<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><base href="x-msg://39/"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=CS link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hello Daniel,<o:p></o:p></span></a></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Yes, I have net.ipv4.ip_forward=1 on nearly all my Linux systems. Also, I’m trying everything with empty iptables and an ACCEPT policy:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>[virtmaster] root@ingwe:~# sysctl -a 2>/dev/null | grep ip_forward<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>net.ipv4.ip_forward = 1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>[virtmaster] root@ingwe:~# iptables -L<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Chain INPUT (policy ACCEPT)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>target prot opt source destination<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Chain FORWARD (policy ACCEPT)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>target prot opt source destination<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Chain OUTPUT (policy ACCEPT)<o:p></o:p></span></p><p class=MsoNormal><span 
style='font-size:11.0pt;font-family:Consolas'>target prot opt source destination<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Do you mean „ipsec verify“? If so, here it is:<br><br></span><span style='font-size:11.0pt;font-family:Consolas'>[virtmaster] root@ingwe:~# ipsec verify<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking your system to see if IPsec got installed and started correctly:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Version check and ipsec on-path [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Linux Openswan 2.6.38 (klips)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking for IPsec support in kernel [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'> KLIPS: checking for NAT Traversal support [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'> KLIPS: checking for OCF crypto offload support [N/A]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'> Kernel: IPsec SAref kernel support [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'> Kernel: IPsec SAref Bind kernel support [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking that pluto is running [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'> Pluto listening for IKE on udp 500 [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'> Pluto listening for NAT-T on udp 4500 
[OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Two or more interfaces found, checking IP forwarding [FAILED]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking NAT and MASQUERADEing<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking for 'ip' command [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking /bin/sh is not /bin/dash [WARNING]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Checking for 'iptables' command [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:Consolas'>Opportunistic Encryption Support [DISABLED]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you mean something else, how can I try it? 
„ipsec auto verify“ shows me the usage (help) screen.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Should I send the output of „ipsec barf“?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div><div class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><hr size=2 width=302 style='width:226.5pt;color:red' noshade align=left></span></div></div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;background:white'>Eduard Veleba<o:p></o:p></span></b></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Have you enabled ip.forwarding in /etc/sysctl.conf?<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Also, have you done ipsec auto verify?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>d.<o:p></o:p></p><div><div><p class=MsoNormal>On 18 Jan 2013, at 10:46, Eduard Veleba wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Hello,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I need to set up a host-to-host IPsec-encrypted (ESP) connection without any VPN (just „plain“ transport mode). 
There’s our server with a public IP address on the left side and many clients (running different OSes) with different IP addresses (some of them on public addresses, some of them behind NAT, some of them even behind the very same NAT).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>As I need to handle multiple clients behind the same NAT, I assume I need to use the MAST stack and an SAref-patched kernel. I now have both working (the kernel is patched and I can modprobe ipsec without problems), and the command „ipsec verify“ shows „OK“ for SAref support as well.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I don’t want to use L2TP or any other tunneling; I just need to secure the connection to that single IP address (the server address) with ESP.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>My ipsec.conf looks like this (our IP address replaced with 1.2.3.4):<o:p></o:p></span></p></div><pre style='background:white'><span style='color:black'>version 2.0

config setup
    nat_traversal=yes
    protostack=mast
    virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0

conn host-to-host
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    sareftrack=yes
    overlapip=yes
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=1.2.3.4
    right=%any</span></pre><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>And when I start Openswan, the clients are able to associate (I see multiple SAs), but ping doesn’t work. 
The mast interface looks like this:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><pre style='background:white'><span style='color:black'>mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
 UP RUNNING NOARP MTU:16260 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:10
 RX bytes:26840 (26.2 KiB) TX bytes:0 (0.0 B)</span></pre><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The strange thing is that I can see the ping requests on mast0 with tcpdump, and also that if I change the stack from MAST to KLIPS or NETKEY, everything works well (except that only one client behind each NAT can connect; I assume SAref is supported only in the MAST stack).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>What may I be doing wrong? Are my assumptions about the need to use the MAST stack correct, or can I get SAref support with the KLIPS stack somehow?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Thanks!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><div><div class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><hr size=2 width=302 style='width:226.5pt;color:#A0A0A0' noshade align=left></span></div></div></div><div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";background:white'>Eduard Veleba</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";background:white'> </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><p class=MsoNormal><span 
style='font-size:13.5pt;font-family:"Helvetica","sans-serif"'>_______________________________________________<br><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments:<span class=apple-converted-space> </span><a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Regards<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Dan.<o:p></o:p></span></p></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>