<div dir="ltr"><div><span style="font-weight: bold;">this is my network structure</span></div>
<pre>
roadwarrior ==== NAT firewall ==== DMZ ==== (eth1) vpnserver ==== 192.168.1.xxx office network
                                                      ||
                                                      || (eth0)
                                                      ||
                                             LAN ======||
</pre>
<div>eth1=219.93.36.xxx # connected to DMZ</div>
<div>eth0=192.168.1.xx # connected to LAN</div>
<div><span style="font-weight: bold;">this is my /etc/ipsec.conf</span><div>
version 2.0 # conforms to second version of ipsec.conf specification<br></div><div><div><br></div>
<div># basic configuration</div><div>config setup</div><div> interfaces="ipsec1=eth1"</div><div> # interfaces=%defaultroute</div><div> # plutodebug / klipsdebug = "all", "none" or a combation from below:</div>
<div> # "raw crypt parsing emitting control klips pfkey natt x509 private"</div><div> # eg: plutodebug="control parsing"</div><div> #</div><div> # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!</div>
<div> #</div><div> # NAT-TRAVERSAL support, see README.NAT-Traversal</div><div> nat_traversal=yes</div><div> virtual_private=%v4:219.93.36.0/24,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24</div>
<div> plutodebug=none</div><div> plutostderrlog=/var/log/pluto.log</div><div> #</div><div> # enable this if you see "failed to find any available worker"</div><div> # nhelpers=0</div>
<div> # uniqueids=yes</div><div><br></div><div># Add connections here</div><div> </div><div>conn %default</div><div> authby=rsasig</div><div> keyingtries=1</div><div> compress=yes</div><div> disablearrivalcheck=no</div>
<div> ikelifetime=1h</div><div> leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol</div>
<div> leftcert=/etc/ipsec.d/private/vpnserverKey.pem</div><div> rightrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol</div>
<div> auto=ignore</div><div><br></div><div> </div><div> #conn roadwarrior-all</div><div> # leftsubnet=0.0.0.0/0</div><div> # also=roadwarrior</div>
<div><br></div><div>
conn road</div><div> type=tunnel</div><div> forceencaps=yes</div><div> left=219.93.36.214 # this is my eth1 connected to DMZ</div><div> # left=%defaultroute</div>
<div> leftcert=vpnserverKey.pem</div>
<div> leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net"</div><div> # leftid=@vpnserver.scan-associates.net</div>
<div> # leftnexthop=219.93.36.193</div><div> right=60.54.220.178 # this is my public ip of the windows xp client</div>
<div> # right=%any</div><div>
# rightsubnet=vhost:%no,%priv</div><div> rightprotoport=17/1701</div><div> # rightnexthop=%defaultroute</div><div> leftprotoport=17/1701</div><div> leftsubnet=192.168.1.0/24</div>
<div> esp=aes128-sha1</div><div> ike=aes128-sha</div><div> rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net"</div>
<div> pfs=no</div><div> dpddelay=40</div><div> dpdtimeout=130</div><div> dpdaction=clear</div><div> leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh</div><div> rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh</div>
<div> auto=add</div><div><br></div><div>conn block<br></div><div> auto=ignore</div><div><br></div><div>conn private</div><div> auto=ignore</div><div><br></div><div>conn private-or-clear</div><div> auto=ignore</div>
<div><br></div><div>conn clear-or-private</div><div> auto=ignore</div><div><br></div><div>conn clear</div><div> auto=ignore</div><div><br></div><div>conn packetdefault</div><div> auto=ignore</div><div> </div>
<div># sample VPN connections, see /etc/ipsec.d/examples/</div><div><br></div><div>#Disable Opportunistic Encryption</div><div>include /etc/ipsec.d/examples/no_oe.conf</div><div><br></div><div><span style="font-weight: bold;">this is my ipsec auto --status</span></div>
<div>root@vpnserver:~# ipsec auto --status<br></div><div><div>000 interface eth0/eth0 2001:328:2002:5ca2:21b:11ff:fe51:751f</div><div>000 interface lo/lo ::1</div><div>000 interface lo/lo 127.0.0.1</div>
<div>000 interface lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 192.168.1.148</div><div>000 interface eth0/eth0 192.168.1.148</div>
<div>000 interface eth1/eth1 219.93.36.214</div><div>000 interface eth1/eth1 219.93.36.214</div><div>000 %myid = (none)</div>
<div>000 debug none</div><div>
000 </div><div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</div><div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</div>
<div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256</div>
<div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div>
<div>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div><div>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0</div><div>000 </div><div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</div>
<div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div>
<div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div>
<div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div>
<div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 </div><div>000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,480} attrs={0,4,320} </div><div>000 </div>
<div>000 "road": 192.168.1.0/24===219.93.36.214[C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]:17/1701...60.54.220.178[C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=danny@scan-associates.net]:17/1701; unrouted; eroute owner: #0</div>
<div>000 "road": srcip=unset; dstip=unset; srcup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh; dstup=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh;</div><div>000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1</div>
<div>000 "road": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP; prio: 24,32; interface: eth1; encap: udp;</div><div>000 "road": dpd: action:clear; delay:40; timeout:130; </div><div>000 "road": newest ISAKMP SA: #0; newest IPsec SA: #0; </div>
<div>000 "road": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5), AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=strict</div><div>000 "road": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)</div>
<div>000 "road": ESP algorithms wanted: AES(12)_128-SHA1(2); flags=strict</div><div>000 "road": ESP algorithms loaded: AES(12)_128-SHA1(2); flags=strict</div><div>000 </div><div>000 </div><div><br>
</div><div><span style="font-weight: bold;">this is my ipsec verify</span></div><div><div>root@vpnserver:~# ipsec verify</div><div>Checking your system to see if IPsec got installed and started correctly:</div>
<div>Version check and ipsec on-path [OK]</div><div>Linux Openswan U2.4.9/K2.6.24-16-server (netkey)</div><div>Checking for IPsec support in kernel [OK]</div><div>
NETKEY detected, testing for disabled ICMP send_redirects [OK]</div><div>NETKEY detected, testing for disabled ICMP accept_redirects [OK]</div><div>Checking for RSA private key (/etc/ipsec.secrets) [OK]</div>
<div>Checking that pluto is running [OK]</div><div>Two or more interfaces found, checking IP forwarding [OK]</div><div>Checking NAT and MASQUERADEing [OK]</div>
<div>Checking for 'ip' command [OK]</div><div>Checking for 'iptables' command [OK]</div><div>Opportunistic Encryption Support [DISABLED]</div>
<div><br></div></div></div><div><span style="font-weight: bold;">this is my error log when trying to bring up the connection</span></div><div><br></div><div><div>"road" #3: initiating Main Mode</div>
<div>"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]</div>
<div>"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]</div>
<div>"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]</div>
<div>"road" #3: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message</div><div><br></div></div></div></div>
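A small Python helper, added here and not part of the original post or of Openswan, that parses the pluto error lines quoted above (which address complained, the ICMP type/code, and the IKE state in which retransmissions ran out) and folds them into a per-connection verdict; the sample log is constructed from the lines in the post.

```python
import re
# Constructed sample from the pluto log lines quoted in the post (the repeated
# "asynchronous network error" line is kept twice; the post shows it three times).
SAMPLE_LOG = '''\
"road" #3: initiating Main Mode
"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #3: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"road" #3: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
'''

ERR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): ERROR: asynchronous network error report on '
    r'(?P<iface>\S+) \(sport=(?P<sport>\d+)\) for message to (?P<peer>\S+) port '
    r'(?P<dport>\d+), complainant (?P<complainant>[^:]+):.*?origin ICMP type '
    r'(?P<type>\d+) code (?P<code>\d+)')
RETRANS_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: max number of retransmissions \(\d+\) reached (?P<state>\w+)')
# ICMP destination-unreachable (type 3) codes an IPsec admin meets most often.
ICMP_UNREACH = {0: "network unreachable", 1: "host unreachable", 3: "port unreachable",
                10: "host administratively prohibited", 13: "administratively prohibited"}

def parse_pluto_log(text):
    """One dict per ICMP error report or retransmit-exhausted line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            e = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
            events.append(dict(e, kind="icmp_error"))
        elif RETRANS_RE.search(line):
            events.append(dict(RETRANS_RE.search(line).groupdict(), kind="retransmit_exhausted"))
    return events

def diagnose(events):
    """Fold the events into one verdict per connection name."""
    out = {}
    for e in events:
        v = out.setdefault(e["conn"], {"icmp_reports": 0, "state": None, "verdict": "no evidence"})
        if e["kind"] == "retransmit_exhausted":
            v["state"] = e["state"]          # e.g. STATE_MAIN_I1: no IKE reply came back at all
            continue
        v["icmp_reports"] += 1
        v["icmp"] = (e["type"], e["code"])
        reason = ICMP_UNREACH.get(e["code"], "code %d" % e["code"]) if e["type"] == 3 else "ICMP type %d" % e["type"]
        # complainant == peer: the peer address itself (here the client's NAT box) says the UDP port is closed.
        who = "peer address itself" if e["complainant"] == e["peer"] else "hop " + e["complainant"]
        # pluto marks the ICMP "(not authenticated)": confirm with a capture on the far side before acting on it.
        v["verdict"] = "%s reports %s for UDP/%d" % (who, reason, e["dport"])
    return out
```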