On Thu, 24 Jan 2019, Alex wrote:

> Both endpoints are libreswan on fedora.

Regardless, the side on dynamic IP should have auto=start and rekey=yes
and the side on static IP should have auto=add and rekey=no. The
one with static IP will have (assuming you used left for local, and right
for remote) left=staticip and right=%any. On the end with dynamic IP
you will have (again assuming you used left for local, and right for
remote) left=%defaultroute and right=staticip

> It still does not like right=%any
>
> # ipsec auto --up host-to-host
> 029 "host-to-host": cannot initiate connection without knowing peer IP
> address (kind=CK_TEMPLATE)
> 036 failed to initiate host-to-host

As I said, only the end behind NAT can initiate. So running --up should
only be done on the node behind NAT.

> I'd really like to figure out why RSA keys don't work. Are the left=
> and right= parameters relative to which side the configuration file is
> on, or do they remain consistent on both sides? In other words, does
> the left side always remain the same, regardless of which side it is
> on?

left is the left side of your paper diagram. Right is the right side of
your paper diagram. If you flip the paper, left becomes right, right
becomes left. So in theory, you can use the identical configuration on
both sides, and pluto will figure out if it is "left" or "right" on
each server with that identical configuration. BUT.... in your case,
remember you cannot re-use the identical configuration because you
cannot use "%any" on both sides. Still, for each server, you can
pick arbitrarily what is left or what is right, according to your
paper diagram.

> You had said left=%defaultroute, but if the right (remote) is the side
> with the dynamic IP, it doesn't have a static address to use for
> right=

When answering these types of questions, it is hard for us to write for
each option "if left is your local end use left=%defaultroute, and if
right is your local end use right=%defaultroute". So when answering
these questions, we tend to pick "left is local, right is remote".

> This is my config now:
> conn host-to-host
>        left=orion.guardiandigital.com
>        leftid=@orion
>        leftsubnet=192.168.1.0/24
>        leftrsasigkey=0sAwEAAczgDWWfK4A83Q1e/fTYS2C...
>        right=%any
>        rightsubnet=192.168.11.0/24
>        rightrsasigkey=0sAwEAAZRIg5GeGCHBqp561KQrfoiQnwsh...
>        rightid=@wyckoff
>        auto=add
>        rekey=no

I assume that orion is the side on fixed IP/DNS name, and that wyckoff
is the end with a dynamic IP and behind NAT. In that case, on orion
you can use this config. On wyckoff you will need to change "right=%any"
to "right=%defaultroute". All other options can be the same, and you do
not need to change left/right or anything.

> Also, how do I add multiple subnets on both sides? I've seen
> references using commas to separate them, braces, and spaces, and none
> work.

You can use spaces or commas. An example from our test cases is:

leftsubnets={10.0.1.0/24,10.0.2.0/24,10.0.3.0/24,10.0.4.0/24}
rightsubnets={11.0.1.0/24,11.0.2.0/24,11.0.3.0/24,11.0.4.0/24}

Some older versions did not like the use of space+comma.

> 003 "host-to-host" #1: Failed to find our RSA key
>
> Is there debugging I can add to help determine why this is happening again?

If you are using rightrsasigkey= and leftrsasigkey= on keys properly
generated inside the current NSS database with "ipsec newhostkey" then
it should just work. I've talked a lot on the list in the past about
failures to generate keys, move NSS files etc, so I won't repeat myself
again. If in doubt what is in NSS, use "ipsec showhostkey --list" and
generate new rsasigkey= statements with "ipsec showhostkey --left (or
--right) --ckaid XXXX" (XXXX from the --list command).

Paul
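The left/right and %any/%defaultroute rules from the replies above, plus the brace-wrapped leftsubnets=/rightsubnets= syntax, are easy to get wrong in a way that only shows up as the "cannot initiate connection without knowing peer IP address" error. The following is an added example, not libreswan code and not from this thread: a small Python lint that parses a conn section, checks the static end (remote=%any, auto=add, rekey=no) and derives and checks the dynamic end (remote entry replaced by %defaultroute, auto=start, rekey=yes, as in the first reply). It assumes libreswan's defaults of rekey=yes and auto=ignore, handles only "conn NAME" headers with key=value lines (no include= or conn %default), and uses placeholder RSA keys in a constructed sample.

```python
# Added example (not libreswan code): lint an ipsec.conf "conn" section
# against the static-IP / dynamic-IP rules from the thread, and split a
# leftsubnets=/rightsubnets= list. Assumptions: libreswan defaults are
# rekey=yes and auto=ignore; the parser handles only "conn NAME" headers
# and key=value lines, not include= or "conn %default".
import re
from typing import Dict, List

# Constructed sample: the static (orion) end, with placeholder keys.
STATIC_SIDE = """\
conn host-to-host
       left=orion.guardiandigital.com
       leftid=@orion
       leftsubnets={192.168.1.0/24, 192.168.2.0/24}
       leftrsasigkey=0sPLACEHOLDER-LEFT-KEY
       right=%any
       rightsubnets={192.168.11.0/24,192.168.12.0/24}
       rightrsasigkey=0sPLACEHOLDER-RIGHT-KEY
       rightid=@wyckoff
       auto=add
       rekey=no
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: 'conn NAME' header, then key=value lines. '#' comments
    and blank lines are skipped; the value keeps any '=' after the first."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            conns[current][key.strip()] = val.strip()
    return conns


def parse_subnets(value: str) -> List[str]:
    """leftsubnets=/rightsubnets= take a {...} list separated by commas
    and/or spaces; return the individual CIDR strings."""
    inner = value.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [s for s in re.split(r"[\s,]+", inner) if s]


def lint_conn(name: str, conn: Dict[str, str], local_side: str) -> List[str]:
    """local_side is 'left' or 'right': the end this file lives on.
    Returns findings; an empty list means the thread's rules are met."""
    remote = "right" if local_side == "left" else "left"
    local_addr, remote_addr = conn.get(local_side, ""), conn.get(remote, "")
    auto, rekey = conn.get("auto", "ignore"), conn.get("rekey", "yes")
    findings: List[str] = []
    if local_addr == "%any" and remote_addr == "%any":
        findings.append(f"{name}: %any on both ends; one end needs a fixed address")
    if remote_addr == "%any":
        # Static end: a template conn (kind=CK_TEMPLATE) only responds,
        # so it must not be told to initiate.
        if auto == "start":
            findings.append(f"{name}: {remote}=%any cannot initiate; use auto=add")
        if rekey != "no":
            findings.append(f"{name}: static end should set rekey=no")
    if local_addr == "%defaultroute":
        # Dynamic end behind NAT: the only end that can initiate.
        if auto != "start":
            findings.append(f"{name}: dynamic end should set auto=start")
        if rekey != "yes":
            findings.append(f"{name}: dynamic end should set rekey=yes")
        if remote_addr in ("", "%any", "%defaultroute"):
            findings.append(f"{name}: dynamic end must put the peer's fixed address in {remote}=")
    for side in ("left", "right"):
        # Several subnets belong in the plural keyword, not leftsubnet=.
        if len(parse_subnets(conn.get(side + "subnet", ""))) > 1:
            findings.append(f"{name}: several subnets need {side}subnets={{...}}, not {side}subnet=")
    return findings


def dynamic_side_config(conn: Dict[str, str], static_local_side: str) -> Dict[str, str]:
    """Derive the dynamic end's conn from the static end's: the %any entry
    becomes %defaultroute and auto/rekey flip; everything else is kept."""
    remote = "right" if static_local_side == "left" else "left"
    peer = dict(conn)
    peer[remote] = "%defaultroute"
    peer["auto"], peer["rekey"] = "start", "yes"
    return peer


def lint_both_ends(text: str, static_local_side: str = "left") -> Dict[str, List[str]]:
    """Lint the static end as written and the derived dynamic end."""
    other = "right" if static_local_side == "left" else "left"
    results: Dict[str, List[str]] = {}
    for name, conn in parse_conns(text).items():
        results[name + "@static"] = lint_conn(name, conn, static_local_side)
        results[name + "@dynamic"] = lint_conn(name, dynamic_side_config(conn, static_local_side), other)
    return results


if __name__ == "__main__":
    for end, findings in lint_both_ends(STATIC_SIDE).items():
        print(end, findings or "ok")
```

Run it against the file from the static end and it reports both ends clean; change auto=add to auto=start on the %any end and it reports the template conn that pluto cannot initiate, which is the situation behind the 029 error quoted above.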
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan