PROBLEM
On our side we had installed and configured a Vyatta firewall; on the other side there was a hardware firewall (probably Cisco or Juniper). We have created many site-to-site VPNs with different companies and they all run fine. This time we ran into the problem described below.
The firewall on the other side was configured to use a NATted IP address: when it connects to a peer, it identifies itself with a private IP address instead of its public IP. So when we configured the site-to-site VPN on our side, the VPN logs showed the following message.
vyatta@vyatta:~$ show log vpn ipsec
we require peer to have ID 'PUBLIC_IP', but peer declares 'PRIVATE_IP'
RESOLUTION
vyatta@vyatta:~$ configure
vyatta@vyatta# edit vpn ipsec site-to-site peer 202.154.233.19 authentication
vyatta@vyatta# set remote-id NATTED_IP_OF_DESTINATION_SIDE
save and commit
Example Result
show vpn ipsec sa detail
Peer IP: PUBLIC_IP
Peer ID: PRIVATE_IP
Local IP: LOCAL_PUBLIC_IP
Local ID: LOCAL_PUBLIC_IP
NAT Traversal: yes
NAT Source Port: 4500
NAT Dest Port: 4500
===========
You may also need to run the following command (this step is not confirmed):
vyatta@vyatta# set vpn ipsec nat-traversal enable
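As an added illustration (not part of the original post or of Vyatta itself), the script below parses the pluto log line quoted above, derives the corresponding `set ... remote-id` command for each affected peer, and checks a `show vpn ipsec sa detail` block for the symptom described on this page (Peer ID differing from Peer IP while NAT Traversal is on). The sample log and SA output are constructed; the `"peer-<ip>-tunnel-<n>"` connection-name pattern and the addresses other than 202.154.233.19 are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `show log vpn ipsec` output (not taken from the page).
# Connection names follow the "peer-<ip>-tunnel-<n>" pattern (assumption).
SAMPLE_LOG = """\
Mar 12 10:01:02 vyatta pluto[1234]: "peer-202.154.233.19-tunnel-1" #1: responding to Main Mode
Mar 12 10:01:03 vyatta pluto[1234]: "peer-202.154.233.19-tunnel-1" #1: we require peer to have ID '202.154.233.19', but peer declares '10.10.10.5'
Mar 12 10:02:15 vyatta pluto[1234]: "peer-198.51.100.7-tunnel-1" #2: ISAKMP SA established
"""

# Constructed sample of `show vpn ipsec sa detail` output, shaped like the
# page's example with placeholder addresses filled in.
SAMPLE_SA_DETAIL = """\
Peer IP: 202.154.233.19
Peer ID: 10.10.10.5
Local IP: 203.0.113.10
Local ID: 203.0.113.10
NAT Traversal: yes
NAT Source Port: 4500
NAT Dest Port: 4500
"""

# Matches the pluto ID-mismatch message and captures the peer address,
# the ID we expect and the ID the peer actually declared.
MISMATCH_RE = re.compile(
    r'"peer-(?P<peer>[0-9.]+)-tunnel-\d+"[^:]*: '
    r"we require peer to have ID '(?P<expected>[^']+)', "
    r"but peer declares '(?P<declared>[^']+)'"
)


def find_id_mismatches(log_text: str) -> List[Dict[str, str]]:
    """Return one record per ID-mismatch line in the log."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def remote_id_fix(mismatch: Dict[str, str]) -> str:
    """Vyatta configuration-mode command that accepts the declared ID."""
    return (f"set vpn ipsec site-to-site peer {mismatch['peer']} "
            f"authentication remote-id {mismatch['declared']}")


def parse_sa_detail(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of `show vpn ipsec sa detail` into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def peer_behind_nat(sa: Dict[str, str]) -> bool:
    """True when the SA shows the page's symptom: the peer's declared ID
    differs from the address its packets arrive from and NAT-T is in use."""
    return (sa.get("Peer ID") != sa.get("Peer IP")
            and sa.get("NAT Traversal", "").lower() == "yes")


if __name__ == "__main__":
    for mm in find_id_mismatches(SAMPLE_LOG):
        print(f"{mm['peer']}: expected {mm['expected']}, declared {mm['declared']}")
        print("  fix:", remote_id_fix(mm))
    sa = parse_sa_detail(SAMPLE_SA_DETAIL)
    print("peer behind NAT:", peer_behind_nat(sa))
```

Run it against a saved copy of the log and SA output; on a live box the two sample strings would be replaced by the command output. The generated command still has to be applied in configuration mode and committed, as in the resolution above.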
Helpful links
Christian P Appel
March 12, 2016
Thanks for sharing this, just saved me hours of troubleshooting – besides the ones already spent. Have a great weekend!