<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Miriam;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        text-align:justify;
        font-size:11.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Times New Roman";
        color:windowtext;
        font-weight:normal;
        font-style:normal;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Dear Developers,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I am trying to enable WinXP/SP2 (with the registry fix) clients to
access my Openswan server on a Linux FC5. Since my roadwarriors are NAT-ed, I
required the </span></font><font size=3><span style='font-size:12.0pt'>"rightsubnet=vhost:%no,%priv"
option. I tried the option both in 2.4.4 (installed from a bin RPM) and 2.4.5
compiled from sources. In both cases, the option caused error messages and for
Pluto to die.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>You may note that without "rightsubnet=vhost:%no,%priv",
there are no problems in bringing up Pluto or in the ipsec verify output.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Your help would be greatly appreciated. I already posted in the Users
list, and they couldn’t find anything wrong in theory in my setup.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I am enclosing below relevant files and output.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>TIA,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Lavie <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Please find below
the output of /var/log/messages:<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>=======================================================<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:56
lavie010 ipsec_setup: ...Openswan IPsec started<br>
Jul 17 09:26:57 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:57
lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:57
lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:57
lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:57
lavie010 ipsec_setup: FATAL: Error inserting hw_random
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such
device<br>
Jul 17 09:26:57 lavie010 ipsec_setup: insmod /lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:57
lavie010 ipsec_setup: FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such
device<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:58
lavie010 ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 211: 10237
Aborted
/usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-control --debug-parsing --use-auto --uniqueids
--nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:58
lavie010 ipsec__plutorun: 003 ASSERTION FAILED at connections.c:1382:
isanyaddr(&c->spd.that.host_addr)<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 %myid = (none)<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 debug parsing+control<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<br>
Jul 17 09:26:58 lavie010 ipsec__plutorun: 000<br>
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
%any[@myhost.myworkdomain.com]:17/%any...10.0.0.138---10.0.0.1:17/%any;
unrouted; eroute owner: #0<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL": srcip=unset;
dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 3<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL":
policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: ; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: 000 "L2TP-PSK-EXTERNAL": newest
ISAKMP SA: #0; newest IPsec SA: #0; <o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: 000<br>
Jul 17 09:26:59 lavie010 ipsec__plutorun: 000<br>
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-EXTERNAL"<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: whack: is Pluto running? connect() for
"/var/run/pluto/pluto.ctl" failed (111 Connection refused)<br>
Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-INTERNAL"<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:26:59
lavie010 ipsec__plutorun: whack: is Pluto running? connect() for
"/var/run/pluto/pluto.ctl" failed (111 Connection refused)<br>
Jul 17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!: exited with error status 134
(signal 6)<br>
Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting IPsec after
pause...<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:09
lavie010 kernel: NET: Unregistered protocol family 15<br>
Jul 17 09:27:09 lavie010 ipsec_setup: ...Openswan IPsec stopped<br>
Jul 17 09:27:09 lavie010 ipsec_setup: Stopping Openswan IPsec...<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:09
lavie010 ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:09
lavie010 kernel: NET: Registered protocol family 15<br>
Jul 17 09:27:10 lavie010 kernel: padlock: VIA PadLock not detected.<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:10
lavie010 ipsec_setup: KLIPS ipsec0
on eth0 10.0.0.1/255.0.0.0 broadcast 10.255.255.255<br>
Jul 17 09:27:10 lavie010 ipsec_setup: ...Openswan IPsec started<br>
Jul 17 09:27:11 lavie010 ipsec_setup: Restarting Openswan IPsec 2.4.5...<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:11
lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/key/af_key.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:11
lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/net/ipv4/xfrm4_tunnel.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:11
lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:11
lavie010 ipsec_setup: FATAL: Error inserting hw_random
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/char/hw_random.ko): No such
device<br>
Jul 17 09:27:11 lavie010 ipsec_setup: insmod
/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Jul 17 09:27:11
lavie010 ipsec_setup: FATAL: Error inserting padlock
(/lib/modules/2.6.17-1.2145_FC5/kernel/drivers/crypto/padlock.ko): No such
device<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div style='mso-element:para-border-div;border:none;border-bottom:double windowtext 2.25pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Below is the output from
ipsec verify:<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking your
system to see if IPsec got installed and started correctly:<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Version check and
ipsec
on-path
[OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span lang=NL style='font-size:12.0pt'>Linux
Openswan U2.4.5/K2.6.17-1.2145_FC5 (netkey)<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking for IPsec
support in
kernel
[OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>NETKEY detected,
testing for disabled ICMP send_redirects
[OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>NETKEY detected,
testing for disabled ICMP accept_redirects [OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking for RSA
private key
(/etc/ipsec.secrets)
[OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking that
pluto is
running
[FAILED]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'> whack: is
Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Two or more
interfaces found, checking IP
forwarding
[FAILED]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'> whack: is
Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed
(111 Connection refused)<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking NAT and
MASQUERADEing
<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking for 'ip'
command
[OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Checking for
'iptables'
command
[OK]<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>Opportunistic
Encryption
Support
[DISABLED]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div style='mso-element:para-border-div;border:none;border-bottom:double windowtext 2.25pt;
padding:0in 0in 1.0pt 0in'>
<p class=MsoNormal style='border:none;padding:0in'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Below is my ipsec.config:<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>version
2.0 # conforms to second version of ipsec.conf
specification<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>
<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'># basic
configuration<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>config setup<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;# Debug-logging controls: "none" for (almost) none, "all" for lots.<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;# klipsdebug=none<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;plutodebug="control parsing"<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;nat_traversal=yes<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>
<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>conn
L2TP-PSK-INTERNAL<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;authby=secret<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;pfs=no<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;rekey=no<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;keyingtries=3<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;left=192.168.1.254<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;leftprotoport=17/%any<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;right=%any<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;rightprotoport=17/%any<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;auto=add<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>conn
L2TP-PSK-EXTERNAL<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;authby=secret<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;pfs=no<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;rekey=no<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;keyingtries=3<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;left=10.0.0.1<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;leftnexthop=10.0.0.138<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;leftid=10.0.0.1<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;leftprotoport=17/%any<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;right=%any<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=vhost:%no,%priv<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;rightprotoport=17/%any<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;rightid=@NATted.hostname.com<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;auto=add<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>#include
/etc/ipsec.d/*.conf<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>#Disable
Opportunistic Encryption<o:p></o:p></span></font></p>
<p class=MsoNormal align=left style='text-align:left;text-autospace:none'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt'>include
/etc/ipsec.d/examples/no_oe.conf<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
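<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Added example, not part of the original post and not Openswan code: a Python triage helper for a log excerpt like the one quoted above, where mail wrapping has fused several syslog entries onto one line. It splits entries at each timestamp, then pulls out the pluto assertion, the connections that failed to load, and the abort status; the sample text is excerpted from the post's log, and the function names are illustrative.</span></font></p>

```python
import re
import signal

# Start of a syslog entry: "Mon DD HH:MM:SS host tag: "
STAMP = re.compile(r"[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \S+ [\w.-]+(?:\[\d+\])?: ?")
ASSERT_RE = re.compile(r"ASSERTION FAILED at ([\w.]+):(\d+): (.+)$")
CONN_RE = re.compile(r'could not add conn "([^"]+)"')
EXIT_RE = re.compile(r"exited with error status (\d+) \(signal (\d+)\)")
RESTART_RE = re.compile(r"restarting IPsec after pause")

# Excerpt of the log quoted in the post (other lines omitted), kept wrapped
# and fused the way the mail client delivered it.
SAMPLE = """\
Jul 17 09:26:58 lavie010 ipsec__plutorun: 003 ASSERTION FAILED at connections.c:1382:
isanyaddr(&c->spd.that.host_addr) Jul 17 09:26:58 lavie010
ipsec__plutorun: 000 %myid = (none) Jul 17 09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-EXTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: whack: is Pluto running? connect() for
"/var/run/pluto/pluto.ctl" failed (111 Connection refused) Jul 17
09:26:59 lavie010 ipsec__plutorun: ...could not add conn
"L2TP-PSK-INTERNAL"
Jul 17 09:26:59 lavie010 ipsec__plutorun: !pluto failure!: exited with error status 134
(signal 6) Jul 17 09:26:59 lavie010 ipsec__plutorun: restarting IPsec after
pause...
"""


def split_entries(text):
    """Undo mail line-wrapping and split fused syslog entries at each timestamp."""
    flat = " ".join(text.split())
    starts = [m.start() for m in STAMP.finditer(flat)]
    ends = starts[1:] + [len(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, ends)]


def triage(entries):
    """Summarise a pluto crash: assertion site, unloaded conns, abort status."""
    report = {"assertions": [], "failed_conns": [], "exit_status": None,
              "signal": None, "signal_name": None,
              "status_matches_signal": None, "restarts": 0}
    for entry in entries:
        m = ASSERT_RE.search(entry)
        if m:
            report["assertions"].append((m.group(1), int(m.group(2)), m.group(3)))
        report["failed_conns"] += CONN_RE.findall(entry)
        m = EXIT_RE.search(entry)
        if m:
            status, sig = int(m.group(1)), int(m.group(2))
            report["exit_status"], report["signal"] = status, sig
            # Shells report death-by-signal as 128 + signal number.
            report["status_matches_signal"] = status == 128 + sig
            try:
                report["signal_name"] = signal.Signals(sig).name
            except ValueError:
                pass  # signal number unknown on this platform
        if RESTART_RE.search(entry):
            report["restarts"] += 1
    return report


if __name__ == "__main__":
    for key, value in triage(split_entries(SAMPLE)).items():
        print(f"{key}: {value}")
```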
</div>
</body>
</html>