<font face="arial,helvetica,sans-serif">Roel,</font><div><font face="arial, helvetica, sans-serif">Willie,<br></font><div><font face="arial,helvetica,sans-serif"><br></font></div><div><font face="arial,helvetica,sans-serif">you are my heroes =), </font>the tunnel has been established! It's unbelievable that in fact all that was wrong was a stupid IP mistake and the command to "rereadkeys".</div>
<div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">104 "conn" #2795: STATE_MAIN_I1: initiate<br>
003 "conn" #2795: received Vendor ID payload [Dead Peer Detection]<br>003 "conn" #2795: ignoring unknown Vendor ID payload []<br>106 "conn" #2795: STATE_MAIN_I2: sent MI2, expecting MR2<br>108 "conn" #2795: STATE_MAIN_I3: sent MI3, expecting MR3<br>
004 "conn" #2795: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}<br>117 "conn" #2796: STATE_QUICK_I1: initiate<br>004 "conn" #2796: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5d04057f <0xc472b051 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}</blockquote>
<div><br></div><div>But there was still an iptables problem (I guess) which I could not get right... I am probably doing something wrong. I am trying to mess with DNAT and SNAT -> the virtual machine on my side (which is supposed to be communicating with the machine on the other side of the tunnel) has 192.168.56.111, but I told the other party to set my side as 192.168.5.2. </div>
<div><br></div><div>So I did the following:</div><div><div><br></div><div>sudo iptables -t nat -I PREROUTING -d 192.168.5.2 -j DNAT --to-destination 192.168.56.111</div><div>sudo iptables -t nat -I POSTROUTING -s 192.168.56.111 -j SNAT --to 192.168.5.2</div>
<div>sudo iptables -I FORWARD -d 192.168.5.2 -j ACCEPT</div><div>sudo iptables -I FORWARD -d 192.168.56.111 -j ACCEPT</div></div><div><br></div><div>And... it seems to be working =) At least I can ping the IP which is inside the VPN.</div>
<div><br></div><div>Thanks again!</div><div><br></div><div>Regards,</div><div>Jakub </div><div><br></div><br>
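<div>The negotiation failures quoted further down in this thread (phase 1 retransmission timeout, "no preshared key found", "no acceptable Oakley Transform" / NO_PROPOSAL_CHOSEN, and the phase 2 "no connection is known for" selector mismatch) each produce a distinct pluto message. The following Python script is an added example, not part of this thread and not Openswan's own code: it maps those messages to the negotiation stage that failed and to the setting a defender should check, and compares the traffic selector the peer proposed with a configured leftsubnet. The sample log is constructed from lines quoted in the thread; my-ip, remote-ip, my-gateway-ip and remote-ip-inside-vpn are the thread's own placeholders.</div>

```python
"""Triage of Openswan (pluto) negotiation output.

Added example: the sample lines below are constructed from messages quoted in
this thread, one per failure stage; the rule table maps each message to the
negotiation stage and the configuration item to check.
"""
import ipaddress
import re

# Constructed sample: one representative pluto line for each problem seen in the thread.
SAMPLE_LOG = """\
031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
003 "conn" #1806: Can't authenticate: no preshared key found for `my-ip' and `remote-ip'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "conn" #1806: no acceptable Oakley Transform
214 "conn" #1806: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
Aug 29 11:35:48 : "conn" #2076: the peer proposed: 192.168.5.2/32:0/0 -> remote-ip-inside-vpn/32:0/0
Aug 29 11:35:48 : "conn" #2076: cannot respond to IPsec SA request because no connection is known for 192.168.5.2/32===my-gateway-ip
004 "conn" #2796: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5d04057f <0xc472b051 xfrm=AES_256-HMAC_SHA1}
"""

# (pattern, negotiation stage, diagnosis). Named groups are substituted into the diagnosis.
RULES = [
    (re.compile(r"max number of retransmissions .*STATE_MAIN_I1"), "phase 1",
     "no reply to the first IKE message: confirm with tcpdump that UDP/500 "
     "(and UDP/4500 when NAT traversal is used) reaches the peer in both directions"),
    (re.compile(r"no preshared key found for `(?P<left>[^']+)' and `(?P<right>[^']+)'"), "phase 1",
     "ipsec.secrets has no PSK indexed by '{left} {right}': fix the index line and "
     "run 'ipsec auto --rereadsecrets'; --delete/--add/--up do not re-read the file"),
    (re.compile(r"no acceptable Oakley Transform|NO_PROPOSAL_CHOSEN"), "phase 1",
     "the peer rejected every IKE proposal: compare ike= (cipher-integrity-DH group) with the peer's settings"),
    (re.compile(r"the peer proposed: (?P<local>\S+) -> (?P<remote>\S+)"), "phase 2",
     "peer expects traffic selectors {local} -> {remote}"),
    (re.compile(r"no connection is known for (?P<sel>\S+?)==="), "phase 2",
     "no conn has leftsubnet/rightsubnet equal to {sel}: selectors must match the peer exactly"),
    (re.compile(r"IPsec SA established"), "phase 2", "tunnel established"),
]


def triage(log_text):
    """Return a de-duplicated list of (stage, diagnosis) for the lines that match a rule."""
    findings = []
    for line in log_text.splitlines():
        for pattern, stage, diagnosis in RULES:
            m = pattern.search(line)
            if m:
                item = (stage, diagnosis.format(**m.groupdict()))
                if item not in findings:
                    findings.append(item)
                break  # first matching rule wins for this line
    return findings


def proposed_local_selector(log_text):
    """Network the peer expects on our side, taken from the 'peer proposed' line (None if absent)."""
    m = re.search(r"the peer proposed: (\S+) -> ", log_text)
    return m.group(1).split(":")[0] if m else None  # drop pluto's ':proto/port' suffix


def selector_matches(peer_selector, configured_subnet):
    """True when the peer's selector and our leftsubnet/rightsubnet are the same network.

    Pluto requires an exact match: a /32 for the gateway address (192.168.5.1/32 in the
    thread's ipsec.conf) does not cover a host behind it (192.168.5.2/32 as proposed).
    """
    peer_net = ipaddress.ip_network(peer_selector.split(":")[0], strict=False)
    return peer_net == ipaddress.ip_network(configured_subnet, strict=False)


if __name__ == "__main__":
    for stage, diagnosis in triage(SAMPLE_LOG):
        print(f"[{stage}] {diagnosis}")
    local = proposed_local_selector(SAMPLE_LOG)
    # leftsubnet value from the ipsec.conf quoted in the thread
    print("selector matches leftsubnet=192.168.5.1/32:", selector_matches(local, "192.168.5.1/32"))
```

<div>Fed the real pluto log instead of the constructed sample, the same rules separate "the peer never answered" (a firewall or routing question) from "the peer answered but rejected us" (a proposal or secret question) and from the phase 2 selector mismatch that held this thread up, which is the order a reviewer of such a log should work in.</div>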
<br><br><div class="gmail_quote">2012/8/29 Roel van Meer <span dir="ltr"><<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Jakub Sobczak writes:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
A good sign is that we have a connection and that seems to be working, <br>
</blockquote>
<br></div>
No, not yet. The logs say:<div><br>
<br>
Aug 29 11:35:48 : "conn" #2076: the peer proposed: 192.168.5.2/32:0/0 -> remote-ip-inside-vpn/32:0/0<br>
Aug 29 11:35:48 : "conn" #2076: cannot respond to IPsec SA request because no connection is known for 192.168.5.2/32===my-gateway-ip&lt;<br>
<br></div>
So the peer has configured connection from <br>
remote-ip-inside-vpn/32 to 192.168.5.2/32<br>
<br>
but your configuration has<br>
<br>
some_subnet to 192.168.5.1/32<br>
<br>
You have to make sure these match exactly before the tunnel will be established.<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
but... am I right that there is a routing problem preventing the tunnel from working properly...? <br>
</blockquote>
<br></div>
No, your tunnel definition is not correct. <br><div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have a dedicated server with eth0 set to my-gateway-ip. There is also another subinterface: eth0:1 with ip 192.168.5.1. There is a virtual machine with 192.168.5.2 on this dedicated server which is supposed to be contacting "remote-ip-inside-vpn". Do you think it might be somehow related to the problem (output below)? <br>
<br>
I cannot ping "remote-ip-inside-vpn".<br>
</blockquote>
<br></div>
You probably will only be able to ping the remote from your virtual machine, because 192.168.5.1 is not included in the network range of the tunnel (unless you do some trickery with iptables).<br>
<br>
Regards,<br>
<br>
Roel<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
<br>
<br>
<br>
Aug 29 11:35:46 : "conn" #2075: sending encrypted notification INVALID_ID_INFORMATION to remote-gateway-ip:500<br>
Aug 29 11:35:47 : packet from remote-gateway-ip:500: received Vendor ID payload [Dead Peer Detection]<br>
Aug 29 11:35:47 : packet from remote-gateway-ip:500: ignoring unknown Vendor ID payload [xxx]<br>
Aug 29 11:35:47 : "conn" #2076: responding to Main Mode<br>
Aug 29 11:35:47 : "conn" #2076: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Aug 29 11:35:47 : "conn" #2076: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Aug 29 11:35:47 : "conn" #2076: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Aug 29 11:35:47 : "conn" #2076: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Aug 29 11:35:47 : "conn" #2076: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>
Aug 29 11:35:47 : "conn" #2076: Main mode peer ID is ID_IPV4_ADDR: 'remote-gateway-ip'<br>
Aug 29 11:35:47 : "conn" #2076: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Aug 29 11:35:47 : "conn" #2076: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}<br></div>
Aug 29 11:35:48 : "conn" #2076: the peer proposed: 192.168.5.2/32:0/0 -> remote-ip-inside-vpn/32:0/0<br>
Aug 29 11:35:48 : "conn" #2076: cannot respond to IPsec SA request because no connection is known for 192.168.5.2/32===my-gateway-ip&lt;my-gateway-ip&gt;[+S=C]...remote-gateway-ip&lt;remote-gateway-ip&gt;[+S=C]===remote-ip-inside-vpn/32<div>
<br>
<br>
<br>
<br>
<br>
Regards,<br>
Jakub<br>
<br>
<br>
<br>
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<br>
<br>
Jakub Sobczak writes:<br></div><div>
Each time I changed something I did:<br>
ipsec auto --delete conn<br>
ipsec auto --add conn<br>
ipsec auto --up conn<br>
This reloads the connection config, but not the shared secrets.<br>
But it seems that it has failed to work. After this command:<br>
ipsec auto --rereadsecrets<br>
I think it has negotiated the first phase, but there seems to be a problem with the second phase. Do you have any logs of openswan? E.g. the output of:<br>
ipsec auto --delete conn<br>
ipsec auto --add conn<br>
ipsec auto --up conn<br>
or recent content of the log file you posted before..<br>
Regards,<br>
Roel<br>
11:01:19.533205 IP remote-ip > my-ip.500: isakmp: phase 1 I ident<br>
11:01:19.533365 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident<br>
11:01:20.127518 IP remote-ip > my-ip.500: isakmp: phase 1 I ident<br>
11:01:20.128536 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident<br>
11:01:20.210036 IP remote-ip > my-ip.500: isakmp: phase 1 I ident[E]<br>
11:01:20.210213 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident[E]<br>
11:01:20.303975 IP remote-ip > my-ip.500: isakmp: phase 2/others I oakley-quick[E]<br>
11:01:20.304176 IP my-ip.500 > remote-ip: isakmp: phase 2/others R inf[E]<br></div>
Thanks for the info about the UDP port, I was expecting it to rather look like this: 1.2.3.4:500 and not separated with the dot (.). Regards,<br>
Jakub <div><br>
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<br>
Jakub Sobczak writes:<br></div>
tcpdump shows:<br>
10:37:17.007960 IP remote-ip.500 > my-ip.500 : isakmp: phase 1 I ident<br>
10:37:17.008104 IP my-ip.500 > remote-ip.500 : isakmp: phase 1 R inf<br>
I do not know where this .500 comes from, it looks like this: 1.2.3.4.500, but anyway it seems fine. What worries me however is:<div>
<br>
.500 is the udp port that is used for setting up the connection.<br>
104 "conn" #1806: STATE_MAIN_I1: initiate<br>
003 "conn" #1806: received Vendor ID payload [Dead Peer Detection]<br>
003 "conn" #1806: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]<br>
003 "conn" #1806: Can't authenticate: no preshared key found for `my-ip' and `remote-ip'. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
Ok, you do receive traffic from the remote, so the firewall is not the problem. It can't find a secret for your configured connection, however.<br>
Openswan does not pick up changes in your secrets file automatically.<br>
Have you restarted openswan since you put the secret in ipsec.secrets? You can also run<br>
ipsec auto --rereadsecrets<br>
to make sure Openswan picks up any changes there.<br>
Regards,<br>
Roel<br>
003 "conn" #1806: no acceptable Oakley Transform<br>
214 "conn" #1806: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN<br>
Again, my ipsec.secrets looks like this (copy-paste): my-ip remote-ip : PSK "some-presharedkey"<br>
What is going on? Maybe I have to install something?<br>
Regards,<br>
Jakub <br></div><div>
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<br>
Jakub Sobczak writes:<br></div>
Yes, the shared key line is formatted in the following way: 1.2.3.4 5.6.7.8: PSK "sharedkey". I changed auto=add to auto=start hoping it would help, but it didn't:<div>
<br>
ipsec auto --up conn<br>
104 "conn" #1616: STATE_MAIN_I1: initiate<br>
010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 20s for response<br>
010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 40s for response<br>
031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<br>
The other side is not responding. Your firewall might not be set up correctly. Can you see anything in the logs that indicate the other side is trying to make a connection? If not, you could try to see if there is traffic coming in from the other side.<br>
With a command like<br>
tcpdump -nli eth0 host 1.2.3.4<br>
(assuming eth0 is the network device of your internet connection, and replacing 1.2.3.4 by the ip address of the remote endpoint) you can see what is happening on the wire.<br>
Can you try to start the connection while running the tcpdump command and post its output?<br>
I'm not sure if that's correct: ike=aes256-sha1-modp1536, but if they say: Key Exchange Encryption: AES256 Data integrity: SHA1 and DH group 5, do you think this line is not correct (ike=aes256-sha1-modp1536)? I cannot influence that, I have to adjust... I am using: Linux Openswan U2.6.23/K2.6.32-31-server (netkey) Maybe the problem is that I am not using certificates but psk?<br>
The config details say that you need to use a shared key, so I assume the problem is not related to certificates.<br>
How do I check if I can use klips (which I believe I should use instead of netkey). You are already using klips, since you have this in your config:<br>
protostack=klips<br>
Regards,<br>
Roel<br>
Kind regards,<br>
Jakub<br></div>
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<div>
<br>
Jakub Sobczak writes:<br>
I have never set up a live openSwan VPN tunnel, so please be understanding =)<br>
I received the following config details to establish connection to the other<br>
company's gateway:<br>
Key Exchange Encryption: AES256 Data integrity: SHA1<br>
IKE SA renegotiation: 8 hrs Aggressive mode: No<br>
Use DH group: 1536 (group 5)<br>
Authentication: PSK<br>
IKE phase 2<br>
Data Encryption: AES256 Data integrity: SHA1<br>
IPSec SA renegotiation: 1 hr Aggressive mode: No<br>
Perfect forward secrecy: Yes<br>
Use DH group (Perfect forward secrecy) : 1536 (group 5)<br>
This is my config from ipsec.conf (below). Apart from that, I also have<br>
ipsec.secret with the following content: left_IP(mine)<br>
right_IP(othercompany) "PSK"<br>
Just to be sure, the format of this needs to be:<br></div>
1.2.3.4 5.6.7.8: PSK "sharedkey"<br>
config setup<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<div>
<br>
oe=off<br>
protostack=klips<br>
conn abc<br>
#General<br>
keyingtries=1<br>
auto=add<br>
If you specify "auto=add" the other end will have to initiate the connection. Can you post the logs that show what happens during this time?<br>
#IKE Params<br>
authby=secret<br>
keyexchange=ike<br>
This parameter does not occur in my manpage. Which version of openswan are you using?<br>
ikelifetime=8h<br>
ike=aes256-sha1-modp1536<br>
#IPSec Params<br>
type=tunnel<br>
auth=esp<br>
pfs=yes<br>
compress=no<br>
keylife=60m<br>
esp=aes256-sha1<br>
#pfsgroup=modp1536<br>
# Left security gateway, subnet behind it, nexthop toward right.<br>
left=my_IP<br></div>
leftsubnet=192.168.5.1/32<br>
right=other_comp_IP<div>
<br>
rightsubnet=some_subnet<br>
As far as I can see, this is all correct.<br>
A general remark: in my experience it is often easier to begin with less specific configuration, for example:<br>
ike=aes<br>
instead of<br>
ike=aes256-sha1-modp1536<br>
The second phase does not seem to be established. What is wrong? I believe<br>
something with pfsgroup? How to properly set DH group?<br>
Best regards,<br>
Roel<br>
<br>
<br>
</div></blockquote>
</blockquote></div><br></div>
</div>