On Thu, 2 May 2019, Nick Howitt wrote:
> I have an IKEv2 conn with one end behind NAT:
>
> NAT'd (remote):
>
> conn nick-ikev2
>     type=tunnel
>     authby=secret
>     auto=start
>     left=10.20.40.248
>     leftsourceip=192.168.20.1
>     leftsubnet=192.168.20.0/24
>     leftid=@clearos_in_clearvm
>     right=my.fqdn
>     rightsubnet=172.17.2.0/24
>     rightid=@nick
>     ikev2=insist
>     dpdaction=restart
>     dpdtimeout=120
>     dpddelay=30
looks ok.
> Other (local) end:
>
> conn nick-ikev2
>     type=tunnel
>     authby=secret
>     auto=add
>     left=%any
>     #left=209.90.117.194
>     leftsubnet=192.168.20.0/24
>     leftid=@clearos_in_clearvm
>     right=%defaultroute
>     rightsubnet=172.17.2.0/24
>     rightsourceip=172.17.2.1
>     rightid=@nick
>     ikev2=insist
>     dpdaction=restart
>     dpdtimeout=120
>     dpddelay=30
>     rekey=no
auto=add with rekey=no should have dpdaction=clear and not restart, as it
cannot start to the endpoint behind NAT.
> Using libreswan-3.25-4.1.el7_6.x86_64.
Can you run with plutodebug=all then egrep -i dpd over the log?
Paul
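The rule in the reply above (a responder-only conn with auto=add and rekey=no cannot re-initiate, so dpdaction=restart is the wrong choice and dpdaction=clear should be used) can be checked mechanically before pluto is restarted. The script below is an added example and is not libreswan code; it contains a minimal ipsec.conf conn parser and a lint over the parsed sections. The two conn blocks embedded in it are constructed from the configs posted in the thread, with the names nat-end and local-end chosen here for clarity and the identity/sourceip lines left out.

```python
"""Lint libreswan ipsec.conf conn sections for the dpdaction/auto/rekey
combination discussed in the thread.  Added example, not libreswan code.

Rule applied: a conn with auto=add and rekey=no only ever responds, so
dpdaction=restart cannot reach a peer behind NAT; flag it and suggest
dpdaction=clear.
"""
import re

# Constructed sample based on the two conns posted in the thread.
# Conn names are chosen here; ipsec.conf requires the parameter lines
# under a "conn" header to be indented, which is restored below.
SAMPLE_CONF = """\
conn nat-end
    type=tunnel
    authby=secret
    auto=start
    left=10.20.40.248
    leftsubnet=192.168.20.0/24
    right=my.fqdn
    rightsubnet=172.17.2.0/24
    ikev2=insist
    dpdaction=restart
    dpdtimeout=120
    dpddelay=30

conn local-end
    type=tunnel
    authby=secret
    auto=add
    left=%any
    #left=209.90.117.194
    leftsubnet=192.168.20.0/24
    right=%defaultroute
    rightsubnet=172.17.2.0/24
    ikev2=insist
    dpdaction=restart
    dpdtimeout=120
    dpddelay=30
    rekey=no
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.

    Handles "conn NAME" headers, key=value lines, "#" comments and blank
    lines.  Other section kinds ("config setup", "ca ...") are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if re.match(r"^(config|ca)\s+", line):
            current = None  # not a conn section; ignore until the next one
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return conns


def dpd_findings(conns):
    """Return [(conn_name, message)] for every conn that combines
    dpdaction=restart with auto=add and rekey=no (libreswan's default
    for rekey is yes, so a missing rekey= line is treated as yes)."""
    findings = []
    for name, params in conns.items():
        if (params.get("dpdaction", "").lower() == "restart"
                and params.get("auto", "").lower() == "add"
                and params.get("rekey", "yes").lower() == "no"):
            findings.append(
                (name, "auto=add with rekey=no cannot re-initiate to the "
                       "peer; use dpdaction=clear instead of restart"))
    return findings


if __name__ == "__main__":
    for conn, msg in dpd_findings(parse_conns(SAMPLE_CONF)):
        print(f"{conn}: {msg}")
```

Run against the embedded sample, only local-end is reported; the NAT'd end with auto=start is left alone because it is the side that can legitimately re-initiate. Point parse_conns at the real /etc/ipsec.conf (or the files it includes) to apply the same check to a live configuration.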
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan