<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6001.18294" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px" leftMargin=0
topMargin=0>
<DIV><FONT face=Arial size=2>Hi everyone,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have since abandoned V-IPSecure... Quite frankly
it sucks and I have worked almost a month on trying to get it to sync up with
Openswan. I want to connect networks 192.168.122.0/24 (left) and
192.168.133.0/24 (right) bidirectionally via VPN.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have since moved to using Openswan behind a NAT
firewall, as seen in this illustration:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is the ipsec.conf:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>conn ait-2-torden-xen
        type=tunnel
        aggrmode=no
        compress=no
        authby=secret
        right=22.123.34.56            # Public IP of local Openswan server
        rightid=22.123.34.56          # Public IP of local Openswan server
        rightnexthop=22.123.34.1      # Public IP of gateway in front of local Openswan server
        rightsubnet=192.168.122.0/24  # Subnet on local Openswan server virbr0
        rightsourceip=192.168.122.1   # IP address within 192.168.122.0/24 network
        left=192.168.1.250            # LAN IP of remote Openswan server
        leftid=12.234.22.224          # Public IP of router in front of Openswan server
        leftnexthop=12.234.22.1       # Public IP of gateway of router in front of remote Openswan server
        leftsubnet=192.168.133.0/24   # Subnet on remote Openswan server virbr0
        leftsourceip=192.168.133.1    # IP address within 192.168.133.0/24 network
        auto=start
</PRE></DIV>
<DIV><FONT face=Arial size=2>And here is the secure log from the Openswan server
behind the NAT router:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>Sep 21 09:50:25 aitdemo5 sshd[31697]: Accepted password for root from 192.168.1.19 port 59919 ssh2
Sep 21 09:50:25 aitdemo5 sshd[31697]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 21 09:51:18 aitdemo5 userhelper[31737]: pam_timestamp(system-config-samba:session): updated timestamp file `/var/run/sudo/root/unknown'
Sep 21 09:51:18 aitdemo5 userhelper[31740]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
Sep 21 09:54:36 aitdemo5 ipsec__plutorun: Starting Pluto subsystem...
Sep 21 09:54:36 aitdemo5 pluto[31907]: Starting Pluto (Openswan Version 2.6.14; Vendor ID OEoSJUweaqAX) pid:31907
Sep 21 09:54:36 aitdemo5 pluto[31907]: Setting NAT-Traversal port-4500 floating to on
Sep 21 09:54:36 aitdemo5 pluto[31907]: port floating activation criteria nat_t=1/port_float=1
Sep 21 09:54:36 aitdemo5 pluto[31907]: including NAT-Traversal patch (Version 0.6c)
Sep 21 09:54:36 aitdemo5 pluto[31907]: using /dev/urandom as source of random entropy
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: starting up 3 cryptographic helpers
Sep 21 09:54:44 aitdemo5 pluto[31921]: using /dev/urandom as source of random entropy
Sep 21 09:54:44 aitdemo5 pluto[31907]: started helper pid=31921 (fd:7)
Sep 21 09:54:54 aitdemo5 pluto[31922]: using /dev/urandom as source of random entropy
Sep 21 09:54:54 aitdemo5 pluto[31907]: started helper pid=31922 (fd:8)
Sep 21 09:54:59 aitdemo5 pluto[31923]: using /dev/urandom as source of random entropy
Sep 21 09:54:59 aitdemo5 pluto[31907]: started helper pid=31923 (fd:9)
Sep 21 09:55:04 aitdemo5 pluto[31907]: Using Linux 2.6 IPsec interface code on 2.6.18-128.el5xen (experimental code)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating &lt;NULL&gt;: Ok (ret=0)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED (ret=-17)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED (ret=-17)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED (ret=-17)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED (ret=-17)
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED (ret=-17)
Sep 21 09:55:10 aitdemo5 pluto[31907]: Changed path to directory '/etc/ipsec.d/cacerts'
Sep 21 09:55:10 aitdemo5 pluto[31907]: Changed path to directory '/etc/ipsec.d/aacerts'
Sep 21 09:55:15 aitdemo5 pluto[31907]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Sep 21 09:55:15 aitdemo5 pluto[31907]: Changing to directory '/etc/ipsec.d/crls'
Sep 21 09:55:20 aitdemo5 pluto[31907]: Warning: empty directory
Sep 21 09:55:25 aitdemo5 pluto[31907]: Changing back to directory '/' failed - (2 No such file or directory)
Sep 21 09:55:25 aitdemo5 pluto[31907]: Changing back to directory '/' failed - (2 No such file or directory)
Sep 21 09:55:30 aitdemo5 pluto[31907]: added connection description "ait-2-torden-xen"
Sep 21 09:55:35 aitdemo5 pluto[31907]: listening for IKE messages
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface vnet0/vnet0 192.168.133.1:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface vnet0/vnet0 192.168.133.1:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.133.2:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.133.2:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.1.250:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.1.250:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface lo/lo 127.0.0.1:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface lo/lo 127.0.0.1:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface lo/lo ::1:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: loading secrets from "/etc/ipsec.secrets"
Sep 21 09:55:35 aitdemo5 pluto[31907]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Sep 21 09:55:35 aitdemo5 pluto[31907]: "ait-2-torden-xen": request to add a prospective erouted policy with netkey kernel --- experimental
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen": route-client output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace 192.168.122.0/24 via 12.234.22.1 dev eth0 src 192.168.133.1' failed (RTNETLINK answers: Network is unreachable)
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: initiating Main Mode
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: ignoring unknown Vendor ID payload [4f456d406b6753464548407f]
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: received Vendor ID payload [Dead Peer Detection]
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: received Vendor ID payload [RFC 3947] method set to=109
Sep 21 09:55:46 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: enabling possible NAT-traversal with method 4
Sep 21 09:55:46 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 21 09:55:51 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 21 09:55:56 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: discarding duplicate packet; already STATE_MAIN_I2
Sep 21 09:55:56 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 21 09:56:01 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: discarding duplicate packet; already STATE_MAIN_I3
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: received Vendor ID payload [CAN-IKEv2]
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: Main mode peer ID is ID_IPV4_ADDR: '22.123.34.56'
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to <A href="mailto:dev@openswan.org">dev@openswan.org</A>
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to <A href="mailto:dev@openswan.org">dev@openswan.org</A>
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to <A href="mailto:dev@openswan.org">dev@openswan.org</A>
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to <A href="mailto:dev@openswan.org">dev@openswan.org</A>
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:5c78e672 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=&gt;0xa74ab6c6 &lt;0x961f7c94 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
</PRE></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Do I have this ipsec.conf correct? It seems I am
having routing problems.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks in advance all.</FONT></DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>JT</FONT></DIV></BODY></HTML>
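The log JT posted shows the two things a practitioner looks for first: pluto reports "ISAKMP SA established" and "IPsec SA established tunnel mode" (so IKE phase 1 and 2 did complete, with NAT-T detecting "i am NATed"), yet a few lines earlier the _updown.netkey script failed to install the route to 192.168.122.0/24 via 12.234.22.1 with "RTNETLINK answers: Network is unreachable". That next hop is the configured leftnexthop, a public address the kernel has no route to from a host whose eth0 sits on 192.168.1.250. The Python script below is an added example, not part of JT's message and not Openswan's own code: it parses pluto syslog lines of the kind quoted above (a constructed subset of those lines is embedded as SAMPLE_LOG) and reports, per connection name, the peer ID, the NAT-T result, the phase 1 and phase 2 parameters, the ESP SPIs and any route-install failures, so that the "SA up but routing broken" case is flagged instead of buried in the log. The regular expressions are keyed to the Openswan 2.6 message wording exactly as it appears in that log; other versions may word these lines differently, which is an assumption of this script.

```python
"""Triage an Openswan (pluto) syslog extract: did IKE come up, and did routing?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the pluto lines quoted in the message above.
SAMPLE_LOG = """\
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen": route-client output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace 192.168.122.0/24 via 12.234.22.1 dev eth0 src 192.168.133.1' failed (RTNETLINK answers: Network is unreachable)
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: initiating Main Mode
Sep 21 09:55:56 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: Main mode peer ID is ID_IPV4_ADDR: '22.123.34.56'
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa74ab6c6 <0x961f7c94 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# Per-connection pluto lines look like: pluto[pid]: "conn" [#sa]: message
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
ROUTE_FAIL_RE = re.compile(r"doroute `(?P<cmd>[^']*)' failed \((?P<err>[^)]*)\)")
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (?P<result>.+)$")
PEER_RE = re.compile(r"peer ID is \w+: '(?P<peer>[^']+)'")
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}")
SPI_RE = re.compile(r"ESP=>(?P<out>0x[0-9a-f]+) <(?P<inp>0x[0-9a-f]+)")
VIA_RE = re.compile(r"\bvia (?P<gw>\S+)")


def parse_params(text: str) -> Dict[str, str]:
    """Turn 'auth=X cipher=Y ...' into a dict; the ESP SPI pair is handled by SPI_RE."""
    out: Dict[str, str] = {}
    for tok in text.split():
        if "=" in tok and not tok.startswith("ESP=>"):
            key, val = tok.split("=", 1)
            out[key] = val
    return out


def gateway_of(route_cmd: str) -> Optional[str]:
    """Extract the next hop from an 'ip route replace ... via GW ...' command."""
    m = VIA_RE.search(route_cmd)
    return m["gw"] if m else None


@dataclass
class ConnStatus:
    name: str
    nat_result: Optional[str] = None
    peer_id: Optional[str] = None
    isakmp: Dict[str, str] = field(default_factory=dict)  # phase 1 parameters
    ipsec: Dict[str, str] = field(default_factory=dict)   # phase 2 parameters
    spi_out: Optional[str] = None
    spi_in: Optional[str] = None
    route_failures: List[Tuple[str, str]] = field(default_factory=list)  # (command, error)

    def verdict(self) -> str:
        """One-line diagnosis, in the order a responder would check things."""
        if not self.isakmp:
            return "phase 1 (ISAKMP SA) never completed"
        if not self.ipsec:
            return "phase 1 up, but no IPsec SA was established"
        if self.route_failures:
            gws = sorted({gateway_of(cmd) for cmd, _ in self.route_failures} - {None})
            return ("IPsec SA established, but _updown could not install the route via "
                    + ", ".join(gws) + "; check that this next hop is reachable from the host")
        return "IPsec SA established and routes installed"


def triage(log_text: str) -> Dict[str, ConnStatus]:
    """Fold pluto log lines into one ConnStatus per connection name."""
    conns: Dict[str, ConnStatus] = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # daemon start-up noise, not a per-connection line
        st = conns.setdefault(m["conn"], ConnStatus(name=m["conn"]))
        msg = m["msg"]
        if (r := ROUTE_FAIL_RE.search(msg)):
            st.route_failures.append((r["cmd"], r["err"]))
        elif (r := NAT_RE.search(msg)):
            st.nat_result = r["result"]
        elif (r := PEER_RE.search(msg)):
            st.peer_id = r["peer"]
        elif (r := ISAKMP_RE.search(msg)):
            st.isakmp = parse_params(r["params"])
        elif (r := IPSEC_RE.search(msg)):
            st.ipsec = parse_params(r["params"])
            st.ipsec["mode"] = r["mode"]
            s = SPI_RE.search(r["params"])
            if s:
                st.spi_out, st.spi_in = s["out"], s["inp"]
    return conns


if __name__ == "__main__":
    for name, st in triage(SAMPLE_LOG).items():
        print(f"{name}: peer={st.peer_id} nat={st.nat_result!r}")
        print(f"  phase1={st.isakmp}")
        print(f"  phase2={st.ipsec} spi_out={st.spi_out} spi_in={st.spi_in}")
        for cmd, err in st.route_failures:
            print(f"  route failure: {cmd!r} -> {err}")
        print(f"  verdict: {st.verdict()}")
```

Run it against a real /var/log/secure by passing the file contents to triage(); the verdict deliberately checks the route failure only after both SAs are confirmed, because an "established" tunnel whose route never went in is the state the quoted log is in.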