<br><font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">as far as I know, also from other devices,
you need to have a separate IPSec SA for each left/right subnet pair.</font>
<br><font size=2 face="sans-serif">E.g. with a Cisco router given the access
list</font>
<br><font size=2 face="sans-serif"> permit
ip 172.16.10.0 0.0.0.255 172.16.30.0 0.0.0.255</font>
<br><font size=2 face="sans-serif"> permit
ip 172.16.10.0 0.0.0.255 172.16.60.0 0.0.0.255</font>
<br><font size=2 face="sans-serif">as a pendant to left/right subnets,
the Cisco device would automatically establish </font>
<br><font size=2 face="sans-serif"> -
one IPSec SA for 172.16.10.0/24 <=> 172.16.30.0/24, and</font>
<br><font size=2 face="sans-serif"> -
one IPSec SA for 172.16.10.0/24 <=> 172.16.60.0/24</font>
<br>
<br><font size=2 face="sans-serif">I've never been working with FreeS/WAN,
but do you think, FreeS/WAN might have behaved similarly? Can you maybe
check how many IPSEC SAs FreeS/WAN establishes for each of your connections?</font>
<br>
<br><font size=2 face="sans-serif">With Openswan, the only thing that ever
worked for me was configuring a separate connection for each pair of left/right
subnets. Openswan will, then, establish only one ISAKMP SA with the Peer,
but will establish one IPSEC SA per connection defined.... maybe not the
ideal solution.</font>
<br>
<br><font size=2 face="sans-serif">Something that might be worth looking
into would be tunnelling over IPSec:</font>
<br><font size=2 face="sans-serif">you establish a host-to-host IPSec Tunnel,
and inside that IPSEC tunnel you define e.g. a GRE (IP-over-IP- or whatever)
tunnel.</font>
<br><font size=2 face="sans-serif">That tunnelling device, then, can be
used for routing as many subnets as you like without needing to change
the IPSec configuration at all.</font>
<br>
<br><font size=2 face="sans-serif">Best Regards,</font>
<br><font size=2 face="sans-serif"> Frank<br>
</font>
<br><font size=2 face="sans-serif">(Please forgive the long signature,
but it's required for company policies).</font>
<br><font size=2 face="sans-serif">Mit freundlichen Grüßen<br>
<br>
Frank Mayer <br>
Computer Technologies Group<br>
-----------------------------<br>
Phone: +43 316 495-5640 <br>
Mobile: +43 664 80495 5640<br>
Fax: +43 316 491 395 <br>
frank.mayer@knapp.com <br>
</font><a href=www.KNAPP.com><font size=2 face="sans-serif">www.KNAPP.com</font></a><font size=2 face="sans-serif">
<br>
-----------------------------<br>
KNAPP Logistik Automation GmbH <br>
Guenter-Knapp-Str. 5-7 <br>
8075 Hart bei Graz, Austria <br>
-----------------------------<br>
Commercial register number: FN 36404k<br>
Commercial register court: Graz<br>
-----------------------------<br>
The information in this e-mail (including any attachment) is confidential
and intended to be for the use of the addressee(s) only. If you have received
the e-mail by mistake, any disclosure, copy, distribution or use of the
contents of the e-mail is prohibited, and you must delete the e-mail from
your system. As e-mail can be changed electronically KNAPP assumes no responsibility
for any alteration to this e-mail or its attachments. KNAPP has taken every
reasonable precaution to ensure that any attachment to this e-mail has
been swept for virus. However, KNAPP does not accept any liability for
damage sustained as a result of such attachment being virus infected and
strongly recommend that you carry out your own virus check before opening
any attachment. <br>
<br>
</font>
<br><tt><font size=2>> ----- Message from Mattias Mattsson <mm4748190@gmail.com>
on Wed, 11<br>
> Feb 2009 09:15:31 -0800 -----</font></tt>
<br><tt><font size=2>> <br>
> To:</font></tt>
<br><tt><font size=2>> <br>
> hiren joshi <joshihirenn@gmail.com></font></tt>
<br><tt><font size=2>> <br>
> cc:</font></tt>
<br><tt><font size=2>> <br>
> users@openswan.org</font></tt>
<br><tt><font size=2>> <br>
> Subject:</font></tt>
<br><tt><font size=2>> <br>
> Re: [Openswan Users] Hub and spoke routing issue when using Openswan</font></tt>
<br><tt><font size=2>> <br>
> Hi Hiren,<br>
> <br>
> Thanks for your answer.<br>
> <br>
> I tried the configuration you suggested but I cannot get the tunnels<br>
> to establish if the hub does not actually own the subnet being <br>
> configured in ipsec.conf.<br>
> <br>
> Is this kind of setup supported in Openswan? If others have this <br>
> working then maybe my issue lies elsewhere?<br>
> <br>
> Thanks / Mattias<br>
> <br>
</font></tt>
<br><tt><font size=2>> On Wed, Feb 11, 2009 at 2:59 AM, hiren joshi
<joshihirenn@gmail.com> wrote:</font></tt>
<br><tt><font size=2>> Are you sure leftsubnet/rightsubnet configuration
is right?<br>
> I think it should be something like:<br>
> <br>
> y'<br>
> |<br>
> x' -- X -- Y -- Z -- z'<br>
> <br>
> X(spoke-1):<br>
> leftsubnet x'<br>
> rightsubnect z'<br>
> left X<br>
> right Y<br>
> <br>
> Z(spoke-2):<br>
> leftsubnet z'<br>
> rightsubnect x'<br>
> left Z<br>
> right Y<br>
> <br>
> Y: C-1
Y: C-2<br>
> leftsubnet x'
leftsubnet z'<br>
> rightsubnect z'
rightsubnect x'<br>
> left Y
left Y<br>
> right Z
right X<br>
> <br>
> Regards,<br>
> hiren</font></tt>
<br><tt><font size=2>> <br>
> On Tue, Feb 10, 2009 at 10:09 PM, Mattias Mattsson <mm4748190@gmail.com<br>
> > wrote:<br>
> > Hi All,<br>
> ><br>
> > I'm having a problem when trying to upgrade from FreeS/WAN 1.99
to Openswan<br>
> > 2.6.18 (klips).<br>
> ><br>
> > The setup is a hub and spoke VPN where two spoke sites (B and
C) are<br>
> > connecting into the hub site (A). The protected subnets are all
different<br>
> > (i.e. this is not an 'extruded subnet' setup) and eroutes are
used to route<br>
> > from B to C and vice versa.<br>
> ><br>
> > On each of the spokes, an additional eroute is added with the
local subnet<br>
> > as the source and the other spokes subnet as the destination
and the hub as<br>
> > the gateway.<br>
> ><br>
> > On the hub, two eroutes are added, each having one spoke as the
source and<br>
> > the other spoke as the destination.<br>
> ><br>
> > This works fine when using Freeswan, but when using Openswan
for the hub,<br>
> > the Hub does not even accept the incoming traffic from the spoke,
i.e. if I<br>
> > do a tcpdump on ipsec0 I do not see the incoming traffic.<br>
> ><br>
> > I'm including the configuration for the two setups, as well as
some ping and<br>
> > tcpdump output, note that they have different IP addresses (I
set up two<br>
> > setups to be able to run the tests at the same time). For both
setups, the<br>
> > WAN addresses are on the 192.168.1.x network and the LAN addresses
are on<br>
> > different 172.16.x.x subnets. Also note that in the Openswan
setup, only the<br>
> > hub is using Openswan, the two spokes are still Freeswan.<br>
> ><br>
> > How do I make this work in Openswan?<br>
> ><br>
> > Thanks / Mattias<br>
> ><br>
> ><br>
> ><br>
> > <br>
> -------------------------------------------------------------------------------------------------------------------------------------<br>
> > For the Freeswan setup, the IP addresses are as follows:<br>
> > Hub - 172.16.10.110 - 192.168.1.10<br>
> > Spoke1 - 172.16.30.130 - 192.168.1.30<br>
> > Spoke2 - 172.16.60.160 - 192.168.1.60<br>
> ><br>
> > Hub's ipsec.conf<br>
> > -----------------------<br>
> > config setup<br>
> > interfaces = "ipsec0=eth1"<br>
> > klipsdebug = none<br>
> > plutodebug = none<br>
> > plutoload = %search<br>
> > plutostart = %search<br>
> > uniqueids = yes<br>
> > hidetos = no<br>
> > conn t10to30<br>
> > type = tunnel<br>
> > left = 192.168.1.10<br>
> > right = 192.168.1.30<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.10.0/24<br>
> > rightsubnet = 172.16.30.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.10<br>
> > rightid = 192.168.1.30<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> > conn t10to60<br>
> > type = tunnel<br>
> > left = 192.168.1.10<br>
> > right = 192.168.1.60<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.10.0/24<br>
> > rightsubnet = 172.16.60.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.10<br>
> > rightid = 192.168.1.60<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> ><br>
> > Hub's eroutes<br>
> > -----------------------<br>
> > 0 172.16.10.0/24
-> 172.16.30.0/24 =><br>
> > tun0x101b@192.168.1.30<br>
> > 0 172.16.10.0/24
-> 172.16.60.0/24 =><br>
> > tun0x101f@192.168.1.60<br>
> > 26 172.16.30.0/24 ->
172.16.60.0/24 =><br>
> > tun0x101f@192.168.1.60<br>
> > 26 172.16.60.0/24 ->
172.16.30.0/24 =><br>
> > tun0x101b@192.168.1.30<br>
> ><br>
> > Spoke1's ipsec.conf<br>
> > -----------------------<br>
> > config setup<br>
> > interfaces = "ipsec0=eth1"<br>
> > klipsdebug = none<br>
> > plutodebug = none<br>
> > plutoload = %search<br>
> > plutostart = %search<br>
> > uniqueids = yes<br>
> > hidetos = no<br>
> > conn t30to10<br>
> > type = tunnel<br>
> > left = 192.168.1.30<br>
> > right = 192.168.1.10<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.30.0/24<br>
> > rightsubnet = 172.16.10.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.30<br>
> > rightid = 192.168.1.10<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> ><br>
> > Spoke1's eroutes<br>
> > -----------------------<br>
> > 0 172.16.30.0/24
-> 172.16.10.0/24 =><br>
> > tun0x1004@192.168.1.10<br>
> > 26 172.16.30.0/24 ->
172.16.60.0/24 =><br>
> > tun0x1004@192.168.1.10<br>
> ><br>
> ><br>
> > Spoke2's ipsec.conf<br>
> > -----------------------<br>
> > config setup<br>
> > interfaces = "ipsec0=eth1"<br>
> > klipsdebug = none<br>
> > plutodebug = none<br>
> > plutoload = %search<br>
> > plutostart = %search<br>
> > uniqueids = yes<br>
> > hidetos = no<br>
> > conn t60to10<br>
> > type = tunnel<br>
> > left = 192.168.1.60<br>
> > right = 192.168.1.10<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.60.0/24<br>
> > rightsubnet = 172.16.10.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.60<br>
> > rightid = 192.168.1.10<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> ><br>
> > Spoke2's eroutes<br>
> > -----------------------<br>
> > 0 172.16.60.0/24
-> 172.16.10.0/24 =><br>
> > tun0x1004@192.168.1.10<br>
> > 62 172.16.60.0/24 ->
172.16.30.0/24 =><br>
> > tun0x1004@192.168.1.10<br>
> ><br>
> ><br>
> > When pinging from spoke1 to hub:<br>
> > # ping -I 172.16.30.130 172.16.10.110<br>
> > PING 172.16.10.110 (172.16.10.110): 56 data bytes<br>
> > 64 bytes from 172.16.10.110: icmp_seq=0 ttl=64 time=3.2 ms<br>
> > 64 bytes from 172.16.10.110: icmp_seq=1 ttl=64 time=2.3 ms<br>
> ><br>
> > When pinging from spoke1 to spoke2:<br>
