<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EstiloCorreo17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=ES link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><a name="OLE_LINK2"></a><a name="OLE_LINK1"><span
lang=EN-US>Hi Everyone,<o:p></o:p></span></a></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>I’m experiencing problems to connect
to networks using openswan on two DEBIAN Servers both with two network
interfaces, iptables firewall and NAT rules. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>VPN connection starts but I’ve got the
following message on Firewall B:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>packet from 212.170.202.XXX:500: initial
Main Mode message received on 192.168.3.2:500 but no connection has been
authorized<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Please, any suggestion?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Thanks in advance.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Jorge Quiros<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Networks topology:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>SUBNET A <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>192.168.0.0/24<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>FIREWALL A (NAT ENABLED)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>192.168.0.5(eth3)|192.168.1.2(eth4)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ADSL ROUTER A (STATIC PUBLIC IP)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> 192.168.1.1 (212.170.202.XXX)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>INTERNET<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>ADSL ROUTER B (STATIC PUBLIC IP)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>192.168.3.1 (88.2.182.XXX)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>FIREWALL B (NAT ENABLED)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> 192.168.3.2(eth0)|192.168.1.3(eth1)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> |<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>SUBNET B <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> 192.168.1.0/24<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>/etc/ipsec.conf:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US># basic configuration<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>config setup<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> forwardcontrol=no<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> nat_traversal=yes<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> nhelpers=0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> plutodebug=none<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> klipsdebug=all<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> syslog=auth.debug<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Add connections here<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US># sample VPN connections, see
/etc/ipsec.d/examples/<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>#Disable Opportunistic Encryption<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>include /etc/ipsec.d/examples/no_oe.conf<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal>conn A-B<o:p></o:p></p>
<p class=MsoNormal> left=192.168.2.2<o:p></o:p></p>
<p class=MsoNormal> leftsubnet=192.168.0.0/24<o:p></o:p></p>
<p class=MsoNormal> leftid=@a.conA-B.es<o:p></o:p></p>
<p class=MsoNormal> leftrsasigkey=0sAQOaU3oaT1wSGWCzD0yfmYE0QI1toL/baZfy1RGiIdnceM….<o:p></o:p></p>
<p class=MsoNormal> leftnexthop=212.170.202.XXX<o:p></o:p></p>
<p class=MsoNormal> <span lang=EN-US>right=88.2.182.XXX<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> rightsubnet=192.168.1.0/24<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> rightid=@b.conA-B.es<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>
rightrsasigkey=0sAQPBm59puhrn6MUGY3ZbNX8ovBWK4uNuwRyrTHIdk…<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> rightnexthop=192.168.3.2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US> auto=add<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Firewall A:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Generated by iptables-save v1.3.6 on Fri
May 9 19:24:55 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>*nat<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:PREROUTING ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:OUTPUT ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:POSTROUTING ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Escritorio Remoto<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A PREROUTING -p tcp -m tcp -s YYY.YYY.YYY.YYY-i
eth4 --dport 3389 -j DNAT --to-destination 192.168.0.2<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A POSTROUTING -s 192.168.0.0/24 ! -d
192.168.1.0/24 -o eth3 -j MASQUERADE<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A POSTROUTING -s 192.168.0.0/24 ! -d
192.168.1.0/24 -o eth4 -j MASQUERADE<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>COMMIT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Completed on Fri May 9 19:24:55 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Generated by iptables-save v1.3.6 on Fri
May 9 19:24:55 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>*mangle<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:PREROUTING ACCEPT [25:1951]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:INPUT ACCEPT [24:1911]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:FORWARD ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:OUTPUT ACCEPT [21:6351]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:POSTROUTING ACCEPT [21:6351]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>COMMIT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Completed on Fri May 9 19:24:55 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Generated by iptables-save v1.3.6 on Fri
May 9 19:24:55 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>*filter<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:FORWARD ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:INPUT DROP [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:OUTPUT ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:LOG_ACCEPT - [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p icmp -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 127.0.0.1/8 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 88.2.182.XXX -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 192.168.0.0/24 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 192.168.1.0/24 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 192.168.3.0/24 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p tcp -m tcp -i eth4 --dport 80
-j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p esp -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p ah -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p udp -m udp -m multiport --ports
500 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p udp -m udp -m multiport --ports
4500 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A LOG_ACCEPT -j LOG --log-prefix
"LOG_ACCEPT " --log-level 4 --log-ip-options --log-tcp-options
--log-tcp-sequence<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A LOG_ACCEPT -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT ! -p icmp -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT -p esp -j LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT -p ah -j LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT -p udp -m udp --sport 500 -j
LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT -p udp -m udp --sport 4500 -j
LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>COMMIT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Completed on Fri May 9 19:24:55 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Firewall B:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Generated by iptables-save v1.3.6 on Tue
Aug 26 15:57:57 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>*nat<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:PREROUTING ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:OUTPUT ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:POSTROUTING ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A POSTROUTING -s 192.168.1.0/24 ! -d
192.168.0.0/24 -o eth0 -j MASQUERADE<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A POSTROUTING -s 192.168.1.0/24 ! -d
192.168.0.0/24 -o eth1 -j MASQUERADE<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>COMMIT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Completed on Tue Aug 26 15:57:57 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Generated by iptables-save v1.3.6 on Tue
