<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19394">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff size=2 face=Verdana>
<DIV><FONT color=#0000ff size=2 face=Verdana>Dear Sirs,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Could someone help me this
question,Please.</FONT><FONT color=#0000ff size=2
face=Verdana>Thank's.</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Best Regards,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Ozai</FONT></DIV></FONT></DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #0000ff 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV style="FONT: 10pt 新細明體">----- Original Message ----- </DIV>
<DIV
style="FONT: 10pt 新細明體; BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
<A title=ozai.tien@gmail.com href="mailto:ozai.tien@gmail.com">Ozai</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>To:</B> <A title=users@lists.openswan.org
href="mailto:users@lists.openswan.org">users@lists.openswan.org</A> </DIV>
<DIV style="FONT: 10pt 新細明體"><B>Sent:</B> Thursday, January 17, 2013 10:55
AM</DIV>
<DIV style="FONT: 10pt 新細明體"><B>Subject:</B> [Openswan Users] phase2 failed on
0.0.0.0/0 case</DIV>
<DIV><BR></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Dear Sirs,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>My test environment openswan
2.6.38 with embedded linux is as below.</FONT></DIV>
<DIV><FONT color=#0000ff size=2
face=Verdana>192.168.1.x---------test1(openswan
172.17.21.80)-----------test2(openswan
172.17.21.81)--------192.168.2.x</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>I can not make the VPN tunnel
on 0.0.0.0/0 case.The phase 1 already worked and Phase2 seem to be
failed.It seem that test2 had sent 'Quick Mode' request to
test1,but always could not get response from test1.I have no idea in
it.Do I need to change my ipsec.conf?Does openswan support 0.0.0.0/0
case?or ..what.Please help me on this question.Thank's.</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Best Regards,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Ozai</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>syslog on
test2==============================================</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Jan 1 00:45:47 daemon err
ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...<BR>Jan 1
00:45:47 daemon err ipsec_setup: Using NETKEY(XFRM) stack<BR>Jan 1
00:45:49 authpriv err ipsec__plutorun: Starting Pluto
subsystem...<BR>Jan 1 00:45:49 daemon err ipsec_setup: ...Openswan IPsec
started<BR>Jan 1 00:45:49 daemon err ipsec__plutorun: adjusting ipsec.d
to /var/ipsec.d<BR>Jan 1 00:45:49 user warn syslog: adjusting ipsec.d to
/var/ipsec.d<BR>Jan 1 00:45:49 authpriv warn pluto[1993]: WARNING: 1DES
is enabled<BR>Jan 1 00:45:49 authpriv warn pluto[1993]: LEAK_DETECTIVE
support [disabled]<BR>Jan 1 00:45:49 authpriv warn pluto[1993]: OCF
support for IKE [disabled]<BR>Jan 1 00:45:49 authpriv warn pluto[1993]:
NSS support [disabled]<BR>Jan 1 00:45:49 authpriv warn pluto[1993]:
HAVE_STATSD notification support not compiled in<BR>Jan 1 00:45:50
authpriv warn pluto[1993]: Setting NAT-Traversal port-4500 floating to
off<BR>Jan 1 00:45:50 authpriv warn pluto[1993]: port
floating activation criteria nat_t=0/port_float=1<BR>Jan 1 00:45:50
authpriv warn pluto[1993]: NAT-Traversal support
[disabled]<BR>Jan 1 00:45:50 authpriv warn pluto[1993]: using
/dev/urandom as source of random entropy<BR>Jan 1 00:45:50 authpriv warn
pluto[1993]: starting up 1 cryptographic helpers<BR>Jan 1 00:45:50
authpriv warn pluto[2011]: using /dev/urandom as source of random
entropy<BR>Jan 1 00:45:50 authpriv warn pluto[1993]: started helper
pid=2011 (fd:6)<BR>Jan 1 00:45:52 authpriv warn pluto[1993]: Could not
change to directory '/var/ipsec.d/cacerts': No such file or
directory<BR>Jan 1 00:45:52 authpriv warn pluto[1993]: Could not change
to directory '/var/ipsec.d/aacerts': No such file or directory<BR>Jan 1
00:45:52 authpriv warn pluto[1993]: Could not change to directory
'/var/ipsec.d/ocspcerts': No such file or directory<BR>Jan 1 00:45:52
authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/crls':
2 No such file or directory<BR>Jan 1 00:45:52 authpriv warn pluto[1993]:
added connection description "test"<BR>Jan 1 00:45:52 daemon err
ipsec__plutorun: 002 added connection description "test"<BR>Jan 1
00:45:52 authpriv warn pluto[1993]: added connection description
"passthr"<BR>Jan 1 00:45:52 daemon err ipsec__plutorun: 002 added
connection description "passthr"<BR>Jan 1 00:45:52 authpriv warn
