Hi,

> note, I would remove the empty lines to prevent possible confusion with
> the config parser thinking a new section is starting.
>
> > # ipsec auto --up wyckofftun
> > 029 "wyckofftun": cannot initiate connection without knowing peer IP
>
> You cannot use right=%any and left=%defaultroute, as then libreswan
> cannot determine whether it is supposed to be "right" or "left".

Then when should it be used?

> Regardless, if you initiate, you must know the remote endpoint's DNS
> name or IP address. If one endpoint is behind NAT, only that endpoint
> can initiate. Unless it is behind a NAT that does port forwarding, in
> which case your right= should be the hostname or IP address of the NAT
> device.

The endpoint is not behind NAT. It is laptops and desktops and phones
connected to the remote VPN gateway on a private network with a dynamic
IP. The gateway then uses NAT to allow them to communicate with the
Internet, of course.

So you're saying go back to using RSA keys instead of certs, correct?

I'm again having the same problem I had some months ago when trying to
create a host-to-host VPN using RSA keys. I've deleted *.db and recreated
it and it still doesn't work. This is what I've done.

Remote side (dynamic IP):

  # ipsec initnss
  Initializing NSS database
  # ipsec newhostkey
  Generated RSA key pair with CKAID b32410d13088e5f871df9c07c976172ffbe97dfc was stored in the NSS database
  # ipsec showhostkey --right --ckaid b32410d13088e5f871df9c07c976172ffbe97dfc
          # rsakey AwEAAcj4B
          rightrsasigkey=0sAwEAAcj4BMRurMTmyi6...

Local side (VPN server):

  # rm -f *.db
  # ipsec initnss
  Initializing NSS database
  # ipsec newhostkey
  Generated RSA key pair with CKAID a8f822acb96d1c9be7fb52014169d42806df30d8 was stored in the NSS database
  # ipsec showhostkey --left --ckaid a8f822acb96d1c9be7fb52014169d42806df30d8
          # rsakey AwEAAed2I
          leftrsasigkey=0sAwEAAed2Iw0fPA8tLL8q8MuFG5D...

I've used that to create the following wyckofftun.conf file, which is
then copied to /etc/ipsec.d on both hosts:

  conn wyckofftun
          authby=rsasig
          ikev2=insist
          fragmentation=yes
          rightid=@wyckoff-orion
          right=wyckoff.crabdance.com
          # rsakey AwEAAcj4B
          rightrsasigkey=0sAwEAAcj4BMRurMTmyi6...
          leftid=@orion-wyckoff
          left=68.195.193.42
          # rsakey AwEAAed2I
          leftrsasigkey=0sAwEAAed2Iw0fPA8tLL8q8MuFG5D...

When I try to bring up the tunnel, it reports it's unable to locate its
RSA key.

  [root@orion ipsec.d]# ipsec auto --add wyckofftun
  002 added connection description "wyckofftun"
  [root@orion ipsec.d]# ipsec auto --up wyckofftun
  002 "wyckofftun" #2: initiating v2 parent SA
  133 "wyckofftun" #2: initiate
  002 "wyckofftun" #2: constructed local IKE proposals for wyckofftun (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;INTEG=NONE;DH=ECP_256 ...
  133 "wyckofftun" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
  003 "wyckofftun" #2: Can't find the certificate or private key from the NSS CKA_ID
  003 "wyckofftun" #2: Failed to find our RSA key

  # ipsec showhostkey --list
  < 1> RSA keyid: AwEAAed2I ckaid: a8f822acb96d1c9be7fb52014169d42806df30d8

The key is obviously there. This is on fedora29. Are we sure there isn't
a problem with fedora28 or libreswan-3.27-1.fc28.x86_64?

  # ipsec barf
  https://drive.google.com/file/d/19LTtomUH8VY3GvQ76gKXfC90_YWy3pSw/view?usp=sharing

I really hope someone can help me figure out what's wrong.

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
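The checks a practitioner would run on a conn block like the one above before suspecting the NSS database, as an added example for this thread (not code from libreswan and not from the poster). It decodes the `0s<base64>` RSA key values (base64 of the RFC 3110 wire format: exponent length, exponent, modulus), derives the nine-character keyid that `ipsec showhostkey` prints next to a key (`# rsakey AwEAAcj4B`, as visible in the output quoted above; taking it to be the first nine base64 characters is an assumption drawn from that output), reports whether `leftrsasigkey` or `rightrsasigkey` matches a keyid in local `ipsec showhostkey --list` output, and flags the `right=%any` plus `left=%defaultroute` combination the reply rules out. The sample conn files show the asymmetric layout the reply describes: a responder with a fixed address and `right=%any`/`auto=add`, and an initiator on a dynamic address with `left=%defaultroute`, a named peer and `auto=start`. All keys (tiny, made-up moduli), addresses, hostnames and the list output are constructed for the example; the script does not explain the failure in the post, it only rules out the two mistakes it checks for.

```python
import base64
import re


def decode_rsakey(value: str) -> tuple[int, bytes]:
    """Decode a 0s-prefixed RSA public key (base64 of the RFC 3110 wire
    format: exponent length, exponent, modulus) into (exponent, modulus)."""
    if not value.startswith("0s"):
        raise ValueError("expected a 0s-prefixed base64 RSA key")
    blob = base64.b64decode(value[2:])
    # RFC 3110: one length byte; a zero byte means a two-byte length follows.
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = blob[off + elen:]
    if not modulus:
        raise ValueError("key has no modulus")
    return exponent, modulus


def encode_rsakey(exponent: int, modulus: bytes) -> str:
    """Inverse of decode_rsakey; used here only to build constructed sample keys."""
    ebytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    head = bytes([len(ebytes)]) if len(ebytes) < 256 else b"\x00" + len(ebytes).to_bytes(2, "big")
    return "0s" + base64.b64encode(head + ebytes + modulus).decode()


def keyid(value: str) -> str:
    """Short identifier printed by `ipsec showhostkey` ('# rsakey AwEAAcj4B'):
    assumed to be the first nine base64 characters after the 0s prefix."""
    decode_rsakey(value)  # reject anything that is not a parseable key
    return value[2:11]


def parse_conn(text: str) -> dict[str, str]:
    """Collect key=value options of one conn block; comments, blank lines
    and the 'conn <name>' line are skipped."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, val = line.partition("=")
        opts[key.strip()] = val.strip()
    return opts


def local_keyids(showhostkey_list: str) -> set[str]:
    """Keyids from `ipsec showhostkey --list` output ('< 1> RSA keyid: AwEA... ckaid: ...')."""
    return set(re.findall(r"keyid:\s*(\S+)", showhostkey_list))


def check_conn(conf: str, showhostkey_list: str) -> dict:
    """Return the problems found and which side's key is present in the local NSS DB."""
    opts = parse_conn(conf)
    problems = []
    if opts.get("right") == "%any" and opts.get("left") == "%defaultroute":
        problems.append("right=%any with left=%defaultroute: libreswan cannot tell which side is local")
    if opts.get("right") == "%any" and opts.get("auto") == "start":
        problems.append("right=%any cannot initiate (peer IP unknown); use auto=add on this side")
    ids = local_keyids(showhostkey_list)
    local = [s for s in ("left", "right")
             if opts.get(f"{s}rsasigkey") and keyid(opts[f"{s}rsasigkey"]) in ids]
    if not local:
        problems.append("neither leftrsasigkey nor rightrsasigkey matches a key in the local NSS database")
    return {"problems": problems, "local_side": local}


# Constructed sample material: made-up 32-byte moduli, TEST-NET address, example hostname.
SERVER_KEY = encode_rsakey(65537, bytes(range(0xC8, 0xC8 + 32)))
CLIENT_KEY = encode_rsakey(65537, bytes(range(0xD0, 0xD0 + 32)))

# Responder with a fixed address: it only waits, so its peer may be %any.
SERVER_CONF = f"""conn wyckofftun
    authby=rsasig
    ikev2=insist
    left=192.0.2.10
    leftid=@orion-wyckoff
    leftrsasigkey={SERVER_KEY}
    right=%any
    rightid=@wyckoff-orion
    rightrsasigkey={CLIENT_KEY}
    auto=add
"""

# Initiator on a dynamic address: it must name the responder and may use %defaultroute.
CLIENT_CONF = f"""conn wyckofftun
    authby=rsasig
    ikev2=insist
    left=%defaultroute
    leftid=@wyckoff-orion
    leftrsasigkey={CLIENT_KEY}
    right=vpn.example.net
    rightid=@orion-wyckoff
    rightrsasigkey={SERVER_KEY}
    auto=start
"""

# The combination the reply rules out, in one file.
BAD_CONF = "conn bad\n    left=%defaultroute\n    right=%any\n"

# Constructed `ipsec showhostkey --list` output for each host (ckaid values are filler).
SERVER_LIST = f"< 1> RSA keyid: {keyid(SERVER_KEY)} ckaid: 0123456789abcdef0123456789abcdef01234567\n"
CLIENT_LIST = f"< 1> RSA keyid: {keyid(CLIENT_KEY)} ckaid: 89abcdef0123456789abcdef0123456789abcdef\n"

if __name__ == "__main__":
    print("server:", check_conn(SERVER_CONF, SERVER_LIST))
    print("client:", check_conn(CLIENT_CONF, CLIENT_LIST))
    print("bad:   ", check_conn(BAD_CONF, SERVER_LIST))
```

Feed it the real conn text and the real `ipsec showhostkey --list` output of the host in question; a `local_side` of `[]` means the `0s...` value in the file is not the key that host holds, which is the first thing to rule out for "Failed to find our RSA key" (the thread's output shows a matching keyid, so that particular failure is something else).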