> On Jan 5, 2020, at 08:54, Alex <[email protected]> wrote:
>
> Hi,
>
> I've made a few changes, but it still appears to be failing. From
> wyckoff (right side):
> Jan 5 08:53:35.989421: "orion-wyckoff/1x1": We cannot identify
> ourselves with either end of this connection. 68.195.193.42 or
> 96.56.24.210 are not usable
If both ends are behind NAT, you have to make the change I mentioned on both
ends specific for that end. The local (left) part MUST be %defaultroute or an
IP/DNS that refers to a local IP present on the machine and not its "going to
be NATed to IP/DNS".
Paul
>
> Jan 5 08:50:42.782307: "orion-wyckoff/2x2" #1: STATE_PARENT_I1:
> retransmission; will wait 8 seconds for response
> Jan 5 08:50:42.782719: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan 5 08:50:50.791864: "orion-wyckoff/2x2" #1: IKE SA initiator
> received a message with I(Initiator) flag set; dropping packet
> Jan 5 08:50:53.838729: packet from 68.195.193.42:500: initial parent
> SA message received on 10.201.2.2:500 but no suitable connection found
> with IKEv2 policy
> Jan 5 08:50:53.838789: packet from 68.195.193.42:500: responding to
> IKE_SA_INIT (34) message (Message ID 0) from 68.195.193.42:500 with
> unencrypted notification NO_PROPOSAL_CHOSEN
>
> It appears it's still confused about which side is which?
>
>>> I managed to convince the admin to port forward both 4500 and 500,
>>> along with AH and ESP to my 10.201.2.2 IP from the static external
>>> 96.56.24.210 (wyckoff) IP but I still can't get it to work.
>>>
>>> Both sides are now static IPs. On wyckoff (96.56.24.210 externally,
>>> 10.201.2.2 on the server itself), I'm seeing the following:
>>> # ipsec auto --up orion-wyckoff
>>> 000 initiating all conns with alias='orion-wyckoff'
>>> 022 "orion-wyckoff/2x2": We cannot identify ourselves with either end
>>> of this connection. 68.195.193.42 or 96.56.24.210
>>
>> You need to use a real IP address or %defaultroute for the local end (eg
>> left=) and not the address it will get NATed to
>
> I believe that I am. The address that it's NATed to is 10.201.2.2, an
> internal unroutable IP.
>
>>> dpddelay=10
>>> dpdtimeout=90
>>> dpdaction=clear
>>> rightsubnets={192.168.11.0/24,192.168.10.0/24}
>>> rightid=@wyckoff-orion
>>> right=96.56.24.210
>>> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk...
>>> leftid=@orion-wyckoff
>>> left=orion.guardiandigital.com
>>
>> If this is on orion, use left=%defaultroute
>
> This is on the right side. Previously this side had a dynamic IP, so I
> could now conceivably enter the IPs directly on both sides?
>
> Here is the config for the left side (orion, 68.195.193.42):
> conn orion-wyckoff
> ikev2=insist
> authby=rsasig
> auto=add
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> rightid=@wyckoff-orion
> rightsubnets={192.168.11.0/24,192.168.10.0/24}
> right=96.56.24.210
> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfz...
> leftid=@orion-wyckoff
> left=68.195.193.42
> leftsubnets={192.168.1.0/24,192.168.6.0/24}
> leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN...
>
> Here is the config for the right side (wyckoff, 96.56.24.210):
> conn orion-wyckoff
> ikev2=insist
> authby=rsasig
> auto=start
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> rightsubnets={192.168.11.0/24,192.168.10.0/24}
> rightid=@wyckoff-orion
> right=96.56.24.210
> rightrsasigkey=0sAwEAAd4EeKjbFI7mmwxfztoH9AfzQUlk7...
> leftid=@orion-wyckoff
> left=%defaultroute
> leftsubnets={192.168.1.0/24,192.168.6.0/24}
> leftrsasigkey=0sAwEAAeSMFxvoJaP54tr660XAjQN35fCKMhi6...
>
> I've also tried hardcoding the IP on each side for left= and right=.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
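Added illustration (not Libreswan's own code, not from the thread): a simplified model of how an IKE daemon orients a conn, i.e. decides whether this host is the left or the right end. It assumes an end matches only when its address is actually configured on the host, that %defaultroute stands for the address on the default-route interface, and it uses the thread's addresses with a constructed interface list for wyckoff.

```python
# Simplified model of conn orientation (constructed illustration, not libreswan's code).
# An end matches only if its address is configured on this host; a public address that
# a NAT box translates to us never matches, which is what produces the message
# "We cannot identify ourselves with either end of this connection".
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Conn:
    name: str
    left: str   # literal IP or the %defaultroute keyword
    right: str


def resolve_end(end: str, default_route_ip: str) -> str:
    """%defaultroute stands for the IP on the interface carrying the default route."""
    return default_route_ip if end == "%defaultroute" else end


def orient(conn: Conn, local_ips: Set[str], default_route_ip: str) -> Optional[str]:
    """Return "left" or "right" for the end that is this host, or None when neither
    (or both) ends are local, in which case the conn cannot be used from here."""
    left_local = resolve_end(conn.left, default_route_ip) in local_ips
    right_local = resolve_end(conn.right, default_route_ip) in local_ips
    if left_local and not right_local:
        return "left"
    if right_local and not left_local:
        return "right"
    return None


def explain(conn: Conn, local_ips: Set[str], default_route_ip: str) -> str:
    """Render the orientation result in the style of the daemon's log line."""
    side = orient(conn, local_ips, default_route_ip)
    if side is None:
        return (f'"{conn.name}": We cannot identify ourselves with either end of '
                f"this connection. {conn.left} or {conn.right} are not usable")
    return f'"{conn.name}": oriented as {side}'


# Constructed host facts for wyckoff: the server only holds the private 10.201.2.2;
# 96.56.24.210 belongs to the NAT box in front of it (addresses as in the thread).
WYCKOFF_IPS = {"10.201.2.2", "127.0.0.1"}
WYCKOFF_DEFAULT_ROUTE_IP = "10.201.2.2"

if __name__ == "__main__":
    host = (WYCKOFF_IPS, WYCKOFF_DEFAULT_ROUTE_IP)
    # Public IPs on both ends: neither is present on the host, so orientation fails.
    print(explain(Conn("orion-wyckoff", "68.195.193.42", "96.56.24.210"), *host))
    # %defaultroute on the other end's side makes wyckoff take orion's ids and subnets.
    print(explain(Conn("orion-wyckoff", "%defaultroute", "96.56.24.210"), *host))
    # %defaultroute on the end that really is this host orients wyckoff as right.
    print(explain(Conn("orion-wyckoff", "68.195.193.42", "%defaultroute"), *host))
```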