<div dir="ltr"><br>Hi, I solved the problem myself by looking at the wiki. It is not actually clearly documented on the man page that the right should be the publicly accessible IP of the left rather than the VPN endpoints. Also, the man page does not give an example of such a setup; otherwise I would not have lost nearly 5 hours figuring it out. :-)<br>
<br>But openswan is really much better than racoon in my experience.<br><br><div class="gmail_quote">On Fri, Sep 19, 2008 at 1:05 PM, Steve Kieu <span dir="ltr"><<a href="mailto:msh.computing@gmail.com">msh.computing@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr"><br>Hello everyone,<br><br>I am trying to set up the config below without success.<br>
<br>From a64 <=> peace-dk<br><br> [169.173.0.0/24] a64 [169.173.0.64] => [169.173.0.1] adsl modem [118.92.238.50] ========== [202.78.240.7] linux-fw [192.168.2.1] => [192.168.2.252] peace-dk<br>
<br clear="all">I have configured the adsl modem to forward IKE traffic (udp 4500 and 500) to a64 (169.173.0.64). But I did not (and do not want to) set it up on linux-fw the same way. I want the connection initiated from peace-dk, joining 169.173.0.0/24 with 192.168.2.252/32. The exact same setup works with racoon (with passive on in a64). Now I am trying to do it with openswan with the following config:<br>
<br>on a64<br><br>conn for-peace<br> left=169.173.0.64<br> #leftid=a64<br> leftnexthop=%defaultroute<br> authby=secret<br> type=tunnel<br>
 forceencaps=yes<br>
 leftsubnet=169.173.0.0/24<br> rightnexthop=202.78.240.7<br> right=192.168.2.252<br>
 rightsubnet=192.168.2.252/32<br>
 esp=blowfish-sha1<br> keyexchange=ike<br> auto=add<br><br>on peace-dk<br><br>conn home1<br> type=tunnel<br> forceencaps=yes<br> authby=secret<br> left=192.168.2.252<br>
 leftnexthop=%defaultroute<br> leftsubnet=192.168.2.252/32<br> rightnexthop=118.92.238.50<br> right=169.173.0.64<br>
 rightsubnet=169.173.0.0/24<br> esp=blowfish-sha1<br> auto=start<br><br>It does not work; it seems phase 1 gets through but phase 2 is pending<br><br>
root@peace:~# ipsec auto --status | grep home<br>
000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0<br>
000 "home1": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>000 "home1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>000 "home1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1; encap: udp;<br>
000 "home1": newest ISAKMP SA: #0; newest IPsec SA: #0; <br>000 "home1": IKE algorithms wanted: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict<br>000 "home1": IKE algorithms found: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict<br>
000 "home1": ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict<br>000 "home1": ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict<br>000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd<br>
000 #1: pending Phase 2 for "home1" replacing #0<br><br><br>root@a64:~# ipsec auto --status|grep peace<br>000 "for-peace": 169.173.0.0/24===169.173.0.64---169.173.0.1...202.78.240.7---192.168.2.252===192.168.2.252/32; unrouted; eroute owner: #0<br>
000 "for-peace": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>000 "for-peace": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "for-peace": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: udp;<br>000 "for-peace": newest ISAKMP SA: #0; newest IPsec SA: #0; <br>000 "for-peace": ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict<br>
000 "for-peace": ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict<br>000 #1: "for-peace":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 29s; nodpd<br>000 #1: pending Phase 2 for "for-peace" replacing #0<br>
<br><br>Any idea what I did wrong? That is the only case where I have had trouble setting up openswan (and racoon works); in all other cases I can easily get openswan to work without any problem at all (tested with WinXP, Cisco PIX and other Linux).<br>
<br>Thanks in advance,<br><br>Regards,<br><br><br>-- <br>Steve Kieu<br><br>
</div>
</blockquote></div><br><br clear="all"><br>-- <br>Steve Kieu<br><br>
</div>
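An added example for this thread (not part of the original posts, and not openswan's own code): a small Python script that checks an openswan conn block's right= against a map of which private endpoint sits behind which public NAT address, and reads ipsec auto --status lines to say where negotiation stands. The conn text, the NAT map and the status lines below are constructed from the config, diagram and output posted above. The status on both sides shows STATE_MAIN_I1 (sent MI1, expecting MR1) with a retransmit pending, which means the first IKE message went out and no reply ever came back; that is what you get when right= names a private address the NAT in front of the peer will never deliver to.

```python
"""Check openswan 'right=' values against a NAT map and read 'ipsec auto --status' output.

Added example for the thread above (not part of the original posts). All sample
text below is constructed from the config, diagram and status the poster shared.
"""
import re

# Constructed: the a64 conn block as posted, with the mail client's link markup removed.
CONN_A64 = """\
conn for-peace
 left=169.173.0.64
 #leftid=a64
 leftnexthop=%defaultroute
 authby=secret
 type=tunnel
 forceencaps=yes
 leftsubnet=169.173.0.0/24
 rightnexthop=202.78.240.7
 right=192.168.2.252
 rightsubnet=192.168.2.252/32
 esp=blowfish-sha1
 keyexchange=ike
 auto=add
"""

# Constructed from the diagram: private IKE endpoint -> public address of the NAT in front of it.
NAT_MAP = {
    "169.173.0.64": "118.92.238.50",   # a64 sits behind the adsl modem
    "192.168.2.252": "202.78.240.7",   # peace-dk sits behind linux-fw
}

# Constructed: the status lines from peace-dk that the parser below uses.
STATUS_PEACE = """\
000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0
000 "home1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd
000 #1: pending Phase 2 for "home1" replacing #0
"""


def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value}); '#' comment lines are skipped."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return name, params


def check_right(params, nat_map):
    """Return the 'right=' value IKE can actually reach, or None if the current one is fine.

    This is the lesson from the thread: when the peer is behind NAT, 'right' must be the
    public address of that NAT, not the peer's private address (which is what the posted
    config used on both sides).
    """
    right = params.get("right")
    public = nat_map.get(right)
    if public is None or public == right:
        return None
    return public


# openswan status lines: the per-state-object line and the per-conn "newest SA" summary.
STATE_RE = re.compile(r'^000 #\d+: "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<detail>[^)]*)\)')
NEWEST_RE = re.compile(r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)')


def diagnose_status(text):
    """Map each conn in 'ipsec auto --status' output to a one-line reading of where it is stuck."""
    info = {}
    for line in text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            info.setdefault(m["conn"], {}).update(isakmp=int(m["isakmp"]), ipsec=int(m["ipsec"]))
            continue
        m = STATE_RE.match(line)
        if m:
            info.setdefault(m["conn"], {}).update(state=m["state"], detail=m["detail"])
    readings = {}
    for conn, d in info.items():
        if d.get("state") == "STATE_MAIN_I1":
            # MI1 went out and no MR1 came back: the peer never saw the IKE packet.
            readings[conn] = "phase 1 not started: MI1 sent, no MR1 reply (IKE not reaching the peer)"
        elif d.get("isakmp", 0) == 0:
            readings[conn] = "no ISAKMP SA: phase 1 incomplete"
        elif d.get("ipsec", 0) == 0:
            readings[conn] = "phase 1 up, phase 2 not established"
        else:
            readings[conn] = "tunnel up"
    return readings


if __name__ == "__main__":
    name, params = parse_conn(CONN_A64)
    fix = check_right(params, NAT_MAP)
    print(f"{name}: right={params['right']}" + (f" -> should be {fix}" if fix else " ok"))
    for conn, reading in diagnose_status(STATUS_PEACE).items():
        print(f"{conn}: {reading}")
```

Run on the a64 block it reports that right= should be 202.78.240.7 (the public side of linux-fw); the same check on the peace-dk block with NAT_MAP would point at 118.92.238.50. The NAT map is the operator's knowledge of the topology, which is exactly the piece the man page example in the thread was missing.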