Thank you Paul. It's finally working now. One more question: is the virtual_private required? When I omit it, things are still working in my setting. What's the default behavior when it's missing? I cannot find it in the man page of ipsec.conf.

Thanks,
Xinwei

On Tue, Apr 18, 2017 at 5:12 PM, Paul Wouters <[email protected]> wrote:

> On Tue, 18 Apr 2017, Xinwei Hong wrote:
>
>> Hi Paul,
>> Sorry for taking a long time to get back (I was out of office last week).
>>
>> I have uploaded the latest log files at:
>> https://file.town/download/7wt9a05p7mwym05mzr4dox4q7
>> https://file.town/download/fxn6861zvcra5qu3q9cv9c3l0
>>
>> On the non-natt'ed side, I see:
>>
>> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: no suitable connection for peer '10.0.3.3'
>>
>> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: | vpn-5483483: complete v1 state transition with INVALID_ID_INFORMATION
>>
>> Apr 18 22:52:26 vvr-10-69-244-1 pluto[8148]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.0.0.0/24" #2: sending encrypted notification INVALID_ID_INFORMATION to 199.204.218.98:500
>>
>> It recognizes the IP 10.0.3.3, which is behind NAT on the other end. Tcpdump on the non-natt'ed side only sees packets from the public IP, not 10.0.3.3.
>
> When behind NAT, try avoiding using IP addresses as IDs, because the endpoint behind NAT would have to specify the public IP as its leftid=
>
> In this case 10.0.3.3 is NATed to 199.204.218.98 but it is using a leftid=10.0.3.3 (possibly because no leftid= is specified, which then defaults to the IP address).
>
> You can make up IDs as long as they are the same on both ends. For literal strings, prefix with an @, e.g. leftid=@MyServer
>
> Paul
>
>> Thanks,
>> Xinwei
>>
>> On Sat, Apr 8, 2017 at 3:09 PM, Paul Wouters <[email protected]> wrote:
>>
>>> On Fri, 7 Apr 2017, Xinwei Hong wrote:
>>>
>>>> I just upgraded it to 3.20. I built libreswan without specifying any parameter. I don't need klips in my setting anyway. I also added virtual-private=%v4:10.0.0.0/8. Still not working.
>>>> The NAT part, I'm not sure why you say that. I still see the same "no suitable connection for peer '10.0.3.3'" error, but I believe it's found inside of the isakmp pkts. I did tcpdump on both machines; the IP was NAT'ed, e.g. I only see 10.0.3.3 on one side and 199.204.218.98 on the peer side.
>>>>
>>>> I can upload a new log if needed.
>>>
>>> I can have a look if you upload new logs. But please do not use that dropbox API because I cannot search and scroll through that. A link to the actual files would be better so I can download these and have a look.
>>>
>>> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
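The following is an added configuration example illustrating the ID setup Paul describes above; it is not from the thread or from the libreswan project. It pairs the addresses the thread reports (10.0.3.3 NATed to 199.204.218.98, the 10.0.0.0/24 subnet) with assumed values: the connection name, the literal IDs @branch-gw and @hq-gw, the 10.0.3.0/24 LAN behind the NATed host, and 203.0.113.10 as a placeholder for the non-NATed peer's public address. The virtual-private line is carried over from the thread's own setting; in libreswan it is only consulted when a subnet on the far side is written with the vhost:%priv or vnet:%priv syntax, which neither conn below uses.

```conf
# --- /etc/ipsec.conf on the host BEHIND NAT ---------------------------------
# Its own address is 10.0.3.3; the peer sees its packets from 199.204.218.98.

config setup
    # Taken from the thread; only matters for vhost:/vnet: %priv subnets.
    virtual-private=%v4:10.0.0.0/8

# Weak form, shown only for contrast (auto=ignore keeps it from loading):
# no leftid= is given, so the ID defaults to the local address 10.0.3.3.
# The non-NATed peer receives IKE from 199.204.218.98 carrying an ID of
# 10.0.3.3, matches no conn, and answers INVALID_ID_INFORMATION, which is
# the "no suitable connection for peer '10.0.3.3'" line in the log above.
conn office-tunnel-weak
    left=%defaultroute
    leftsubnet=10.0.3.0/24            # assumed LAN behind the NATed gateway
    right=203.0.113.10                # placeholder for the peer's public IP
    rightsubnet=10.0.0.0/24           # subnet named in the thread's conn
    authby=secret
    ikev2=no                          # the thread is an IKEv1 ("v1 state") setup
    auto=ignore

# Corrected form: literal IDs (the @ prefix) on both ends, independent of
# whatever address NAT rewrites on the wire.
conn office-tunnel
    left=%defaultroute
    leftid=@branch-gw                 # assumed name; must equal rightid= on the peer
    leftsubnet=10.0.3.0/24
    right=203.0.113.10
    rightid=@hq-gw                    # assumed name; must equal leftid= on the peer
    rightsubnet=10.0.0.0/24
    authby=secret
    ikev2=no
    auto=start

# --- /etc/ipsec.conf on the NON-NATed host (public 203.0.113.10, placeholder)
conn office-tunnel
    left=203.0.113.10
    leftid=@hq-gw
    leftsubnet=10.0.0.0/24
    right=%any                        # the NATed peer's public address may change
    rightid=@branch-gw
    rightsubnet=10.0.3.0/24
    authby=secret
    ikev2=no
    auto=add                          # the NATed side initiates
```

With authby=secret the pre-shared key in /etc/ipsec.secrets is then indexed by the same literal IDs rather than by addresses (a line of the form `@branch-gw @hq-gw : PSK "..."` on both hosts), so the secret lookup stays correct even though one side's address is rewritten by NAT. After loading, `ipsec status` on the non-NATed side should show the conn with the @branch-gw/@hq-gw IDs; if the log still reports an IP-form ID for the peer, one side is still falling back to the address default.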
