<html><head><base href="x-msg://39/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Have you enabled ip.forwarding in /etc/sysctl.conf ? <div><br></div><div>also, have you done ipsec auto verify ?</div><div><br></div><div>d.<br><div><div>On 18 Jan 2013, at 10:46, Eduard Veleba wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div lang="CS" link="blue" vlink="purple"><div class="WordSection1" style="page: WordSection1; "><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Hello,<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">I need to set up host-to-host IPsec encrypted (ESP) connection without any VPN (just „plain“ transport mode). There’s our server with public IP address on the left side and many clients (with different OS) with different IP addresses (some of them on public addresses, some of them behind NAT, some of them even behind the very same NAT).<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">As I need to handle multiple clients behind the same NAT, I assume I need to use MAST stack and SAref patched kernel. I have now both functional (kernel is patched and I can modprobe ipsec without problems) and command „ipsec verify“ shows „OK“ for SAref support as well.<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">I don’t want to use L2TP or any other tunneling, I just need to secure connection to that single IP address (server address) with ESP.<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">My ipsec.conf looks like this (our IP address replaced with 1.2.3.4):<br><br><o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; ">version 2.0<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; ">config setup<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> nat_traversal=yes<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> protostack=mast<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; ">conn host-to-host<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> authby=secret<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> pfs=no<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> auto=add<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> keyingtries=3<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> rekey=no<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> sareftrack=yes<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> overlapip=yes<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> dpddelay=10<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> dpdtimeout=90<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> dpdaction=clear<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> ikelifetime=8h<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> keylife=1h<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> type=transport<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> left=1.2.3.4<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "> right=%any<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; "><span style="font-size: 10pt; font-family: 'Courier New'; color: black; "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">And when I start Openswan, clients are able to associate (I see multiple SAs), but ping doesn’t work. Mast interface looks like this:<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><pre style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 10pt; font-family: 'Courier New'; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><span style="color: black; ">mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00<o:p></o:p></span></pre><pre style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 10pt; font-family: 'Courier New'; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><span style="color: black; "> UP RUNNING NOARP MTU:16260 Metric:1<o:p></o:p></span></pre><pre style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 10pt; font-family: 'Courier New'; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><span style="color: black; "> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<o:p></o:p></span></pre><pre style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 10pt; font-family: 'Courier New'; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><span style="color: black; "> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<o:p></o:p></span></pre><pre style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 10pt; font-family: 'Courier New'; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><span style="color: black; "> collisions:0 txqueuelen:10<o:p></o:p></span></pre><pre style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 10pt; font-family: 'Courier New'; background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><span style="color: black; "> RX bytes:26840 (26.2 KiB) TX bytes:0 (0.0 B)<o:p></o:p></span></pre><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">The strange thing is I can see ping requests on mast0 with tcpdump and also if I change stack from MAST to KLIPS or NETKEY, everything works well (except only one client behind each NAT can connect, I assume that SAref is supported only in MAST stack).<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">What may I be doing wrong? Are my assumptions about the need of using MAST stack correct or can I get SAref support with KLIPS stack somehow?<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Thanks!<o:p></o:p></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div><div class="MsoNormal" style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "><hr size="2" width="302" noshade="" align="left" style="width: 226.5pt; "></span></div></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; ">Eduard Veleba<o:p></o:p></span></b></div><div style="margin-top: 0cm; margin-right: 0cm; margin-left: 0cm; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: white; background-position: initial initial; background-repeat: initial initial; "><o:p> </o:p></span></b></div></div>_______________________________________________<br><a href="mailto:Users@lists.openswan.org" style="color: blue; text-decoration: underline; ">Users@lists.openswan.org</a><br><a href="https://lists.openswan.org/mailman/listinfo/users" style="color: blue; text-decoration: underline; ">https://lists.openswan.org/mailman/listinfo/users</a><br>Micropayments:<span class="Apple-converted-space"> </span><a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" style="color: blue; text-decoration: underline; ">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" style="color: blue; text-decoration: underline; ">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br></div></span></blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Regards</div><div><br></div><div>Dan.</div></div></span></span></span>
</div>
<br></div></body></html>