On Fri, 7 Apr 2017, Xinwei Hong wrote:

> Thank you Paul. I tried ikepad=no, it does not work. Meanwhile, I tried to set up
> NAT-T between two machines running libreswan. It also failed, but probably for a
> different reason.

> The log files are here:
> https://www.dropbox.com/s/2381ktqrmshp57s/natt1.log?dl=0
> https://www.dropbox.com/s/0uzx62mgwq2krgw/natt2.log?dl=0

Did you compile without KLIPS support? That broke NAT-T and was fixed in
3.19, while you are running 3.18.

> configs:
> one side is NAT'ed. 199.204.218.98 nat to 10.0.3.3
>
> config setup
>         protostack=netkey
>         plutodebug=all
>         listen=10.0.3.3
> conn conn_natt
>         authby=secret
>         left=10.0.3.3
>         right=199.204.217.159
>         ike=3des-md5;modp1024
>         phase2alg=3des-md5;modp1024
>         ikelifetime=28800s
>         salifetime=3600s
>         leftsubnet=10.0.0.0/24
>         rightsubnet=10.0.1.0/24
>         type=tunnel
>         auto=start


> on the peer:
> config setup
>         protostack=netkey
>         plutodebug=all
>         listen=199.204.217.159

This is missing a virtual-private=%v4:10.0.0.0/8

> conn conn_vpn-5483483-tunnel
>         authby=secret
>         left=199.204.217.159
>         right=199.204.218.98
>         ike=3des-md5;modp1024
>         phase2alg=3des-md5;modp1024
>         ikelifetime=28800s
>         salifetime=3600s
> conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
>         also=conn_vpn-5483483-tunnel
>         leftsubnet=10.0.1.0/24
>         rightsubnet=10.0.0.0/24

It's always a little tricky to build a subnet tunnel for the subnet you
are in. It should work, but it's easy for some tuning to be missing.

> Apr  7 12:14:07 xenial33 pluto[5964]: |    Notify Message Type: INVALID_ID_INFORMATION (0x12)

The logs you posted show the original error being:

Apr  7 19:14:07 vvr-10-69-244-11 pluto[24396]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no suitable connection for peer '10.0.3.3'

Looks like your 10.0.3.3 did not get NAT'ed to 199.204.218.98 and so the
connection's right= IP value does not match the observed IP.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
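An added example, not part of the thread and not libreswan's own tooling: a small Python checker that applies the two points Paul raises above to a libreswan ipsec.conf and a pluto log line. It flags a conn whose private rightsubnet is not covered by a virtual-private= line in config setup (the omission Paul pointed out on the non-NAT'ed peer), and it correlates pluto's "no suitable connection for peer" message with the conn's right= so the NAT mismatch is visible without reading the whole log. The config and log snippets are reconstructed from the thread; the function names, the also= resolution and the coverage heuristic are this example's own assumptions, not libreswan's parser.

```python
import re
import ipaddress
from collections import OrderedDict

# Constructed sample: the peer-side config from the thread, as posted (no virtual-private=).
SAMPLE_CONF = """\
config setup
        protostack=netkey
        listen=199.204.217.159
conn conn_vpn-5483483-tunnel
        authby=secret
        left=199.204.217.159
        right=199.204.218.98
        ike=3des-md5;modp1024
conn conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24
        also=conn_vpn-5483483-tunnel
        leftsubnet=10.0.1.0/24
        rightsubnet=10.0.0.0/24
"""
# Same config with the line Paul recommended added to config setup.
FIXED_CONF = SAMPLE_CONF.replace("config setup\n",
                                 "config setup\n        virtual-private=%v4:10.0.0.0/8\n", 1)
# Constructed sample: the pluto line Paul quoted from the posted log.
SAMPLE_LOG = ('Apr  7 19:14:07 vvr-10-69-244-11 pluto[24396]: vpn-5483483: '
              '"conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: '
              "no suitable connection for peer '10.0.3.3'\n")

_PEER_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: no suitable connection for peer \'(?P<ip>[^\']+)\'')


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {section: {key: value}}.
    'config setup' and 'conn <name>' start at column 0; indented key=value
    lines belong to the current section. Comments after '#' are dropped."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            name = parts[1] if len(parts) > 1 else parts[0]
            current = sections.setdefault(name, {})
            continue
        key, _, value = line.strip().partition('=')
        if current is not None and key:
            current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name):
    """Merge keys inherited through also= (a conn's own keys take precedence)."""
    merged, pending, seen = {}, [name], set()
    while pending:
        cur = pending.pop()
        if cur in seen or cur not in sections:
            continue
        seen.add(cur)
        for key, value in sections[cur].items():
            if key == 'also':
                pending.append(value)
            else:
                merged.setdefault(key, value)
    return merged


def virtual_private_nets(setup):
    """Split virtual-private=%v4:10.0.0.0/8,%v4:!10.0.1.0/24 into (include, exclude)."""
    include, exclude = [], []
    for item in setup.get('virtual-private', '').split(','):
        item = item.strip()
        if not item.startswith('%v4:'):
            continue  # hypothetical simplification: IPv4 entries only
        spec = item[len('%v4:'):]
        target = exclude if spec.startswith('!') else include
        target.append(ipaddress.ip_network(spec.lstrip('!'), strict=False))
    return include, exclude


def check_virtual_private(sections):
    """Names of conns whose private rightsubnet is not covered by virtual-private=."""
    include, exclude = virtual_private_nets(sections.get('setup', {}))
    flagged = []
    for name in sections:
        if name == 'setup':
            continue
        subnet = resolve_conn(sections, name).get('rightsubnet')
        if not subnet:
            continue
        net = ipaddress.ip_network(subnet, strict=False)
        if not net.is_private:
            continue
        covered = (any(net.subnet_of(i) for i in include)
                   and not any(net.subnet_of(e) for e in exclude))
        if not covered:
            flagged.append(name)
    return flagged


def check_peer_mismatch(sections, log_text):
    """(conn, configured right=, observed peer) for each 'no suitable connection' line."""
    findings = []
    for line in log_text.splitlines():
        m = _PEER_RE.search(line)
        if not m:
            continue
        expected = resolve_conn(sections, m.group('conn')).get('right')
        if expected and expected != m.group('ip'):
            findings.append((m.group('conn'), expected, m.group('ip')))
    return findings


if __name__ == '__main__':
    secs = parse_ipsec_conf(SAMPLE_CONF)
    print('missing virtual-private coverage:', check_virtual_private(secs))
    print('after fix:', check_virtual_private(parse_ipsec_conf(FIXED_CONF)))
    print('right= vs observed peer:', check_peer_mismatch(secs, SAMPLE_LOG))
```

The mismatch finding is the same conclusion Paul draws by hand: the conn expects 199.204.218.98 but pluto saw 10.0.3.3, so the initiator's traffic was not NAT'ed as assumed. The coverage check is a heuristic; libreswan itself decides at negotiation time whether a proposed client subnet is acceptable.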