<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    You can't use the oldoffice conn for connection to the new office.
    For a start they have different transport types.<br>
    <br>
    You do need internal firewall rules. I have one set like this:<br>
    <br>
    <font face="Courier New">iptables -t nat -I POSTROUTING -m policy
      --dir out --pol ipsec -j ACCEPT<br>
    </font><br>
    Nick<br>
    <br>
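<p>The two checks this thread keeps circling are (a) whether the kernel SPD actually carries a policy for every subnet pair the conn promises, and (b) whether a MASQUERADE/SNAT rule in nat/POSTROUTING rewrites the source address before the packet is matched against that policy, so that tunnel-bound traffic stops matching its selector. The script below is an added example, not code from this thread or from Openswan; it works offline on pasted <tt>ipsec.conf</tt>, <tt>ip xfrm policy</tt> and <tt>iptables-save -t nat</tt> text. The sample inputs are constructed to mirror the configs above (the peer address 203.0.113.10 is a documentation placeholder, not the real old-office IP), and the second right subnet is deliberately left without its in/fwd policies to show what a partial SPD looks like.</p>

```python
"""Added example (not from the thread): cross-check an Openswan conn against the SPD and the nat table."""
import re


def parse_conn(conn_text):
    """Return {'left': [...], 'right': [...]} from a conn block, accepting
    leftsubnet=/rightsubnet= and the braced leftsubnets={...}/rightsubnets={...} forms."""
    sides = {"left": [], "right": []}
    for line in conn_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(left|right)subnets?\s*=\s*(.*)$", line)
        if m:
            sides[m.group(1)].extend(m.group(2).strip("{} ").split())
    return sides


def expected_tunnels(conn_text):
    """Openswan instantiates one child SA per left x right subnet pair
    (the "new/0x1".."new/0x3" instances seen in the log above)."""
    sides = parse_conn(conn_text)
    return len(sides["left"]) * len(sides["right"])


def expected_policies(conn_text):
    """Each pair needs an 'out' policy plus 'in' (to this host) and
    'fwd' (through this host) policies for the reverse direction."""
    sides = parse_conn(conn_text)
    wanted = set()
    for left in sides["left"]:
        for right in sides["right"]:
            wanted |= {(left, right, "out"), (right, left, "in"), (right, left, "fwd")}
    return wanted


def parse_xfrm_policy(xfrm_text):
    """Collect (src, dst, dir) selectors from `ip xfrm policy` output; the
    indented 'tmpl src ... dst ...' lines are tunnel endpoints, not selectors."""
    found, selector = set(), None
    for line in xfrm_text.splitlines():
        if "tmpl" in line:
            continue
        m = re.match(r"\s*src (\S+) dst (\S+)", line)
        if m:
            selector = (m.group(1), m.group(2))
            continue
        m = re.match(r"\s*dir (in|out|fwd)\b", line)
        if m and selector:
            found.add(selector + (m.group(1),))
    return found


def missing_policies(conn_text, xfrm_text):
    """Pairs the conn promises but the SPD lacks: that traffic is not protected."""
    return sorted(expected_policies(conn_text) - parse_xfrm_policy(xfrm_text))


def nat_exemption_ok(iptables_save_text):
    """True when nat/POSTROUTING accepts IPsec-policy-bound traffic before any
    MASQUERADE/SNAT rule could rewrite its source address."""
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if not line.startswith("-A POSTROUTING"):
            continue
        if all(t in line for t in ("-m policy", "--dir out", "--pol ipsec")) and line.endswith("-j ACCEPT"):
            return True
        if "-j MASQUERADE" in line or "-j SNAT" in line:
            return False
    return False


# Constructed sample conn (new-office side, as in the thread).
SAMPLE_CONN = """\
conn new
        leftsubnet=192.168.3.0/24
        rightsubnets={10.134.162.59/32 10.134.210.64/28 192.168.1.0/24}
        type=tunnel
"""

# Constructed, abbreviated `ip xfrm policy` output; 203.0.113.10 is a placeholder peer.
# 10.134.210.64/28 has only its 'out' policy, so replies would not be accepted.
SAMPLE_XFRM = """\
src 192.168.3.0/24 dst 10.134.162.59/32
        dir out priority 2336 ptype main
        tmpl src 192.168.3.3 dst 203.0.113.10
                proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
        dir fwd priority 2336 ptype main
src 10.134.162.59/32 dst 192.168.3.0/24
        dir in priority 2336 ptype main
src 192.168.3.0/24 dst 10.134.210.64/28
        dir out priority 2340 ptype main
src 192.168.3.0/24 dst 192.168.1.0/24
        dir out priority 2344 ptype main
src 192.168.1.0/24 dst 192.168.3.0/24
        dir fwd priority 2344 ptype main
src 192.168.1.0/24 dst 192.168.3.0/24
        dir in priority 2344 ptype main
"""

# Constructed nat tables: the exemption inserted ahead of MASQUERADE (Nick's -I) versus appended after it.
NAT_GOOD = "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n-A POSTROUTING -o eth0 -j MASQUERADE\n"
NAT_BAD = "-A POSTROUTING -o eth0 -j MASQUERADE\n-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n"

if __name__ == "__main__":
    print("tunnels expected:", expected_tunnels(SAMPLE_CONN))
    print("missing SPD entries:", missing_policies(SAMPLE_CONN, SAMPLE_XFRM))
    print("NAT exemption ordered correctly:", nat_exemption_ok(NAT_GOOD), nat_exemption_ok(NAT_BAD))
```

<p>Run it against a real box by pasting the conn, <tt>ip xfrm policy</tt> and <tt>iptables-save -t nat</tt> output into the three strings. A non-empty missing list for a subnet you cannot ping from the far side is the SPD explanation; a <tt>False</tt> from the NAT check is the firewall explanation, and the fix is exactly the <tt>-I POSTROUTING</tt> rule quoted above, placed before any MASQUERADE rule.</p>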
    <div class="moz-cite-prefix">On 20/09/2013 09:39, Paul Young wrote:<br>
    </div>
    <blockquote
cite="mid:CAAEtRDUiyWC+18Lru7D8RTeKCZDhrRw9a3n_+_FRXafNJL1e8Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi Nick,
        <div><br>
        </div>
        <div>Yes the new office appears to create the correct xfrm
          policies\routing info.</div>
        <div><br>
        </div>
        <div>Part of the complexity here would be that the new office
          has no permanent IP or infrastructure. So the path looks like
          this from new to old</div>
        <div><br>
        </div>
        <div>server running Openswan in new office-------------&gt;Asus
          router\switch N55U running DHCP etc------------&gt;4G dongle
          acting as modem for the
          Asus---------------&gt;INTERNET--------------&gt;outside NIC
          of server running Openswan in old office.</div>
        <div><br>
        </div>
        <div>From what I can tell there are some machinations going on
          within the 4G dongle so that nmap against the internet
          routable address the dongle comes up with always returns "all
          1000 scanned ports on &lt;address blah&gt; are filtered" -
          which could be making things difficult.</div>
        <div><br>
        </div>
        <div>So today I played some more (I will try your suggestions on
          the weekend though) with these configs-</div>
        <div><br>
        </div>
        <div>new office side:</div>
        <div><br>
        </div>
        <div>
          <div>conn newoffice</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; left=192.168.3.3</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; leftid=@newoffice</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; leftnexthop=%defaultroute &lt;- the ASUS router</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsourceip=192.168.3.3</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsubnet=<a moz-do-not-send="true"
              href="http://192.168.3.0/24">192.168.3.0/24</a></div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; right=&lt;outside address of old office&gt;</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; rightsubnet=<a moz-do-not-send="true"
              href="http://192.168.1.0/24">192.168.1.0/24</a></div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; type=tunnel</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; auto=start</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; salifetime=28800s</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; ikelifetime=86400s</div>
        </div>
        <div><br>
        </div>
        <div>new office side:</div>
        <div><br>
        </div>
        <div>
          <div>conn oldoffice</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; auto=add</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; keyingtries=3</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; type=transport</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; forceencaps=yes</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; right=%any</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; rightprotoport=17/%any</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; # Using the magic port of "0" means "any one
            single port". This is</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; # a work around required for Apple OSX clients
            that use a randomly</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; # high port, but propose "0" instead of their
            port. Could also be 17/%any</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; #leftprotoport=17/1701</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; left=&lt;outside address of old office&gt;</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; leftnexthop=&lt;outside address of old office
            next hop&gt;</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsubnet=<a moz-do-not-send="true"
              href="http://192.168.1.0/24">192.168.1.0/24</a></div>
          <div>
            &nbsp; &nbsp; &nbsp; &nbsp; rightsubnet=<a moz-do-not-send="true"
              href="http://192.168.3.0/24">192.168.3.0/24</a></div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; # Apple iOS doesn't send delete notify so we need
            dead peer detection</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; # to detect vanishing clients</div>
          <div>
            &nbsp; &nbsp; &nbsp; &nbsp; dpddelay=10</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; dpdtimeout=90</div>
          <div>&nbsp; &nbsp; &nbsp; &nbsp; dpdaction=clear</div>
        </div>
        <div><br>
        </div>
        <div>In this case once I created a static route on my
          workstation like so:</div>
        <div><br>
        </div>
        <div>
          <div>Network Destination &nbsp; &nbsp; &nbsp; &nbsp;Netmask &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Gateway &nbsp; &nbsp; &nbsp;
            Interface &nbsp;Metric</div>
          <div>&nbsp; &nbsp; &nbsp; 192.168.1.0 &nbsp; &nbsp;255.255.255.0 &nbsp; &nbsp; &nbsp;192.168.3.3 &nbsp;
            &nbsp;192.168.3.101 &nbsp; &nbsp; 11</div>
          <div>&nbsp; &nbsp; &nbsp;&nbsp;</div>
        </div>
        <div>I was able to ping anything on the <a
            moz-do-not-send="true" href="http://192.168.1.0/24">192.168.1.0/24</a>
          subnet in the old office.</div>
        <div><br>
        </div>
        <div>BUT - if I add more subnets to see the networks that are
          currently configured as site to site connections in the old
          office I am unable to see those in terms of ping and
          connectivity.</div>
        <div><br>
        </div>
        <div>Paul</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On 19 September 2013 17:25, Nick Howitt
          <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:n1ck.h0w1tt@gmail.com" target="_blank">n1ck.h0w1tt@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="font-family:Arial,Helvetica,sans-serif">
              <p>In conn current your leftsubnet should be a leftsubnets
                to match the rightsubnets. While right is not fixed, you
                may want to try %any but you will have to use the same
                psk as your roadwarriors. You will also want DPD with
                dpdaction=clear for when the remote IP changes. I also
                prefer pfs=yes (or remove it). I don't think any of
                these issues are causing your problem, however, as you
                are getting your tunnels.</p>
              <p>Can you ping between the two Openswan devices?</p>
              <p>In your new office, does your gateway device have
                routes redirecting traffic <a moz-do-not-send="true"
                  href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>,
                <a moz-do-not-send="true" href="http://10.134.210.64/28"
                  target="_blank">10.134.210.64/28</a> and 10.134.162.59
                via 192.168.3.3?</p>
              <p>I'd need to check firewalling when I'm at home. Is
                "new" running a firewall? Presumably it is just a
                standalone PC on the "new" LAN.</p>
              <span class="HOEnZb"><font color="#888888">
                  <p>&nbsp;</p>
                  <p>Nick</p>
                </font></span>
              <div>
                <div class="h5">
                  <p>On 2013-09-19 02:45, Paul Young wrote:</p>
                  <blockquote type="cite"
                    style="padding-left:5px;border-left:#1010ff 2px
                    solid;margin-left:5px">
                    <div dir="ltr">Hi Nick,
                      <div>&nbsp;</div>
                      <div>Thanks for the response. I have confused the
                        situation as you have suggested.</div>
                      <div>&nbsp;</div>
                      <div>So now my configs looks like this:</div>
                      <div>&nbsp;</div>
                      <div>In the current office Openswan (one interface
                        connects directly to the outside world)-</div>
                      <div>&nbsp;</div>
                      <div>
                        <div>conn current</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; left=&lt;my fixed internet IP&gt;</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftid=@current</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftnexthop=&lt;my fixed internet
                          IP next hop&gt;</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsubnet=<a
                            moz-do-not-send="true"
                            href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsourceip=192.168.1.2</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; right=&lt;non fixed IP of the new
                          office router&gt;</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; rightsubnets= { <a
                            moz-do-not-send="true"
                            href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a>
                          }</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; type=tunnel</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; auto=start</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; ikelifetime=86400s</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; salifetime=28800s</div>
                      </div>
                      <div>&nbsp;</div>
                      <div>note that the new office does not have a
                        fixed IP address (it will in the future, but
                        people are moving in before the carrier has that
                        ready)</div>
                      <div>&nbsp;</div>
                      <div>The current config of the new office-</div>
                      <div>&nbsp;</div>
                      <div>
                        <div>conn new</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; left=192.168.3.3</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftid=@new</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftnexthop=%defaultroute</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsourceip=192.168.3.3</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsubnet=<a
                            moz-do-not-send="true"
                            href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; right=&lt;my fixed internet IP of
                          current office&gt;</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; rightsubnets={<a
                            moz-do-not-send="true"
                            href="http://10.134.162.59/32"
                            target="_blank">10.134.162.59/32</a> <a
                            moz-do-not-send="true"
                            href="http://10.134.210.64/28"
                            target="_blank">10.134.210.64/28</a> <a
                            moz-do-not-send="true"
                            href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>}</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; type=tunnel</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; auto=start</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; salifetime=28800s</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; ikelifetime=86400s</div>
                      </div>
                      <div>&nbsp;</div>
                      <div>So far I can bring up the new office tunnel
                        but can't ping anything on the other side.</div>
                      <div>&nbsp;</div>
                      <div>
                        <div>000 initiating all conns with alias='new'</div>
                        <div>104 "new/0x3" #25: STATE_MAIN_I1: initiate</div>
                        <div>003 "new/0x3" #25: received Vendor ID
                          payload [Openswan (this version) 2.6.32 ]</div>
                        <div>003 "new/0x3" #25: received Vendor ID
                          payload [Dead Peer Detection]</div>
                        <div>003 "new/0x3" #25: received Vendor ID
                          payload [RFC 3947] method set to=109</div>
                        <div>106 "new/0x3" #25: STATE_MAIN_I2: sent MI2,
                          expecting MR2</div>
                        <div>003 "new/0x3" #25: NAT-Traversal: Result
                          using RFC 3947 (NAT-Traversal): both are NATed</div>
                        <div>108 "new/0x3" #25: STATE_MAIN_I3: sent MI3,
                          expecting MR3</div>
                        <div>003 "new/0x3" #25: received Vendor ID
                          payload [CAN-IKEv2]</div>
                        <div>004 "new/0x3" #25: STATE_MAIN_I4: ISAKMP SA
                          established {auth=OAKLEY_PRESHARED_KEY
                          cipher=aes_128 prf=oakley_sha group=modp2048}</div>
                        <div>117 "new/0x1" #26: STATE_QUICK_I1: initiate</div>
                        <div>117 "new/0x2" #27: STATE_QUICK_I1: initiate</div>
                        <div>117 "new/0x3" #28: STATE_QUICK_I1: initiate</div>
                        <div>004 "new/0x1" #26: STATE_QUICK_I2: sent
                          QI2, IPsec SA established tunnel mode
                          {ESP=&gt;0x28d68261 &lt;0x554dc93f
                          xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=&lt;my
                          fixed internet IP of current office&gt;:4500
                          DPD=none}</div>
                        <div>004 "new/0x2" #27: STATE_QUICK_I2: sent
                          QI2, IPsec SA established tunnel mode
                          {ESP=&gt;0x0021555f &lt;0xa7d4a5fb
                          xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=&lt;my
                          fixed internet IP of current office&gt;:4500
                          DPD=none}</div>
                        <div>004 "new/0x3" #28: STATE_QUICK_I2: sent
                          QI2, IPsec SA established tunnel mode
                          {ESP=&gt;0xb1e4e80f &lt;0xa82a3d85
                          xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=&lt;my
                          fixed internet IP of current office&gt;:4500
                          DPD=none}</div>
                        <div>&nbsp;</div>
                      </div>
                      <div>I can't bring up the tunnel from the current
                        office to the new office though - I suspect
                        IPtables might be involved there but am not sure
                        as I would have thought these rules would be fine
                        which are in place for road runner types:</div>
                      <div>&nbsp;</div>
                      <div>
                        <div>-A INPUT -p udp --dport 500 -j ACCEPT</div>
                        <div>-A INPUT -p udp --dport 4500 -j ACCEPT</div>
                      </div>
                      <div>&nbsp;</div>
                      <div>and on the new office side I have</div>
                      <div>&nbsp;</div>
                      <div>
                        <div>-A INPUT -p udp --dport 500 -s&nbsp;&lt;my fixed
                          internet IP of current office&gt;&nbsp;-j ACCEPT</div>
                        <div>-A INPUT -p udp --dport 4500 -s&nbsp;&lt;my
                          fixed internet IP of current office&gt;&nbsp;-j
                          ACCEPT</div>
                      </div>
                      <div>&nbsp;</div>
                      <div>Thanks for trying to help me here.</div>
                      <div>&nbsp;</div>
                      <div>Paul</div>
                      <div>&nbsp;</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <br>
                      <div class="gmail_quote">On 18 September 2013
                        22:25, Nick Howitt <span>&lt;<a
                            moz-do-not-send="true"
                            href="mailto:n1ck.h0w1tt@gmail.com"
                            target="_blank">n1ck.h0w1tt@gmail.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"><span
                            style="text-decoration:underline"></span>
                          <div
                            style="font-family:Arial,Helvetica,sans-serif">
                            <p>Your server and aconns do not match at
                              all. I would rename the server conn to
                              something like roadwarrior and move some
                              of the settings into conn %default - the
                              ones which would apply to every conn such
                              as left, leftnexthop (probably not needed)
                              possibly pfs and auto and add leftsourceip
                              (the server's LAN IP). Create a new conn
                              which you could call aconn if you wanted.
                              The server's aconn should pretty much
                              match the remote's aconn with left and
                              right reversed. (Generally you don't need
                              to reverse left and right at each end but
                              the use of conn %default means you must).
                              I would also suggest enabling PFS for
                              aconn.</p>
                            <div>
                              <div>
                                <p>On 2013-09-18 09:49, Paul Young
                                  wrote:</p>
                              </div>
                            </div>
                            <blockquote
                              style="padding-left:5px;border-left:#1010ff
                              2px solid;margin-left:5px">
                              <div>
                                <div>
                                  <div dir="ltr">Hi Everyone,
                                    <div>&nbsp;</div>
                                    <div>I am in the deep end with
                                      Openswan and possibly the
                                      following will show that.
                                      Apologies!</div>
                                    <div>&nbsp;</div>
                                    <div>So far I have been relying
                                      heavily on this -&nbsp;<a
                                        moz-do-not-send="true"
                                        href="http://www.jacco2.dds.nl/networking/openswan-l2tp.html"
                                        target="_blank">http://www.jacco2.dds.nl/networking/openswan-l2tp.html</a></div>
                                    <div>&nbsp;</div>
                                    <div>A little bit of background
                                      first. We have just opened a new
                                      office and not all the
                                      infrastructure is in place as yet.</div>
                                    <div>&nbsp;</div>
                                    <div>So the idea is to use a site to
                                      site VPN back to the current
                                      office so that all resources can
                                      be reached.</div>
                                    <div>&nbsp;</div>
                                    <div>There is a server acting as the
                                      openswan VPN\gateway etc in both
                                      offices - current office and new
                                      office.</div>
                                    <div>&nbsp;</div>
                                    <div>The current office has a number
                                      of site to site configs already in
                                      place to third parties. I have
                                      configured a server side which
                                      looks like this:</div>
                                    <div>&nbsp;</div>
                                    <div>
                                      <div><em>conn server</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; auto=add</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; keyingtries=3</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; type=transport</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; forceencaps=yes</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; right=%any</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          #rightsubnet=vhost:%priv,%no</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          rightprotoport=17/%any</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; # Using the magic
                                          port of "0" means "any one
                                          single port". This is</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; # a work around
                                          required for Apple OSX clients
                                          that use a randomly</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; # high port, but
                                          propose "0" instead of their
                                          port. Could also be 17/%any</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; left=&lt;my
                                          outside fixed IP address&gt;</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          leftnexthop=&lt;my outside
                                          fixed IP address next hop&gt;</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          leftprotoport=17/1701</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; # Apple iOS
                                          doesn't send delete notify so
                                          we need dead peer detection</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; # to detect
                                          vanishing clients</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; dpddelay=10</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; dpdtimeout=90</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; dpdaction=clear</em></div>
                                    </div>
                                    <div>&nbsp;</div>
                                    <div>Behind that are some ppp and
                                      xl2tp settings that work well for
                                      some of our remote types, but I am
                                      looking at pure IPsec at this
                                      point.</div>
                                    <div>&nbsp;</div>
                                    <div>In the new office I have set up
                                      a conn like this:</div>
                                    <div>&nbsp;</div>
                                    <div>
                                      <div><em>conn aconn</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; left=192.168.3.3</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; #left=%any</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; leftid=@vpn</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          leftnexthop=%defaultroute</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          leftsourceip=192.168.3.3</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; leftsubnet=<a
                                            moz-do-not-send="true"
                                            href="http://192.168.3.0/24"
                                            target="_blank">192.168.3.0/24</a></em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; right=</em><em>&lt;my
                                          outside fixed IP address&gt;</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; rightsubnets={<a
                                            moz-do-not-send="true"
                                            href="http://10.134.162.59/32"
                                            target="_blank">10.134.162.59/32</a>
                                          <a moz-do-not-send="true"
                                            href="http://10.134.210.64/28"
                                            target="_blank">10.134.210.64/28</a>
                                          <a moz-do-not-send="true"
                                            href="http://192.168.1.0/24"
                                            target="_blank">192.168.1.0/24</a>}</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; type=tunnel</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; auto=start</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp; salifetime=28800s</em></div>
                                      <div><em>&nbsp; &nbsp; &nbsp; &nbsp;
                                          ikelifetime=86400s</em></div>
                                    </div>
                                    <div>&nbsp;</div>
                                    <div>It sits behind a router so left
                                      is the local interface. And the
                                      subnets are back in the current
                                      office.</div>
                                    <div>&nbsp;</div>
                                    <div>It comes up ok:</div>
                                    <div>&nbsp;</div>
                                    <div>
                                      <div><em># service ipsec status</em></div>
                                      <div><em>IPsec running &nbsp;- pluto
                                          pid: 11869</em></div>
                                      <div><em>pluto pid 11869</em></div>
                                      <div><em>3 tunnels up</em></div>
                                      <div><em>some eroutes exist</em></div>
                                    </div>
                                    <div>&nbsp;</div>
                                    <div>I see the routes come up ok on
                                      the new office side:</div>
                                    <div>&nbsp;</div>
                                    <div>
                                      <div><em># ip xfrm policy</em></div>
                                      <div><em>src <a
                                            moz-do-not-send="true"
                                            href="http://192.168.3.0/24"
                                            target="_blank">192.168.3.0/24</a>
                                          dst <a moz-do-not-send="true"
href="http://10.134.162.59/32" target="_blank">10.134.162.59/32</a></em></div>
                                      <pre>        dir out priority 2336 ptype main
        tmpl src 192.168.3.3 dst 203.215.150.142
                proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
        dir fwd priority 2336 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
        dir in priority 2336 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 10.134.210.64/28
        dir out priority 2340 ptype main
        tmpl src 192.168.3.3 dst 203.215.150.142
                proto esp reqid 16389 mode tunnel
src 10.134.210.64/28 dst 192.168.3.0/24
        dir fwd priority 2340 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16389 mode tunnel
src 10.134.210.64/28 dst 192.168.3.0/24
        dir in priority 2340 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16389 mode tunnel
src 192.168.3.0/24 dst 192.168.1.0/24
        dir out priority 2344 ptype main
        tmpl src 192.168.3.3 dst 203.215.150.142
                proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.3.0/24
        dir fwd priority 2344 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.3.0/24
        dir in priority 2344 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16393 mode tunnel</pre>
                                    </div>
                                    <div>&nbsp;</div>
                                    <div>Can't ping anything back in the
                                      current office from the new office
                                      even though I can see encapsulated
                                      traffic going across at the time
                                      of my ping - nothing comes back.</div>
                                    <div>&nbsp;</div>
                                    <div>I also don't see anything being
                                      created in the xfrm policy for the
                                      current office, and if I add a
                                      rightsubnet(s) line to the current
                                      office config then the road
                                      runner types can't connect.</div>
                                    <div>&nbsp;</div>
                                    <div>Is what I am trying to do even
                                      possible?</div>
                                    <div>&nbsp;</div>
                                    <div>Thanks,</div>
                                    <div>Paul</div>
                                  </div>
                                </div>
                              </div>
                              <pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
                            </blockquote>
                          </div>
                          <br>
                        </blockquote>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
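The quoted <code>ip xfrm policy</code> dump above is the thing to read when ESP leaves but nothing comes back: for every traffic selector the kernel needs an <em>out</em> policy plus mirrored <em>in</em> and <em>fwd</em> policies with the same reqid and reversed tunnel endpoints, and a gateway that only has the outbound half will encapsulate pings and silently drop the replies. The script below is an added example, not code from the thread or from Openswan. It parses the plain-text layout that <code>ip xfrm policy</code> prints and reports, per (local subnet, remote subnet) pair, which of the three policies are missing or inconsistent. <code>NEW_OFFICE_DUMP</code> is two of the triples copied from the dump above; <code>HALF_TUNNEL_DUMP</code> is a constructed, hypothetical dump of a gateway that installed only the outbound policy.

```python
"""Added example: check an `ip xfrm policy` dump for complete tunnel triples.

Assumes the text layout `ip xfrm policy` prints: a 'src ... dst ...' line
followed by indented 'dir', 'tmpl' and 'proto' lines for each policy.
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^\s+dir (\w+) priority (\d+)")
TMPL = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto (\w+) reqid (\d+) mode (\w+)")


def parse_policies(text):
    """Turn an `ip xfrm policy` dump into a list of dicts, one per policy."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = TMPL.match(line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
            continue
        m = PROTO.match(line)
        if m:
            cur["proto"], cur["reqid"], cur["mode"] = m.group(1), int(m.group(2)), m.group(3)
    return policies


def check_tunnels(policies):
    """Group policies by (local, remote) selector and list what is wrong.

    'out' is keyed (src, dst); 'in' and 'fwd' carry the reversed selector,
    so they are keyed (dst, src). Returns {(local, remote): [problems]};
    an empty list means the out/fwd/in triple is complete and consistent.
    """
    by_key = defaultdict(dict)
    for p in policies:
        d = p.get("dir")
        if d is None:
            continue  # a policy without a dir line cannot be judged
        key = (p["src"], p["dst"]) if d == "out" else (p["dst"], p["src"])
        by_key[key][d] = p
    report = {}
    for key, dirs in by_key.items():
        problems = []
        for d in ("out", "fwd", "in"):
            if d not in dirs:
                problems.append("missing %s policy" % d)
        present = [dirs[d] for d in ("out", "fwd", "in") if d in dirs]
        reqids = {p.get("reqid") for p in present}
        if len(reqids) > 1:
            problems.append("reqid mismatch %s" % sorted(reqids, key=str))
        for p in present:
            if p.get("proto") != "esp" or p.get("mode") != "tunnel":
                problems.append("%s policy is not esp/tunnel" % p["dir"])
        if "out" in dirs and "in" in dirs:
            o, i = dirs["out"], dirs["in"]
            # Outbound template runs local->remote; inbound must run remote->local.
            if (o.get("tmpl_src"), o.get("tmpl_dst")) != (i.get("tmpl_dst"), i.get("tmpl_src")):
                problems.append("out and in templates do not mirror each other")
        report[key] = problems
    return report


# Two of the triples from the new-office dump in the thread (tabs shown as spaces).
NEW_OFFICE_DUMP = """\
src 192.168.3.0/24 dst 10.134.162.59/32
        dir out priority 2336 ptype main
        tmpl src 192.168.3.3 dst 203.215.150.142
                proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
        dir fwd priority 2336 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
        dir in priority 2336 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 192.168.1.0/24
        dir out priority 2344 ptype main
        tmpl src 192.168.3.3 dst 203.215.150.142
                proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.3.0/24
        dir fwd priority 2344 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.3.0/24
        dir in priority 2344 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16393 mode tunnel
"""

# Constructed, hypothetical dump of a gateway with only the outbound half installed.
HALF_TUNNEL_DUMP = """\
src 192.168.1.0/24 dst 192.168.3.0/24
        dir out priority 2344 ptype main
        tmpl src 203.215.150.142 dst 192.168.3.3
                proto esp reqid 16393 mode tunnel
"""

if __name__ == "__main__":
    for name, dump in (("new office", NEW_OFFICE_DUMP), ("half tunnel", HALF_TUNNEL_DUMP)):
        for key, problems in check_tunnels(parse_policies(dump)).items():
            print("%s %s -> %s: %s" % (name, key[0], key[1], ", ".join(problems) or "ok"))
```

On a live gateway, feed it the real output, for instance <code>parse_policies(subprocess.check_output(["ip", "xfrm", "policy"]).decode())</code>, and run it on both ends: the side that shows a selector with "missing in policy" / "missing fwd policy", or no entry at all for the peer's subnet, is the side that will never accept the return traffic.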
  </body>
</html>