pluto[1993]: listening for IKE messages<BR>Jan 1 00:45:52 authpriv warn
pluto[1993]: adding interface eth0.1/eth0.1 172.17.21.81:500<BR>Jan 1
00:45:52 authpriv warn pluto[1993]: adding interface br0/br0
192.168.2.254:500<BR>Jan 1 00:45:52 authpriv warn pluto[1993]: adding
interface lo/lo 127.0.0.1:500<BR>Jan 1 00:45:52 authpriv warn
pluto[1993]: adding interface lo/lo ::1:500<BR>Jan 1 00:45:52 authpriv
warn pluto[1993]: loading secrets from "/var/ipsec.secrets"<BR>Jan 1
00:45:53 authpriv warn pluto[1993]: "test": deleting connection<BR>Jan 1
00:45:53 authpriv warn pluto[1993]: added connection description
"test"<BR>Jan 1 00:45:55 authpriv warn pluto[1993]: "test" #1:
initiating Main Mode<BR>Jan 1 00:45:55 authpriv warn pluto[1993]: "test"
#1: received Vendor ID payload [Dead Peer Detection]<BR>Jan 1 00:45:55
authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I1 to
state STATE_MAIN_I2<BR>Jan 1 00:45:55 authpriv warn pluto[1993]: "test"
#1: STATE_MAIN_I2: sent MI2, expecting MR2<BR>Jan 1 00:45:56 authpriv
warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<BR>Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1:
STATE_MAIN_I3: sent MI3, expecting MR3<BR>Jan 1 00:45:56 authpriv warn
pluto[1993]: "test" #1: Main mode peer ID is ID_IPV4_ADDR:
'172.17.21.80'<BR>Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1:
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR>Jan 1
00:45:56 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}<BR>Jan 1 00:45:56 authpriv warn
pluto[1993]: "test" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:509d2931
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1
00:45:56 authpriv warn pluto[1993]: "test" #1: ignoring informational payload,
type IPSEC_INITIAL_CONTACT msgid=00000000<BR>Jan 1 00:45:56 authpriv
warn pluto[1993]: "test" #1: received and ignored informational
message<BR>Jan 1 00:47:06 authpriv warn pluto[1993]: "test" #2: max
number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
response to our first Quick Mode message: perhaps peer likes no
proposal<BR>Jan 1 00:47:06 authpriv warn pluto[1993]: "test" #2:
starting keying attempt 2 of an unlimited number, but releasing
whack<BR>Jan 1 00:47:06 authpriv warn pluto[1993]: "test" #3: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #2
{using isakmp#1 msgid:98d416b7 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:48:16 authpriv warn
pluto[1993]: "test" #3: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:48:16 authpriv warn
pluto[1993]: "test" #3: starting keying attempt 3 of an unlimited
number<BR>Jan 1 00:48:16 authpriv warn pluto[1993]: "test" #4:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #3 {using isakmp#1 msgid:88f89afc proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:49:26 authpriv warn
pluto[1993]: "test" #4: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:49:26 authpriv warn
pluto[1993]: "test" #4: starting keying attempt 4 of an unlimited
number<BR>Jan 1 00:49:26 authpriv warn pluto[1993]: "test" #5:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #4 {using isakmp#1 msgid:f62f9485 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:50:36 authpriv warn
pluto[1993]: "test" #5: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:50:36 authpriv warn
pluto[1993]: "test" #5: starting keying attempt 5 of an unlimited
number<BR>Jan 1 00:50:36 authpriv warn pluto[1993]: "test" #6:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #5 {using isakmp#1 msgid:94452273 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:51:46 authpriv warn
pluto[1993]: "test" #6: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:51:46 authpriv warn
pluto[1993]: "test" #6: starting keying attempt 6 of an unlimited
number<BR>Jan 1 00:51:46 authpriv warn pluto[1993]: "test" #7:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #6 {using isakmp#1 msgid:aa7aeb59 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:52:56 authpriv warn
pluto[1993]: "test" #7: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:52:56 authpriv warn
pluto[1993]: "test" #7: starting keying attempt 7 of an unlimited
number<BR>Jan 1 00:52:56 authpriv warn pluto[1993]: "test" #8:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #7 {using isakmp#1 msgid:db655c5c proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:54:06 authpriv warn
pluto[1993]: "test" #8: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:54:06 authpriv warn
pluto[1993]: "test" #8: starting keying attempt 8 of an unlimited
number<BR>Jan 1 00:54:06 authpriv warn pluto[1993]: "test" #9:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #8 {using isakmp#1 msgid:99a28411 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:55:16 authpriv warn
pluto[1993]: "test" #9: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:55:16 authpriv warn
pluto[1993]: "test" #9: starting keying attempt 9 of an unlimited
number<BR>Jan 1 00:55:16 authpriv warn pluto[1993]: "test" #10:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #9 {using isakmp#1 msgid:cb114d82 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:56:26 authpriv warn
pluto[1993]: "test" #10: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:56:26 authpriv warn
pluto[1993]: "test" #10: starting keying attempt 10 of an unlimited
number<BR>Jan 1 00:56:26 authpriv warn pluto[1993]: "test" #11:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #10 {using isakmp#1 msgid:19f75bce proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:57:36 authpriv warn
pluto[1993]: "test" #11: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:57:36 authpriv warn
pluto[1993]: "test" #11: starting keying attempt 11 of an unlimited
number<BR>Jan 1 00:57:36 authpriv warn pluto[1993]: "test" #12:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #11 {using isakmp#1 msgid:6842cdda proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:58:46 authpriv warn
pluto[1993]: "test" #12: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:58:46 authpriv warn
pluto[1993]: "test" #12: starting keying attempt 12 of an unlimited
number<BR>Jan 1 00:58:46 authpriv warn pluto[1993]: "test" #13:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #12 {using isakmp#1 msgid:e93ea2dd proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1 00:59:56 authpriv warn
pluto[1993]: "test" #13: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal<BR>Jan 1 00:59:56 authpriv warn
pluto[1993]: "test" #13: starting keying attempt 13 of an unlimited
number<BR>Jan 1 00:59:56 authpriv warn pluto[1993]: "test" #14:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to
replace #13 {using isakmp#1 msgid:481c615c proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}</FONT></DIV>
<DIV><FONT color=#0000ff size=2
face=Verdana>==================================</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>#<BR># ipsec auto --status<BR>000
using kernel interface: netkey<BR>000 interface lo/lo ::1<BR>000 interface
lo/lo 127.0.0.1<BR>000 interface br0/br0 192.168.2.254<BR>000 interface
eth0.1/eth0.1 172.17.21.81<BR>000 %myid = (none)<BR>000 debug
none<BR>000<BR>000 virtual_private (%priv):<BR>000 - allowed 0 subnets:<BR>000
- disallowed 0 subnets:<BR>000 WARNING: Either virtual_private= is not
specified, or there is a
syntax<BR>000 error in
that line. 'left/rightsubnet=vhost:%priv' will not work!<BR>000 WARNING:
Disallowed subnets in virtual_private= is empty. If you
have<BR>000 private
address space in internal use, it should be excluded!<BR>000<BR>000 algorithm
ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizema<BR>x=64<BR>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
keysizemin=192, keysize<BR>max=192<BR>000 algorithm ESP encrypt: id=11,
name=ESP_NULL, ivlen=0, keysizemin=0, keysizem<BR>ax=0<BR>000 algorithm ESP
encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysize<BR>max=256<BR>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A,
ivlen=8, keysizemin=128, k<BR>eysizemax=256<BR>000 algorithm ESP encrypt:
id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, k<BR>eysizemax=256<BR>000
algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128,
k<BR>eysizemax=256<BR>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A,
ivlen=8, keysizemin=128, k<BR>eysizemax=256<BR>000 algorithm ESP encrypt:
id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, k<BR>eysizemax=256<BR>000
algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128,
k<BR>eysizemax=256<BR>000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,<BR> keysizemax=128<BR>000
algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160<BR>, keysizemax=160<BR>000 algorithm ESP auth attr: id=251,
name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0<BR>, keysizemax=0<BR>000<BR>000
algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131<BR>000
algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
keydeflen=64<BR>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
blocksize=8, keydeflen=19<BR>2<BR>000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=12<BR>8<BR>000 algorithm IKE
hash: id=1, name=OAKLEY_MD5, hashsize=16<BR>000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20<BR>000 algorithm IKE hash: id=4,
name=OAKLEY_SHA2_256, hashsize=32<BR>000 algorithm IKE hash: id=6,
name=OAKLEY_SHA2_512, hashsize=64<BR>000 algorithm IKE dh group: id=1,
name=OAKLEY_GROUP_MODP768, bits=768<BR>000 algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024<BR>000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536<BR>000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048<BR>000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072<BR>000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096<BR>000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144<BR>000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192<BR>000 algorithm IKE dh group: id=22,
name=OAKLEY_GROUP_DH22, bits=1024<BR>000 algorithm IKE dh group: id=23,
name=OAKLEY_GROUP_DH23, bits=2048<BR>000 algorithm IKE dh group: id=24,
name=OAKLEY_GROUP_DH24, bits=2048<BR>000<BR>000 stats db_ops: {curr_cnt,
total_cnt, maxsz} :context={0,19,36} trans={0,19,36<BR>0}
attrs={0,19,480}<BR>000<BR>000 "passthr":
192.168.2.0/24===172.17.21.81<172.17.21.81>...%any===192.168.2.0/<BR>24;
prospective erouted; eroute owner: #0<BR>000
"passthr": myip=unset; hisip=unset;<BR>000
"passthr": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_<BR>fuzz: 100%; keyingtries: 0<BR>000 "passthr":
policy: PFS+IKEv2ALLOW+SAREFTRACK+PASS+NEVER_NEGOTIATE+lKOD+rKO<BR>D; prio:
24,24; interface: eth0.1;<BR>000 "passthr": newest ISAKMP SA: #0;
newest IPsec SA: #0;<BR>000 "test":
192.168.2.0/24===172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21<BR>.80>===0.0.0.0/0;
unrouted; eroute owner: #0<BR>000 "test": myip=unset;
hisip=unset;<BR>000 "test": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuz<BR>z: 100%; keyingtries: 0<BR>000
"test": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;<BR> prio:
24,0; interface: eth0.1;<BR>000 "test": newest ISAKMP SA: #1;
newest IPsec SA: #0;<BR>000 "test": IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); fla<BR>gs=strict<BR>000
"test": IKE algorithms found:
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)<BR>000 "test": IKE
algorithm newest: 3DES_CBC_192-MD5-MODP1024<BR>000 "test": ESP
algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2<BR>);
flags=strict<BR>000 "test": ESP algorithms loaded:
3DES(3)_192-MD5(1)_128<BR>000<BR>000 #19: "test":500 STATE_QUICK_I1 (sent QI1,
expecting QR1); EVENT_RETRANSMIT i<BR>n 2s; lastdpd=-1s(seq in:0 out:0); idle;
import:admin initiate<BR>000 #1: "test":500 STATE_MAIN_I4 (ISAKMP SA
established); EVENT_SA_REPLACE in 12<BR>81s; newest ISAKMP; lastdpd=-1s(seq
in:0 out:0); idle; import:admin initiate<BR></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Configuration for
test2=========================================</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana># cat ipsec.conf<BR>config
setup<BR>
nat_traversal=no<BR>
oe=off<BR>
protostack=netkey<BR>
interfaces=%defaultroute</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>conn
test<BR>
left=172.17.21.81<BR>
leftsubnet=192.168.2.0/24<BR>
rightsubnet=0.0.0.0/0<BR>
connaddrfamily=ipv4<BR>
right=172.17.21.80<BR>
keyexchange=ike<BR>
ike=3des-md5;modp1024!<BR>
salifetime=480m<BR>
phase2=esp<BR>
phase2alg=3des-hmac_md5!;modp1024<BR>
pfs=yes<BR>
ikelifetime=60m<BR>
type=tunnel<BR>
authby=secret<BR>
auto=add</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>conn
passthr<BR>
left=172.17.21.81<BR>
right=0.0.0.0<BR>
leftsubnet=192.168.2.0/24<BR>
rightsubnet=192.168.2.0/24<BR>
type=passthrough<BR>
authby=never<BR>
auto=route<BR>#<BR># cat ipsec.secrets<BR>172.17.21.81 172.17.21.80 : PSK
"123"<BR>#</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Configuration for
test1=========================================</FONT></DIV></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>
<DIV><FONT color=#0000ff size=2 face=Verdana># cat ipsec.conf<BR>config
setup<BR>
nat_traversal=no<BR>
oe=off<BR>
protostack=netkey<BR>
interfaces=%defaultroute</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>conn
test<BR>
left=172.17.21.80<BR>
leftsubnet=192.168.1.0/24<BR>
rightsubnet=192.168.2.0/24<BR>
connaddrfamily=ipv4<BR>
right=172.17.21.81<BR>
keyexchange=ike<BR>
ike=3des-md5;modp1024!<BR>
salifetime=480m<BR>
phase2=esp<BR>
phase2alg=3des-hmac_md5!;modp1024<BR>
pfs=yes<BR>
ikelifetime=60m<BR>
type=tunnel<BR>
authby=secret<BR>
auto=add</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana># cat
ipsec.secrets<BR>172.17.21.80 172.17.21.81 : PSK
"123"<BR>#</FONT></DIV></FONT></DIV></BLOCKQUOTE></BODY></HTML>