On Mon, 11 Oct 2021, Phil Nightowl wrote:
A brief summary:
server --------------- NAT1 -------- internet --- NAT2 ------ roadwarrior
172.16.0.129           172.16.0.254/1.2.3.4       10.0.0.x   10.0.0.y
Both server and roadwarrior are going to use certificates in production;
but to make debugging simpler, I temporarily switched to PSKs. The current
configs are as follows:
You are getting:
pluto[15505]: "roadw"[1] 9.8.7.6 #1: responding to AUTH message (ID 1) from 9.8.7.6:4500 with encrypted notification TS_UNACCEPTABLE
It means your subnets/IPs are not matching. The easiest IKEv2 solution
is for the server to give the roadwarrior an IP to use.
Server (responder):
-------------------
conn roadw
    type=tunnel
    left=%defaultroute
    leftid=@server
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=@roadw
    rightsubnet=vhost:%priv,%no
vhost is only used for IKEv1, instead use:
    rightaddresspool=100.64.0.1-100.64.0.10
and add:
    narrowing=yes
    auto=add
    ikev2=insist
    authby=secret
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
    rekey=no
Roadwarrior (initiator):
------------------------
conn server
    left=%defaultroute
    leftid=@roadw
    right=1.2.3.4
    rightid=@server
    ikev2=insist
    auto=ondemand
    authby=secret
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
on the client add:
    narrowing=yes
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
Once authenticated the server will give the "narrowed" tunnel of
100.64.0.1/32 <-> 0.0.0.0/0, which the client will accept.
Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
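The following is an added example, not part of the thread and not libreswan code: a deliberately simplified model of how an IKEv2 responder reconciles the initiator's proposed traffic selectors (TSi/TSr) with its own policy, which is what produces the TS_UNACCEPTABLE notification above and what `narrowing=yes` plus `rightaddresspool` changes. It parses the two conn fragments with a toy key=value parser, treats any `vhost:` value as unusable for IKEv2 (as Paul states), and hands out the first pool address as the only client selector. It ignores ports, protocols, multiple selectors per direction, and the real lease logic. The roadwarrior address 10.0.0.7 and the reduced conn fragments are constructed for the example; 172.16.0.129 and 1.2.3.4 are the addresses from the thread.

```python
import ipaddress

# Constructed ipsec.conf fragments: the thread's conn sections reduced to the
# keys that affect traffic-selector negotiation (assumed, not the full configs).
ORIGINAL_SERVER = """
conn roadw
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=vhost:%priv,%no
"""
ORIGINAL_CLIENT = """
conn server
    left=%defaultroute
    right=1.2.3.4
"""
FIXED_SERVER = """
conn roadw
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=100.64.0.1-100.64.0.10
    narrowing=yes
"""
FIXED_CLIENT = """
conn server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=1.2.3.4
    rightsubnet=0.0.0.0/0
    narrowing=yes
"""

SERVER_ADDR = "172.16.0.129"   # from the thread's diagram
CLIENT_ADDR = "10.0.0.7"       # constructed; the thread only says 10.0.0.y


def parse_conn(text):
    """Toy parser: turn the key=value lines of one conn section into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def narrow(proposed, configured, narrowing):
    """Intersect one proposed selector with the responder's configured one.

    Returns the agreed network, or None when they cannot be reconciled (the
    responder then answers with TS_UNACCEPTABLE).
    """
    p = ipaddress.ip_network(proposed, strict=False)
    c = ipaddress.ip_network(configured, strict=False)
    if p == c:
        return c
    if not narrowing:
        return None           # exact match required when narrowing is off
    if p.subnet_of(c):
        return p              # initiator asked for something inside our policy
    if c.subnet_of(p):
        return c              # initiator asked for more; narrow to our policy
    return None               # disjoint selectors


def negotiate(client_text, server_text, client_addr=CLIENT_ADDR):
    """Simulate the responder's handling of the initiator's TSi/TSr proposal."""
    client = parse_conn(client_text)
    server = parse_conn(server_text)

    # Initiator side: with no leftsubnet/rightsubnet the host addresses (/32)
    # are proposed (simplified model of the defaults).
    tsi = client.get("leftsubnet", client_addr + "/32")
    tsr = client.get("rightsubnet", client["right"] + "/32")

    # Responder policy for the client side: a pool lease /32, or rightsubnet.
    if "rightaddresspool" in server:
        first_lease = server["rightaddresspool"].split("-")[0]
        client_policy = first_lease + "/32"
    else:
        client_policy = server.get("rightsubnet", "")
    server_policy = server.get("leftsubnet", SERVER_ADDR + "/32")

    # Both peers must allow narrowing for the responder to shrink a selector.
    narrowing = client.get("narrowing") == "yes" and server.get("narrowing") == "yes"

    # vhost: syntax is IKEv1-only, so it yields no usable IKEv2 selector.
    if client_policy.startswith("vhost:"):
        client_ts = None
    else:
        client_ts = narrow(tsi, client_policy, narrowing)
    server_ts = narrow(tsr, server_policy, narrowing)

    if client_ts is None or server_ts is None:
        return "TS_UNACCEPTABLE"
    return f"{client_ts} <-> {server_ts}"


if __name__ == "__main__":
    print("original configs:", negotiate(ORIGINAL_CLIENT, ORIGINAL_SERVER))
    print("fixed configs:   ", negotiate(FIXED_CLIENT, FIXED_SERVER))
```

With the original fragments the responder has no usable client selector and, with narrowing off, cannot shrink 1.2.3.4/32 against 0.0.0.0/0 either, so the call returns TS_UNACCEPTABLE; with the fixed fragments both sides propose 0.0.0.0/0, narrowing is on, and the responder narrows the client side to the pool lease, giving 100.64.0.1/32 <-> 0.0.0.0/0 as Paul describes.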