2 virtual machines are bridged. When I start a connection from one VM, everything is OK, but when I start a connection from the other VM, it can't establish a connection.

===========================/etc/ipsec.conf======================================
version 2.0
config setup

	protostack=netkey
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	oe=off

	nhelpers=0
include /etc/ipsec.d/*.conf
===============================================================================================

====================================/etc/ipsec.d/L2TP-PSK-NAT.conf===============================================
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=216.23.52.34
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/%any

===============================================================================================


===================================successful============================================================
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: received Vendor ID payload [RFC 3947] method set to=109
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 11 11:03:41 moun pluto[5940]: packet from 125.33.176.240:20073: ignoring Vendor ID payload [IKE CGA version 1]
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: responding to Main Mode from unknown peer 125.33.176.240
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: Main mode peer ID is ID_IPV4_ADDR: '10.0.2.15'
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[16] 125.33.176.240 #18: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: deleting connection "L2TP-PSK-NAT" instance with peer 125.33.176.240 {isakmp=#0/ipsec=#0}
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: new NAT mapping for #18, was 125.33.176.240:20073, now 125.33.176.240:61846
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: the peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/0
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #18: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: responding to Quick Mode proposal {msgid:01000000}
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: them: 125.33.176.240[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:03:41 moun pluto[5940]: | NAT-OA: 32 tunnel: 1
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 11 11:03:42 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 11:03:42 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xc80359b8 <0xeab48ba1 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=125.33.176.240:61846 DPD=none}

======================================================================================================

==========================================unsuccessful========================================================
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 11 11:04:23 moun pluto[5940]: packet from 125.33.176.240:62093: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: responding to Main Mode from unknown peer 125.33.176.240
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: Main mode peer ID is ID_FQDN: '@john-af0f0acd'
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #20: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: new NAT mapping for #20, was 125.33.176.240:62093, now 125.33.176.240:28712
Aug 11 11:04:23 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: peer client type is FQDN
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: Applying workaround for MS-818043 NAT-T bug
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: IDci was FQDN: \330S3\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: the peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/0
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: responding to Quick Mode proposal {msgid:7b632bb8}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:24 moun pluto[5940]: | NAT-OA: 4 tunnel: 1
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240 #19
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: peer client type is FQDN
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: Applying workaround for MS-818043 NAT-T bug
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: IDci was FQDN: \330S3\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: the peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/1701
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22: responding to Quick Mode proposal {msgid:7b632bb8}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22: us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22: them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:24 moun pluto[5940]: | NAT-OA: 4 tunnel: 1
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240 #22: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240 #19
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[19] 125.33.176.240: deleting connection "L2TP-PSK-NAT" instance with peer 125.33.176.240 {isakmp=#0/ipsec=#0}
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: peer client type is FQDN
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: Applying workaround for MS-818043 NAT-T bug
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: IDci was FQDN: \330S3\204, using NAT_OA=10.0.2.15/32 as IDci
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #20: the peer proposed: 216.23.52.34/32:17/1701 -> 10.0.2.15/32:17/1701
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23: responding to Quick Mode proposal {msgid:7b632bb8}
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23: us: 216.23.52.34<216.23.52.34>[+S=C]:17/1701
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23: them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:26 moun pluto[5940]: | NAT-OA: 4 tunnel: 1
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240 #23: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240 #19
Aug 11 11:04:26 moun pluto[5940]: "L2TP-PSK-NAT"[20] 125.33.176.240: deleting connection "L2TP-PSK-NAT" instance with peer 125.33.176.240 {isakmp=#0/ipsec=#0}
===============================================================================================

-- 
Spacelee
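An added example, not part of the post and not Openswan code: a small Python checker that walks pluto log lines like the ones above and reports when more than one IKE identity behind the same public address proposes the same client selector. That is the situation the "cannot install eroute -- it is in use" lines describe: both VMs present 10.0.2.15/32 behind 125.33.176.240, so the second Quick Mode exchange (#21) finds its eroute already held by #19. The sample lines are abridged from the excerpts above; the regexes assume the pluto line format shown there.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the two pluto excerpts in the post
# (the successful peer, then the failing one), with the HTML stripped.
SAMPLE_LOG = """
Aug 11 11:03:41 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: them: 125.33.176.240[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:03:42 moun pluto[5940]: "L2TP-PSK-NAT"[17] 125.33.176.240 #19: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xc80359b8 <0xeab48ba1 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=125.33.176.240:61846 DPD=none}
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: them: 125.33.176.240[@john-af0f0acd,+S=C]:17/1701===10.0.2.15/32
Aug 11 11:04:24 moun pluto[5940]: "L2TP-PSK-NAT"[18] 125.33.176.240 #21: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[17] 125.33.176.240 #19
"""

# Common prefix of a per-state pluto line: "conn"[instance] peer #state-number: message
PREFIX = re.compile(r'pluto\[\d+\]: "[^"]+"\[\d+\] [\d.]+ #(?P<sa>\d+): (?P<msg>.*)$')
# Quick Mode "them:" line: public address, IKE ID in brackets, and the client selector after ===
THEM = re.compile(r'them: (?P<pub>[\d.]+)\[(?P<id>[^,\]]+)[^\]]*\]:\S+===(?P<client>[\d.]+/\d+)')
# The failure line, naming the state that already holds the eroute
EROUTE = re.compile(r'cannot install eroute -- it is in use for "[^"]+"\[\d+\] [\d.]+ #(?P<holder>\d+)')


def analyze(log_text):
    """Return (overlaps, conflicts).

    overlaps:  [(public_ip, client_selector, [sorted IKE IDs])] for every selector
               proposed by more than one identity behind the same public address.
    conflicts: [(blocked_state, holding_state)] from 'cannot install eroute' lines.
    """
    ids_by_selector = defaultdict(set)
    conflicts = []
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # vendor-ID, debug ("| NAT-OA") and deletion lines carry no #state
        msg = m.group("msg")
        t = THEM.search(msg)
        if t:
            ids_by_selector[(t.group("pub"), t.group("client"))].add(t.group("id"))
        e = EROUTE.search(msg)
        if e:
            conflicts.append((int(m.group("sa")), int(e.group("holder"))))
    overlaps = [(pub, client, sorted(ids))
                for (pub, client), ids in sorted(ids_by_selector.items()) if len(ids) > 1]
    return overlaps, conflicts


if __name__ == "__main__":
    overlaps, conflicts = analyze(SAMPLE_LOG)
    for pub, client, ids in overlaps:
        print(f"{len(ids)} identities behind {pub} propose the same selector {client}: {ids}")
    for blocked, holder in conflicts:
        print(f"state #{blocked} could not install its eroute; state #{holder} holds it")
```

Run against the full log from the post, it reports the single selector 10.0.2.15/32 claimed by both '10.0.2.15' and '@john-af0f0acd', and every blocked state (#21, #22, #23) pointing back at #19.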