Aug 26 15:57:57 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>*mangle<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:PREROUTING ACCEPT [11:1820]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:INPUT ACCEPT [11:1820]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:FORWARD ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:OUTPUT ACCEPT [10:3637]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:POSTROUTING ACCEPT [10:3637]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>COMMIT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Completed on Tue Aug 26 15:57:57 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Generated by iptables-save v1.3.6 on Tue
Aug 26 15:57:57 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>*filter<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:FORWARD ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:INPUT DROP [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:OUTPUT ACCEPT [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>:LOG_ACCEPT - [0:0]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p icmp -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 127.0.0.1/18 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 212.170.202.150 -j LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 192.168.2.0/24 -j LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -s 192.168.0.0/24 -j LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p udp -m udp -m multiport -s
212.170.202.XXX --ports 500 -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p tcp -m tcp -i eth0 --dport 80
-j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p esp -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT -p esp -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A OUTPUT -p ah -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A LOG_ACCEPT -j LOG --log-prefix
"LOG_ACCEPT " --log-level 4 --log-ip-options --log-tcp-options
--log-tcp-sequence<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A LOG_ACCEPT -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p ah -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -p udp -m udp --dport 4500 -j
LOG_ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>-A INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>COMMIT<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US># Completed on Tue Aug 26 15:57:57 2008<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>A’s auth.log:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec_setup: KLIPS
ipsec0 on eth4 192.168.2.2/255.255.255.0 broadcast 192.168.2.255 <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec__plutorun:
Starting Pluto subsystem...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
Setting NAT-Traversal port-4500 floating to on<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
port floating activation criteria nat_t=1/port_fload=1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
including NAT-Traversal patch (Version 0.6c)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate
sources of random<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
WARNING: Using /dev/urandom as the source of random<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: no
helpers will be started, all cryptographic operations will be done inline<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: Using
Linux 2.6 IPsec interface code on 2.6.18-6-686<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: Changing
to directory '/etc/ipsec.d/cacerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
Changing to directory '/etc/ipsec.d/aacerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
Changing to directory '/etc/ipsec.d/ocspcerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
Changing to directory '/etc/ipsec.d/crls'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
Warning: empty directory<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec_setup:
...Openswan IPsec started<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec_setup:
Starting Openswan IPsec 2.4.6...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec_setup: insmod
/lib/modules/2.6.18-6-686/kernel/net/key/af_key.ko <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec_setup: insmod
/lib/modules/2.6.18-6-686/kernel/net/ipv4/xfrm4_tunnel.ko <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion ipsec_setup: insmod
/lib/modules/2.6.18-6-686/kernel/net/xfrm/xfrm_user.ko <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: added
connection description "A-B"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
listening for IKE messages<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface eth3/eth3 192.168.0.5:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface eth3/eth3 192.168.0.5:4500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface eth4/eth4 192.168.2.2:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface eth4/eth4 192.168.2.2:4500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface lo/lo 127.0.0.1:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface lo/lo 127.0.0.1:4500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]: adding
interface lo/lo ::1:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:52 bastion pluto[4554]:
loading secrets from "/etc/ipsec.secrets"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>B’s auth.log:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:04 bastion2 ipsec_setup: KLIPS
ipsec0 on eth0 192.168.3.2/255.255.255.0 broadcast 192.168.3.255 <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:04 bastion2 ipsec__plutorun:
Starting Pluto subsystem...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:04 bastion2 pluto[23887]:
Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Setting NAT-Traversal port-4500 floating to on<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
port floating activation criteria nat_t=1/port_fload=1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
including NAT-Traversal patch (Version 0.6c)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate
sources of random<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
WARNING: Using /dev/urandom as the source of random<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]: no
helpers will be started, all cryptographic operations will be done inline<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Using Linux 2.6 IPsec interface code on 2.6.18-6-686<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 ipsec_setup:
...Openswan IPsec started<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 ipsec_setup:
Starting Openswan IPsec 2.4.6...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 ipsec_setup:
insmod /lib/modules/2.6.18-6-686/kernel/net/key/af_key.ko <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 ipsec_setup:
insmod /lib/modules/2.6.18-6-686/kernel/net/ipv4/xfrm4_tunnel.ko <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 ipsec_setup:
insmod /lib/modules/2.6.18-6-686/kernel/net/xfrm/xfrm_user.ko <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Changing to directory '/etc/ipsec.d/cacerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Changing to directory '/etc/ipsec.d/aacerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Changing to directory '/etc/ipsec.d/ocspcerts'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Changing to directory '/etc/ipsec.d/crls'<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
Warning: empty directory<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
added connection description "A-B"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
listening for IKE messages<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface eth0/eth0 192.168.3.2:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface eth0/eth0 192.168.3.2:4500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface eth1/eth1 192.168.1.3:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface eth1/eth1 192.168.1.3:4500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface lo/lo 127.0.0.1:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface lo/lo 127.0.0.1:4500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
adding interface lo/lo ::1:500<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:14:05 bastion2 pluto[23887]:
loading secrets from "/etc/ipsec.secrets"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload [Openswan (this
version) 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload [Dead Peer
Detection]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload [RFC 3947] method
set to=110 <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US>Sep 26 10:15:17 bastion2 pluto[23887]:
packet from 212.170.202.XXX:500: initial Main Mode message received on
192.168.3.2:500 but no connection has been authorized<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US>That’s all …<o:p></o:p></span></p>
</div>
</body>
</html>