<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1498" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005>hi</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>I'm new to Openswan
VPN connections, but I have already been struggling with it for a few days; please
help!</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>I want to set up a
VPN connection between two sites and authenticate by PSK.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>Both sides are
running Fedora Core 3</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>Kernel version:
2.6.11</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>Openswan
2.3.0</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>ipsec-tools:
0.5.2</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>I can get the
host-host connection up with correct encryption. I use tcpdump and ping to get
the output below:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>[root@racoon ~]#
tcpdump dst host 194.0.1.138<BR>tcpdump: verbose output suppressed, use -v or
-vv for full protocol decode<BR>listening on eth0, link-type EN10MB (Ethernet),
capture size 96 bytes<BR>11:52:24.571218 IP 194.0.1.166 > 194.0.1.138:
ESP(spi=0xaeaa277f,seq=0x1)<BR>11:52:26.500382 IP 194.0.1.166 > 194.0.1.138:
ESP(spi=0xaeaa277f,seq=0x2)<BR>11:52:28.415432 IP 194.0.1.166 > 194.0.1.138:
ESP(spi=0xaeaa277f,seq=0x3)</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>And I assume this
means the VPN is fine.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>The ipsec.conf is
below, and both sides have exactly the same ipsec.conf:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>[root@racoon ~]# cat
/etc/ipsec.conf<BR>version 2.0<BR>config
setup<BR>
interfaces=%defaultroute<BR>
klipsdebug=none<BR>
plutodebug=none<BR>
overridemtu=1410<BR>
nat_traversal=yes<BR>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16<BR>
uniqueids=no</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>conn
%default<BR>
#keyingtries=3<BR>
keyingtries=0<BR>
#compress=yes<BR>
#disablearrivalcheck=no<BR>
#authby=secret<BR>
#type=tunnel<BR>
#keyexchange=ike<BR>
#ikelifetime=240m<BR>
#keylife=60m<BR>
spi=0X200<BR>
esp=3des-md5-96<BR>
espenckey=0X123456789abcd<BR>
espauthkey=0X1234567<BR>
authby=rsasig</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>#VPN connection
between sites<BR>conn sitevpn<BR>
authby=secret<BR>
auto=start<BR>
left=194.0.1.166<BR>
#leftsubnet=192.168.2.0/24<BR>
leftnexthop=194.0.1.138<BR>
right=194.0.1.138<BR>
#rightsubnet=192.168.0.0/24<BR>
rightnexthop=194.0.1.166<BR>
type=tunnel</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>#Disable
Opportunistic Encryption<BR>include
/etc/ipsec.d/examples/no_oe.conf</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>However, as soon as
I uncomment the two lines for leftsubnet and rightsubnet and restart the ipsec
service, it doesn't seem to work any more. </SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>I tested with the
tcpdump and ping commands; the output is below:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>[root@racoon ~]#
tcpdump dst host 194.0.1.138<BR>tcpdump: verbose output suppressed, use -v or
-vv for full protocol decode<BR>listening on eth0, link-type EN10MB (Ethernet),
capture size 96 bytes<BR>11:58:43.151349 IP 194.0.1.166 > 194.0.1.138: icmp
64: echo reply seq 0<BR>11:58:45.059510 IP 194.0.1.166 > 194.0.1.138: icmp
64: echo reply seq 1<BR>11:58:46.991116 IP 194.0.1.166 > 194.0.1.138: icmp
64: echo reply seq 2</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>Sorry about the long
post, and I would really appreciate any hints, because I don't have much knowledge
about VPN and IPsec, and actually just modified the script from some tutorial
and example found on Google.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=738073723-06062005>Thanks in
advance</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005></SPAN></FONT> </DIV>
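<DIV><FONT face=Arial size=2>Editor's note: the script below is an added example; it is not part of willis's message and not Openswan code. It automates the comparison the two tcpdump captures in the message make by hand: packets between the two gateway addresses that tcpdump decodes as ESP(spi=...) are being carried by the tunnel, while ICMP or any other plaintext between those same addresses means that traffic is bypassing it. That distinction matters because an IPsec subnet-to-subnet conn's policy only covers packets whose addresses fall inside leftsubnet and rightsubnet, so a ping between the gateways' own outer addresses is not matched by such a conn and is sent in the clear unless a separate host-to-host conn covers it. The parser assumes tcpdump's default one-line IP output (as quoted in the message, and also the "UDP-encap: ESP(...)" form used with NAT traversal); the sample capture lines are constructed here using the two addresses from the message.</FONT></DIV>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample captures, modelled on the two tcpdump outputs quoted in
# the message (addresses from the message; the lines themselves are made up).
ENCRYPTED_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:52:24.571218 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x1)
11:52:26.500382 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x2)
11:52:28.415432 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x3)
"""
CLEARTEXT_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:58:43.151349 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 0
11:58:44.000000 IP 194.0.1.166.53112 > 8.8.8.8.53: 12345+ A? example.com. (29)
11:58:45.059510 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 1
11:58:46.991116 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 2
"""

# Default (non -v) tcpdump IPv4 line:  HH:MM:SS.usec IP src[.port] > dst[.port]: payload
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# Matches plain ESP and the NAT-T "UDP-encap: ESP(...)" rendering alike.
SPI_RE = re.compile(r"ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)")


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    kind: str            # "esp", "ah" or "clear"
    spi: Optional[str]   # SPI for ESP packets, else None
    summary: str         # tcpdump's payload description


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; banner/'listening on' lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    spi_m = SPI_RE.search(rest)
    if spi_m:
        kind, spi = "esp", spi_m.group(1)
    elif rest.startswith("AH("):
        kind, spi = "ah", None
    else:
        kind, spi = "clear", None          # anything tcpdump could decode in full
    return Packet(m.group("ts"), m.group("src"), m.group("dst"), kind, spi, rest)


def audit(capture: str, left: str, right: str) -> dict:
    """Classify traffic between two gateway addresses as protected or cleartext.

    Packets not between the given pair (e.g. the gateway's own DNS lookups)
    are ignored; any cleartext packet between the pair is reported, since it
    shows that packet was not matched by the IPsec policy.
    """
    pair = {left, right}
    pkts = [p for p in (parse_line(l) for l in capture.splitlines())
            if p is not None and {p.src, p.dst} == pair]
    protected = [p for p in pkts if p.kind in ("esp", "ah")]
    clear = [p for p in pkts if p.kind == "clear"]
    if clear:
        verdict = "unprotected"      # at least one packet bypassed the tunnel
    elif protected:
        verdict = "protected"
    else:
        verdict = "no-traffic"       # nothing seen between the pair at all
    return {
        "verdict": verdict,
        "protected": len(protected),
        "cleartext": len(clear),
        "spis": sorted({p.spi for p in protected if p.spi}),
        "cleartext_lines": [f"{p.ts} {p.src} > {p.dst}: {p.summary}" for p in clear],
    }


if __name__ == "__main__":
    for name, cap in (("host-host", ENCRYPTED_CAPTURE), ("subnet-subnet", CLEARTEXT_CAPTURE)):
        r = audit(cap, "194.0.1.166", "194.0.1.138")
        print(f"{name}: {r['verdict']} (esp/ah={r['protected']}, clear={r['cleartext']}, spis={r['spis']})")
        for line in r["cleartext_lines"]:
            print("  CLEAR:", line)
```

<DIV><FONT face=Arial size=2>Run against a saved tcpdump text file the same way (read the file into audit()), with the two gateway addresses as arguments; a "protected" verdict with the expected SPIs is the result the first capture shows, and any "CLEAR:" line is a packet between the gateways that the IPsec policy did not cover. To test whether the subnet-to-subnet conn itself works, the ping has to originate from an address inside leftsubnet and target one inside rightsubnet, and the same audit can then be run on those inner addresses captured on the gateway's inside interface.</FONT></DIV>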
<DIV><FONT face=Arial size=2><SPAN
class=738073723-06062005>willis</SPAN></FONT></DIV></BODY></HTML>