<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>OpenSWAN node to node connection</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>You must have the subnets set for your ping
tests.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>The only traffic that uses the tunnel is what matches your
subnet lines.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>If you want to ping from the openswan machine to the
openswan machine, then</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>either remove the subnet lines in the conf, or add
left/rightsourceip parameters which match</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>your private IPs used for your ping
tests.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>Note that any time you change your conf files you will need to
reload your conn for the changes to take effect.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>You can either:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>ipsec auto --replace net-to-net</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>on both openswan's followed by a:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>ipsec auto --up net-to-net</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>on one side, or reset both ipsec
daemons:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>ipsec restart</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=567030318-11102007><FONT face=Arial
color=#0000ff size=2>Try reading the man pages and doc files in the distribution;
all this information is there.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
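<DIV align=left><FONT face=Arial size=2>Added example, not part of the list thread or of openswan itself: a small Python model of how a conn's left/rightsubnet lines select traffic, using two constructed conn blocks (Peter's host-to-host variant with the subnet lines commented out, and the original post's conn with the same /24 on both sides). The %defaultroute resolution address is an assumption passed in by the caller; openswan reads it from the routing table.</FONT></DIV>

```python
import ipaddress

# Constructed sample: Peter's host-to-host conn, subnet lines commented out,
# so each selector defaults to the endpoint's own address.
HOST_TO_HOST = """conn net-to-net
    left=%defaultroute
    leftnexthop=%defaultroute
    leftid=@left.com
    # leftsubnet=192.168.1.100/32 # defaults to left
    right=192.168.1.101
    rightid=@right.com
    # rightsubnet=192.168.1.101/32 # defaults to right
    auto=add
"""
# Constructed sample: the original post's conn, same /24 on both sides.
SAME_SUBNET = """conn net-to-net
    left=192.168.1.100
    leftsubnet=192.168.1.1/24
    right=192.168.1.101
    rightsubnet=192.168.1.1/24
    auto=add
"""

def parse_conn(text, defaultroute_ip):
    """Parse one conn block into a dict. '%defaultroute' is replaced by the
    caller-supplied address (assumption; openswan takes it from the routing table)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments, incl. commented-out lines
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conf[key] = defaultroute_ip if val == "%defaultroute" else val
    return conf

def selectors(conf):
    """Traffic selectors: leftsubnet/rightsubnet, each defaulting to <side>/32."""
    return tuple(
        ipaddress.ip_network(conf.get(side + "subnet", conf[side] + "/32"), strict=False)
        for side in ("left", "right"))

def tunneled(conf, src, dst):
    """True if a src->dst packet matches the policy in either direction;
    any other traffic between the hosts bypasses the tunnel entirely."""
    left, right = selectors(conf)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

def overlapping_subnets(conf):
    """Flags the same-subnet-on-both-sides case Peter warns about."""
    left, right = selectors(conf)
    return left.overlaps(right)
```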
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Vuppula, Srinivas
[mailto:srinivas.vuppula@intel.com] <BR><B>Sent:</B> October 11, 2007 1:58
PM<BR><B>To:</B> petermcgill@goco.net<BR><B>Cc:</B>
users@openswan.org<BR><B>Subject:</B> RE: [Openswan Users] OpenSWAN node to
node connection<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>It was a typo in the email only. The conf file had
defaultroute.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>I do get the SA established successfully... don't know
why it worked today and not yesterday... maybe the reboot
helped.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>But the other thing I saw was that, once the SA tunnel is
established... I cannot ping the 2 systems from each other... the ping
hangs.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>But while it hangs, tcpdump does show the packets with
ESP. So the tunnel is fine and packets do cross...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>Why does the ping fail from one system to the
other...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>Do I need to have 2 NICs on one Linux box, get another
system connected on the 2nd NIC and ping that from the other Linux
box...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2>Why doesn't the ping from laptop to gateway or vice versa
work...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=290295417-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Peter McGill
[mailto:petermcgill@goco.net] <BR><B>Sent:</B> Thursday, October 11, 2007
10:44 AM<BR><B>To:</B> Vuppula, Srinivas;
users@openswan.org<BR><B>Subject:</B> RE: [Openswan Users] OpenSWAN node to
node connection<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>Well for one thing I don't think you can have the same
subnet on both sides of the tunnel.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>I suggest removing the subnet lines in the conf, for
a host to host tunnel.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>Also you spelt left=%defaultroute incorrectly as
left=%defaultroot in your Left ipsec.conf.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>i.e.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>Left ipsec.conf:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>conn net-to-net</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2> left=%defaultroute</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff
size=2>leftnexthop=%defaultroute</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>leftid=@left.com</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>leftrsasigkey=...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial><FONT color=#0000ff size=2># leftsubnet=192.168.1.100/32 #
defaults to left</FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>right=192.168.1.101</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>rightid=@right.com</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2> rightrsasigkey=...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial><FONT color=#0000ff size=2># rightsubnet=192.168.1.101/32 #
defaults to right</FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2> auto=add</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>Right ipsec.conf:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2>conn net-to-net</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>left=%defaultroute</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff
size=2>leftnexthop=%defaultroute</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>leftid=@right.com</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>leftrsasigkey=...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2># leftsubnet=192.168.1.101/32 # defaults
to left</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>right=192.168.1.100</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>rightid=@left.com</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>rightrsasigkey=...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2># rightsubnet=192.168.1.100 # defaults
to right</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007>
<FONT face=Arial color=#0000ff size=2>auto=add</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=910523017-11102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Vuppula,
Srinivas<BR><B>Sent:</B> October 11, 2007 12:40 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] OpenSWAN node to node
connection<BR></FONT><BR></DIV>
<DIV></DIV><BR>
<P><FONT face=Arial size=2>I am trying to connect two Linux systems through a
router (both are directly connected to a LinkSys router).</FONT> <BR><FONT
face=Arial size=2>The IPs of the two systems are 192.168.1.100 and
192.168.1.101.</FONT> <BR><FONT face=Arial size=2>The gateway IP of the
router is 192.168.1.1</FONT> <BR><FONT face=Arial size=2>I also named the 2
Linux boxes as box1@left.com and box2@right.com</FONT> <BR><FONT face=Arial
size=2>Both of them have openSWAN installed. IPsec is started on both.</FONT>
<BR><FONT face=Arial size=2>Attached are the 2 IPSec.conf files.</FONT>
<BR><FONT face=Arial size=2>When I run the command on the left system as
described at </FONT><A
href="http://wiki.openswan.org/index.php/Openswan/Configure"><U><FONT
face=Arial color=#0000ff
size=2>http://wiki.openswan.org/index.php/Openswan/Configure</FONT></U></A>
<BR><FONT face=Arial size=2>I do not get the tunnel established. It retries
retransmission and hangs.</FONT> </P>
<P><FONT face=Arial size=2>The command used is</FONT> <BR><FONT face=Arial
size=2>ipsec auto --up net-to-net</FONT> </P>
<P><FONT face=Arial size=2>My goal is to get 2 systems connected as
client-server over a VPN tunnel using IPsec.</FONT> <BR><FONT face=Arial size=2>Can
anyone comment on the config? Is it correct? What needs to be changed?</FONT>
</P>
<P><FONT face=Arial size=2>The left system has IP with DHCP configured. The
right system has static IP configured, as suggested in the document.</FONT>
<BR><FONT face=Arial size=2>Thanks,</FONT> <BR><FONT face=Arial
size=2>Srinivas</FONT> </P>
<P><FONT face=Arial size=2>Left system IPSec.conf:</FONT> <BR><FONT
face="Courier New" size=2>conn net-to-net</FONT>
<BR> <FONT face="Courier New"
size=2>left=%defaultroot # also tried with 192.168.1.100 but
same result</FONT> <BR> <FONT
face="Courier New" size=2>leftid=@left.com</FONT>
<BR> <FONT face="Courier New"
size=2>leftsubnet=192.168.1.1/24</FONT>
<BR> <FONT face="Courier New"
size=2>leftrsasigkey=0sAQOE4rLjh9bL3szKqCwxSoHT84l+jGbfPcUfNs9BDL2UAwEITq1MVmHIQHwo2UX8aQ5ObSnDQYVODwf5gYIGzmShqpt0FEFN8ewYIdxkPvcSLiC5AgLsGBO0Lu4o2A4VOx6btaiTygcFtpyrvNGdpWFJiLe5TeExV+TaaxS8Uq3x4b/3FUsFsH3AfS3CN7qnKeCpZN54y3qOBzxxmQNKR/scV5pLIQr60FFOG1O5GYqhFAZR9gTIC998V5USMz0LpB6aNir7avE5dTdWcypunyZFWPDyZXyDt6gtNgaX/1G+b1yCKGOGZD+5pIdOBnzp1wArmo+Rmvuw9ifisM/DI6rT8tEI0ZgcxsV5RR6tLlaOg3dd</FONT></P>
<P><FONT face="Courier New"
size=2> right=192.168.1.101</FONT>
<BR> <FONT face="Courier New"
size=2>rightid=@right.com</FONT>
<BR> <FONT face="Courier New"
size=2>rightsubnet=192.168.1.1/24</FONT> <BR><FONT face="Courier New"
size=2>rightrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqrP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N</FONT></P>
<P> <FONT face="Courier New"
size=2>auto=add</FONT> </P><BR>
<P><FONT face=Arial size=2>Right system IPSec.conf : I switched the setting
as mentioned in RoadWarrior configuration</FONT> </P>
<P><FONT face="Courier New" size=2>conn net-to-net</FONT>
<BR> <FONT face="Courier New"
size=2>left=192.168.1.101</FONT>
<BR> <FONT face="Courier New"
size=2>leftid=@right.com</FONT>
<BR> <FONT face="Courier New"
size=2>leftsubnet=192.168.1.1/24</FONT>
<BR> <FONT face="Courier New"
size=2>leftrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqrP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N</FONT></P>
<P><FONT face="Courier New"
size=2>
rightnexthop=%defaultroute</FONT> <BR><FONT face="Courier New"
size=2> right=192.168.1.100</FONT>
<BR> <FONT face="Courier New"
size=2>rightid=@left.com</FONT>
<BR> <FONT face="Courier New"
size=2>rightrsasigkey=0sAQOE4rLjh9bL3szKqCwxSoHT84l+jGbfPcUfNs9BDL2UAwEITq1MVmHIQHwo2UX8aQ5ObSnDQYVODwf5gYIGzmShqpt0FEFN8ewYIdxkPvcSLiC5AgLsGBO0Lu4o2A4VOx6btaiTygcFtpyrvNGdpWFJiLe5TeExV+TaaxS8Uq3x4b/3FUsFsH3AfS3CN7qnKeCpZN54y3qOBzxxmQNKR/scV5pLIQr60FFOG1O5GYqhFAZR9gTIC998V5USMz0LpB6aNir7avE5dTdWcypunyZFWPDyZXyDt6gtNgaX/1G+b1yCKGOGZD+5pIdOBnzp1wArmo+Rmvuw9ifisM/DI6rT8tEI0ZgcxsV5RR6tLlaOg3dd</FONT></P>
<P> <FONT face="Courier New"
size=2>auto=add</FONT> </P></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>