<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi Leto,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks for your reply. When I leave out leftsubnet blank it gives me an error:<o:p></o:p></span></p><p class=MsoNormal># service ipsec start<o:p></o:p></p><p class=MsoNormal>failed to start openswan IKE daemon - the following error occured:<o:p></o:p></p><p class=MsoNormal>cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:20: syntax error, unexpected STRING, expecting EOL [network]<o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>And when I use the same public IP for both (</span><span style='mso-fareast-language:EN-GB'>left and leftsubnet</span><span style='color:#1F497D'>) it gives me the following message (warning):<o:p></o:p></span></p><p class=MsoNormal># service ipsec start<o:p></o:p></p><p class=MsoNormal>ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.x86_64...<o:p></o:p></p><p class=MsoNormal><b><u>ipsec_setup: multiple ip addresses, using 88.208.229.225 on eth0<o:p></o:p></u></b></p><p class=MsoNormal>ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Yes, I do have the IP route package installed, i.e. package iproute-2.6.32-23.el6.x86_64<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I am still getting the below output for ‘ipsec verify’:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'># ipsec verify<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking if IPsec got 
installed and started correctly:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Version check and ipsec on-path [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Openswan U2.6.39/K2.6.32-358.23.2.el6.x86_64 (netkey)<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>See `ipsec --copyright' for copyright information.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking for IPsec support in kernel [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> NETKEY: Testing XFRM related proc values<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> ICMP default/send_redirects [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> ICMP default/accept_redirects [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> XFRM larval drop [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Hardware random device check [N/A]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking rp_filter [ENABLED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking that pluto is running [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> Pluto listening for IKE on udp 500 [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> Pluto listening for IKE/NAT-T on udp 4500 
[DISABLED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking NAT and MASQUERADEing [TEST INCOMPLETE]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking 'ip' command [IP XFRM BROKEN]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking 'iptables' command [OK]<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ipsec verify: encountered errors<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks for your help<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-GB'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-GB'> Leto [mailto:letoams@gmail.com] <br><b>Sent:</b> 04 November 2013 19:16<br><b>To:</b> Rishad Ali<br><b>Cc:</b> &lt;users@lists.openswan.org&gt;<br><b>Subject:</b> Re: [Openswan Users] VPN setup between dedicated server and CISCO firewall<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><br><br>sent from a tiny device <o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 2013-11-04, at 7:39, "Rishad Ali" &lt;<a 
href="mailto:rishad.ali@turnkey-instruments.com">rishad.ali@turnkey-instruments.com</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='color:#1F497D'>Hi all,</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>I am trying to set up a VPN between my dedicated server (CentOS) and another company. I want to terminate the VPN on my dedicated server, which I access remotely, and the other company terminates their VPN on a CISCO firewall.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>(I have been given their internal IP address and external gateway IP address to set up on openswan.) </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>My first problem is, I do not have a network behind my server, so what should be my <b>internal IP address</b> in the ipsec.config (should I use the same public IP address for both internal and external)?</span><o:p></o:p></p></div></blockquote><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>you can just leave out leftsubnet=<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><br><br><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Secondly, when I run ipsec verify, below is the output:</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><div><p 
class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>it's odd that it shows ip<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>xfrm is broken on centos. that is normally not a problem. do you have the iproute package installed?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><br><br><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Checking if IPsec got installed and started correctly:</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Version check and ipsec on-path [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Openswan U2.6.39/K2.6.32-358.23.2.el6.x86_64 (netkey)</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>See `ipsec --copyright' for copyright information.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Checking for IPsec support in kernel [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>NETKEY: Testing XFRM related proc values</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> ICMP default/send_redirects [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> ICMP default/accept_redirects [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> XFRM larval drop [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Hardware random device check 
[N/A]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Checking rp_filter [ENABLED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Checking that pluto is running [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Pluto listening for IKE on udp 500 [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]</span><o:p></o:p></p><p class=MsoNormal><b><u><span style='color:#1F497D'>Checking NAT and MASQUERADEing [TEST INCOMPLETE]</span></u></b><o:p></o:p></p><p class=MsoNormal><b><u><span style='color:#1F497D'>Checking 'ip' command [IP XFRM BROKEN]</span></u></b><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Checking 'iptables' command [OK]</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>It says,</span><o:p></o:p></p><p class=MsoNormal><b><u><span style='color:#1F497D'>Checking NAT and MASQUERADEing [TEST INCOMPLETE]</span></u></b><o:p></o:p></p><p class=MsoNormal><b><u><span style='color:#1F497D'>Checking 'ip' command [IP XFRM BROKEN]</span></u></b><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> 
</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>How to fix this?</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Thanks.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'><o:p> </o:p></span></p></div></div></body></html>