> > # ping -I 172.16.30.130 172.16.60.160<br>
> > PING 172.16.60.160 (172.16.60.160): 56 data bytes<br>
> > 64 bytes from 172.16.60.160: icmp_seq=0 ttl=63 time=12.7 ms<br>
> > 64 bytes from 172.16.60.160: icmp_seq=1 ttl=63 time=4.6 ms<br>
> ><br>
> > Tcpdump on spoke1 when pinging from spoke1 to spoke2:<br>
> > # tcpdump -ni ipsec0 icmp<br>
> > tcpdump: listening on ipsec0<br>
> > 00:34:17.262268 172.16.30.130 > 172.16.60.160: icmp: echo
request (DF)<br>
> > 00:34:17.266201 172.16.60.160 > 172.16.30.130: icmp: echo
reply<br>
> ><br>
> > And tcpdump on hub when pinging from spoke1 to spoke2:<br>
> > # tcpdump -ni ipsec0 icmp<br>
> > tcpdump: listening on ipsec0<br>
> > 16:29:56.543048 172.16.30.130 > 172.16.60.160: icmp: echo
request (DF)<br>
> > 16:29:56.543527 172.16.30.130 > 172.16.60.160: icmp: echo
request (DF)<br>
> > 16:29:56.545636 172.16.60.160 > 172.16.30.130: icmp: echo
reply<br>
> > 16:29:56.546168 172.16.60.160 > 172.16.30.130: icmp: echo
reply<br>
> ><br>
> ><br>
> > <br>
> -------------------------------------------------------------------------------------------------------------------------------------<br>
> > For the Openswan setup, the IP addresses are as follows:<br>
> > Hub - 172.16.50.150 - 192.168.1.50<br>
> > Spoke1 - 172.16.40.140 - 192.168.1.40<br>
> > Spoke2 - 172.16.20.120 - 192.168.1.20<br>
> ><br>
> > Hub's ipsec.conf<br>
> > -----------------------<br>
> > config setup<br>
> > interfaces = "ipsec0=eth1"<br>
> > klipsdebug = none<br>
> > plutodebug = none<br>
> > uniqueids = yes<br>
> > hidetos = no<br>
> > conn t50to40<br>
> > type = tunnel<br>
> > left = 192.168.1.50<br>
> > right = 192.168.1.40<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.50.0/24<br>
> > rightsubnet = 172.16.40.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.50<br>
> > rightid = 192.168.1.40<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> > conn t50to20<br>
> > type = tunnel<br>
> > left = 192.168.1.50<br>
> > right = 192.168.1.20<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.50.0/24<br>
> > rightsubnet = 172.16.20.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.50<br>
> > rightid = 192.168.1.20<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> ><br>
> > Hub's eroutes<br>
> > -----------------------<br>
> > 0 172.16.20.0/24
-> 172.16.40.0/24 =><br>
> > tun0x1016@192.168.1.40<br>
> > 0 172.16.40.0/24
-> 172.16.20.0/24 =><br>
> > tun0x1014@192.168.1.20<br>
> > 2 172.16.50.0/24
-> 172.16.20.0/24 =><br>
> > tun0x1014@192.168.1.20<br>
> > 12 172.16.50.0/24 ->
172.16.40.0/24 =><br>
> > tun0x1016@192.168.1.40<br>
> ><br>
> ><br>
> > Spoke1's ipsec.conf<br>
> > -----------------------<br>
> > config setup<br>
> > interfaces = "ipsec0=eth1"<br>
> > klipsdebug = none<br>
> > plutodebug = none<br>
> > plutoload = %search<br>
> > plutostart = %search<br>
> > uniqueids = yes<br>
> > hidetos = no<br>
> > conn t40to50<br>
> > type = tunnel<br>
> > left = 192.168.1.40<br>
> > right = 192.168.1.50<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.40.0/24<br>
> > rightsubnet = 172.16.50.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.40<br>
> > rightid = 192.168.1.50<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> ><br>
> > Spoke1's eroutes<br>
> > -----------------------<br>
> > 2 172.16.20.0/24
-> 172.16.40.0/24 =><br>
> > tun0x1008@192.168.1.50<br>
> > 2 172.16.20.0/24
-> 172.16.50.0/24 =><br>
> > tun0x1008@192.168.1.50<br>
> ><br>
> > Spoke2's ipsec.conf<br>
> > -----------------------<br>
> > config setup<br>
