On Tue, 18 Apr 2017, Xinwei Hong wrote:

Hi Paul,
Sorry for taking a long time to get back (I was out of office last week). 

I have uploaded the latest log files at:
https://file.town/download/7wt9a05p7mwym05mzr4dox4q7
https://file.town/download/fxn6861zvcra5qu3q9cv9c3l0

On the non-natt'ed side, I see:

Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: 
"conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no 
suitable connection for peer '10.0.3.3'

Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: | vpn-5483483: complete v1 state 
transition with INVALID_ID_INFORMATION

Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: 
"conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: sending 
encrypted notification INVALID_ID_INFORMATION to
199.204.218.98:500

It recognizes the IP 10.0.3.3, which is behind NAT on the other end. Tcpdump on the
non-natt'ed side only sees packets from the public IP, not 10.0.3.3.

When behind NAT, try avoiding using IP addresses as IDs, because the
endpoint behind NAT would have to specify the public IP as its leftid=

In this case 10.0.3.3 is NATed to 199.204.218.98 but it is using a
leftid=10.0.3.3 (possibly because no leftid= is specified, which then
defaults to the IP address).

You can make up IDs as long as they are the same on both ends. For
literal strings, prefix with an @, e.g. leftid=@MyServer

Paul

Thanks,
Xinwei
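As an added illustration of the advice above (constructed here, not taken from this thread or from the libreswan project): the NAT'ed side's conn as it fails, beside the fixed pair of conns using @-style IDs. 203.0.113.10 (the non-NAT'ed gateway), the @names, the PSK and which end routes 10.0.0.0/24 are assumptions; 10.0.3.3, 199.204.218.98 and 10.0.0.0/24 come from the logs above.

```ini
# Added example; constructed values, not the thread's real config.
# /etc/ipsec.conf on both hosts (libreswan 3.x style)
config setup
    # from Xinwei's mail: lets the non-NAT'ed side accept a private
    # peer address arriving from behind a NAT
    virtual-private=%v4:10.0.0.0/8

# --- Failing shape, on the host behind NAT: no leftid=, so the IKE ID
# payload carries 10.0.3.3 while the packets arrive from 199.204.218.98.
# The peer has no conn matching ID 10.0.3.3 -> INVALID_ID_INFORMATION.
conn tunnel-broken
    left=10.0.3.3
    leftsubnet=10.0.0.0/24      # assumption: branch routes this subnet
    right=203.0.113.10          # placeholder: non-NAT'ed gateway
    authby=secret
    auto=add

# --- Working shape, host behind NAT: literal IDs (@name) on both ends,
# so the NAT rewriting the source address no longer affects ID matching.
conn tunnel
    left=%defaultroute
    leftid=@branch-behind-nat
    leftsubnet=10.0.0.0/24
    right=203.0.113.10
    rightid=@hq-gateway
    authby=secret
    auto=start                  # the NAT'ed side should initiate

# --- Working shape, non-NAT'ed gateway: same IDs, left/right swapped.
conn tunnel
    left=203.0.113.10
    leftid=@hq-gateway
    right=%any                  # peer address is NAT-rewritten; do not pin it
    rightid=@branch-behind-nat
    rightsubnet=10.0.0.0/24
    authby=secret
    auto=add

# /etc/ipsec.secrets on both hosts: with @-style IDs the PSK is looked up
# by those IDs, so this line must use the same IDs on both ends.
@branch-behind-nat @hq-gateway : PSK "constructed-example-psk"
```

After changing IDs, check `ipsec auto --status` on the non-NAT'ed side for the conn's rightid, and the pluto log for the "no suitable connection for peer" line disappearing.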

On Sat, Apr 8, 2017 at 3:09 PM, Paul Wouters <[email protected]> wrote:
      On Fri, 7 Apr 2017, Xinwei Hong wrote:

            I just upgraded it to 3.20. I built libreswan without specifying
            any parameter. I don't need klips in my setting anyway. I also
            added virtual-private=%v4:10.0.0.0/8. Still not working.
            The NAT part, I'm not sure why you say that. I still see the same "no
            suitable connection for peer '10.0.3.3'" error, but I believe it's found
            inside of isakmp pkts.
            I did tcpdump on both machines, the IP was NAT'ed, e.g. I only see
            10.0.3.3 on one side and 199.204.218.98 on the peer side.

            I can upload new log if needed.


      I can have a look if you upload new logs. But please do not use that
      dropbox API because I cannot search and scroll through that. A link to
      the actual files would be better so I can download these and have a
      look.

      Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan