<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Saved from the spam bucket; please remember to register with the list before posting to it.<br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="color: rgb(127, 127, 127); "><b>From: </b></span>"Renzo Dani" &lt;<a href="mailto:renzo.dani@logobject.ch">renzo.dani@logobject.ch</a>&gt;</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>Problem with vpn connection and leftsubnet</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">28 September, 2012 2:59:39 PM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br>
<meta http-equiv="Content-Type" content="text/html;charset=us-ascii">
<style>BODY{font:10pt Tahoma, Verdana, sans-serif}</style><div>
<font size="2">
Hi,</font>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">We recently replaced our firewall with a Linux box and we are using Openswan for our VPNs.</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">We are really happy; everything works fine except for one of our VPNs.</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">The tunnel is established, but when I try to connect to a machine on the other side of the tunnel I don't receive any packet back.</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">The VPN is working on the old firewall (I've tried placing it back briefly just to test that the VPN is still working).</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Our local network is 10.11.1.0/24.</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">We need to map our network to a single address, 74.54.90.100; we are doing SNAT in iptables:</div>
<div>[0:0] -A POSTROUTING -d 41.156.64.0/24 -j SNAT --to-source 74.54.90.100</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Here is our ipsec.conf:</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><div>conn nonWorkingConnection</div><div> authby=secret</div><div> disablearrivalcheck=no</div><div> # Local</div><div> left=xxx.xxx.xxx.xxx</div><div> leftid=xxx.xxx.xxx.xxx</div><div> # virtual host (SNAT iptables)</div><div> leftsubnet=74.54.90.100/32</div><div> # Remote (Distant)</div><div> right=aaa.aaa.aaa.aaa</div><div> rightid=196.7.66.129</div><div> rightsubnet=41.156.64.0/24</div><div> # PHASE 1</div><div> # negotiation mode</div><div> aggrmode=no</div><div> ike=3des-sha1;modp1024</div><div> # PHASE 2</div><div> type=tunnel</div><div> phase2=esp</div><div> phase2alg=3des-sha1</div><div> salifetime=1h</div><div> pfs=no</div><div> auto=start</div></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Some notes: the only differences we have from other working connections are:</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "> - right and rightid values are not the same</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "> - our peer accepts requests only from IP 74.54.90.100 (that's why we use it in leftsubnet and SNAT)</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Here is an extract of ipsec auto --status:</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">000 "nonWorkingConnection": 74.54.90.100/32===xxx.xxx.xxx.xxx&lt;xxx.xxx.xxx.xxx&gt;...aaa.aaa.aaa.aaa&lt;aaa.aaa.aaa.aaa&gt;[196.7.66.129]===41.156.64.0/24; erouted; eroute owner: #434</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><div>000 "nonWorkingConnection": myip=74.54.90.100; hisip=unset;</div><div>000 "nonWorkingConnection": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 </div><div>000 "nonWorkingConnection": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: wan; </div><div>000 "nonWorkingConnection": newest ISAKMP SA: #424; newest IPsec SA: #434; </div><div>000 "nonWorkingConnection": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict</div><div>000 "nonWorkingConnection": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div><div>000 "nonWorkingConnection": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024</div><div>000 "nonWorkingConnection": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict</div><div>000 "nonWorkingConnection": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160</div><div>000 "nonWorkingConnection": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=&lt;N/A&gt;</div></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">...</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><div>000 #434: "nonWorkingConnection":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1430s; newest IPSEC; eroute owner; isakmp#424; idle; import:admin initiate</div><div>000 #434: "nonWorkingConnection" esp.e84b4ee@aaa.aaa.aaa.aaa esp.bba1f074@aaa.aaa.aaa.aaa tun.0@aaa.aaa.aaa.aaa tun.0@aaa.aaa.aaa.aaa ref=0 refhim=4294901761</div><div>000 #424: "nonWorkingConnection":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1037s; newest ISAKMP; nodpd; idle; import:admin initiate</div></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">The tunnel looks good, and when I try to connect to the remote host I can see the ESP packets leave my box but no answer coming back:</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><div>tcpdump -i wan -n host aaa.aaa.aaa.aaa</div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on wan, link-type EN10MB (Ethernet), capture size 65535 bytes</div><div>20:47:28.704575 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x1), length 92</div><div>20:47:29.702905 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x2), length 92</div><div>20:47:31.706959 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x3), length 92</div><div>20:47:35.718936 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x4), length 92</div></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">....</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">What can the problem be? How must the virtual host be configured correctly? Is SNAT the correct solution?</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Can anyone help?</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Thanks a lot.</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">Renzo</div>
<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br></div>
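<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">The status and tcpdump extracts in the message above can be cross-checked mechanically rather than by eye. The Python script below is an added example, not code from the original post or from Openswan: it maps the SPIs that ipsec auto --status prints for each IPsec SA (esp.&lt;outbound-spi&gt;@&lt;peer&gt; esp.&lt;inbound-spi&gt;@&lt;local&gt;) onto the SPIs tcpdump sees on the outside interface, and reports per connection whether ESP is flowing one way or both ways, whether any packets ride an SA that no longer owns the eroute, and any ESP on an SPI the status does not list at all. The sample status and tcpdump text embedded in it is constructed from the masked lines of the post, with the inbound esp. entry shown against the local address (xxx.xxx.xxx.xxx) as Openswan prints it; the xxx/aaa placeholders are treated as opaque strings.</div>

```python
"""Tell which direction of an Openswan tunnel is actually carrying ESP.

Added example for the post above, not Openswan's own code.  It correlates
the SPIs that `ipsec auto --status` lists per IPsec SA with the SPIs seen
by `tcpdump -i wan -n host <peer>`, so a one-way tunnel (ESP leaving,
nothing returning) and packets on stale or unknown SPIs become a verdict.
"""
import re
from collections import Counter

# Openswan prints one line per IPsec SA: esp.<outbound-spi>@<peer> esp.<inbound-spi>@<me> ...
SA_LINE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<body>esp\..*)$')
ESP_ENTRY = re.compile(r'esp\.(?P<spi>[0-9a-f]+)@(?P<addr>\S+)')
# Connection summary line, naming the SA that owns the eroute (the installed kernel policy).
EROUTE_LINE = re.compile(r'^000 "(?P<conn>[^"]+)": .*eroute owner: #(?P<num>\d+)')
# tcpdump -n line for an ESP packet; the SPI is what ties it back to an SA.
PKT_LINE = re.compile(
    r'^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x[0-9a-f]+\)')


def parse_status(text):
    """Return ({spi: (conn, sa_num, direction)}, {conn: eroute_owner_sa})."""
    spis, owners = {}, {}
    for line in text.splitlines():
        m = EROUTE_LINE.match(line)
        if m:
            owners[m.group('conn')] = int(m.group('num'))
            continue
        m = SA_LINE.match(line)
        if not m:
            continue
        entries = ESP_ENTRY.findall(m.group('body'))
        if len(entries) < 2:
            continue
        out_spi, in_spi = entries[0][0], entries[1][0]  # first is ours->peer, second is peer->us
        spis[int(out_spi, 16)] = (m.group('conn'), int(m.group('num')), 'outbound')
        spis[int(in_spi, 16)] = (m.group('conn'), int(m.group('num')), 'inbound')
    return spis, owners


def classify_packets(tcpdump_text, spis):
    """Count ESP packets per (conn, direction, sa_num); unknown SPIs are listed separately."""
    counts, unknown = Counter(), []
    for line in tcpdump_text.splitlines():
        m = PKT_LINE.match(line)
        if not m:
            continue  # tcpdump banner lines, non-ESP traffic, etc.
        spi = int(m.group('spi'), 16)
        if spi in spis:
            conn, sa_num, direction = spis[spi]
            counts[(conn, direction, sa_num)] += 1
        else:
            unknown.append((m.group('src'), m.group('dst'), spi))
    return counts, unknown


def diagnose(status_text, tcpdump_text):
    """Return ({conn: verdict}, [(src, dst, spi) for ESP on SPIs the status does not list])."""
    spis, owners = parse_status(status_text)
    counts, unknown = classify_packets(tcpdump_text, spis)
    verdicts = {}
    for conn, owner in owners.items():
        out = sum(n for (c, d, _), n in counts.items() if c == conn and d == 'outbound')
        inb = sum(n for (c, d, _), n in counts.items() if c == conn and d == 'inbound')
        stale = sum(n for (c, _, s), n in counts.items() if c == conn and s != owner)
        if out and not inb:
            verdict = 'one-way: %d ESP packets sent, none received' % out
        elif inb and not out:
            verdict = 'one-way: %d ESP packets received, none sent' % inb
        elif out and inb:
            verdict = 'two-way: %d sent, %d received' % (out, inb)
        else:
            verdict = 'idle: no ESP seen for this connection'
        if stale:
            verdict += '; %d packet(s) on an SA other than the eroute owner' % stale
        verdicts[conn] = verdict
    return verdicts, unknown


# Constructed sample input: the masked lines from the post.  The inbound esp.
# entry is shown against the local address (xxx...) as Openswan prints it.
SAMPLE_STATUS = """\
000 "nonWorkingConnection": 74.54.90.100/32===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>...aaa.aaa.aaa.aaa<aaa.aaa.aaa.aaa>[196.7.66.129]===41.156.64.0/24; erouted; eroute owner: #434
000 #434: "nonWorkingConnection":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1430s; newest IPSEC; eroute owner; isakmp#424; idle; import:admin initiate
000 #434: "nonWorkingConnection" esp.e84b4ee@aaa.aaa.aaa.aaa esp.bba1f074@xxx.xxx.xxx.xxx tun.0@aaa.aaa.aaa.aaa tun.0@xxx.xxx.xxx.xxx ref=0 refhim=4294901761
"""
SAMPLE_TCPDUMP = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan, link-type EN10MB (Ethernet), capture size 65535 bytes
20:47:28.704575 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x1), length 92
20:47:29.702905 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x2), length 92
20:47:31.706959 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x3), length 92
20:47:35.718936 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x4), length 92
"""

if __name__ == '__main__':
    verdicts, unknown = diagnose(SAMPLE_STATUS, SAMPLE_TCPDUMP)
    for conn, verdict in verdicts.items():
        print('%s: %s' % (conn, verdict))
    for src, dst, spi in unknown:
        print('ESP %s > %s spi=0x%08x matches no SA in the status output' % (src, dst, spi))
```

<div style="font-family: Tahoma, Verdana, sans-serif; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; ">On a live box, save the output of ipsec auto --status and a tcpdump of host &lt;peer&gt; on the outside interface and pass both strings to diagnose(). The outbound SPI 0x0e84b4ee in the post's capture is exactly the esp.e84b4ee entry of SA #434, so the script confirms the packets are leaving on the current SA and that the fault is the absence of any return ESP. A one-way verdict only localizes the failure (the peer is not returning ESP to this interface, or it is returning it on an SPI this box never negotiated, which would show up in the unknown list); it does not say why, and a capture on the remote side of the tunnel is the next step.</div>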
</div><br><br></blockquote></div><br></body></html>