Hi, I managed to convince the admin to port forward both 4500 and 500, along with AH and ESP to my 10.201.2.2 IP from the static external 96.56.24.210 (wyckoff) IP but I still can't get it to work.
Both sides are now static IPs. On wyckoff (96.56.24.210 externally, 10.201.2.2 on the server itself), I'm seeing the following:

# ipsec auto --up orion-wyckoff
000 initiating all conns with alias='orion-wyckoff'
022 "orion-wyckoff/2x2": We cannot identify ourselves with either end of this connection.  68.195.193.42 or 96.56.24.210 are not usable
022 "orion-wyckoff/2x1": We cannot identify ourselves with either end of this connection.  68.195.193.42 or 96.56.24.210 are not usable
022 "orion-wyckoff/1x2": We cannot identify ourselves with either end of this connection.  68.195.193.42 or 96.56.24.210 are not usable
022 "orion-wyckoff/1x1": We cannot identify ourselves with either end of this connection.  68.195.193.42 or 96.56.24.210 are not usable

Jan 4 21:27:00.402928: packet from 68.195.193.42:40384: initial Main Mode message received on 10.201.2.2:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Jan 4 21:21:21.836883: packet from 68.195.193.42:500: initial parent SA message received on 10.201.2.2:500 but no suitable connection found with IKEv2 policy
Jan 4 21:21:21.836908: packet from 68.195.193.42:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with unencrypted notification NO_PROPOSAL_CHOSEN

Here is my config again. I've tried to hardcode the IP just in case, but I'm not sure that really matters, since it's a static IP and has a DNS entry.

conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    auto=start
    interfaces=%defaultroute
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    rightid=@wyckoff-orion
    right=96.56.24.210
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
    leftid=@orion-wyckoff
    left=orion.guardiandigital.com
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...

On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <n...@howitts.co.uk> wrote:
>
> Try changing right to %any. Also check that your firewall allows udp:4500.
> If you use different configs at either end, then auto should be "add" at orion
> and can be "start" at wyckoff.
>
> Nick
>
> On 03/01/2020 21:57, Alex wrote:
> > Hi,
> > I've had a site-to-site VPN using libreswan built and working between
> > two Optonline/Altice systems, one with a dynamic IP and the other with
> > a static IP, for quite some time, but we've had to move the satellite
> > office with the dynamic IP to one where we're only given a private
> > 192.168.1.0/24 network and have no access to the outside public IP
> > interface.
> >
> > Can I use NAT traversal for this? If so, how do I convert my existing
> > configuration to use it?
> >
> > In this config, "wyckoff" is the dynamic (now private IP) side and
> > "orion" is the static IP side.
> >
> > conn orion-wyckoff
> >     ikev2=insist
> >     authby=rsasig
> >     auto=add
> >     dpddelay=10
> >     dpdtimeout=90
> >     dpdaction=clear
> >     rightid=@wyckoff-orion
> >     rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >     right=wyckoff.example.com
> >     rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
> >     leftid=@orion-wyckoff
> >     left=orion.example.com
> >     leftsubnets={192.168.1.0/24,192.168.6.0/24}
> >     leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
> > _______________________________________________
> > Swan mailing list
> > Swan@lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
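The split layout Nick describes (static responder with right=%any and auto=add, NATed initiator with auto=start), written out as an added example; this is not a config from the thread or from the libreswan project. It assumes the hostnames, IDs and subnets from the thread, keeps the truncated key values as placeholders that must be replaced, moves interfaces= into config setup because in libreswan it is a config setup keyword rather than a conn keyword, and treats encapsulation=yes as an optional assumption that is only needed if the NAT box mishandles plain ESP (libreswan negotiates UDP encapsulation by itself once it detects NAT).

```conf
# /etc/ipsec.d/orion-wyckoff.conf on orion (static public IP, responder).
# Added example, not the thread's config. Key values are the truncated
# placeholders from the thread and must be replaced with the real keys.
config setup
    interfaces=%defaultroute

conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    # The responder cannot initiate to an unknown address, so only load the conn.
    auto=add
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    left=orion.guardiandigital.com
    leftid=@orion-wyckoff
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
    # The peer is behind NAT: accept it from any source address and
    # authenticate it by rightid plus its RSA key, not by its IP.
    right=%any
    rightid=@wyckoff-orion
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...

# /etc/ipsec.d/orion-wyckoff.conf on wyckoff (10.201.2.2 behind NAT, initiator).
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    # Only the NATed side knows where the peer is, so it initiates.
    auto=start
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    left=orion.guardiandigital.com
    leftid=@orion-wyckoff
    leftsubnets={192.168.1.0/24,192.168.6.0/24}
    leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
    # Local end: %defaultroute resolves to 10.201.2.2, the address this
    # host actually owns. 96.56.24.210 belongs to the NAT box, not to us,
    # which is why right=96.56.24.210 gives "cannot identify ourselves".
    right=%defaultroute
    rightid=@wyckoff-orion
    rightsubnets={192.168.11.0/24,192.168.10.0/24}
    rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
    # Assumption: uncomment only if the NAT box mangles plain ESP.
    #encapsulation=yes
```

Load with ipsec auto --add orion-wyckoff on orion, then ipsec auto --up orion-wyckoff on wyckoff, and check with ipsec status and ipsec whack --trafficstatus. Two leftsubnets times two rightsubnets gives the four instances orion-wyckoff/1x1 through /2x2, which is why the 022 error above appears four times. With NAT-T negotiated, ESP travels inside UDP 4500, so the NAT only has to forward UDP 500 and 4500 to 10.201.2.2; the AH and ESP protocol forwards are not used.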