<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    leftsourceip should be set to the LAN IP of the machine that is
    running Openswan - your gateway.<br>
    Does 10.128.0.2 exist?<br>
    I wonder if you have a firewalling problem but I'm not good with
    these.<br>
    <br>
    I don't understand the question of bridging IPsec or OpenVPN
    networks. It uses IPsec to bridge two networks. Similarly you can
    use OpenVPN to bridge two networks.<br>
    <br>
    Nick<br>
    <br>
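    The two things this reply points at (leftsourceip being the gateway's own LAN address, and whether the gateway is forwarding at all) are both visible in the diagnostics quoted further down: <code>ipsec verify</code> reports IP forwarding as [FAILED], and <code>ipsec auto --status</code> prints <code>myip=unset</code> for the conn while no leftsourceip is configured. The Python below is an added example, not part of this reply or of the Openswan project: it parses constructed excerpts of those two outputs and reports the findings a practitioner would check first. The local address set is taken from the posted ifconfig output; the conn name, addresses and the regular expressions are assumptions about the output format.<br>

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, trimmed from the `ipsec verify` output quoted in the thread.
VERIFY_OUTPUT = """\
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                          [OK]
Checking for IPsec support in kernel                     [OK]
Checking that pluto is running                           [OK]
 Pluto listening for IKE on udp 500                      [OK]
 Pluto listening for NAT-T on udp 4500                   [OK]
Two or more interfaces found, checking IP forwarding     [FAILED]
Checking NAT and MASQUERADEing                           [OK]
Checking /bin/sh is not /bin/dash                        [WARNING]
"""

# Constructed sample of the conn lines from `ipsec auto --status`, using the
# conn name and addresses from the thread; myip=unset means no leftsourceip.
STATUS_OUTPUT = """\
000 "telphin": 10.128.142.0/24===100.100.100.100<100.100.100.100>...200.200.200.200<200.200.200.200>===10.128.0.0/24; erouted; eroute owner: #8
000 "telphin":     myip=unset; hisip=unset;
000 "telphin":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
"""

# Addresses configured on the gateway, taken from the ifconfig output in the thread.
LOCAL_ADDRS = {"100.100.100.100", "127.0.0.1", "10.128.142.1"}

# Regexes are assumptions about the Openswan output layout shown in the thread.
VERIFY_RE = re.compile(
    r"^\s*(?P<check>\S.*?)\s+\[(?P<result>OK|FAILED|WARNING|N/A|DISABLED)\]\s*$")
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)":\s+(?P<lsub>[\d.]+/\d+)===(?P<left>[\d.]+)<[^>]*>'
    r'(?:\.\.\.|…)(?P<right>[\d.]+)<[^>]*>===(?P<rsub>[\d.]+/\d+);')
MYIP_RE = re.compile(
    r'^000 "(?P<name>[^"]+)":\s+myip=(?P<myip>[^;]+);\s*hisip=(?P<hisip>[^;]+);')


def parse_verify(text):
    """Map each `ipsec verify` check name to its bracketed result."""
    results = {}
    for line in text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            results[m.group("check")] = m.group("result")
    return results


def parse_status(text):
    """Collect subnets, gateway addresses and myip (leftsourceip) per conn."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.setdefault(m.group("name"), {}).update(
                leftsubnet=m.group("lsub"), left=m.group("left"),
                right=m.group("right"), rightsubnet=m.group("rsub"))
            continue
        m = MYIP_RE.match(line)
        if m:
            conns.setdefault(m.group("name"), {})["myip"] = m.group("myip")
    return conns


def diagnose(verify, conns, local_addrs):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if any(r == "FAILED" and "IP forwarding" in c for c, r in verify.items()):
        findings.append("IP forwarding is off: hosts behind the gateway cannot reach the remote subnet")
    for name, c in conns.items():
        lsub = ip_network(c["leftsubnet"])
        myip = c.get("myip", "unset")
        if myip == "unset":
            # Without leftsourceip the gateway sources its own packets from the
            # address the routing table picks (here its public one), which does
            # not match leftsubnet, so the IPsec policy does not apply to them.
            findings.append(f"{name}: no leftsourceip; packets sent from the gateway itself "
                            f"use {c['left']}, which does not match leftsubnet {lsub}")
            continue
        if ip_address(myip) not in lsub:
            findings.append(f"{name}: leftsourceip {myip} is outside leftsubnet {lsub}")
        if myip not in local_addrs:
            findings.append(f"{name}: leftsourceip {myip} is not an address on this gateway")
    return findings


def run_checks(verify_text=VERIFY_OUTPUT, status_text=STATUS_OUTPUT, local_addrs=LOCAL_ADDRS):
    """Parse both outputs and return the list of findings."""
    return diagnose(parse_verify(verify_text), parse_status(status_text), local_addrs)


if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

    Run against the outputs as posted it reports both the forwarding failure and the missing leftsourceip; with <code>myip=10.128.142.1</code> (the tun0 address, which is inside leftsubnet and local to the gateway) only the forwarding finding remains.<br>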
    <div class="moz-cite-prefix">On 17/04/2013 21:23, Viacheslav Dushin
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAJN5JQqiL4kZ00pWZrj0gsD-mZVYzmOZhkeYaubnJyT4O9JHVg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi, Nick
        <div><br>
        </div>
        <div>&gt;<span
            style="font-family:arial,sans-serif;font-size:13px">Why have
            you got forceencaps (although it appears to be working)?</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">Because
            I'm new to OpenSWAN :) It was asked in the settings I got
            from my provider.</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">But
            it seems to be working with forceencaps=no (my gateway where
            openswan is installed has public ip).</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div>
          <span style="font-family:arial,sans-serif;font-size:13px">&gt;</span><span
            style="font-family:arial,sans-serif;font-size:13px">Is the
            traceroute failing from the gateway?</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">Yes,
            from the gateway</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">&gt;</span><span
            style="font-family:arial,sans-serif;font-size:13px"> Try
            adding a leftsourceip=your_ipsec_</span><span
            style="font-family:arial,sans-serif;font-size:13px">server_LAN_IP.</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">Do
            you mean IP in my OpenVPN network?</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div> leftsourceip=10.128.142.1<span
            style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div><br>
        </div>
        <div style="">now it dies with the timeout:</div>
        <div style=""><br>
        </div>
        <div style="">
          <div>traceroute 10.128.0.2 </div>
          <div>traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60
            byte packets</div>
          <div>
             1  vm12202 (100.100.100.100)  3000.607 ms !H  3000.595 ms
            !H  3000.582 ms !H</div>
        </div>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div style="">100.100.100.100 -- is my gateway public ip address<span
            style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div style="">200.200.200.200 -- is IPSec provider's public ip
          address<br>
        </div>
        <div style=""><br>
        </div>
        <div style="">One dummy question: Is OpenSWAN able to bridge
          IPsec networks only? Can it bridge to OpenVPN networks?</div>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px">Thanks,
            Slava</span></div>
        <div><span style="font-family:arial,sans-serif;font-size:13px"><br>
          </span></div>
        <div class="gmail_extra"><br>
          <br>
          <div class="gmail_quote">2013/4/17 Nick Howitt <span
              dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:n1ck.h0w1tt@gmail.com" target="_blank">n1ck.h0w1tt@gmail.com</a>&gt;</span><br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div text="#000000" bgcolor="#FFFFFF"> Why have you got
                forceencaps (although it appears to be working)?<br>
                <br>
                Is the traceroute failing from the gateway? Try adding a
                leftsourceip=your_ipsec_server_LAN_IP.<br>
                <br>
                Nick
                <div>
                  <div><br>
                    <br>
                    <div>On 17/04/2013 20:42, Viacheslav Dushin wrote:<br>
                    </div>
                  </div>
                </div>
                <blockquote type="cite">
                  <div>
                    <div>
                      <div dir="ltr">
                        <div>Hi guys</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>Basically there are two networks <a
                            moz-do-not-send="true"
                            href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a>
                          (my provider's network) and <a
                            moz-do-not-send="true"
                            href="http://10.128.142.0/24"
                            target="_blank">10.128.142.0/24</a> (my
                          network built on OpenVPN) that I want to
                          bridge via site-to-site VPN. Is it possible?
                          If not, what other solutions may be used?</div>
                        <div><br>
                        </div>
                        <div>Finally I managed (with your help) to set
                          up the site-to-site connection to my VPN
                          provider. Ipsec status shows that the tunnel is
                          up:</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>--- tunnels status start ---</div>
                        <div><br>
                        </div>
                        <div> /etc/init.d/ipsec status</div>
                        <div>IPsec running  - pluto pid: 797</div>
                        <div>pluto pid 797</div>
                        <div>1 tunnels up</div>
                        <div>some eroutes exist</div>
                        <div><br>
                        </div>
                        <div>---tunnels status end---</div>
                        <div> <br>
                        </div>
                        <div><br>
                        </div>
                        <div>But the traceroute 10.128.0.2 command dies
                           after 30 hops:</div>
                        <div><br>
                        </div>
                        <div>traceroute to 10.128.0.2 (10.128.0.2), 30
                          hops max, 60 byte packets</div>
                        <div> 1  * * *</div>
                        <div><br>
                        </div>
                        <div> <br>
                        </div>
                        <div><br>
                        </div>
                        <div>Openswan version: Openswan
                          U2.6.38/K3.1.0-1.2-xen (netkey)</div>
                        <div><br>
                        </div>
                        <div>Thanks, Slava</div>
                        <div><br>
                        </div>
                        <div>Other logs/configs, see below</div>
                        <div><br>
                        </div>
                        <div>------ifconfig  start---------</div>
                        <div><br>
                        </div>
                        <div>eth0      Link encap:Ethernet  HWaddr
                          12:e8:12:8c:1a:c0  </div>
                        <div>          inet addr:100.100.100.100
                           Bcast:100.100.100.255  Mask:255.255.255.0</div>
                        <div>          inet6 addr:
                          fe80::10e8:12ff:fe8c:1ac0/64 Scope:Link</div>
                        <div>          UP BROADCAST RUNNING MULTICAST
                           MTU:1500  Metric:1</div>
                        <div>          RX packets:779249 errors:0
                          dropped:6352 overruns:0 frame:0</div>
                        <div>          TX packets:72439 errors:0
                          dropped:0 overruns:0 carrier:0</div>
                        <div>          collisions:0 txqueuelen:1000 </div>
                        <div>          RX bytes:86789600 (82.7 MiB)  TX
                          bytes:41816455 (39.8 MiB)</div>
                        <div><br>
                        </div>
                        <div>lo        Link encap:Local Loopback  </div>
                        <div>          inet addr:127.0.0.1
                           Mask:255.0.0.0</div>
                        <div>          inet6 addr: ::1/128 Scope:Host</div>
                        <div>          UP LOOPBACK RUNNING  MTU:16436
                           Metric:1</div>
                        <div>          RX packets:0 errors:0 dropped:0
                          overruns:0 frame:0</div>
                        <div>          TX packets:0 errors:0 dropped:0
                          overruns:0 carrier:0</div>
                        <div>          collisions:0 txqueuelen:0 </div>
                        <div>          RX bytes:0 (0.0 B)  TX bytes:0
                          (0.0 B)</div>
                        <div><br>
                        </div>
                        <div>tun0      Link encap:UNSPEC  HWaddr
                          00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
                           </div>
                        <div>           inet addr:10.128.142.1
                           P-t-P:10.128.142.2  Mask:255.255.255.255</div>
                        <div>          UP POINTOPOINT RUNNING NOARP
                          MULTICAST  MTU:1500  Metric:1</div>
                        <div>          RX packets:32031 errors:0
                          dropped:0 overruns:0 frame:0</div>
                        <div>          TX packets:33785 errors:0
                          dropped:0 overruns:0 carrier:0</div>
                        <div>          collisions:0 txqueuelen:100 </div>
                        <div>          RX bytes:8637866 (8.2 MiB)  TX
                          bytes:28671489 (27.3 MiB)</div>
                        <div><br>
                        </div>
                        <div> ------ifconfig  end------</div>
                        <div><br>
                        </div>
                        <div>----status start-----</div>
                        <div><br>
                        </div>
                        <div>ipsec auto --status</div>
                        <div>000 using kernel interface: netkey</div>
                        <div>000 interface lo/lo ::1</div>
                        <div>000 interface lo/lo 127.0.0.1</div>
                        <div>000 interface lo/lo 127.0.0.1</div>
                        <div>000 interface eth0/eth0 100.100.100.100</div>
                        <div>000 interface eth0/eth0 100.100.100.100</div>
                        <div>000 %myid = (none)</div>
                        <div>000 debug none</div>
                        <div>000  </div>
                        <div>000 virtual_private (%priv):</div>
                        <div>000 - allowed 6 subnets: <a
                            moz-do-not-send="true"
                            href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>,
                          <a moz-do-not-send="true"
                            href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>,
                          <a moz-do-not-send="true"
                            href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a>,
                          <a moz-do-not-send="true"
                            href="http://25.0.0.0/8" target="_blank">25.0.0.0/8</a>,
                          fd00::/8, fe80::/10</div>
                        <div>000 - disallowed 0 subnets: </div>
                        <div>000 WARNING: Disallowed subnets in
                          virtual_private= is empty. If you have </div>
                        <div>000          private address space in
                          internal use, it should be excluded!</div>
                        <div>000  </div>
                        <div>000 algorithm ESP encrypt: id=2,
                          name=ESP_DES, ivlen=8, keysizemin=64,
                          keysizemax=64</div>
                        <div>000 algorithm ESP encrypt: id=3,
                          name=ESP_3DES, ivlen=8, keysizemin=192,
                          keysizemax=192</div>
                        <div>000 algorithm ESP encrypt: id=6,
                          name=ESP_CAST, ivlen=8, keysizemin=40,
                          keysizemax=128</div>
                        <div>000 algorithm ESP encrypt: id=7,
                          name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
                          keysizemax=448</div>
                        <div>000 algorithm ESP encrypt: id=11,
                          name=ESP_NULL, ivlen=0, keysizemin=0,
                          keysizemax=0</div>
                        <div>000 algorithm ESP encrypt: id=12,
                          name=ESP_AES, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=13,
                          name=ESP_AES_CTR, ivlen=8, keysizemin=160,
                          keysizemax=288</div>
                        <div>000 algorithm ESP encrypt: id=14,
                          name=ESP_AES_CCM_A, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=15,
                          name=ESP_AES_CCM_B, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=16,
                          name=ESP_AES_CCM_C, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=18,
                          name=ESP_AES_GCM_A, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=19,
                          name=ESP_AES_GCM_B, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=20,
                          name=ESP_AES_GCM_C, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=22,
                          name=ESP_CAMELLIA, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=252,
                          name=ESP_SERPENT, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=253,
                          name=ESP_TWOFISH, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP auth attr: id=1,
                          name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
                          keysizemax=128</div>
                        <div>000 algorithm ESP auth attr: id=2,
                          name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
                          keysizemax=160</div>
                        <div>000 algorithm ESP auth attr: id=5,
                          name=AUTH_ALGORITHM_HMAC_SHA2_256,
                          keysizemin=256, keysizemax=256</div>
                        <div>000 algorithm ESP auth attr: id=6,
                          name=AUTH_ALGORITHM_HMAC_SHA2_384,
                          keysizemin=384, keysizemax=384</div>
                        <div>000 algorithm ESP auth attr: id=7,
                          name=AUTH_ALGORITHM_HMAC_SHA2_512,
                          keysizemin=512, keysizemax=512</div>
                        <div>000 algorithm ESP auth attr: id=8,
                          name=AUTH_ALGORITHM_HMAC_RIPEMD,
                          keysizemin=160, keysizemax=160</div>
                        <div> 000 algorithm ESP auth attr: id=9,
                          name=AUTH_ALGORITHM_AES_CBC, keysizemin=128,
                          keysizemax=128</div>
                        <div>000 algorithm ESP auth attr: id=251,
                          name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0,
                          keysizemax=0</div>
                        <div>000  </div>
                        <div>000 algorithm IKE encrypt: id=0,
                          name=(null), blocksize=16, keydeflen=131</div>
                        <div>000 algorithm IKE encrypt: id=5,
                          name=OAKLEY_3DES_CBC, blocksize=8,
                          keydeflen=192</div>
                        <div>000 algorithm IKE encrypt: id=7,
                          name=OAKLEY_AES_CBC, blocksize=16,
                          keydeflen=128</div>
                        <div>000 algorithm IKE hash: id=1,
                          name=OAKLEY_MD5, hashsize=16</div>
                        <div>000 algorithm IKE hash: id=2,
                          name=OAKLEY_SHA1, hashsize=20</div>
                        <div>000 algorithm IKE hash: id=4,
                          name=OAKLEY_SHA2_256, hashsize=32</div>
                        <div>000 algorithm IKE hash: id=6,
                          name=OAKLEY_SHA2_512, hashsize=64</div>
                        <div>000 algorithm IKE dh group: id=2,
                          name=OAKLEY_GROUP_MODP1024, bits=1024</div>
                        <div>000 algorithm IKE dh group: id=5,
                          name=OAKLEY_GROUP_MODP1536, bits=1536</div>
                        <div>000 algorithm IKE dh group: id=14,
                          name=OAKLEY_GROUP_MODP2048, bits=2048</div>
                        <div>000 algorithm IKE dh group: id=15,
                          name=OAKLEY_GROUP_MODP3072, bits=3072</div>
                        <div>000 algorithm IKE dh group: id=16,
                          name=OAKLEY_GROUP_MODP4096, bits=4096</div>
                        <div>000 algorithm IKE dh group: id=17,
                          name=OAKLEY_GROUP_MODP6144, bits=6144</div>
                        <div>000 algorithm IKE dh group: id=18,
                          name=OAKLEY_GROUP_MODP8192, bits=8192</div>
                        <div>000 algorithm IKE dh group: id=22,
                          name=OAKLEY_GROUP_DH22, bits=1024</div>
                        <div>000 algorithm IKE dh group: id=23,
                          name=OAKLEY_GROUP_DH23, bits=2048</div>
                        <div>000 algorithm IKE dh group: id=24,
                          name=OAKLEY_GROUP_DH24, bits=2048</div>
                        <div>000  </div>
                        <div>000 stats db_ops: {curr_cnt, total_cnt,
                          maxsz} :context={0,4,36} trans={0,4,1536}
                          attrs={0,4,2048} </div>
                        <div>000  </div>
                        <div>000 "telphin": <a moz-do-not-send="true"
                            href="http://10.128.142.0/24===100.100.100.100"
                            target="_blank">10.128.142.0/24===100.100.100.100</a>&lt;100.100.100.100&gt;…200.200.200.200&lt;200.200.200.200&gt;===<a
                            moz-do-not-send="true"
                            href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a>;
                          erouted; eroute owner: #8</div>
                        <div>000 "telphin":     myip=unset; hisip=unset;</div>
                        <div>000 "telphin":   ike_life: 3600s;
                          ipsec_life: 28800s; rekey_margin: 540s;
                          rekey_fuzz: 100%; keyingtries: 0 </div>
                        <div>000 "telphin":   policy:
                          PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
                          prio: 24,24; interface: eth0; </div>
                        <div>000 "telphin":   newest ISAKMP SA: #7;
                          newest IPsec SA: #8; </div>
                        <div>000 "telphin":   IKE algorithms wanted:
                          3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
                          3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2);
                          flags=-strict</div>
                        <div>000 "telphin":   IKE algorithms found:
 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div>
                        <div>000 "telphin":   IKE algorithm newest:
                          3DES_CBC_192-SHA1-MODP1024</div>
                        <div>000 "telphin":   ESP algorithms wanted:
                          3DES(3)_000-SHA1(2)_000; flags=-strict</div>
                        <div>000 "telphin":   ESP algorithms loaded:
                          3DES(3)_192-SHA1(2)_160</div>
                        <div>000 "telphin":   ESP algorithm newest:
                          3DES_000-HMAC_SHA1; pfsgroup=&lt;Phase1&gt;</div>
                        <div>000  </div>
                        <div>000 #8: "telphin":4500 STATE_QUICK_I2 (sent
                          QI2, IPsec SA established); EVENT_SA_REPLACE
                          in 26578s; newest IPSEC; eroute owner;
                          isakmp#7; idle; import:admin initiate</div>
                        <div>000 #8: "telphin" <a
                            moz-do-not-send="true"
                            href="mailto:esp.3b287452@200.200.200.200"
                            target="_blank">esp.3b287452@200.200.200.200</a>
                          <a moz-do-not-send="true"
                            href="mailto:esp.26159e22@100.100.100.100"
                            target="_blank">esp.26159e22@100.100.100.100</a>
                          <a moz-do-not-send="true"
                            href="mailto:tun.0@200.200.200.200"
                            target="_blank">tun.0@200.200.200.200</a> <a
                            moz-do-not-send="true"
                            href="mailto:tun.0@100.100.100.100"
                            target="_blank">tun.0@100.100.100.100</a>
                          ref=0 refhim=4294901761</div>
                        <div>000 #7: "telphin":4500 STATE_MAIN_I4
                          (ISAKMP SA established); EVENT_SA_REPLACE in
                          1660s; newest ISAKMP; lastdpd=-1s(seq in:0
                          out:0); idle; import:admin initiate</div>
                        <div>000  </div>
                        <div><br>
                        </div>
                        <div>------- status end -----</div>
                        <div><br>
                        </div>
                        <div>--- verify start -----</div>
                        <div><br>
                        </div>
                        <div>ipsec verify</div>
                        <div>Checking your system to see if IPsec got
                          installed and started correctly:</div>
                        <div>Version check and ipsec on-path            
                                          <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div>Linux Openswan U2.6.38/K3.1.0-1.2-xen
                          (netkey)</div>
                        <div>Checking for IPsec support in kernel      
                                           <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div> SAref kernel support                      
                                          <span
                            style="white-space:pre-wrap"> </span>[N/A]</div>
                        <div> NETKEY:  Testing XFRM related proc values
                                           <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div><span style="white-space:pre-wrap"> </span>[OK]</div>
                        <div><span style="white-space:pre-wrap"> </span>[OK]</div>
                        <div>Checking that pluto is running            
                                           <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div> Pluto listening for IKE on udp 500        
                                          <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div> Pluto listening for NAT-T on udp 4500    
                                           <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div>Two or more interfaces found, checking IP
                          forwarding        <span
                            style="white-space:pre-wrap"> </span>[FAILED]</div>
                        <div>Checking NAT and MASQUERADEing            
                                           <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div>Checking for 'ip' command                  
                                          <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div>Checking /bin/sh is not /bin/dash          
                                          <span
                            style="white-space:pre-wrap"> </span>[WARNING]</div>
                        <div>Checking for 'iptables' command            
                                          <span
                            style="white-space:pre-wrap"> </span>[OK]</div>
                        <div>Opportunistic Encryption Support          
                                           <span
                            style="white-space:pre-wrap"> </span>[DISABLED]</div>
                        <div><br>
                        </div>
                        <div># /etc/ipsec.conf - Openswan IPsec
                          configuration file</div>
                        <div><br>
                        </div>
                        <div># This file:
                           /usr/share/doc/openswan/ipsec.conf-sample</div>
                        <div>#</div>
                        <div># Manual:     ipsec.conf.5</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>version<span style="white-space:pre-wrap">
                          </span>2.0<span style="white-space:pre-wrap">
                          </span># conforms to second version of
                          ipsec.conf specification</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>--- verify end -----</div>
                        <div><br>
                        </div>
                        <div>---- config start ---</div>
                        <div><br>
                        </div>
                        <div># basic configuration</div>
                        <div>config setup</div>
                        <div>        interfaces="%defaultroute"</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          Do not set debug options to debug
                          configuration issues!</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          plutodebug / klipsdebug = "all", "none" or a
                          combination from below:</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          "raw crypt parsing emitting control klips
                          pfkey natt x509 dpd private"</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          eg:</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          plutodebug="control parsing"</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          Again: only enable plutodebug or klipsdebug
                          when asked by a developer</div>
                        <div><span style="white-space:pre-wrap"> </span>#</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          enable to get logs per-peer</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          plutoopts="--perpeerlog"</div>
                        <div><span style="white-space:pre-wrap"> </span>#</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          Enable core dumps (might require system
                          changes, like ulimit -C)</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          This is required for abrtd to work properly</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          Note: incorrect SElinux policies might prevent
                          pluto writing the core</div>
                        <div><span style="white-space:pre-wrap"> </span>dumpdir=/var/run/pluto/</div>
                        <div><span style="white-space:pre-wrap"> </span>#</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          NAT-TRAVERSAL support, see
                          README.NAT-Traversal</div>
                        <div><span style="white-space:pre-wrap"> </span>nat_traversal=yes</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          exclude networks used on server side by adding
                          %v4:!a.b.c.0/24</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          It seems that T-Mobile in the US and
                          Rogers/Fido in Canada are</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          using 25/8 as "private" address space on their
                          3G network.</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          This range has not been announced via BGP (at
                          least up to 2010-12-21)</div>
                        <div><span style="white-space:pre-wrap"> </span>virtual_private=%v4:<a
                            moz-do-not-send="true"
href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10"
                            target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a></div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          OE is now off by default. Uncomment and change
                          to on, to enable.</div>
                        <div><span style="white-space:pre-wrap"> </span>oe=off</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          which IPsec stack to use. auto will try
                          netkey, then klips then mast</div>
                        <div><span style="white-space:pre-wrap"> </span>protostack=netkey</div>
                        <div><span style="white-space:pre-wrap"> </span>#
                          Use this to log to a file, or disable logging
                          on embedded systems (like openwrt)</div>
                        <div><span style="white-space:pre-wrap"> </span>#plutostderrlog=/dev/null</div>
                        <div>        </div>
                        <div><br>
                        </div>
                        <div># Add connections here</div>
                        <div><br>
                        </div>
                        <div># sample VPN connection</div>
                        <div># for more examples, see
                          /etc/ipsec.d/examples/</div>
                        <div>#conn sample</div>
                        <div>#<span style="white-space:pre-wrap"> </span>#
                          Left security gateway, subnet behind it,
                          nexthop toward right.</div>
                        <div>#<span style="white-space:pre-wrap"> </span>left=10.0.0.1</div>
                        <div>#<span style="white-space:pre-wrap"> </span>leftsubnet=172.16.0.0/24</div>
                        <div>#<span style="white-space:pre-wrap"> </span>leftnexthop=10.22.33.44</div>
                        <div>#<span style="white-space:pre-wrap"> </span>#
                          Right security gateway, subnet behind it,
                          nexthop toward left.</div>
                        <div>#<span style="white-space:pre-wrap"> </span>right=10.12.12.1</div>
                        <div>#<span style="white-space:pre-wrap"> </span>rightsubnet=192.168.0.0/24</div>
                        <div>#<span style="white-space:pre-wrap"> </span>rightnexthop=10.101.102.103</div>
                        <div>#<span style="white-space:pre-wrap"> </span>#
                          To authorize this connection, but not actually
                          start it, </div>
                        <div>#<span style="white-space:pre-wrap"> </span>#
                          at startup, uncomment this.</div>
                        <div>#<span style="white-space:pre-wrap"> </span>#auto=add</div>
                        <div><br>
                        </div>
                        <div><br>
                        </div>
                        <div>conn telphin</div>
                        <div>               left=100.100.100.100 # left for local</div>
                        <div>               leftsubnet=10.128.142.0/24</div>
                        <div>               #leftnexthop=10.128.142.0</div>
                        <div>               right=200.200.200.200 # right for remote</div>
                        <div>               rightsubnet=10.128.0.0/24</div>
                        <div>               #rightnexthop=10.128.0.0</div>
                        <div>               type=tunnel</div>
                        <div>               authby=secret</div>
                        <div>               auto=start</div>
                        <div>               auth=esp</div>
                        <div>               keyexchange=ike</div>
                        <div>               ike=3des-sha1</div>
                        <div>               esp=3des-sha1</div>
                        <div>               pfs=yes</div>
                        <div>               forceencaps=yes</div>
                        <div><br>
                        </div>
                        <div>---- config end ---</div>
                      </div>
                      <br>
                      <fieldset></fieldset>
                      <br>
                    </div>
                  </div>
                  <pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
                </blockquote>
                <br>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
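The conn quoted in the thread, as an added example that is not part of the original mail or of the Openswan project: a small Python lint that parses the posted conn section (embedded below as constructed sample input, copied from the config above) and reports the points raised in this thread, namely the missing leftsourceip, forceencaps=yes on a gateway that already has a public address, and, as an editor's caveat the thread itself does not discuss, 3DES or MD5 in the ike/esp proposals. It then emits a corrected section. The gateway LAN address 10.128.142.1 is an assumption (any address of the gateway inside leftsubnet would do), and the weak-algorithm list is the editor's choice, not an Openswan setting.

```python
"""Lint one Openswan ipsec.conf "conn" section for the points raised in this thread.

Added example, not code from the mail or from Openswan. Assumptions: GATEWAY_LAN_IP
is a placeholder inside the posted leftsubnet, and WEAK_ALGS is the editor's list of
legacy algorithms, not something the thread or the provider specified.
"""
import ipaddress

# Constructed sample input: the conn as posted in the thread (comments included).
SAMPLE_CONF = """\
conn telphin
               left=100.100.100.100 # left for local
               leftsubnet=10.128.142.0/24
               #leftnexthop=10.128.142.0
               right=200.200.200.200 # right for remote
               rightsubnet=10.128.0.0/24
               #rightnexthop=10.128.0.0
               type=tunnel
               authby=secret
               auto=start
               auth=esp
               keyexchange=ike
               ike=3des-sha1
               esp=3des-sha1
               pfs=yes
               forceencaps=yes
"""

GATEWAY_LAN_IP = "10.128.142.1"   # assumption: the gateway's own address inside leftsubnet
WEAK_ALGS = ("3des", "md5")       # editor's choice of legacy algorithms to flag


def parse_conns(text):
    """Parse conn sections into {name: {key: value}}.

    Trailing '#' comments are stripped, and wholly commented-out lines such as
    '#leftnexthop=...' are ignored so they never count as active settings.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            parts = line.split(None, 1)
            current = parts[1] if len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns


def _is_public(addr):
    """True for a non-private address; False for RFC 1918/reserved space or
    non-address values such as %defaultroute."""
    try:
        return not ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def _in_subnet(addr, subnet):
    """True/False if both parse; None if either is not a plain address/network."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return None


def lint_conn(settings):
    """Return a list of (key, message) findings for one conn."""
    findings = []
    left, subnet, source = (settings.get(k) for k in ("left", "leftsubnet", "leftsourceip"))

    # 1. Without leftsourceip, packets the gateway itself originates (a traceroute
    #    run on the gateway, for instance) carry the public 'left' address, which
    #    lies outside leftsubnet and is therefore never selected into the tunnel.
    if subnet and not source:
        findings.append(("leftsourceip", "missing; gateway-originated traffic will not match leftsubnet"))
    elif subnet and source and _in_subnet(source, subnet) is False:
        findings.append(("leftsourceip", f"{source} is not inside leftsubnet {subnet}"))

    # 2. forceencaps=yes forces UDP encapsulation of ESP even when no NAT is
    #    detected; it is only useful when a NAT device in the path drops ESP.
    if settings.get("forceencaps") == "yes" and left and _is_public(left):
        findings.append(("forceencaps", "yes on a gateway with a public address; only needed behind a NAT that drops ESP"))

    # 3. Legacy algorithms in the IKE and ESP proposals (editor's caveat).
    for key in ("ike", "esp"):
        proposal = settings.get(key, "")
        if any(weak in proposal for weak in WEAK_ALGS):
            findings.append((key, f"{proposal} uses a legacy algorithm"))
    return findings


def fix_conn(settings, lan_ip=GATEWAY_LAN_IP):
    """Return a corrected copy: add leftsourceip, drop forceencaps on a public gateway."""
    fixed = dict(settings)
    fixed.setdefault("leftsourceip", lan_ip)
    if _is_public(fixed.get("left", "")):
        fixed.pop("forceencaps", None)
    return fixed


def render_conn(name, settings):
    """Render a conn section back into ipsec.conf syntax."""
    return "conn %s\n%s\n" % (name, "\n".join(f"\t{k}={v}" for k, v in settings.items()))


if __name__ == "__main__":
    for name, settings in parse_conns(SAMPLE_CONF).items():
        for key, msg in lint_conn(settings):
            print(f"{name}: {key}: {msg}")
        print(render_conn(name, fix_conn(settings)))
```

Run against the posted conn it reports four findings (leftsourceip, forceencaps, ike, esp); after fix_conn only the two proposal findings remain, since the lint does not pick a replacement cipher suite: that has to match whatever the provider's peer accepts.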
    <br>
  </body>
</html>