we require peer to have ID ‘x.x.x.x’, but peer declares ‘x.x.x.x’

Posted on October 28, 2014

PROBLEM

On our side we had installed and configured a Vyatta firewall; on the other side there was a hardware firewall (possibly Cisco or Juniper). We have built many site-to-site VPNs with different companies and they all run fine. This time we hit the error in the title.

The firewall on the other side sits behind NAT, so the IKE identity it sends is its private (NATed) address rather than the public address we connect to. Vyatta by default expects the peer's ID to equal the peer's public IP, so when we configured the site-to-site VPN on our side the VPN log showed the message below.

vyatta@vyatta:~$ show log vpn ipsec

we require peer to have ID 'PUBLIC_IP', but peer declares 'PRIVATE_IP'

RESOLUTION

vyatta@vyatta:~$ configure

vyatta@vyatta# edit vpn ipsec site-to-site peer 202.154.233.19 authentication

vyatta@vyatta# set remote-id NATTED_IP_OF_DESTINATION_SIDE

commit, then save. The remote-id must be exactly the ID the peer declares in the log (its private address); do not loosen it to a wildcard, since the ID is what the peer's credentials are matched against.


Example Result

show vpn ipsec sa detail

Peer IP:                PUBLIC_IP
Peer ID:                PRIVATE_IP
Local IP:               LOCAL_PUBLIC_IP
Local ID:               LOCAL_PUBLIC_IP
NAT Traversal:          yes
NAT Source Port:        4500
NAT Dest Port:          4500

===========

You may also need the following (not confirmed for this case). NAT traversal is what lets IKE and ESP pass the NAT in front of the peer over UDP 4500, which is what the `NAT Traversal: yes` line in the SA output above indicates:

vyatta@vyatta# set vpn ipsec nat-traversal enable
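As an added example (not from the original post), a small Python script that scans `show log vpn ipsec` output for this exact message, decides whether the declared ID is a private address (the NAT symptom described above), prints the matching `set ... remote-id` command, and checks `show vpn ipsec sa detail` afterwards. The log lines and SA output embedded in it are constructed, and the `peer-<address>-tunnel-N` connection name in the log is an assumption about Vyatta's naming.

```python
"""Detect the Vyatta/pluto "we require peer to have ID" mismatch in IPsec logs
and emit the matching remote-id fix.  Added example; the log lines and SA
output below are constructed, not captured from the device in the post."""
import ipaddress
import re

# Constructed sample of `show log vpn ipsec` output in pluto's format (assumption:
# the connection name "peer-<address>-tunnel-N" is Vyatta's naming convention).
SAMPLE_LOG = """\
Oct 28 10:12:01 vyatta pluto[2211]: "peer-203.0.113.10-tunnel-1" #3: responding to Main Mode from unknown peer 203.0.113.10:4500
Oct 28 10:12:01 vyatta pluto[2211]: "peer-203.0.113.10-tunnel-1" #3: we require peer to have ID '203.0.113.10', but peer declares '10.20.30.40'
Oct 28 10:12:01 vyatta pluto[2211]: "peer-203.0.113.10-tunnel-1" #3: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:4500
Oct 28 10:13:44 vyatta pluto[2211]: "peer-198.51.100.7-tunnel-1" #4: we require peer to have ID '198.51.100.7', but peer declares '@branch.example'
"""

# Constructed sample of `show vpn ipsec sa detail` after the fix was committed.
SAMPLE_SA_DETAIL = """\
Peer IP:                203.0.113.10
Peer ID:                10.20.30.40
Local IP:               192.0.2.1
Local ID:               192.0.2.1
NAT Traversal:          yes
NAT Source Port:        4500
NAT Dest Port:          4500
"""

# Accept both straight quotes (what pluto writes) and the curly quotes that
# blog copy/paste tends to produce.
_ID_MISMATCH = re.compile(
    r'"peer-(?P<peer>[^"-]+)-tunnel-\d+".*?'
    r"we require peer to have ID [‘'](?P<required>[^'’]+)[’'], "
    r"but peer declares [‘'](?P<declared>[^'’]+)[’']"
)


def _is_private_ip(identity):
    """True if the IKE identity is an RFC 1918/ULA address, i.e. the peer is
    almost certainly behind NAT.  Non-IP identities (FQDN, @name, email) -> False."""
    try:
        return ipaddress.ip_address(identity).is_private
    except ValueError:
        return False


def find_id_mismatches(log_text):
    """Return one dict per ID-mismatch line: peer (tunnel endpoint we dial),
    required (what our config expects, by default the peer address),
    declared (what the peer actually sent in its ID payload) and whether
    the declared ID points at NAT."""
    found = []
    for line in log_text.splitlines():
        m = _ID_MISMATCH.search(line)
        if not m:
            continue
        found.append({
            "peer": m["peer"],
            "required": m["required"],
            "declared": m["declared"],
            "behind_nat": _is_private_ip(m["declared"]),
        })
    return found


def remediation_commands(mismatch):
    """Vyatta configure-mode commands that make our side expect exactly the ID
    the peer declares.  remote-id is pinned to that literal value; never a
    wildcard, since the ID is what the peer's credentials are matched against."""
    cmds = [
        "set vpn ipsec site-to-site peer {peer} authentication remote-id {declared}".format(**mismatch)
    ]
    if mismatch["behind_nat"]:
        cmds.append("set vpn ipsec nat-traversal enable")
    cmds += ["commit", "save"]
    return cmds


def sa_detail_fields(sa_text):
    """Parse `show vpn ipsec sa detail` 'Key:   value' lines into a dict."""
    fields = {}
    for line in sa_text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def fix_is_effective(sa_text, mismatch):
    """After commit: the SA must show the peer's declared ID as Peer ID and,
    for a NATed peer, NAT traversal on UDP 4500."""
    f = sa_detail_fields(sa_text)
    ok = f.get("Peer IP") == mismatch["peer"] and f.get("Peer ID") == mismatch["declared"]
    if mismatch["behind_nat"]:
        ok = ok and f.get("NAT Traversal") == "yes" and f.get("NAT Dest Port") == "4500"
    return ok


if __name__ == "__main__":
    mismatches = find_id_mismatches(SAMPLE_LOG)
    for mm in mismatches:
        print("peer %(peer)s declares %(declared)s (behind NAT: %(behind_nat)s)" % mm)
        for cmd in remediation_commands(mm):
            print("   ", cmd)
    print("fix verified:", fix_is_effective(SAMPLE_SA_DETAIL, mismatches[0]))
```

Paste real `show log vpn ipsec` output into `SAMPLE_LOG` to use it on a device; a declared ID that is not an IP address (the `@branch.example` line) still yields the remote-id command but does not by itself justify enabling NAT traversal.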


Helpful links

http://www.carbonwind.net/blog/post/Fun-with-Vyatta-VC5-and-IPsec-tunnel-mode-s2s-VPN-when-both-Vyattas-BPN-gateways-are-behind-NAT-devices-using-dynamic-public-IP-addresses.aspx
