<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Hi,<br>&nbsp;&nbsp; Could you run a traceroute from remote PC 10.3.15.60 to your PC 150.24.31.22? Which device in your network setup has the address 150.24.31.21?<br>&nbsp;&nbsp;&nbsp; Thanks.<br><br><span style="font-family: Tahoma,Helvetica,Sans-Serif; font-style: italic; font-weight: bold;">-<span style="font-family: Times New Roman,Times,Serif;"> Simon Charles - </span></span><br><br>&gt; Date: Fri, 2 Oct 2009 16:48:13 -0400<br>&gt; From: Donald.Goffe@GTECH.COM<br>&gt; To: users@openswan.org<br>&gt; Subject: [Openswan Users] Using Cisco VPN3000<br>&gt; <br>&gt; I read Paul and Ken's book, great job guys.<br>&gt; I am having an issue when I establish a tunnel thru a Cisco 3000<br>&gt; concentrator.<br>&gt; The tunnel uses netkey and is up. I can ping the concentrator and get an<br>&gt; echo reply just fine. Ethereal confirms the pings have been encrypted in<br>&gt; both directions. My PC is on the left with an address of 150.24.31.22,<br>&gt; the vpn server is 10.10.1.11 and the target PC is 10.3.15.60 on the<br>&gt; private side of the network.<br>&gt; PROBLEM:<br>&gt; When I ping 10.3.15.60 I see the encrypted echo request get to the<br>&gt; concentrator, be decrypted, and the ICMP ping actually get to the<br>&gt; 10.3.15.60 PC. The response is an ICMP echo reply back to 150.24.31.21<br>&gt; as expected, which does not go back over the tunnel and as such is never<br>&gt; encrypted. Instead it simply appears on my terminal as a plain old non<br>&gt; encrypted ICMP reply. The Cisco concentrator indicates my tunnel has an<br>&gt; assigned source address of 255.255.255.255 and a public address of<br>&gt; 150.24.31.21. 
That can't be correct.<br>&gt; <br>&gt; Has anyone seen this issue?<br>&gt; Thanks in advance...<br>&gt; <br>&gt; Config:<br>&gt; # /etc/ipsec.conf - Openswan IPsec configuration file<br>&gt; # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $<br>&gt; <br>&gt; # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample<br>&gt; #<br>&gt; # Manual:     ipsec.conf.5<br>&gt; <br>&gt; <br>&gt; version        2.0        # conforms to second version of ipsec.conf specification<br>&gt; <br>&gt; # basic configuration<br>&gt; config setup<br>&gt;         # Do not set debug options to debug configuration issues!<br>&gt;         # plutodebug / klipsdebug = "all", "none" or a combination from<br>&gt; below:<br>&gt;         # "raw crypt parsing emitting control klips pfkey natt x509 dpd<br>&gt; private"<br>&gt;         # eg:<br>&gt;         # plutodebug="control parsing"<br>&gt;         #<br>&gt;         # enable to get logs per-peer<br>&gt;         # plutoopts="--perpeerlog"<br>&gt;         #<br>&gt;         # Again: only enable plutodebug or klipsdebug when asked by a<br>&gt; developer<br>&gt;         #<br>&gt;         # NAT-TRAVERSAL support, see README.NAT-Traversal<br>&gt;         #nat_traversal=yes<br>&gt;         # exclude networks used on server side by adding %v4:!a.b.c.0/24<br>&gt;         virtual_private=%v4:10.0.0.0/8<br>&gt;         # OE is now off by default. Uncomment and change to on, to<br>&gt; enable.<br>&gt;         #oe=off<br>&gt;         # which IPsec stack to use. 
netkey,klips,mast,auto or none<br>&gt;         protostack=netkey<br>&gt;         <br>&gt; <br>&gt; # Add connections here<br>&gt; <br>&gt; conn gtech<br>&gt; #               # Left security gateway, subnet behind it, nexthop<br>&gt; toward right.<br>&gt;                type=tunnel<br>&gt;                left=150.24.31.22<br>&gt;                leftsubnet=150.24.31.0/24<br>&gt; #               leftmodecfgclient=yes<br>&gt;              leftxauthclient=yes<br>&gt;                leftid=@gtech<br>&gt; #            # Right security gateway, subnet behind it, nexthop toward<br>&gt; left.<br>&gt;              right=10.10.1.11<br>&gt;              rightxauthserver=yes<br>&gt;              rightsubnet=10.3.15.0/24<br>&gt;                rightmodecfgserver=yes<br>&gt;              pfs=no<br>&gt; #               # To authorize this connection, but not actually start<br>&gt; it,<br>&gt; #               # at startup, uncomment this.<br>&gt; #               auto=add<br>&gt;                auto=route<br>&gt;                auth=esp<br>&gt;              esp=3des-md5<br>&gt;              ike=3des-md5-modp1024<br>&gt;                modecfgpull=yes<br>&gt;              authby=secret<br>&gt;              aggrmode=yes<br></body>
</html>