Thank you Paul. I just upgraded it to 3.20. I built libreswan without specifying any parameter. I don't need klips in my setting anyway. I also added virtual-private=%v4:10.0.0.0/8. Still not working. The NAT part, I'm not sure why you say that. I still see the same "no suitable connection for peer '10.0.3.3'" error, but I believe it's found inside of the isakmp pkts. I did tcpdump on both machines, the IP was nat'ed, e.g. I only see 10.0.3.3 on one side and 199.204.218.98 on the peer side.
I can upload a new log if needed.

Thanks,
Xinwei

On Fri, Apr 7, 2017 at 1:57 PM, Paul Wouters <[email protected]> wrote:

> On Fri, 7 Apr 2017, Xinwei Hong wrote:
>
>> Thank you Paul. I tried ikepad=no, it does not work. Meanwhile, I tried to
>> setup natt between two machines running libreswan. It also failed, but
>> probably for a different reason.
>>
>> The log files are here:
>> https://www.dropbox.com/s/2381ktqrmshp57s/natt1.log?dl=0
>> https://www.dropbox.com/s/0uzx62mgwq2krgw/natt2.log?dl=0
>
> Did you compile without KLIPS support? That broke NAT-T and was fixed in
> 3.19, while you are running 3.18.
>
>> configs:
>> one side is nat'ed. 199.204.218.98 nat to 10.0.3.3
>>
>> config setup
>>     protostack=netkey
>>     plutodebug=all
>>     listen=10.0.3.3
>> conn conn_natt
>>     authby=secret
>>     left=10.0.3.3
>>     right=199.204.217.159
>>     ike=3des-md5;modp1024
>>     phase2alg=3des-md5;modp1024
>>     ikelifetime=28800s
>>     salifetime=3600s
>>     leftsubnet=10.0.0.0/24
>>     rightsubnet=10.0.1.0/24
>>     type=tunnel
>>     auto=start
>>
>>
>> on the peer:
>> config setup
>>     protostack=netkey
>>     plutodebug=all
>>     listen=199.204.217.159
>
> This is missing a virtual-private=%v4:10.0.0.0/8
>
>> conn conn_vpn-5483483-tunnel
>>     authby=secret
>>     left=199.204.217.159
>>     right=199.204.218.98
>>     ike=3des-md5;modp1024
>>     phase2alg=3des-md5;modp1024
>>     ikelifetime=28800s
>>     salifetime=3600s
>> conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
>>     also=conn_vpn-5483483-tunnel
>>     leftsubnet=10.0.1.0/24
>>     rightsubnet=10.0.0.0/24
>
> It's always a little tricky to build a subnet tunnel for the subnet you
> are on. It should work but it's easy for some tuning to be missing.
>
>> Apr 7 12:14:07 xenial33 pluto[5964]: | Notify Message Type:
>> INVALID_ID_INFORMATION (0x12)
>
> The logs you posted show the original error being:
>
> Apr 7 19:14:07 vvr-10-69-244-11 pluto[24396]: vpn-5483483:
> "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no
> suitable connection for peer '10.0.3.3'
>
> Looks like your 10.0.3.3 did not get NAT'ed to 199.204.218.98 and so the
> connection's right= IP value does not match the observed IP.
>
> Paul
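The two things Paul checks by eye on the peer side (does right= match the address the NATed peer is actually seen from, and does virtual-private cover the remote private subnet) written as a small script; this is an added example, not code from the thread or from libreswan, and parse_conf/resolve_conn/check_nat_peer are hypothetical helpers that read only the subset of ipsec.conf syntax used here, with the posted peer config embedded as constructed input.

```python
import ipaddress
# Constructed from the thread: the peer-side ipsec.conf as posted (debug/lifetime options omitted); note there is no virtual-private= line.
PEER_CONF_POSTED = """
config setup
    listen=199.204.217.159
conn conn_vpn-5483483-tunnel
    left=199.204.217.159
    right=199.204.218.98
conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
    also=conn_vpn-5483483-tunnel
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.0.0/24
"""
def parse_conf(text):
    """Minimal ipsec.conf reader (hypothetical helper, not libreswan's own parser):
    returns {section: {key: value}}; the 'config setup' section is keyed 'setup'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("config ", "conn ")):
            current = sections.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections
def resolve_conn(sections, name, seen=()):
    """Merge values inherited through also= (the child's own keys win)."""
    own = dict(sections[name])
    parent = own.pop("also", None)
    if parent and parent not in seen:
        merged = resolve_conn(sections, parent, seen + (name,))
        merged.update(own)
        return merged
    return own
def check_nat_peer(conf_text, conn_name, observed_src_ip):
    """Paul's two checks on the peer side: right= must equal the address the NATed
    peer is actually seen from (what tcpdump shows), and rightsubnet must fall inside
    a %v4: entry of virtual-private (negated %v4:! exclusions are simply ignored here)."""
    sections = parse_conf(conf_text)
    conn = resolve_conn(sections, conn_name)
    findings = []
    if conn.get("right") != observed_src_ip:
        findings.append(f"right={conn.get('right')} != observed peer address {observed_src_ip}")
    rsub = ipaddress.ip_network(conn["rightsubnet"])
    vp = sections.get("setup", {}).get("virtual-private", "")
    allowed = [ipaddress.ip_network(e[4:]) for e in vp.split(",") if e.startswith("%v4:") and not e.startswith("%v4:!")]
    if not any(rsub.subnet_of(n) for n in allowed):
        findings.append(f"rightsubnet={rsub} not covered by virtual-private={vp or '(unset)'}")
    return findings
```

Run against the posted config it reports only the missing virtual-private; with that line added and 199.204.218.98 as the observed source it reports nothing, while an observed source of 10.0.3.3 (the un-NATed case Paul describes) flags the right= mismatch.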
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
