<div dir="ltr">
<p>Hello everyone,</p>
<p>I am trying to set up the config below, without success.</p>
<p>From a64 &lt;=&gt; peace-dk</p>
<pre>[169.173.0.0/24] a64 [169.173.0.64] =&gt; [169.173.0.1] adsl modem [118.92.238.50] ========== [202.78.240.7] linux-fw [192.168.2.1] =&gt; [192.168.2.252] peace-dk</pre>
<p>I have configured the adsl modem to forward IKE traffic (udp 4500 and 500) to a64 (169.173.0.64). But I did not (and do not want to) set it up on linux-fw the same way. I want the connection initiated from peace-dk, joining 169.173.0.0/24 with 192.168.2.252/32. The exact same setup works with racoon (in a64, set passive on). Now I am trying to do it with openswan with the following config:</p>
<p>on a64</p>
<pre>conn for-peace
        left=169.173.0.64
        #leftid=a64
        leftnexthop=%defaultroute
        authby=secret
        type=tunnel
        forceencaps=yes
        leftsubnet=169.173.0.0/24
        rightnexthop=202.78.240.7
        right=192.168.2.252
        rightsubnet=192.168.2.252/32
        esp=blowfish-sha1
        keyexchange=ike
        auto=add</pre>
<p>on peace-dk</p>
<pre>conn home1
        type=tunnel
        forceencaps=yes
        authby=secret
        left=192.168.2.252
        leftnexthop=%defaultroute
        leftsubnet=192.168.2.252/32
        rightnexthop=118.92.238.50
        right=169.173.0.64
        rightsubnet=169.173.0.0/24
        esp=blowfish-sha1
        auto=start</pre>
<p>It does not work; it seems phase 1 gets through but phase 2 is pending.</p>
<pre>root@peace:~# ipsec auto --status | grep home
000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0
000 "home1":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "home1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "home1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1; encap: udp;
000 "home1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "home1":   IKE algorithms wanted: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict
000 "home1":   IKE algorithms found: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict
000 "home1":   ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict
000 "home1":   ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict
000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd
000 #1: pending Phase 2 for "home1" replacing #0</pre>
<pre>root@a64:~# ipsec auto --status|grep peace
000 "for-peace": 169.173.0.0/24===169.173.0.64---169.173.0.1...202.78.240.7---192.168.2.252===192.168.2.252/32; unrouted; eroute owner: #0
000 "for-peace":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "for-peace":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "for-peace":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: udp;
000 "for-peace":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "for-peace":   ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict
000 "for-peace":   ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict
000 #1: "for-peace":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 29s; nodpd
000 #1: pending Phase 2 for "for-peace" replacing #0</pre>
<p>Any idea what I did wrong? That is the only case where I have trouble setting up openswan (and racoon works); in all other cases I can easily get openswan to work without any problem at all (tested with winXP, cisco PIX and other linux).</p>
<p>Thanks in advance,</p>
<p>Regards,</p>
<p>-- <br>Steve Kieu</p>
</div>
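Reading `ipsec auto --status` output by hand is error-prone, so here is an added example (not part of the post above, and not Openswan's own tooling) that parses the status lines quoted in the post and reports where each connection actually stands. The sample input is the two status excerpts from the post, trimmed to the lines the parser uses; the function and field names (`parse_status`, `diagnose`, `both_ends_initiating`, the `Conn` dataclass) are this example's own. It goes slightly beyond the post by also classifying the "up" case and the "phase 1 done, phase 2 not agreed" case, so it can be run against status output from other tunnels.

```python
import re
from dataclasses import dataclass, field

# Sample input: the two `ipsec auto --status` excerpts quoted in the post,
# trimmed to the lines this parser cares about.
PEACE_STATUS = """\
000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0
000 "home1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1; encap: udp;
000 "home1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd
000 #1: pending Phase 2 for "home1" replacing #0
"""
A64_STATUS = """\
000 "for-peace": 169.173.0.0/24===169.173.0.64---169.173.0.1...202.78.240.7---192.168.2.252===192.168.2.252/32; unrouted; eroute owner: #0
000 "for-peace":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: udp;
000 "for-peace":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #1: "for-peace":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 29s; nodpd
000 #1: pending Phase 2 for "for-peace" replacing #0
"""

# Line shapes as printed by Openswan's "ipsec auto --status".
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<tunnel>\S+); (?P<route>[^;]+); eroute owner: #(?P<owner>\d+)')
SA_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)')
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<name>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) \((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s')
PENDING_RE = re.compile(r'^000 #(?P<num>\d+): pending Phase 2 for "(?P<name>[^"]+)"')


@dataclass
class Conn:
    """What the status output tells us about one conn (example-local type)."""
    name: str
    tunnel: str = ""
    route: str = ""           # e.g. "erouted HOLD", "unrouted"
    isakmp_sa: int = 0        # #0 means no phase 1 SA has been established
    ipsec_sa: int = 0         # #0 means no phase 2 SA has been established
    states: list = field(default_factory=list)  # (state, event, seconds) per IKE state
    pending_phase2: bool = False


def parse_status(text):
    """Parse status lines into a dict of conn name -> Conn."""
    conns = {}
    for line in text.splitlines():
        line = line.rstrip()
        for regex in (CONN_RE, SA_RE, STATE_RE, PENDING_RE):
            m = regex.match(line)
            if not m:
                continue
            c = conns.setdefault(m["name"], Conn(m["name"]))
            if regex is CONN_RE:
                c.tunnel, c.route = m["tunnel"], m["route"]
            elif regex is SA_RE:
                c.isakmp_sa, c.ipsec_sa = int(m["isakmp"]), int(m["ipsec"])
            elif regex is STATE_RE:
                c.states.append((m["state"], m["event"], int(m["secs"])))
            else:
                c.pending_phase2 = True
            break
    return conns


def diagnose(c):
    """One-line reading of where the conn is stuck, from the SA numbers and IKE state."""
    if c.isakmp_sa and c.ipsec_sa:
        return "up: ISAKMP SA #%d and IPsec SA #%d established" % (c.isakmp_sa, c.ipsec_sa)
    stuck = [s for s in c.states if s[0] == "STATE_MAIN_I1" and s[1] == "EVENT_RETRANSMIT"]
    if stuck:
        # MI1 sent, no MR1 back: the peer never answered the first Main Mode message,
        # so IKE on UDP 500 is not reaching it or its reply is not coming back.
        return ("phase 1 not established: sent MI1, no MR1 received, retransmitting in %ds"
                % stuck[0][2])
    if c.isakmp_sa and not c.ipsec_sa:
        return "phase 1 established, phase 2 not agreed: check subnets and ESP proposals"
    if c.states:
        return "negotiating: " + ", ".join(s[0] for s in c.states)
    return "loaded but idle: no IKE state"


def both_ends_initiating(a, b):
    """True when both ends sit in STATE_MAIN_I1 and neither shows a responder
    (STATE_MAIN_R*) state: each side is sending MI1 and nobody is answering."""
    def initiating(c):
        return any(s[0] == "STATE_MAIN_I1" for s in c.states)

    def responding(c):
        return any(s[0].startswith("STATE_MAIN_R") for s in c.states)
    return initiating(a) and initiating(b) and not (responding(a) or responding(b))


if __name__ == "__main__":
    peace = parse_status(PEACE_STATUS)["home1"]
    a64 = parse_status(A64_STATUS)["for-peace"]
    for host, c in (("peace-dk", peace), ("a64", a64)):
        print("%s/%s: route=%s; %s" % (host, c.name, c.route, diagnose(c)))
    if both_ends_initiating(peace, a64):
        print("both ends are initiators with no responder state: check that IKE reaches a64 and the reply reaches peace-dk")
```

Running it on the post's output reports both conns as "phase 1 not established" with `newest ISAKMP SA: #0`, and flags that both ends are initiators with no responder state. That is the thing to check first in a setup like this: whether MI1 from peace-dk actually arrives at a64 (tcpdump on UDP 500 at a64) and whether a64's MR1 makes it back through linux-fw.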