<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE>@font-face {
        font-family: Cambria Math;
}
@font-face {
        font-family: Calibri;
}
@font-face {
        font-family: Tahoma;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.0in 1.0in 1.0in; }
P.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
LI.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
DIV.MsoNormal {
        FONT-SIZE: 11pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Calibri","sans-serif"
}
A:link {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlink {
        COLOR: blue; TEXT-DECORATION: underline; mso-style-priority: 99
}
A:visited {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
SPAN.MsoHyperlinkFollowed {
        COLOR: purple; TEXT-DECORATION: underline; mso-style-priority: 99
}
PRE {
        FONT-SIZE: 10pt; MARGIN: 0in 0in 0pt; FONT-FAMILY: "Courier New"; mso-style-priority: 99; mso-style-link: "HTML Preformatted Char"
}
SPAN.HTMLPreformattedChar {
        FONT-FAMILY: "Courier New"; mso-style-priority: 99; mso-style-link: "HTML Preformatted"; mso-style-name: "HTML Preformatted Char"
}
SPAN.EmailStyle19 {
        COLOR: windowtext; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle20 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle21 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal
}
SPAN.EmailStyle22 {
        COLOR: #1f497d; FONT-FAMILY: "Calibri","sans-serif"; mso-style-type: personal-reply
}
.MsoChpDefault {
        FONT-SIZE: 10pt; mso-style-type: export-only
}
DIV.Section1 {
        page: Section1
}
</STYLE>
</HEAD>
<BODY lang=EN-US vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>I cannot find anything wrong with your
setup.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>Yes, you're correct, the Ubuntu firewall is blocking/altering
nothing.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>(This is as it should be if you turned it
off.)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>When you get things working, you should be able to turn the
firewall</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>back on, so long as it allows -p 50 and -p 17 -d 500
inbound/outbound,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>and excludes your remote subnet from NAT
MASQUERADE/SNAT.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>iptables -t nat -I POSTROUTING -d 192.168.36.0/24 -j
ACCEPT</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>The pictures cleared a few questions
up.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>Your linksys configs look just fine to
me.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>You put your key in the Ubuntu in /etc/ipsec.secrets, like
this, right?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>66.225.UbuntuIP : PSK "my secret text
key"</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>Your Cisco 2950 Series isn't by any chance firewall
filtering or</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>network address translating the IPSec traffic, or trying to
intercept it?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>My only other suggestion is to do an ipsec barf and post
its output</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>to the list, in an attachment.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>Maybe someone else can see what your problem
is.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>Best to post in plain text; not everyone can read HTML
mail, and</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>the list digests strip HTML mail out to links... which I
never used to</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=208135818-14032008><FONT face=Arial
color=#0000ff size=2>bother to read; others might do the
same.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
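<P>An added example, not code from this thread or from the Openswan project: a POSIX shell script that audits an <code>iptables-save</code> dump for the rules Peter lists above (UDP/500 and protocol 50 accepted in both directions, and the remote subnet excluded from MASQUERADE/SNAT before the NAT rule) so the check can be repeated after the Ubuntu firewall is turned back on. The remote subnet 192.168.36.0/24 is the rightsubnet from the thread; the WAN interface name eth0 and the three sample rulesets are constructed for the illustration and are not Chris's real configuration.</P>

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): audit an "iptables-save" dump for
# the rules an IPsec site-to-site tunnel needs before the firewall is re-enabled:
#   - UDP/500 (ISAKMP) and IP protocol 50 (ESP) accepted in INPUT and OUTPUT
#   - the remote subnet ACCEPTed in nat/POSTROUTING *before* any MASQUERADE/SNAT
#     rule (iptables matches in order; a later exclusion never fires)
# Assumed for the constructed samples (not stated in the thread): WAN interface eth0.

REMOTE_SUBNET="${REMOTE_SUBNET:-192.168.36.0/24}"   # rightsubnet= from ipsec.conf

# has_rule DUMP TABLE REGEX: succeed if some line of table TABLE matches REGEX
has_rule() {
    printf '%s\n' "$1" | awk -v table="*$2" -v pat="$3" '
        /^\*/                    { cur = $0; next }      # "*filter", "*nat", ...
        cur == table && $0 ~ pat { found = 1 }
        END                      { exit (found ? 0 : 1) }'
}

# ipsec_rules_present DUMP: all four IKE/ESP accept rules are in the filter table
ipsec_rules_present() {
    missing=0
    for spec in \
        'filter|^-A INPUT .*-p udp.*--dport 500.*-j ACCEPT' \
        'filter|^-A OUTPUT .*-p udp.*--dport 500.*-j ACCEPT' \
        'filter|^-A INPUT .*-p (esp|50) .*-j ACCEPT' \
        'filter|^-A OUTPUT .*-p (esp|50) .*-j ACCEPT'
    do
        table=${spec%%"|"*}; pat=${spec#*"|"}
        has_rule "$1" "$table" "$pat" || { echo "missing in $table: $pat"; missing=1; }
    done
    return $missing
}

# nat_exclusion_ok DUMP SUBNET: if POSTROUTING masquerades or SNATs, packets for the
# remote subnet must hit an ACCEPT first; otherwise their source address is rewritten
# and they no longer match the leftsubnet<->rightsubnet IPsec policy
nat_exclusion_ok() {
    printf '%s\n' "$1" | awk -v subnet="$2" '
        /^\*/ { cur = $0; next }
        cur != "*nat" || $0 !~ /^-A POSTROUTING / { next }
        { n++ }                                              # position in the chain
        $0 ~ ("-d " subnet " ") && /-j ACCEPT/ && !excl { excl = n }
        /-j (MASQUERADE|SNAT)/ && !masq                 { masq = n }
        END {
            if (!masq)       exit 0                          # no NAT in POSTROUTING
            if (!excl)       { print "remote subnet " subnet " is not excluded from NAT"; exit 1 }
            if (excl > masq) { print "NAT exclusion comes after the MASQUERADE/SNAT rule"; exit 1 }
            exit 0
        }'
}

# check_ipsec_firewall DUMP: 0 if the ruleset is ready for the tunnel, 1 otherwise
check_ipsec_firewall() {
    rc=0
    ipsec_rules_present "$1"               || rc=1
    nat_exclusion_ok "$1" "$REMOTE_SUBNET" || rc=1
    return $rc
}

# Constructed sample rulesets: a masquerading gateway with no IPsec rules, the same
# with the rules in the right order, and one with the exclusion appended after MASQUERADE.
FILTER_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT'
NAT_HEAD='*nat
:POSTROUTING ACCEPT [0:0]'
BAD_DUMP="*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
$NAT_HEAD
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT"
GOOD_DUMP="$FILTER_OK
$NAT_HEAD
-A POSTROUTING -d 192.168.36.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT"
WRONG_ORDER_DUMP="$FILTER_OK
$NAT_HEAD
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.36.0/24 -j ACCEPT
COMMIT"

if [ "${1-}" = "-" ]; then check_ipsec_firewall "$(cat)"; exit; fi   # audit a real dump
for name in BAD_DUMP GOOD_DUMP WRONG_ORDER_DUMP; do
    echo "== $name =="; eval "dump=\$$name"
    check_ipsec_firewall "$dump" && echo "ready for the tunnel"
done
```

<P>Run without arguments it reports on the three constructed samples; on the real gateway, <code>iptables-save | sh ipsec_fw_check.sh -</code> (as root) audits the live ruleset. The ordering check is the part that is easy to get wrong by hand: appending the exclusion with <code>-A</code> after a MASQUERADE rule that is already present leaves it unreachable, which is why the thread uses <code>-I POSTROUTING</code>.</P>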
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Chris Thomas
[mailto:cthomas@harkinsbuilders.com] <BR><B>Sent:</B> March 14, 2008 2:19
PM<BR><B>To:</B> users@openswan.org; petermcgill@goco.net<BR><B>Subject:</B>
RE: [Openswan Users] Getting there....<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal>Sorry about that. Here’s the info:<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>When I run <SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">the command you
gave me below, I get this:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"><o:p> </o:p></SPAN></P>
<PRE>root@gatekeeper:/home/administrator# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@gatekeeper:/home/administrator# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@gatekeeper:/home/administrator# iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@gatekeeper:/home/administrator#</PRE>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">I guess this is telling me
that nothing is blocked and there are no rules?<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">I am connecting through the
internet. My company is actually the ISP for other companies in our
building and the building next to us, so I am using a separate IP space
outside of our network to put the Linksys box and set up my test remote
site. My Linux server is using an IP in the same subnet as my Check
Point firewall, but it is going “around” the firewall. To help explain
all of this, I have thrown together a quick diagram of everything. You
can access it here: <A
href="http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html">http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html</A>.
If I have left something out, please let me know.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">The Ubuntu server and the
Linksys router do indeed have their own external IP addresses. Here is
my Linksys config: <A
href="http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html">http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html</A>
and <A
href="http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html">http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html</A>.
<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">I am hoping these pics look
OK. If you need me to provide additional information, please let me
know.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">Thanks again for all of your
help.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d">-Chris<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Peter McGill
[mailto:petermcgill@goco.net] <BR><B>Sent:</B> Friday, March 14, 2008 12:50
PM<BR><B>To:</B> Chris Thomas; users@openswan.org<BR><B>Subject:</B> RE:
[Openswan Users] Getting there....<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Firewall
was merely a place to check, not guaranteed to be the problem.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">If you
can get a console on your Ubuntu, you can check the firewall with...</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">iptables
-t filter -L -n -v</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">iptables
-t nat -L -n -v</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">iptables
-t mangle -L -n -v</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Are
you connecting through the internet, or are you testing
internally?</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Do
both the Ubuntu server and linksys router have public internet ip
addresses?</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">(Not
172.16...172.32... or 10... or 192.168..., etc...)</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">I
cannot tell as you completely edited them from your posts.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Next
time try just masking the end like: 66.11.x.x</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Testing
internally sometimes needs different settings than production
internet.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Is
linksys using DES or 3DES? Should be 3DES & MD5 matching your
openswan.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Can
you show us your linksys ipsec configuration?</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Peter
McGill</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: blue 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p> </o:p></SPAN></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <B>On Behalf
Of </B>Chris Thomas<BR><B>Sent:</B> March 14, 2008 12:19 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> Re: [Openswan Users] Getting
there....</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">OK, I have hit a brick wall
here and it’s getting a bit frustrating. I have disabled the Linux
firewall and the Shoreline firewall on my server and I’m still getting the
same error below when I attempt to establish the tunnel. Is this
absolutely positively due to a firewall issue or is it possible that I’ve
got something else incorrectly configured somewhere? I am fairly new
to Linux so I am administering my Ubuntu server with Webmin. That is
what I am using to verify that the firewall(s) are turned off.
<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">I have also disabled the
firewall on the Linksys box and have examined its logs. This is what
shows up after I hit “connect” to initiate the tunnel:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<PRE>Mar 14 09:33:34 - [VPN Log]: "pax_square" #2: initiating Main Mode
Mar 14 09:33:43 - [VPN Log]: initiate on demand from 192.168.36.100:0 to 192.168.0.30:0 proto=0 state: fos_start because: acquire
Mar 14 09:34:44 - [VPN Log]: "pax_square" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Mar 14 10:08:54 - [VPN Log]: "pax_square" #3: initiating Main Mode
Mar 14 10:10:04 - [VPN Log]: "pax_square" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Mar 14 10:53:58 - [VPN Log]: "pax_square" #4: initiating Main Mode
Mar 14 10:55:08 - [VPN Log]: "pax_square" #4: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message</PRE>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">If it helps, this is my
ipsec.conf file on the Ubuntu server running OpenSwan:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<PRE>version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        uniqueids=yes

include /etc/ipsec.d/examples/no_oe.conf

conn pax_square
        also=central-site
        right=%any                      # accept the Linksys from any address
        rightid=@pax_square             # it must identify itself with this ID
        rightsubnet=192.168.36.0/24
        also=linksys-policy
        auto=add                        # loaded at start; the Linksys initiates

conn central-site
        left=(external IP of Linux server)
        leftsubnet=192.168.0.0/24
        leftsourceip=192.168.0.20

conn linksys-policy
        ike=3des-md5-modp1024
        esp=3des-md5
        compress=no
        authby=secret                   # PSK from /etc/ipsec.secrets</PRE>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>If it’s definitely the firewall, I’ll go back to the
drawing board and see what I can see.<o:p></o:p></P>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal>As before, I appreciate the help and
patience.<o:p></o:p></P>
<P class=MsoNormal>Thanks<o:p></o:p></P>
<P class=MsoNormal>-Chris<o:p></o:p></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Peter McGill
[mailto:petermcgill@goco.net] <BR><B>Sent:</B> Thursday, March 13, 2008 4:14
PM<BR><B>To:</B> Chris Thomas; users@openswan.org<BR><B>Subject:</B> RE:
[Openswan Users] Getting there....<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Check
your firewall(s) on both ends, and check the linksys logs.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">You
must allow ipsec (and ipsec encapsulated traffic) in your
firewalls.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<PRE style="COLOR: blue">protocol  port  description
17        500   udp:isakmp
50              esp</PRE>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">You
must allow the above inbound and outbound on your internet
interfaces.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">You
must also allow the subnet-to-subnet traffic.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Peter
McGill</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: blue 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p> </o:p></SPAN></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <B>On
Behalf Of </B>Chris Thomas<BR><B>Sent:</B> March 13, 2008 4:06
PM<BR><B>To:</B> users@openswan.org<BR><B>Subject:</B> Re: [Openswan
Users] Getting there....</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal>OK, I changed my Linksys box to 1024 bit and I now have
this:<o:p></o:p></P>
<P class=MsoNormal><SPAN
style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<PRE>Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring unknown Vendor ID payload [4f4540454371496d7a684644]
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [Dead Peer Detection]
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote site IP):500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: responding to Main Mode from unknown peer (remote site IP)
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #9: STATE_MAIN_R1: sent MR1, expecting MI2</PRE>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Mar 13 16:02:28
gatekeeper pluto[11850]: "pax_square"[5] (remote site IP) #7: max number
of retransmissions (2) reached STATE_MAIN_R1<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Thanks<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">-Chris<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="COLOR: #1f497d"><o:p> </o:p></SPAN></P>
<DIV>
<DIV
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; BORDER-LEFT: medium none; PADDING-TOP: 3pt; BORDER-BOTTOM: medium none">
<P class=MsoNormal><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'"> Peter McGill
[mailto:petermcgill@goco.net] <BR><B>Sent:</B> Thursday, March 13, 2008
3:50 PM<BR><B>To:</B> Chris Thomas; users@openswan.org<BR><B>Subject:</B>
RE: [Openswan Users] Getting there....<o:p></o:p></SPAN></P></DIV></DIV>
<P class=MsoNormal><o:p> </o:p></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">There
is a mismatch in your options, specifically your DH/modp
Group.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Diffie-Hellman
(DH) Group needs to match Openswan's ike=*-modp????</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">I'm
guessing that your Linksys is sending Diffie-Hellman (DH) Group 1
(768-bit).</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">Openswan
will not allow this because it's too weak of security.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">If
you have ike=3des-md5-modp1024 or ike=aes-sha1-modp1024 as I
suggested,</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: 'Arial','sans-serif'">then
change your Linksys to use Group 2 (1024-bit) to match it.</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial','sans-serif'">Peter
McGill</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"> <o:p></o:p></SPAN></P></DIV>
<BLOCKQUOTE
style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: blue 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p> </o:p></SPAN></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'">
<HR align=center width="100%" SIZE=2>
</SPAN></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">From:</SPAN></B><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Tahoma','sans-serif'">
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <B>On
Behalf Of </B>Chris Thomas<BR><B>Sent:</B> March 13, 2008 3:40
PM<BR><B>To:</B> users@openswan.org<BR><B>Subject:</B> [Openswan Users]
Getting there....</SPAN><SPAN
style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'"><o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Hello again,
everyone. I have configured my Linksys box to connect to my Ubuntu
server running OpenSwan, but when I attempt to initiate the connection,
my logs on the server at HQ get full of this
stuff:<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote site external IP):500:
ignoring unknown Vendor ID payload
[4f4540454371496d7a684644]<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote site external IP):500:
received Vendor ID payload [Dead Peer Detection]<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote site external IP):500:
received Vendor ID payload [RFC 3947] meth=110, but port floating is
off<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote site external IP):500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
port floating is off<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote site external IP):500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
port floating is off<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: packet from (remote site external IP):500:
ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1:
responding to Main Mode from unknown peer (remote site external
IP)<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1:
only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.
Attribute OAKLEY_GROUP_DESCRIPTION<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1:
no acceptable Oakley Transform<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP) #1:
sending notification NO_PROPOSAL_CHOSEN to (remote site external
IP):500<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">Mar 13 15:31:54
gatekeeper pluto[11850]: "pax_square"[1] (remote site external IP):
deleting connection "pax_square" instance with peer (remote site
external IP) {isakmp=#0/ipsec=#0}<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">I am assuming that it
has something to do with the Preshared key that I am using, but I am not
too sure how to go about fixing it. I do not want to be a
nuisance, but can anyone give me a (another) push in the right
direction? <o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt"><o:p> </o:p></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt">I appreciate your
patience.<o:p></o:p></SPAN></P>
<P class=MsoNormal><SPAN
style="FONT-SIZE: 10pt">-Chris</SPAN><o:p></o:p></P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></DIV></BLOCKQUOTE></BODY></HTML>
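The two pluto excerpts in this thread show two different Phase 1 failures: first the responder rejects the peer's Diffie-Hellman group and answers NO_PROPOSAL_CHOSEN, then, after the Linksys is moved to Group 2, Main Mode reaches STATE_MAIN_R1 but the responder's MR1 is never answered and the retransmit limit is hit. The following is an added example, not code from the thread or from Openswan: a small triage script that reads pluto log lines and names the symptom each one indicates. The sample log text is constructed from the lines quoted above, with the redacted "(remote site IP)" replaced by the documentation address 203.0.113.7; the OAKLEY_GROUP_MODP name to IKE group number table is the standard IANA numbering (MODP1024 is Group 2, MODP1536 is Group 5). The `Finding`, `triage` and `codes` names are this example's own.

```python
"""Triage helper for Openswan pluto Main Mode failures (added example)."""
import re
from dataclasses import dataclass

# IANA IKE group numbers behind the MODP group names pluto prints.
IKE_GROUP_NUMBER = {
    "OAKLEY_GROUP_MODP768": 1,
    "OAKLEY_GROUP_MODP1024": 2,
    "OAKLEY_GROUP_MODP1536": 5,
    "OAKLEY_GROUP_MODP2048": 14,
}


@dataclass(frozen=True)
class Finding:
    code: str    # machine-readable tag for the symptom
    detail: str  # what the log shows and what to check
    line: int    # 1-based line number in the excerpt


# Line shapes pluto uses in these excerpts: syslog prefix, then either a
# "packet from ..." line or a per-SA line '"conn"[n] peer #sa: message'.
_RX_PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?P<body>.*)$")
_RX_SA = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): (?P<msg>.*)$')
_RX_GROUPS = re.compile(r"only (?P<g>OAKLEY_GROUP_\w+(?: and OAKLEY_GROUP_\w+)*) supported")
_RX_RETRANS = re.compile(r"max number of retransmissions \((?P<n>\d+)\) reached (?P<st>STATE_\w+)")


def triage(log_text: str) -> list:
    """Scan pluto log lines and return one Finding per distinct symptom."""
    findings, seen = [], set()

    def add(code, detail, line):
        if code not in seen:  # report each symptom once, at its first line
            seen.add(code)
            findings.append(Finding(code, detail, line))

    for n, raw in enumerate(log_text.splitlines(), 1):
        m = _RX_PREFIX.match(raw)
        if not m:
            continue
        body = m.group("body")
        if "port floating is off" in body:
            add("nat_t_disabled", "peer advertises NAT-T but this gateway has NAT "
                "traversal off; only matters if a NAT sits between the gateways", n)
        s = _RX_SA.match(body)
        if not s:
            continue
        sa, msg = s.group("sa"), s.group("msg")
        g = _RX_GROUPS.search(msg)
        if g:
            names = g.group("g").split(" and ")
            nums = [IKE_GROUP_NUMBER.get(x, "?") for x in names]
            add("dh_group_mismatch", f"SA #{sa}: peer proposed a DH group this side "
                f"rejects; accepted {', '.join(names)} = IKE group(s) {nums}; "
                "set the peer to one of them", n)
        elif "no acceptable Oakley Transform" in msg or "NO_PROPOSAL_CHOSEN" in msg:
            add("phase1_proposal_rejected",
                f"SA #{sa}: no Phase 1 proposal matched this side's ike= line", n)
        r = _RX_RETRANS.search(msg)
        if r:
            add("phase1_stalled", f"SA #{sa}: stuck in {r.group('st')} after "
                f"{r.group('n')} retransmits; this side replied but the peer's next "
                "Main Mode message never arrived", n)
    return findings


def codes(findings) -> set:
    """Set of symptom tags in a triage result (handy for tests and alerting)."""
    return {f.code for f in findings}


# Constructed samples based on the thread's two excerpts; 203.0.113.7 stands
# in for the redacted "(remote site IP)".
LOG_GROUP_REJECTED = "\n".join([
    "Mar 13 15:31:54 gatekeeper pluto[11850]: packet from 203.0.113.7:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off",
    'Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.7 #1: responding to Main Mode from unknown peer 203.0.113.7',
    'Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.7 #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported. Attribute OAKLEY_GROUP_DESCRIPTION',
    'Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.7 #1: no acceptable Oakley Transform',
    'Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 203.0.113.7 #1: sending notification NO_PROPOSAL_CHOSEN to 203.0.113.7:500',
])
LOG_STALLED = "\n".join([
    "Mar 13 16:01:48 gatekeeper pluto[11850]: packet from 203.0.113.7:500: received Vendor ID payload [Dead Peer Detection]",
    "Mar 13 16:01:48 gatekeeper pluto[11850]: packet from 203.0.113.7:500: received Vendor ID payload [RFC 3947] meth=110, but port floating is off",
    'Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 203.0.113.7 #9: responding to Main Mode from unknown peer 203.0.113.7',
    'Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 203.0.113.7 #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 203.0.113.7 #9: STATE_MAIN_R1: sent MR1, expecting MI2',
    'Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5] 203.0.113.7 #7: max number of retransmissions (2) reached STATE_MAIN_R1',
])

if __name__ == "__main__":
    for f in triage(LOG_GROUP_REJECTED) + triage(LOG_STALLED):
        print(f"line {f.line}: {f.code}: {f.detail}")
```

Run against the first excerpt it reports the DH group mismatch (with the accepted groups translated to IKE Group 2 and 5, which is exactly the change Peter suggests) and the resulting NO_PROPOSAL_CHOSEN; against the second it reports only that Phase 1 stalled in STATE_MAIN_R1, which tells you the proposal problem is gone and the next thing to look at is why the peer's MI2 never reaches the gateway. The "port floating is off" note fires in both and is informational unless one of the gateways is behind NAT.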