On Fri, 6 Dec 2019, Ian Willis wrote:

Date: Fri, 6 Dec 2019 00:46:33
From: Ian Willis <[email protected]>
To: [email protected]
Subject: [Swan] Basic configuration question

Hi All

I have a pretty simple configuration, however I don't appear to be able to make
it work.
I'm running the libreswan package on CentOS 8 on both ends.
I would like to initially use raw RSA keys, however I can't make it work with
PSK either.
There is a host with a public IP address and a host on the private network.
There is a small private network behind the public host which I would like to
have accessible, however the basic ipsec link between the hosts isn't coming up.


(private Network) <-> (IPSEC host) <-> (Internet) <-> (ISP NAT) <-> (Modem NAT) - (local network)

(10.19.96/20) - ((.5) chilli.buggerit.com. 203.43.75.103) <-> ISP <-> (router 192.168.1.1/24) <-> (IPSEC host)

###### Config public host
conn chilli-aluminium
    leftid=@west
    left=203.43.75.103
    # rsakey AwEAAacqb
    leftrsasigkey=0sAwEAAacqbh2Uq....
    rightid=@east
    right=%any
    # rsakey AwEAAd8j4
    rightrsasigkey=0sAwEAAd8j4dyx
    authby=rsasig

Here you would want to add leftsubnet=10.19.96/20 but you would also
want something static for rightsubnet=. For example if your (IPSEC host)
is 192.168.1.13 on a static IP, you could use
rightsubnet=192.168.1.13/32

###### Config private host
conn chilli-aluminium
    rightid=@east
    right=%defaultroute
    # rsakey AwEAAd8j4
    rightrsasigkey=0sAwEAAd8j4dyx...
    leftid=@west
    left=203.43.75.103
    # rsakey AwEAAacqb
    leftrsasigkey=0sAwEAAacqbh2Uq...
    authby=rsasig

You would add the subnets here too.

Dec  6 05:28:12 chilli pluto[20339]: "chilli-aluminium"[1] 143.225.60.18 #2: responding to AUTH message (ID 1) from 143.225.60.18:64916 with encrypted notification TS_UNACCEPTABLE

You get this because your TS (traffic selectors) are not acceptable. The
way the server is now setup, it will only allow right=postNAT-IP but
your client is proposing with its preNAT IP.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
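As an added illustration of the advice in the reply above (this is not configuration from the original thread or from the libreswan project), here is how the two conn definitions look once the subnets are filled in. It assumes, as the reply does, that the private-side IPsec host has the static LAN address 192.168.1.13, and the RSA key values are placeholders. The point of the pair is the traffic selectors: the public host now offers 10.19.96.0/20 as its side and accepts exactly 192.168.1.13/32 as the peer's side, and the NATed host proposes that same pre-NAT /32, so the selectors match and pluto no longer has a reason to answer with TS_UNACCEPTABLE.

```ini
# Public host (203.43.75.103), /etc/ipsec.d/chilli-aluminium.conf
# Example only; RSA key values are placeholders, not real keys.
conn chilli-aluminium
    leftid=@west
    left=203.43.75.103
    # network behind the public host that the remote side should reach
    leftsubnet=10.19.96.0/20
    leftrsasigkey=0s<WEST-PUBLIC-KEY-PLACEHOLDER>
    rightid=@east
    # peer arrives from an unknown post-NAT address, so accept any
    right=%any
    # the peer's own pre-NAT address; this is what it will propose as its TS
    rightsubnet=192.168.1.13/32
    rightrsasigkey=0s<EAST-PUBLIC-KEY-PLACEHOLDER>
    authby=rsasig
    auto=add

# Private host (192.168.1.13, behind the ISP and modem NAT), same file name
conn chilli-aluminium
    rightid=@east
    right=%defaultroute
    # must be identical to rightsubnet on the public host
    rightsubnet=192.168.1.13/32
    rightrsasigkey=0s<EAST-PUBLIC-KEY-PLACEHOLDER>
    leftid=@west
    left=203.43.75.103
    # must be identical to leftsubnet on the public host
    leftsubnet=10.19.96.0/20
    leftrsasigkey=0s<WEST-PUBLIC-KEY-PLACEHOLDER>
    authby=rsasig
    # only the NATed side can initiate, since the public host cannot reach it
    auto=start
```

Both ends must carry the same leftsubnet and rightsubnet values (the names refer to the same physical sides, so they do not swap between the two files). After loading the conn with `ipsec auto --add chilli-aluminium` on both hosts and bringing it up from the private host with `ipsec auto --up chilli-aluminium`, a TS_UNACCEPTABLE notification in the public host's log would indicate that the rightsubnet there still does not match the address the private host is proposing.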
