cat /e / $ cat /etc/ipse / $ cat /etc/ipsec.co / $ cat /etc/ipsec.conf  version 2.0 # conforms to second version of ipsec.conf specification config setup klipsdebug=none plutodebug=none nat_traversal=yes interfaces="%defaultroute" include /etc/ipsec.d/examples/no_oe.conf conn net-to-net left=%defaultroute leftsubnet=192.168.0.0/24 leftnexthop=%defaultroute leftcert=/etc/ipsec.d/mycert2.pem leftrsasigkey=%cert right=211.78.84.93 rightsubnet=10.2.111.0/24 rightid="@SSG550.sti.com.tw" rightnexthop=%defaultroute auto=add pfs=no / $ / $ / $ insmo / $ insmod /lib / $ insmod /lib/mo / $ insmod /lib/modules/ip / $ insmod /lib/modules/ipsec.o  klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.4.9 klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251) klips_info:ipsec_alg_init: calling ipsec_alg_static_init() ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0 ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0 / $ / $ / $ /e / $ /etc/ini / $ /etc/init. / $ /etc/init.d/ipse / $ /etc/init.d/ipsec start ipsec_setup: Starting Openswan IPsec 2.4.9... / $ pluto[1134]: Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI) pluto[1134]: Setting NAT-Traversal port-4500 floating to on pluto[1134]: port floating activation criteria nat_t=1/port_fload=1 pluto[1134]: including NAT-Traversal patch (Version 0.6c) pluto[1134]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) pluto[1134]: starting up 1 cryptographic helpers pluto[1134]: started helper pid=1139 (fd:5) pluto[1134]: Using KLIPS IPsec interface code on 2.4.19-rmk4 pluto[1134]: Changing to directory '/etc/ipsec.d/cacerts' pluto[1134]: loaded CA cert file 'caserver.pem' (1054 bytes) pluto[1134]: Changing to directory '/etc/ipsec.d/aacerts' pluto[1134]: Changing to directory '/etc/ipsec.d/ocspcerts' pluto[1134]: Changing to directory '/etc/ipsec.d/crls' pluto[1134]: Warning: empty directory pluto[1134]: loaded host cert file '/etc/ipsec.d/mycert2.pem' (3887 bytes) pluto[1134]: added connection description "net-to-net" pluto[1134]: listening for IKE messages pluto[1134]: NAT-Traversal: ESPINUDP(1) not supported by kernel for family IPv4 pluto[1134]: adding interface ipsec0/eth0 192.168.0.200:500 pluto[1134]: NAT-Traversal: ESPINUDP(2) not supported by kernel for family IPv4 pluto[1134]: NAT-Traversal port floating turned off pluto[1134]: NAT-Traversal is turned OFF due to lack of KERNEL support: 0/0 pluto[1134]: adding interface ipsec0/eth0 192.168.0.200:4500 pluto[1134]: loading secrets from "/etc/ipsec.secrets" pluto[1134]: loaded private key file '/etc/ipsec.d/clientkey1.pem' (3683 bytes) / $ / $ / $ ipse / $ ipsec auto --add net-to-net pluto[1134]: attempt to redefine connection "net-to-net" 020 attempt to redefine connection "net-to-net" / $ / $ / $ / $ ipsec auto --add net-to-netdd net-to-net  net-to-net  net-to-net u net-to-netp net-to-net net-to-net pluto[1134]: "net-to-net" #1: initiating Main Mode 104 "net-to-net" #1: STATE_MAIN_I1: initiate pluto[1134]: "net-to-net" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000] pluto[1134]: "net-to-net" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off pluto[1134]: "net-to-net" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] pluto[1134]: "net-to-net" #1: received Vendor ID payload [Dead Peer Detection] pluto[1134]: "net-to-net" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100] 003 "net-to-net" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000] 003 "net-to-net" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off 003 "net-to-net" #1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] 003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection] 003 "net-to-net" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100] pluto[1134]: "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 pluto[1134]: "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2 106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2 pluto[1134]: "net-to-net" #1: ignoring CERT_NONE certificate request payload pluto[1134]: "net-to-net" #1: ignoring CERT_NONE certificate request payload pluto[1134]: "net-to-net" #1: I am sending my cert pluto[1134]: "net-to-net" #1: I am sending a certificate request pluto[1134]: "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 pluto[1134]: "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "net-to-net" #1: ignoring CERT_NONE certificate request payload 003 "net-to-net" #1: ignoring CERT_NONE certificate request payload 108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3 pluto[1134]: "net-to-net" #1: Main mode peer ID is ID_FQDN: '@SSG550.sti.com.tw' pluto[1134]: "net-to-net" #1: no crl from issuer "C=TW, ST=Taiwan, L=Taipei, O=Dawningtech, OU=Support, CN=Dawningtech" found (strict=no) pluto[1134]: "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 pluto[1134]: "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024} 004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024} pluto[1134]: "net-to-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1} 117 "net-to-net" #2: STATE_QUICK_I1: initiate pluto[1134]: "net-to-net" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME 003 "net-to-net" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME pluto[1134]: "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 pluto[1134]: "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xf566fabc <0x9b6685e0 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none} 004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xf566fabc <0x9b6685e0 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none} / $ / $ / $ / $ / $ / $ / $ rou / $ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0 10.2.111.0 192.168.0.1 255.255.255.0 UG 0 0 0 ipsec0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0 / $ / $ / $ / $ ping 10.2.111.2 PING 10.2.111.2 (10.2.111.2): 56 data bytes 84 bytes from 10.2.111.2: icmp_seq=0 ttl=253 time=40.0 ms 84 bytes from 10.2.111.2: icmp_seq=1 ttl=253 time=40.0 ms 84 bytes from 10.2.111.2: icmp_seq=2 ttl=253 time=40.0 ms --- 10.2.111.2 ping statistics --- 4 packets transmitted, 3 packets received, 25% packet loss round-trip min/avg/max = 40.0/40.0/40.0 ms / $ / $ / $ ftp 10.2.121.81 / $ / $ / $ ping 10.2.121.81 PING 10.2.121.81 (10.2.121.81): 56 data bytes --- 10.2.121.81 ping statistics --- 7 packets transmitted, 0 packets received, 100% packet loss / $ / $ ping 10.2.121.81     11.0 PING 10.2.111.0 (10.2.111.0): 56 data bytes --- 10.2.111.0 ping statistics --- 6 packets transmitted, 0 packets received, 100% packet loss / $ / $ ping 10.2.111.0 2 PING 10.2.111.2 (10.2.111.2): 56 data bytes 84 bytes from 10.2.111.2: icmp_seq=0 ttl=253 time=50.0 ms 84 bytes from 10.2.111.2: icmp_seq=1 ttl=253 time=40.0 ms --- 10.2.111.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 40.0/45.0/50.0 ms / $