we require peer to have ID ‘x.x.x.x’, but peer declares ‘x.x.x.x’

Posted on October 28, 2014



At my side we have installed and configured VYATTA firewall and at the other side there was a hardware based firewall (May be CISCO or JUNIPER). We have created many site to site VPNs with different companies and they all are running fine. This time we were facing the subjected matter.

At the other side the Firewall was configured to use a NATTED ip address. Means if someone connects with that firewall, it shows a Private IP instead of Public IP. So when we configured the site to site VPN at our side the VPN logs were showing the subjected message.

vyatta@vyatta:~$ show log vpn ipsec

we require peer to have ID ‘PUBLIC_IP‘, but peer declares ‘PRIVATE_IP


vyatta@vyatta:~$ configure

vyatta@vyatta# edit vpn ipsec site-to-site peer authentication

vyatta@vyatta# set remote-id NATTED_IP_OF_DESTINATION_SIDE

save and commit


Example Result

show vpn ipsec sa detail

Peer IP:                PUBLIC_IP
Peer ID:                PRIVATE_IP
Local IP:               LOCAL_PUBLIC_IP
Local ID:               LOCAL_PUBLIC_IP
NAT Traversal:          yes
NAT Source Port:        4500
NAT Dest Port:          4500


You may also need to do the below   (Not confirmed this step)

vyatta@vyatta# set vpn ipsec nat-traversal enable


Helpful links


Posted in: Linux