<div dir="ltr">Hi, Nick<div><br></div><div>&gt;<span style="font-family:arial,sans-serif;font-size:13px">Why have you got forceencaps (although it appears to be working)?</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Because I&#39;m new to OpenSWAN :) It was asked in the settings I got from my provider.</span></div>

<div><span style="font-family:arial,sans-serif;font-size:13px">But it seems to be working with forceencaps=no (my gateway where openswan is installed has public ip).</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br>

</span></div><div>

<span style="font-family:arial,sans-serif;font-size:13px">&gt;</span><span style="font-family:arial,sans-serif;font-size:13px">Is the traceroute failing from the gateway?</span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Yes, from the gateway</span></div>

<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">&gt;</span><span style="font-family:arial,sans-serif;font-size:13px"> Try adding a leftsourceip=your_ipsec_</span><span style="font-family:arial,sans-serif;font-size:13px">server_LAN_IP.</span></div>

<div><span style="font-family:arial,sans-serif;font-size:13px">Do you mean IP in my OpenVPN network?</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div> leftsourceip=10.128.142.1<span style="font-family:arial,sans-serif;font-size:13px"><br>

</span></div><div><br></div><div style>now it dies with the timeout:</div><div style><br></div><div style><div>traceroute 10.128.0.2 </div><div>traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte packets</div><div>

 1  vm12202 (100.100.100.100)  3000.607 ms !H  3000.595 ms !H  3000.582 ms !H</div></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div style>100.100.100.100 -- is my gateway public ip address<span style="font-family:arial,sans-serif;font-size:13px"><br>

</span></div><div style>200.200.200.200 -- is IPSec provider&#39;s public ip address<br></div><div style><br></div><div style>One dummy question: Is OpenSWAN able to bridge IPsec networks only? Can it bridge to OpenVPN networks?</div>

<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Thanks, Slava</span></div>

<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/4/17 Nick Howitt <span dir="ltr">&lt;<a href="mailto:n1ck.h0w1tt@gmail.com" target="_blank">n1ck.h0w1tt@gmail.com</a>&gt;</span><br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

  <div text="#000000" bgcolor="#FFFFFF">

    Why have you got forceencaps (although it appears to be working)?<br>

    <br>

    Is the traceroute failing from the gateway? Try adding a

    leftsourceip=your_ipsec_server_LAN_IP.<br>

    <br>

    Nick<div><div><br>

    <br>

    <div>On 17/04/2013 20:42, Viacheslav Dushin

      wrote:<br>

    </div>

    </div></div><blockquote type="cite"><div><div>

      <div dir="ltr">

        <div>Hi guys</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>Bascialy there are  two networks <a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a> (my provider&#39;s

          network) and <a href="http://10.128.142.0/24" target="_blank">10.128.142.0/24</a> (my

          network built on OpenVPN) that I want to bridge via

          site-to-site VPN. Is it possible? If not, what other solutions

          may be used?</div>

        <div><br>

        </div>

        <div>Finally I managed (with your help) to set up the

          site-to-site connection to my VPN provider. Ipsec status shows

          that tunnel is up:</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>--- tunnels status start ---</div>

        <div><br>

        </div>

        <div> /etc/init.d/ipsec status</div>

        <div>IPsec running  - pluto pid: 797</div>

        <div>pluto pid 797</div>

        <div>1 tunnels up</div>

        <div>some eroutes exist</div>

        <div><br>

        </div>

        <div>---tunnels status end---</div>

        <div>

          <br>

        </div>

        <div><br>

        </div>

        <div>But traceroute 10.128.0.2 command dies  after 30 hops:</div>

        <div><br>

        </div>

        <div>traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte

          packets</div>

        <div> 1  * * *</div>

        <div><br>

        </div>

        <div>

          <br>

        </div>

        <div><br>

        </div>

        <div>Openswan version: Openswan U2.6.38/K3.1.0-1.2-xen (netkey)</div>

        <div><br>

        </div>

        <div>Thanks, Slava</div>

        <div><br>

        </div>

        <div>Other logs/configs see bellow</div>

        <div><br>

        </div>

        <div>------ifconfig  start---------</div>

        <div><br>

        </div>

        <div>eth0      Link encap:Ethernet  HWaddr 12:e8:12:8c:1a:c0  </div>

        <div>          inet addr:100.100.100.100  Bcast:100.100.100.255

           Mask:255.255.255.0</div>

        <div>          inet6 addr: fe80::10e8:12ff:fe8c:1ac0/64

          Scope:Link</div>

        <div>          UP BROADCAST RUNNING MULTICAST  MTU:1500

           Metric:1</div>

        <div>          RX packets:779249 errors:0 dropped:6352

          overruns:0 frame:0</div>

        <div>          TX packets:72439 errors:0 dropped:0 overruns:0

          carrier:0</div>

        <div>          collisions:0 txqueuelen:1000 </div>

        <div>          RX bytes:86789600 (82.7 MiB)  TX bytes:41816455

          (39.8 MiB)</div>

        <div><br>

        </div>

        <div>lo        Link encap:Local Loopback  </div>

        <div>          inet addr:127.0.0.1  Mask:255.0.0.0</div>

        <div>          inet6 addr: ::1/128 Scope:Host</div>

        <div>          UP LOOPBACK RUNNING  MTU:16436  Metric:1</div>

        <div>          RX packets:0 errors:0 dropped:0 overruns:0

          frame:0</div>

        <div>          TX packets:0 errors:0 dropped:0 overruns:0

          carrier:0</div>

        <div>          collisions:0 txqueuelen:0 </div>

        <div>          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)</div>

        <div><br>

        </div>

        <div>tun0      Link encap:UNSPEC  HWaddr

          00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  </div>

        <div>

                    inet addr:10.128.142.1  P-t-P:10.128.142.2

           Mask:255.255.255.255</div>

        <div>          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500

           Metric:1</div>

        <div>          RX packets:32031 errors:0 dropped:0 overruns:0

          frame:0</div>

        <div>          TX packets:33785 errors:0 dropped:0 overruns:0

          carrier:0</div>

        <div>          collisions:0 txqueuelen:100 </div>

        <div>          RX bytes:8637866 (8.2 MiB)  TX bytes:28671489

          (27.3 MiB)</div>

        <div><br>

        </div>

        <div>

          ------ifconfig  end------</div>

        <div><br>

        </div>

        <div>----status start-----</div>

        <div><br>

        </div>

        <div>ipsec auto --status</div>

        <div>000 using kernel interface: netkey</div>

        <div>000 interface lo/lo ::1</div>

        <div>000 interface lo/lo 127.0.0.1</div>

        <div>000 interface lo/lo 127.0.0.1</div>

        <div>000 interface eth0/eth0 100.100.100.100</div>

        <div>000 interface eth0/eth0 100.100.100.100</div>

        <div>000 %myid = (none)</div>

        <div>000 debug none</div>

        <div>000  </div>

        <div>000 virtual_private (%priv):</div>

        <div>000 - allowed 6 subnets: <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>, <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>,

          <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a>,

          <a href="http://25.0.0.0/8" target="_blank">25.0.0.0/8</a>,

          fd00::/8, fe80::/10</div>

        <div>000 - disallowed 0 subnets: </div>

        <div>000 WARNING: Disallowed subnets in virtual_private= is

          empty. If you have </div>

        <div>000          private address space in internal use, it

          should be excluded!</div>

        <div>000  </div>

        <div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,

          keysizemin=64, keysizemax=64</div>

        <div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,

          keysizemin=192, keysizemax=192</div>

        <div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,

          keysizemin=40, keysizemax=128</div>

        <div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,

          ivlen=8, keysizemin=40, keysizemax=448</div>

        <div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,

          keysizemin=0, keysizemax=0</div>

        <div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,

          keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR,

          ivlen=8, keysizemin=160, keysizemax=288</div>

        <div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH,

          ivlen=8, keysizemin=128, keysizemax=256</div>

        <div>000 algorithm ESP auth attr: id=1,

          name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div>

        <div>000 algorithm ESP auth attr: id=2,

          name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div>

        <div>000 algorithm ESP auth attr: id=5,

          name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,

          keysizemax=256</div>

        <div>000 algorithm ESP auth attr: id=6,

          name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384,

          keysizemax=384</div>

        <div>000 algorithm ESP auth attr: id=7,

          name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512,

          keysizemax=512</div>

        <div>000 algorithm ESP auth attr: id=8,

          name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160,

          keysizemax=160</div>

        <div>

          000 algorithm ESP auth attr: id=9,

          name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div>

        <div>000 algorithm ESP auth attr: id=251,

          name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div>

        <div>000  </div>

        <div>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,

          keydeflen=131</div>

        <div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,

          blocksize=8, keydeflen=192</div>

        <div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,

          blocksize=16, keydeflen=128</div>

        <div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div>

        <div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div>

        <div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256,

          hashsize=32</div>

        <div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512,

          hashsize=64</div>

        <div>000 algorithm IKE dh group: id=2,

          name=OAKLEY_GROUP_MODP1024, bits=1024</div>

        <div>000 algorithm IKE dh group: id=5,

          name=OAKLEY_GROUP_MODP1536, bits=1536</div>

        <div>000 algorithm IKE dh group: id=14,

          name=OAKLEY_GROUP_MODP2048, bits=2048</div>

        <div>000 algorithm IKE dh group: id=15,

          name=OAKLEY_GROUP_MODP3072, bits=3072</div>

        <div>000 algorithm IKE dh group: id=16,

          name=OAKLEY_GROUP_MODP4096, bits=4096</div>

        <div>000 algorithm IKE dh group: id=17,

          name=OAKLEY_GROUP_MODP6144, bits=6144</div>

        <div>000 algorithm IKE dh group: id=18,

          name=OAKLEY_GROUP_MODP8192, bits=8192</div>

        <div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22,

          bits=1024</div>

        <div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23,

          bits=2048</div>

        <div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24,

          bits=2048</div>

        <div>000  </div>

        <div>000 stats db_ops: {curr_cnt, total_cnt, maxsz}

          :context={0,4,36} trans={0,4,1536} attrs={0,4,2048} </div>

        <div>000  </div>

        <div>000 &quot;telphin&quot;: <a href="http://10.128.142.0/24===100.100.100.100" target="_blank">10.128.142.0/24===100.100.100.100</a>&lt;100.100.100.100&gt;…200.200.200.200&lt;200.200.200.200&gt;===<a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a>;

          erouted; eroute owner: #8</div>

        <div>000 &quot;telphin&quot;:     myip=unset; hisip=unset;</div>

        <div>000 &quot;telphin&quot;:   ike_life: 3600s; ipsec_life: 28800s;

          rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 </div>

        <div>000 &quot;telphin&quot;:   policy:

          PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;

          prio: 24,24; interface: eth0; </div>

        <div>000 &quot;telphin&quot;:   newest ISAKMP SA: #7; newest IPsec SA:

          #8; </div>

        <div>000 &quot;telphin&quot;:   IKE algorithms wanted:

          3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),

          3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict</div>

        <div>000 &quot;telphin&quot;:   IKE algorithms found:

 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div>

        <div>000 &quot;telphin&quot;:   IKE algorithm newest:

          3DES_CBC_192-SHA1-MODP1024</div>

        <div>000 &quot;telphin&quot;:   ESP algorithms wanted:

          3DES(3)_000-SHA1(2)_000; flags=-strict</div>

        <div>000 &quot;telphin&quot;:   ESP algorithms loaded:

          3DES(3)_192-SHA1(2)_160</div>

        <div>000 &quot;telphin&quot;:   ESP algorithm newest: 3DES_000-HMAC_SHA1;

          pfsgroup=&lt;Phase1&gt;</div>

        <div>000  </div>

        <div>000 #8: &quot;telphin&quot;:4500 STATE_QUICK_I2 (sent QI2, IPsec SA

          established); EVENT_SA_REPLACE in 26578s; newest IPSEC; eroute

          owner; isakmp#7; idle; import:admin initiate</div>

        <div>000 #8: &quot;telphin&quot; <a href="mailto:esp.3b287452@200.200.200.200" target="_blank">esp.3b287452@200.200.200.200</a>

          <a href="mailto:esp.26159e22@100.100.100.100" target="_blank">esp.26159e22@100.100.100.100</a>

          <a href="mailto:tun.0@200.200.200.200" target="_blank">tun.0@200.200.200.200</a>

          <a href="mailto:tun.0@100.100.100.100" target="_blank">tun.0@100.100.100.100</a>

          ref=0 refhim=4294901761</div>

        <div>000 #7: &quot;telphin&quot;:4500 STATE_MAIN_I4 (ISAKMP SA

          established); EVENT_SA_REPLACE in 1660s; newest ISAKMP;

          lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div>

        <div>000  </div>

        <div><br>

        </div>

        <div>------- status end -----</div>

        <div><br>

        </div>

        <div>--- verify start -----</div>

        <div><br>

        </div>

        <div>ipsec verify</div>

        <div>Checking your system to see if IPsec got installed and

          started correctly:</div>

        <div>Version check and ipsec on-path                            

          <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div>Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)</div>

        <div>Checking for IPsec support in kernel                      

           <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div> SAref kernel support                                      

          <span style="white-space:pre-wrap"> </span>[N/A]</div>

        <div> NETKEY:  Testing XFRM related proc values                

           <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div><span style="white-space:pre-wrap"> </span>[OK]</div>

        <div><span style="white-space:pre-wrap"> </span>[OK]</div>

        <div>Checking that pluto is running                            

           <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div> Pluto listening for IKE on udp 500                        

          <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div> Pluto listening for NAT-T on udp 4500                    

           <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div>Two or more interfaces found, checking IP forwarding      

           <span style="white-space:pre-wrap"> </span>[FAILED]</div>

        <div>Checking NAT and MASQUERADEing                            

           <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div>Checking for &#39;ip&#39; command                                  

          <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div>Checking /bin/sh is not /bin/dash                          

          <span style="white-space:pre-wrap"> </span>[WARNING]</div>

        <div>Checking for &#39;iptables&#39; command                            

          <span style="white-space:pre-wrap"> </span>[OK]</div>

        <div>Opportunistic Encryption Support                          

           <span style="white-space:pre-wrap"> </span>[DISABLED]</div>

        <div><br>

        </div>

        <div># /etc/ipsec.conf - Openswan IPsec configuration file</div>

        <div><br>

        </div>

        <div># This file:  /usr/share/doc/openswan/ipsec.conf-sample</div>

        <div>#</div>

        <div># Manual:     ipsec.conf.5</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>version<span style="white-space:pre-wrap"> </span>2.0<span style="white-space:pre-wrap"> </span># conforms to

          second version of ipsec.conf specification</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>--- verify end -----</div>

        <div><br>

        </div>

        <div>---- config start ---</div>

        <div><br>

        </div>

        <div># basic configuration</div>

        <div>config setup</div>

        <div>        interfaces=&quot;%defaultroute&quot;</div>

        <div><span style="white-space:pre-wrap"> </span># Do not

          set debug options to debug configuration issues!</div>

        <div><span style="white-space:pre-wrap"> </span>#

          plutodebug / klipsdebug = &quot;all&quot;, &quot;none&quot; or a combation from

          below:</div>

        <div><span style="white-space:pre-wrap"> </span># &quot;raw

          crypt parsing emitting control klips pfkey natt x509 dpd

          private&quot;</div>

        <div><span style="white-space:pre-wrap"> </span># eg:</div>

        <div><span style="white-space:pre-wrap"> </span>#

          plutodebug=&quot;control parsing&quot;</div>

        <div><span style="white-space:pre-wrap"> </span># Again:

          only enable plutodebug or klipsdebug when asked by a developer</div>

        <div><span style="white-space:pre-wrap"> </span>#</div>

        <div><span style="white-space:pre-wrap"> </span># enable to

          get logs per-peer</div>

        <div><span style="white-space:pre-wrap"> </span>#

          plutoopts=&quot;--perpeerlog&quot;</div>

        <div><span style="white-space:pre-wrap"> </span>#</div>

        <div><span style="white-space:pre-wrap"> </span># Enable

          core dumps (might require system changes, like ulimit -C)</div>

        <div><span style="white-space:pre-wrap"> </span># This is

          required for abrtd to work properly</div>

        <div><span style="white-space:pre-wrap"> </span># Note:

