Hi, I should have mentioned that I read the FAQ on this NO_PROPOSAL_CHOSEN error, but I don't believe it's a configuration mismatch between libreswan and the remote IPsec server. The configuration hasn't changed from what was previously working with the same systems.
The wyckoff server was moved from having a public IP address on its external interface to an internal IP with ports 4500 and 500 being forwarded to that internal IP address.

https://libreswan.org/wiki/FAQ#error:_ignoring_informational_payload.2C_type_NO_PROPOSAL_CHOSEN_msgid.3D00000000

I'm hoping someone has an obvious solution for me.

On Sat, Jan 4, 2020 at 9:28 PM Alex <mysqlstud...@gmail.com> wrote:
>
> Hi,
>
> I managed to convince the admin to port forward both 4500 and 500,
> along with AH and ESP to my 10.201.2.2 IP from the static external
> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>
> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
> 10.201.2.2 on the server itself), I'm seeing the following:
>
> # ipsec auto --up orion-wyckoff
> 000 initiating all conns with alias='orion-wyckoff'
> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end of this connection. 68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/2x1": We cannot identify ourselves with either end of this connection. 68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/1x2": We cannot identify ourselves with either end of this connection. 68.195.193.42 or 96.56.24.210 are not usable
> 022 "orion-wyckoff/1x1": We cannot identify ourselves with either end of this connection. 68.195.193.42 or 96.56.24.210 are not usable
>
> Jan 4 21:27:00.402928: packet from 68.195.193.42:40384: initial Main Mode message received on 10.201.2.2:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
> Jan 4 21:21:21.836883: packet from 68.195.193.42:500: initial parent SA message received on 10.201.2.2:500 but no suitable connection found with IKEv2 policy
> Jan 4 21:21:21.836908: packet from 68.195.193.42:500: responding to IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with unencrypted notification NO_PROPOSAL_CHOSEN
>
> Here is my config again. I've tried to hardcode the IP just in case,
> but I'm not sure that really matters, since it's a static IP and has a
> DNS entry.
>
> conn orion-wyckoff
>     ikev2=insist
>     authby=rsasig
>     auto=start
>     interfaces=%defaultroute
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     rightsubnets={192.168.11.0/24,192.168.10.0/24}
>     rightid=@wyckoff-orion
>     right=96.56.24.210
>     rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>     leftid=@orion-wyckoff
>     left=orion.guardiandigital.com
>     leftsubnets={192.168.1.0/24,192.168.6.0/24}
>     leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6Ax...
>
>
> On Sat, Jan 4, 2020 at 4:25 AM Nick Howitt <n...@howitts.co.uk> wrote:
> >
> > Try changing right to %any. Also check that your firewall allows udp:4500.
> > If you use different configs at either end, then auto should be "add" at
> > orion and can be "start" at wyckoff.
> >
> > Nick
> >
> > On 03/01/2020 21:57, Alex wrote:
> >
> > Hi,
> > I've had a site-to-site VPN using libreswan built and working between
> > two Optonline/Altice systems, one with a dynamic IP and the other with
> > a static IP, for quite some time, but we've had to move the satellite
> > office with the dynamic IP to one where we're only given a private
> > 192.168.1.0/24 network and have no access to the outside public IP
> > interface.
> >
> > Can I use NAT traversal for this? If so, how do I convert my existing
> > configuration to use it?
> >
> > In this config, "wyckoff" is the dynamic (now private IP) side and
> > "orion" is the static IP side.
> >
> > conn orion-wyckoff
> >     ikev2=insist
> >     authby=rsasig
> >     auto=add
> >     dpddelay=10
> >     dpdtimeout=90
> >     dpdaction=clear
> >     rightid=@wyckoff-orion
> >     rightsubnets={192.168.11.0/24,192.168.10.0/24}
> >     right=wyckoff.example.com
> >     rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7ffvgDNNbj...
> >     leftid=@orion-wyckoff
> >     left=orion.example.com
> >     leftsubnets={192.168.1.0/24,192.168.6.0/24}
> >     leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6AxnXMP8iu...
> > _______________________________________________
> > Swan mailing list
> > Swan@lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
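The two symptoms in this thread are the `022 ... We cannot identify ourselves with either end of this connection` lines from `ipsec auto --up` and the `no suitable connection found with IKEv2 policy` / `NO_PROPOSAL_CHOSEN` pair in the pluto log. libreswan orients a conn by checking which of `left=` and `right=` is an address on one of its own interfaces; once wyckoff sits behind NAT with only 10.201.2.2 locally, neither 68.195.193.42 nor 96.56.24.210 is local, so the conn never orients and the responder has no conn to offer, which is what the NO_PROPOSAL_CHOSEN reply in the log reflects. The following Python triage helper is an added example, not code from the thread or from the libreswan project: it parses a conn block, decides whether it would orient against a given set of local addresses, and tags the pluto log lines. The DNS mapping (`orion.guardiandigital.com` to 68.195.193.42, taken from the peer address in the log) and the local address set are constructed assumptions for the example.

```python
"""Triage helper for the orientation / NO_PROPOSAL_CHOSEN failures in the thread.

Added example, not part of the mailing-list post or of libreswan itself.
"""
import ipaddress
import re

# Constructed sample: the conn as posted on the list, with the RSA keys and
# subnet lists left out because they play no part in orientation.
SAMPLE_CONN = """\
conn orion-wyckoff
    ikev2=insist
    authby=rsasig
    auto=start
    rightid=@wyckoff-orion
    right=96.56.24.210
    leftid=@orion-wyckoff
    left=orion.guardiandigital.com
"""

# Assumption for the example: the name resolves to the address orion sends from
# in the posted log. A real run would use the resolver instead of this table.
HYPOTHETICAL_DNS = {"orion.guardiandigital.com": "68.195.193.42"}

# Constructed: addresses present on wyckoff's own interfaces after the move behind NAT.
LOCAL_ADDRESSES = {"10.201.2.2", "127.0.0.1"}

# Constructed from the pluto lines quoted in the thread.
SAMPLE_LOG = [
    "Jan 4 21:27:00.402928: packet from 68.195.193.42:40384: initial Main Mode message "
    "received on 10.201.2.2:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW",
    "Jan 4 21:21:21.836883: packet from 68.195.193.42:500: initial parent SA message "
    "received on 10.201.2.2:500 but no suitable connection found with IKEv2 policy",
    "Jan 4 21:21:21.836908: packet from 68.195.193.42:500: responding to IKE_SA_INIT (34) "
    "message (Message ID 0) from 68.195.193.42:500 with unencrypted notification NO_PROPOSAL_CHOSEN",
]

LOG_PATTERNS = [
    (re.compile(r"no suitable connection found with IKEv2 policy"), "ikev2-no-conn"),
    (re.compile(r"no connection has been authorized with policy"), "ikev1-no-conn"),
    (re.compile(r"unencrypted notification NO_PROPOSAL_CHOSEN"), "no-proposal-chosen"),
]
PEER_RE = re.compile(r"packet from (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_conn(text):
    """Parse one 'conn NAME' block into a dict of key/value settings."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    if not lines or not lines[0].startswith("conn "):
        raise ValueError("expected a 'conn NAME' header line")
    conn = {"name": lines[0].split(None, 1)[1]}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def resolve(endpoint, dns):
    """Map a left=/right= value to an IP string; None for magic values such as %any."""
    if endpoint.startswith("%"):
        return None
    try:
        return str(ipaddress.ip_address(endpoint))
    except ValueError:
        return dns.get(endpoint)


def orient(conn, local_addresses, dns):
    """Return 'left', 'right', or None (the 'cannot identify ourselves' condition).

    %defaultroute counts as local because libreswan substitutes the default-route
    interface address for it.
    """
    for side in ("left", "right"):
        value = conn.get(side, "")
        if value == "%defaultroute" or resolve(value, dns) in local_addresses:
            return side
    return None


def classify_log(lines):
    """Return (sorted failure tags, sorted peer addresses) found in pluto log lines."""
    tags, peers = set(), set()
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            peers.add(m.group(1))
        for pattern, tag in LOG_PATTERNS:
            if pattern.search(line):
                tags.add(tag)
    return sorted(tags), sorted(peers)


def triage(conn_text, local_addresses, dns, log_lines):
    """Combine orientation and log tags into a short list of findings."""
    conn = parse_conn(conn_text)
    side = orient(conn, local_addresses, dns)
    tags, peers = classify_log(log_lines)
    findings = []
    if side is None:
        findings.append("unoriented: neither left= nor right= is a local address; the NATed "
                        "end must use its private address (or %defaultroute) for its own side")
    if "ikev2-no-conn" in tags or "no-proposal-chosen" in tags:
        findings.append("responder had no conn for the IKE_SA_INIT; with a 'no suitable "
                        "connection found' line beforehand, NO_PROPOSAL_CHOSEN is a consequence "
                        "of that, not evidence of a cipher mismatch")
    return {"conn": conn["name"], "oriented_side": side, "tags": tags,
            "peers": peers, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_CONN, LOCAL_ADDRESSES, HYPOTHETICAL_DNS, SAMPLE_LOG)["findings"]:
        print("-", line)
```

Swapping `right=96.56.24.210` for `right=10.201.2.2` in the sample makes `orient()` return `right`, which is the change the unoriented finding points at: wyckoff's own side must name an address wyckoff actually has, while orion keeps using the public NAT address (or `%any`, as suggested in the thread) for wyckoff.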