<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>This line in your status or logs indicates
that you have a phase 1 connection:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>STATE_MAIN_I4 (ISAKMP SA
established)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>This line in your status or logs indicates that you
have a phase 2 connection:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>STATE_QUICK_I2 (sent QI2, IPsec SA
established)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>Once you've received the IPsec SA established message
you know the connection is connected.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>If you cannot ping the remote side, it could be due to
firewall rules or your conn settings, among other things.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>You only get an ipsec0 interface if you're using KLIPS,
which you only get if you specifically install it and turn off
NETKEY,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>since NETKEY is enabled by default in most modern
kernels. NETKEY is also sometimes known as NATIVE and does
not</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>have an ipsec0 interface; instead it reuses the public
interface, whatever it is, in your case ppp0.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>ipsec version or ipsec verify will tell you which one
you're using, and are also good info to send to the list with your
problem.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>Are your ping tests being done to and from the
servers themselves or from hosts on the subnets?</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>Either do your ping tests to and from hosts on the
subnets or add leftsourceip=&lt;left server LAN ip&gt; and rightsourceip to your
conn.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>If you've done this and still can't ping, it may be
your firewall, are you running firewall software or iptables on either server or
between them?</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>If you do, you need to allow the IPsec traffic as
follows:</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>protocol 17 (udp), port 500
(isakmp)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>protocol 50 (esp)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>protocol 17 (udp), port 4500 (nat-t) if you're using NAT
traversal to get through network address translation routers between the
hosts.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>You also need to allow the ping and other traffic that
utilizes the tunnels.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=467361715-28112007>And you cannot NAT any of this traffic if you're SNATing
or MASQUERADEing your LAN(s) to the internet.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
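<DIV align=left><FONT face=Arial size=2>The firewall rules and status checks Peter describes above, as an added example that is not part of the original thread and not Openswan's own code: a small POSIX shell script (call it ipsec-check.sh, a name chosen here) that prints the iptables rules a NETKEY gateway needs (IKE on UDP 500, ESP, NAT-T on UDP 4500, the tunnelled LAN-to-LAN traffic in FORWARD, and a NAT exemption placed ahead of MASQUERADE) and that reads the output of ipsec auto --status to report whether phase 1 and phase 2 are established and whether leftsourceip/rightsourceip are set. The interface name, peer address and subnets are assumptions taken from Phil's configuration as seen from zulu (ppp0 as the public interface); the iptables policy match module (-m policy) is standard iptables, not something from the thread; and the responder-side states STATE_MAIN_R3 and STATE_QUICK_R2 are included as a generalisation beyond the two initiator states named above. The embedded status sample is trimmed from the output Phil posted.</FONT></DIV>

```sh
#!/bin/sh
# Added example for this thread, not Openswan's own code: firewall rules for an
# Openswan/NETKEY gateway and a check of `ipsec auto --status` output.
# Values below are assumptions taken from the thread (zulu's side); override
# them in the environment for a real gateway.

WAN_IF=${WAN_IF:-ppp0}                       # NETKEY: no ipsec0, tunnel traffic rides the public interface
PEER=${PEER:-202.72.167.27}                  # remote gateway (bravo)
LOCAL_SUBNET=${LOCAL_SUBNET:-10.3.0.0/24}    # LAN behind this gateway
REMOTE_SUBNET=${REMOTE_SUBNET:-192.168.10.0/24}

# Print the iptables rules. Nothing is applied unless the output is piped to sh.
gen_ipsec_rules() {
    cat <<EOF
# IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50), from/to the peer only
iptables -A INPUT  -i $WAN_IF -s $PEER -p udp --dport 500  -j ACCEPT
iptables -A INPUT  -i $WAN_IF -s $PEER -p udp --dport 4500 -j ACCEPT
iptables -A INPUT  -i $WAN_IF -s $PEER -p esp -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $PEER -p udp --sport 500  -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $PEER -p udp --sport 4500 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $PEER -p esp -j ACCEPT
# LAN-to-LAN traffic through the tunnel. It arrives on $WAN_IF already
# decrypted, so match the IPsec policy instead of trusting the private
# source address: a plain "-s $REMOTE_SUBNET" rule would also accept
# spoofed cleartext from the Internet.
iptables -A FORWARD -i $WAN_IF -m policy --dir in  --pol ipsec -s $REMOTE_SUBNET -d $LOCAL_SUBNET -j ACCEPT
iptables -A FORWARD -o $WAN_IF -m policy --dir out --pol ipsec -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j ACCEPT
# Never NAT the tunnelled traffic: the exemption is inserted at position 1 of
# POSTROUTING so it is always evaluated before the masquerade rule.
iptables -t nat -I POSTROUTING 1 -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LOCAL_SUBNET -j MASQUERADE
EOF
}

# Usage: ipsec auto --status | conn_state <conn>
# Prints: phase1=yes|no phase2=yes|no sourceip=set|unset|unknown
# Phase 1 is up at STATE_MAIN_I4 (initiator) or STATE_MAIN_R3 (responder),
# phase 2 at STATE_QUICK_I2 or STATE_QUICK_R2. sourceip=unset means pings
# sent from the gateway itself leave with the public address and miss the
# tunnel; add leftsourceip/rightsourceip or test from LAN hosts instead.
conn_state() {
    conn=$1
    status=$(cat)
    p1=no; p2=no; sip=unknown
    if printf '%s\n' "$status" | grep -Eq "\"$conn\":[0-9]+ STATE_MAIN_(I4|R3) "; then p1=yes; fi
    if printf '%s\n' "$status" | grep -Eq "\"$conn\":[0-9]+ STATE_QUICK_(I2|R2) "; then p2=yes; fi
    if printf '%s\n' "$status" | grep -Eq "\"$conn\": +srcip=unset;"; then sip=unset
    elif printf '%s\n' "$status" | grep -Eq "\"$conn\": +srcip=[0-9.]+;"; then sip=set
    fi
    echo "phase1=$p1 phase2=$p2 sourceip=$sip"
}

# Status lines trimmed from the output Phil posted, to exercise conn_state offline.
sample_status() {
    cat <<'EOF'
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
EOF
}

case "${1:-}" in
    rules) gen_ipsec_rules ;;
    apply) gen_ipsec_rules | sh ;;
    check) ipsec auto --status | conn_state "${2:?conn name required}" ;;
    demo)  sample_status | conn_state bravo-zulu ;;   # prints: phase1=yes phase2=yes sourceip=unset
esac
```

<DIV align=left><FONT face=Arial size=2>Run the script with demo to see the verdict on the sample output (phase 1 and phase 2 both established, source IPs unset, which is exactly the state in which a ping from the gateway itself bypasses the tunnel), with rules to print the ruleset for review, and only then with apply as root. The FORWARD rules match on the IPsec policy rather than on the private source address alone because, on NETKEY, decrypted packets appear on the public interface, and a rule keyed only on 10.3.0.0/24 or 192.168.10.0/24 would also accept spoofed plaintext arriving from the Internet.</FONT></DIV>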
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Phil Wild [mailto:philwild@gmail.com]
<BR><B>Sent:</B> November 28, 2007 10:14 AM<BR><B>To:</B> Paul Wouters;
petermcgill@goco.net; Users@openswan.org<BR><B>Subject:</B> Re: [Openswan
Users] Help required: Trouble setting up openswan<BR></FONT><BR></DIV>
<DIV></DIV>Hi <BR><BR>I have fixed the routing table and I think I have
progressed a little further. I have also turned off the
plutodebug.<BR><BR>netstat -rn shows<BR><BR>
<PRE>root@zulu:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
203.161.90.1    0.0.0.0         255.255.255.255 UH      0 0          0 ppp0
10.3.0.0        0.0.0.0         255.255.255.0   U       0 0          0 eth1
192.168.10.0    203.161.90.1    255.255.255.0   UG      0 0          0 ppp0
0.0.0.0         0.0.0.0         0.0.0.0         U       0 0          0 ppp0
</PRE>
<BR><BR>Should I see an ipsec interface here?<BR><BR>I am still unsure if
I am actually getting a valid connection. What I do know is that I cannot
ping through the vpn<BR><BR>running ipsec auto --status gives
me:<BR><BR>
<PRE>root@bravo:/var/log# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.2
000 interface eth1/eth1 202.72.167.27
000 interface eth1:1/eth1:1 202.72.167.29
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #3: "bravo-zulu" esp.2549d809@203.161.71.190 esp.f6c5b82a@202.72.167.27 tun.0@203.161.71.190 tun.0@202.72.167.27
000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26858s
000 #2: "bravo-zulu" esp.b72ad41a@203.161.71.190 esp.e40902a@202.72.167.27 tun.0@203.161.71.190 tun.0@202.72.167.27
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
</PRE>
<BR>ifconfig -a does not show an ipsec0 interface, should I see an ipsec interface on the
hosts? <BR><BR>Cheers<BR><BR>Phil<BR><BR>
<DIV><SPAN class=gmail_quote>On 27/11/2007, <B class=gmail_sendername>Paul
Wouters</B> <<A href="mailto:paul@xelerance.com">paul@xelerance.com</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">On
Mon, 26 Nov 2007, Phil Wild wrote:<BR><BR>> I posted the below to the
list about a week ago and did not get any<BR>> responses. Does anyone
have any ideas what is going wrong with my<BR>> configuration as I have
not been able to get any further. <BR><BR>> > Nov 20 14:25:15 bravo
ipsec__plutorun: ...could not start conn "bravo-zulu"<BR>> > netstat
-rn on host zulu shows:<BR>> ><BR>
<PRE>> > Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
> > 203.161.90.1    0.0.0.0         255.255.255.255 UH      0 0          0 ppp0
> > 10.3.0.0        0.0.0.0         255.255.255.0   U       0 0          0 eth1
> > 192.168.10.0    203.161.90.1    255.255.255.0   UG      0 0          0 ppp0
> > 0.0.0.0         0.0.0.0         0.0.0.0         U       0 0          0 ppp0
</PRE>
<BR>Blame your ISP if that is really the default route you got. Try
changing to<BR>something that might make sense. Run a traceroute and check
what your real gateway<BR>is, then do a "route add -host ipofgw dev ppp0"
and "route add default gw ipofgw"<BR><BR>Paul<BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Tel: 0400 466 952<BR>Fax: 0433 123 226<BR>email: <A
href="mailto:philwild@gmail.com">philwild@gmail.com</A>
</BLOCKQUOTE></BODY></HTML>