<pre>Hi Paul, sorry about the delay! I lost your e-mail response...<br><br>On Fri, 5 Jun 2009, João Kuchnier wrote:<br><br> right=192.168.1.224<br> #rightnexthop=<br> rightsubnet=192.168.1.224/32<br>
#rightid=<br> left=200.x.x.x<br> #leftnexthop=<br> leftsubnet=192.168.102.0/24<br> keyexchange=ike<br> ike=3des-md5-modp1024<br> esp=3des-md5<br>
#ah=3des-md5<br> ikelifetime=28800s<br> #keylife=28800s<br> pfs=no<br> compress=no<br> authby=secret<br> auto=start<br> aggrmode=no<br><br><br>If both ends are openswan, use pfs=yes<br>
--> On the other end they have a French appliance.<br><br>conn 2<br> right=192.168.1.224<br> #rightnexthop=<br> rightsubnet=192.168.1.224/32<br> #rightid=<br>
left=200.x.x.x<br> #leftnexthop=<br> leftsubnet=10.201.136.0/21<br><br><br>"conn1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>"conn1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established<br>
{ESP=>0x0d243b91 <0x964680c9 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500<br>DPD=none}<br>"conn2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>"conn2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established<br>
{ESP=>0x09bf8953 <0xea5fc696 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500<br>DPD=none}<br><br><br>Both tunnels establish, so my guess is this is a firewalling or<br>routing issue. Are you excluding packets that are going to be<br>
tunneled from getting NAT'ed?<br><br>--> Like I said in the first e-mail (I lost it too), I have a firewall with two zones, tunnels and hosts to both subnets on that end.<br>Everything coming from or going to that end is accepted on the firewall and NAT'ed to the DMZ Openswan server.<br>
<br>--> On the Openswan server there is another firewall (Shorewall too) NAT'ing some specific packets for two other servers on the DMZ.<br>--> /etc/shorewall/rules is like this: DNAT net net:192.168.1.x tcp 2xxx<br>
--> Maybe this is the problem after all.<br><br>Jun 5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...<br><br>Could use an update to openswan 2.4.14.<br>--> I'm using Ubuntu Server 8.10. This version is the newest one available in the repositories...<br>
<br>Jun 5 16:03:44 conn2 ipsec__plutorun: 104 "conn2" #1: STATE_MAIN_I1:<br>initiate<br>Jun 5 16:03:44 conn2 ipsec__plutorun: ...could not start conn "conn2"<br><br><br>That's an oddness where at first it does not start, but on the second<br>
attempt it does. You can ignore that for now.<br><br>What does 'ipsec verify' say?<br><br>--> ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path         [OK]<br>
Linux Openswan U2.4.9/K2.6.24-19-server (netkey)<br>Checking for IPsec support in kernel         [OK]<br>NETKEY detected, testing for disabled ICMP send_redirects         [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br>
or NETKEY will cause the sending of bogus ICMP redirects!<br><br>NETKEY detected, testing for disabled ICMP accept_redirects         [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br>
<br>Checking for RSA private key (/etc/ipsec.secrets)         [DISABLED]<br> ipsec showhostkey: no default key in "/etc/ipsec.secrets"<br>Checking that pluto is running         [OK]<br>
Two or more interfaces found, checking IP forwarding         [OK]<br>Checking NAT and MASQUERADEing <br>Checking for 'ip' command         [OK]<br>Checking for 'iptables' command         [OK]<br>
Opportunistic Encryption Support         [DISABLED]<br><br><br>Paul<br><br>João K.<br></pre>
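Two of the points raised in the thread (excluding tunnel-bound traffic from NAT, and the two NETKEY redirect checks that "ipsec verify" reports as FAILED) lend themselves to a small checking script. The one below is an added example and is not code from the thread, from Openswan or from Shorewall. It assumes a Linux host with iptables, NAT done in the nat/POSTROUTING chain (for instance a MASQUERADE rule), and the usual /proc/sys/net/ipv4/conf tree; the ipsec.conf fragment it parses is constructed from the conn values quoted above, with 200.x.x.x left as the placeholder the poster used.

```shell
#!/bin/sh
# Added example (not from the thread, Openswan or Shorewall): derive NAT
# exclusion rules from ipsec.conf subnets and check the NETKEY redirect
# sysctls. Assumes iptables with a nat/POSTROUTING chain and a Linux
# /proc/sys/net/ipv4/conf tree.

# Constructed ipsec.conf fragment mirroring the two conns quoted in the
# thread; 200.x.x.x is the poster's placeholder, not a real address.
SAMPLE_CONF='conn conn1
  left=200.x.x.x
  leftsubnet=192.168.102.0/24
  right=192.168.1.224
  rightsubnet=192.168.1.224/32
conn conn2
  left=200.x.x.x
  leftsubnet=10.201.136.0/21
  right=192.168.1.224
  rightsubnet=192.168.1.224/32
'

# Emit one iptables command per conn that ACCEPTs (i.e. skips NAT for)
# traffic from leftsubnet to rightsubnet. "-I POSTROUTING" places each rule
# above any existing MASQUERADE/SNAT rule, so tunnel-bound packets keep
# their private source address and still match the IPsec policy.
nat_exclusion_rules() {
    printf '%s' "$1" | awk '
        /^conn[ \t]/           { name = $2; ls = ""; rs = "" }
        /^[ \t]*leftsubnet=/   { sub(/.*=/, ""); ls = $0 }
        /^[ \t]*rightsubnet=/  { sub(/.*=/, ""); rs = $0 }
        ls != "" && rs != "" {
            printf "iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT  # %s\n", ls, rs, name
            ls = ""; rs = ""
        }'
}

# Report every interface under $1 (default: the live /proc tree) that still
# has send_redirects or accept_redirects enabled; these are the two checks
# "ipsec verify" flags above. Returns 1 if anything is still enabled.
check_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for d in "$root"/*; do
        for key in send_redirects accept_redirects; do
            [ -r "$d/$key" ] || continue
            val=$(cat "$d/$key")
            if [ "$val" != "0" ]; then
                echo "$(basename "$d")/$key=$val"
                bad=1
            fi
        done
    done
    return $bad
}

# Print sysctl lines (for /etc/sysctl.conf or "sysctl -w") that turn both
# settings off for every entry under the tree, including "all" and
# "default". Interface names containing a dot (e.g. VLAN sub-interfaces)
# would need the slash form "net/ipv4/conf/<iface>/..." instead.
redirect_sysctl_fix() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        echo "net.ipv4.conf.$iface.send_redirects = 0"
        echo "net.ipv4.conf.$iface.accept_redirects = 0"
    done
}

# Stand-alone demonstration: print the rules, the fix, and the live state.
nat_exclusion_rules "$SAMPLE_CONF"
redirect_sysctl_fix
check_redirects || echo "redirects still enabled: apply the sysctl lines above"
```

The script only prints the iptables commands rather than running them, so it can be reviewed (and diffed against the current nat table) before anything is changed; the per-subnet rules are the explicit form of the check Paul asks about, and the sysctl output covers the same /proc/sys/net/ipv4/conf/*/ entries that "ipsec verify" inspects.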