> > interfaces = "ipsec0=eth1"<br>
> > klipsdebug = none<br>
> > plutodebug = none<br>
> > plutoload = %search<br>
> > plutostart = %search<br>
> > uniqueids = yes<br>
> > hidetos = no<br>
> > conn t20to50<br>
> > type = tunnel<br>
> > left = 192.168.1.20<br>
> > right = 192.168.1.50<br>
> > leftnexthop = 192.168.1.1<br>
> > leftsubnet = 172.16.20.0/24<br>
> > rightsubnet = 172.16.50.0/24<br>
> > auto = start<br>
> > keyexchange = ike<br>
> > authby = secret<br>
> > auth = esp<br>
> > keyingtries = 0<br>
> > esp = AES128-SHA1<br>
> > pfs = yes<br>
> > rekey = yes<br>
> > leftid = 192.168.1.20<br>
> > rightid = 192.168.1.50<br>
> > ike = 3DES-SHA-MODP1024<br>
> > ikelifetime = 28800s<br>
> > keylife = 86400s<br>
> > rekeymargin = 10m<br>
> > rekeyfuzz = 20%<br>
> ><br>
> > Spoke2's eroutes<br>
> > -----------------------<br>
> > 549 172.16.40.0/24 ->
172.16.20.0/24 =><br>
> > tun0x100c@192.168.1.50<br>
> > 12 172.16.40.0/24 ->
172.16.50.0/24 =><br>
> > tun0x100c@192.168.1.50<br>
> ><br>
> ><br>
> > When pinging from spoke1 to hub:<br>
> > # ping -I 172.16.20.120 172.16.50.150<br>
> > PING 172.16.50.150 (172.16.50.150): 56 data bytes<br>
> > 64 bytes from 172.16.50.150: icmp_seq=0 ttl=64 time=12.4 ms<br>
> > 64 bytes from 172.16.50.150: icmp_seq=1 ttl=64 time=10.4 ms<br>
> ><br>
> > When pinging from spoke1 to spoke2:<br>
> > # ping -I 172.16.20.120 172.16.40.140<br>
> > PING 172.16.40.140 (172.16.40.140): 56 data bytes<br>
> ><br>
> > --- 172.16.40.140 ping statistics ---<br>
> > 8 packets transmitted, 0 packets received, 100% packet loss<br>
> ><br>
> > Tcpdump on spoke1 when pinging from spoke1 to spoke2:<br>
> > # tcpdump -ni ipsec0 icmp<br>
> > tcpdump: listening on ipsec0<br>
> > 16:33:49.927435 172.16.20.120 > 172.16.40.140: icmp: echo
request (DF)<br>
> > 16:33:50.927440 172.16.20.120 > 172.16.40.140: icmp: echo
request (DF)<br>
> ><br>
> > And tcpdump on hub when pinging from spoke1 to spoke2:<br>
> > # tcpdump -ni ipsec0 icmp<br>
> > tcpdump: listening on ipsec0<br>
> ><br>
> > 0 packets received by filter<br>
> > 0 packets dropped by kernel<br>
> ><br>
> ><br>
> > I can ping from the hub to spoke2:<br>
> > # ping -I 172.16.50.150 172.16.40.140<br>
> > PING 172.16.40.140 (172.16.40.140): 56 data bytes<br>
> > 64 bytes from 172.16.40.140: icmp_seq=0 ttl=64 time=3.3 ms<br>
> > 64 bytes from 172.16.40.140: icmp_seq=1 ttl=64 time=2.1 ms<br>
> ><br>
> ><br>
> ><br>
> ><br>
> ></font></tt>
<br><tt><font size=2>> > _______________________________________________<br>
> > Users@openswan.org<br>
> > </font></tt><a href=http://lists.openswan.org/mailman/listinfo/users><tt><font size=2>http://lists.openswan.org/mailman/listinfo/users</font></tt></a><tt><font size=2><br>
> > Building and Integrating Virtual Private Networks with Openswan:<br>
> > </font></tt><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"><tt><font size=2>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</font></tt></a><tt><font size=2><br>
> ><br>
> ></font></tt>
<br><tt><font size=2>> _______________________________________________<br>
> Users@openswan.org<br>
> </font></tt><a href=http://lists.openswan.org/mailman/listinfo/users><tt><font size=2>http://lists.openswan.org/mailman/listinfo/users</font></tt></a><tt><font size=2><br>
> Building and Integrating Virtual Private Networks with Openswan: <br>
> </font></tt><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"><tt><font size=2>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</font></tt></a><tt><font size=2><br>
</font></tt>