          incorrect SElinux policies might prevent pluto writing the

          core</div>

        <div><span style="white-space:pre-wrap"> </span>dumpdir=/var/run/pluto/</div>

        <div><span style="white-space:pre-wrap"> </span>#</div>

        <div><span style="white-space:pre-wrap"> </span>#

          NAT-TRAVERSAL support, see README.NAT-Traversal</div>

        <div><span style="white-space:pre-wrap"> </span>nat_traversal=yes</div>

        <div><span style="white-space:pre-wrap"> </span># exclude

          networks used on server side by adding %v4:!a.b.c.0/24</div>

        <div><span style="white-space:pre-wrap"> </span># It seems

          that T-Mobile in the US and Rogers/Fido in Canada are</div>

        <div><span style="white-space:pre-wrap"> </span># using

          25/8 as &quot;private&quot; address space on their 3G network.</div>

        <div><span style="white-space:pre-wrap"> </span># This

          range has not been announced via BGP (at least upto

          2010-12-21)</div>

        <div><span style="white-space:pre-wrap"> </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a></div>

        <div><span style="white-space:pre-wrap"> </span># OE is now

          off by default. Uncomment and change to on, to enable.</div>

        <div><span style="white-space:pre-wrap"> </span>oe=off</div>

        <div><span style="white-space:pre-wrap"> </span># which

          IPsec stack to use. auto will try netkey, then klips then mast</div>

        <div><span style="white-space:pre-wrap"> </span>protostack=netkey</div>

        <div><span style="white-space:pre-wrap"> </span># Use this

          to log to a file, or disable logging on embedded systems (like

          openwrt)</div>

        <div><span style="white-space:pre-wrap"> </span>#plutostderrlog=/dev/null</div>

        <div>        </div>

        <div><br>

        </div>

        <div># Add connections here</div>

        <div><br>

        </div>

        <div># sample VPN connection</div>

        <div># for more examples, see /etc/ipsec.d/examples/</div>

        <div>#conn sample</div>

        <div>#<span style="white-space:pre-wrap"> </span># Left

          security gateway, subnet behind it, nexthop toward right.</div>

        <div>#<span style="white-space:pre-wrap"> </span>left=10.0.0.1</div>

        <div>#<span style="white-space:pre-wrap"> </span>leftsubnet=<a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a></div>

        <div>#<span style="white-space:pre-wrap"> </span>leftnexthop=10.22.33.44</div>

        <div>#<span style="white-space:pre-wrap"> </span># Right

          security gateway, subnet behind it, nexthop toward left.</div>

        <div>#<span style="white-space:pre-wrap"> </span>right=10.12.12.1</div>

        <div>#<span style="white-space:pre-wrap"> </span>rightsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a></div>

        <div>#<span style="white-space:pre-wrap"> </span>rightnexthop=10.101.102.103</div>

        <div>#<span style="white-space:pre-wrap"> </span># To

          authorize this connection, but not actually start it, </div>

        <div>#<span style="white-space:pre-wrap"> </span># at

          startup, uncomment this.</div>

        <div>#<span style="white-space:pre-wrap"> </span>#auto=add</div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div>conn telphin</div>

        <div>               left=100.100.100.100 # left for local</div>

        <div>               leftsubnet=<a href="http://10.128.142.0/24" target="_blank">10.128.142.0/24</a></div>

        <div>               #leftnexthop=10.128.142.0</div>

        <div>               right=200.200.200.200 # right for remote</div>

        <div>               rightsubnet=<a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a></div>

        <div>               #rightnexthop=10.128.0.0</div>

        <div>               type=tunnel</div>

        <div>               authby=secret</div>

        <div>               auto=start</div>

        <div>               auth=esp</div>

        <div>               keyexchange=ike</div>

        <div>               ike=3des-sha1</div>

        <div>               esp=3des-sha1</div>

        <div>               pfs=yes</div>

        <div>               forceencaps=yes</div>

        <div><br>

        </div>

        <div>---- config end ---</div>

      </div>

      <br>

      <fieldset></fieldset>

      <br>

      </div></div><pre>_______________________________________________

<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>

<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>

Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>

Building and Integrating Virtual Private Networks with Openswan:

<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>

</pre>

    </blockquote>

    <br>

  </div>

</blockquote></div><br></div></div>