Hi All
I have a pretty simple configuration; however, I don't appear to be able to make it work.
I'm running the libreswan package on Centos8 on both ends.
I would like to initially use raw RSA keys, however I can't make it work with PSK either.
There is a host with a public IP address and a host on the private network.
There is a small private network behind the public host which I would like to have accessible, however the basic ipsec link between the hosts isn't coming up.
(private Network) <-> (IPSEC host) <-> (Internet) <-> (ISP NAT) <-> (Modem Nat) - (local network)
(10.19.96/20)- ((.5) chilli.buggerit.com. 203.43.75.103) <-> ISP <-> (router 192.168.1.1/24) <-> (IPSEC host)
###### Config public host
conn chilli-aluminium
left=203.43.75.103
# rsakey AwEAAacqb
leftrsasigkey=0sAwEAAacqbh2Uq....
right=%any
# rsakey AwEAAd8j4
rightrsasigkey=0sAwEAAd8j4dyx
authby=rsasig
###### Config private host
conn chilli-aluminium
right=%defaultroute
# rsakey AwEAAd8j4
rightrsasigkey=0sAwEAAd8j4dyx...
left=203.43.75.103
# rsakey AwEAAacqb
leftrsasigkey=0sAwEAAacqbh2Uq...
authby=rsasig
############
Log when connecting:
Dec 6 05:28:12 chilli pluto[20339]: | constructed local IKE proposals for chilli-aluminium (IKE SA responder matching remote proposals):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256,ECP_384,ECP_521,MODP2048,MODP3072,MODP4096,MODP8192
Dec 6 05:28:12 chilli pluto[20339]: packet from 143.225.60.18:1011: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256 chosen from remote proposals
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match]
2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
4:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
5:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: IKEv2 mode peer ID is ID_FQDN: '@east'
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: Authenticated using RSA
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 43.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
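To triage a negotiation like the one logged above, here is an added Python example (my own code, not from the post or from libreswan) that parses pluto lines of the shapes shown: it extracts the IKE proposal the responder chose and, per IKE SA number, records whether peer authentication succeeded and which encrypted notification ended the exchange. TS_UNACCEPTABLE is the IKEv2 notify for traffic selectors the responder cannot match, which in libreswan come from leftsubnet/rightsubnet (defaulting to the host addresses); the sample lines and the hint table are constructed.

```python
import re

# Constructed sample of pluto log lines, shaped like those in the post
# (same proposal and notification formats; conn name and peer address are the post's).
SAMPLE_LOG = """\
Dec 6 05:28:12 chilli pluto[20339]: packet from 143.225.60.18:1011: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256[first-match]
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: Authenticated using RSA
Dec 6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 143.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE
"""

CHOSEN_RE = re.compile(r"proposal (\d+):IKE:([A-Z0-9_=;,]+) chosen from remote proposals")
AUTH_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] [\d.]+ #(?P<sa>\d+): Authenticated using (?P<method>\w+)')
NOTIFY_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): .*encrypted notification (?P<notify>[A-Z_]+)')

# Constructed hints, keyed by IKEv2 notify type (RFC 7296), pointing at the ipsec.conf
# options that determine each negotiation step.
NOTIFY_HINTS = {
    "TS_UNACCEPTABLE": "IKE SA and peer auth succeeded; the Child SA traffic selectors did not match. "
                       "Compare leftsubnet/rightsubnet on both ends (they default to the host addresses).",
    "NO_PROPOSAL_CHOSEN": "no common proposal; compare the ike= and esp= lines on both ends.",
    "AUTHENTICATION_FAILED": "peer identity or key did not verify; compare leftid/rightid and the rsasigkey values.",
}

def parse_chosen_proposal(line):
    """Return {'ENCR': ..., 'PRF': ..., 'DH': ...} for a 'chosen from remote proposals' line, else None."""
    m = CHOSEN_RE.search(line)
    if not m:
        return None
    algs = {}
    for item in m.group(2).split(";"):          # e.g. "ENCR=AES_GCM_C_256"
        key, _, value = item.partition("=")
        algs[key] = value
    return algs

def triage(log_text):
    """Summarise how far each IKE SA got and, if it stopped, why (per the notify it sent)."""
    result = {"chosen": None, "sas": {}}
    for line in log_text.splitlines():
        algs = parse_chosen_proposal(line)
        if algs:
            result["chosen"] = algs
            continue
        m = AUTH_RE.search(line)
        if m:
            result["sas"].setdefault(m["sa"], {"conn": m["conn"]})["auth"] = m["method"]
            continue
        m = NOTIFY_RE.search(line)
        if m:
            sa = result["sas"].setdefault(m["sa"], {"conn": m["conn"]})
            sa["notify"] = m["notify"]
            sa["hint"] = NOTIFY_HINTS.get(m["notify"], "see RFC 7296 notify type " + m["notify"])
    return result
```

Run against the full /var/log/secure (or journalctl -u ipsec) text to see at which step each SA stopped; an SA that shows auth=RSA together with notify=TS_UNACCEPTABLE means the keys were fine and the selectors were not.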