan  5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan  5 08:50:53.838729: packet from 68.195.193.42:500: initial parent
> SA message received on 10.201.2.2:500 but no suitable connection found
> with IKEv2 policy
> Jan  5 08:50:53.838789: packet from 68.195.193.42:500: responding to
> IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
> unencrypted notification NO_PROPOSAL_CHOSEN
> 
> It appears it's still confused about which side is which?
> 
>>> I managed to convince the admin to port forward both 4500 and 500,
>>> along with AH and ESP to my 10.201.2.2 IP from the static external
>>> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>>> 
>>> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
>>> 10.201.2.2 on the server itself), I'm seeing the following:
>>> # ipsec auto --up orion-wyckoff
>>> 000 initiating all conns with alias='orion-wyckoff'
>>> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
>>> of this connection.  68.195.193.42 or 96.56.24.210
>> 
>> You need to use a real IP address or %defaultroute for the local end (eg 
>> left=) and not the address it will get NATed to
> 
> I believe that I am. The address that it's NATed to is 10.201.2.2, an
> internal unroutable IP.
> 
>>>   dpddelay=10
>>>   dpdtimeout=90
>>>   dpdaction=clear
>>>   rightsubnets={192.168.11.0/24,192.168.10.0/24}
>>>   rightid=@wyckoff-orion
>>>   right=96.56.24.210
>>>   rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>>>   leftid=@orion-wyckoff
>>>   left=orion.guardiandigital.com
>> 
>> If this is on orion, use left=%defaultroute
> 
> This is on the right side. Previously this side had a dynamic IP, so I
> could now conceivably enter the IPs directly on both sides?
> 
> Here is the config for the left side (orion, 68.195.193.42):
> conn orion-wyckoff
>     ikev2=insist
>     authby=rsasig
>     auto=add
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     rightid=@wyckoff-orion
>     rightsubnets={192.168.11.0/24,192.168.10.0/24}
>     right=96.56.24.210
>     rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
>     leftid=@orion-wyckoff
>     left=68.195.193.42
>     leftsubnets={192.168.1.0/24,192.168.6.0/24}
>     leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
> 
> Here is the config for the right side (wyckoff, 96.56.24.210):
> conn orion-wyckoff
>     ikev2=insist
>     authby=rsasig
>     auto=start
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     rightsubnets={192.168.11.0/24,192.168.10.0/24}
>     rightid=@wyckoff-orion
>     right=96.56.24.210
>     rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
>     leftid=@orion-wyckoff
>     left=%defaultroute
>     leftsubnets={192.168.1.0/24,192.168.6.0/24}
>     leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...
> 
> I've also tried hardcoding the IP on each side for left= and right=.



Re: [Swan] converting to use NAT traversal

2020-01-05 Thread Alex
Hi,

I've made a few changes, but it still appears to be failing. From
wyckoff (right side):
Jan  5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
ourselves with either end of this connection.  68.195.193.42 or
96.56.24.210 are not usable

Jan  5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1:
retransmission; will wait 8 seconds for response
Jan  5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator
received a message with I(Initiator) flag set; dropping packet
Jan  5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator
received a message with I(Initiator) flag set; dropping packet
Jan  5 08:50:53.838729: packet from 68.195.193.42:500: initial parent
SA message received on 10.201.2.2:500 but no suitable connection found
with IKEv2 policy
Jan  5 08:50:53.838789: packet from 68.195.193.42:500: responding to
IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
unencrypted notification NO_PROPOSAL_CHOSEN

It appears it's still confused about which side is which?

> > I managed to convince the admin to port forward both 4500 and 500,
> > along with AH and ESP to my 10.201.2.2 IP from the static external
> > 96.56.24.210 (wyckoff) IP but I still can't get it to work.
> >
> > Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> > 10.201.2.2 on the server itself), I'm seeing the following:
> > # ipsec auto --up orion-wyckoff
> > 000 initiating all conns with alias='orion-wyckoff'
> > 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
> > of this connection.  68.195.193.42 or 96.56.24.210
>
> You need to use a real IP address or %defaultroute for the local end (eg 
> left=) and not the address it will get NATed to

I believe that I am. The address that it's NATed to is 10.201.2.2, an
internal unroutable IP.

> >     dpddelay=10
> >     dpdtimeout=90
> >     dpdaction=clear
> >     rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >     rightid=@wyckoff-orion
> >     right=96.56.24.210
> >     rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
> >     leftid=@orion-wyckoff
> >     left=orion.guardiandigital.com
>
> If this is on orion, use left=%defaultroute

This is on the right side. Previously this side had a dynamic IP, so I
could now conceivably enter the IPs directly on both sides?

Here is the config for the left side (orion, 68.195.193.42):
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    auto=add
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    rightid=@wyckoff-orion
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    right=96.56.24.210
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
    leftid=@orion-wyckoff
    left=68.195.193.42
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...

Here is the config for the right side (wyckoff, 96.56.24.210):
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    auto=start
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    rightid=@wyckoff-orion
    right=96.56.24.210
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
    leftid=@orion-wyckoff
    left=%defaultroute
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...

I've also tried hardcoding the IP on each side for left= and right=.