<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Sorry for the slow reply, had some other dramas come up...<br>
    <br>
    Received the real site information today (other end is a Cisco) -
    basically used exactly the same settings and it all worked first
    attempt, so it was obviously something to do with talking to the
    Draytek.<br>
    <br>
    May revisit it for the sake of the exercise when I have some spare
    time.<br>
    <br>
    Thanks for your help, Nick<br>
    <br>
    Dave<br>
    <br>
    <div class="moz-cite-prefix">On 13/02/2014 2:13 AM, Nick Howitt
      wrote:<br>
    </div>
    <blockquote cite="mid:52FBB9C3.5080801@gmail.com" type="cite">
      Now I'm home, you have a couple of options with the Draytek. If you
      want to accept connections from anywhere (e.g. if CentOS is on a
      dynamic IP), you need to configure IPsec General Setup. Put in
      your PSK, uncheck AH and DES (and possibly 3DES), then configure
      your LAN to LAN profile.<br>
      <br>
      In the LAN to LAN profile:<br>
      Section 1: Give it a name and enable it, Call Direction Dial-in,
      probably you want Always On<br>
      Section 2: Leave<br>
      Section 3: Allow IPsec Tunnel only. If you don't want connections
      from anywhere, don't set up IPsec General Setup, but you need to
      complete this section. Check the "Specify Remote VPN Gateway" box
      and put in the CentOS WAN IP in the Peer VPN Server IP, put in
      your PSK and for security method uncheck AH, DES and possibly
      3DES.<br>
      Section 4: Leave My WAN IP and Remote Gateway IP as 0.0.0.0,
      complete the remote and local network IPs and masks. They should
      match with your conn. Don't bother with RIP or changing the default
      route.<br>
      <br>
      If this all works, you may find the encryption is only AES128 (or
      3DES if you allowed it). You can then ramp up the encryption to
      AES256, a higher MODP/DH group, and you can choose between SHA1 and
      MD5 (I think SHA1 is preferable). This will all be controlled from
      the Openswan end if you specify the algorithm.<br>
      <br>
      If you're adventurous you can then try certificates instead of a
      PSK - I made a small attempt and failed.<br>
      <br>
      Regards,<br>
      <br>
      Nick<br>
      <br>
      <div class="moz-cite-prefix">On 12/02/2014 02:00, David Fowler
        wrote:<br>
      </div>
      <blockquote cite="mid:52FAD5CE.8060604@powercreations.com.au"
        type="cite">
        <div class="moz-cite-prefix">Hi Nick<br>
          <br>
          Thanks for your reply.<br>
          <br>
          Have made the required changes, and still no go.
          Unfortunately I need to have the CentOS server establishing
          the connection. A lot of the settings in the conf came from
          reading umpteen docs / configs on the net - this isn't my
          usual area of specialty, I've just been given the task :)<br>
          <br>
          New <b>ipsec.conf</b><br>
<pre>config setup
     klipsdebug=all
     plutodebug=all
     protostack=netkey
     interfaces=%defaultroute

conn testconnection
     type=tunnel
     left=1.1.1.1
     leftsourceip=192.168.3.195
     leftsubnet=192.168.3.0/24
     right=3.3.3.3
     rightsubnet=192.168.3.0/24
     auth=esp
     keyexchange=ike
     auto=add
     pfs=yes
     rekey=no
     authby=secret</pre>
          <br>
          Doing a tcpdump when doing the ipsec auto --add testconnection
          I can see the server sending the request (thishost and endhost
          replacing the actual hostnames)<br>
          <br>
<pre>tcpdump -vv -x -X -s 1500 -i eth0 'port 500'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
01:55:31.099277 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 520)
    thishost.isakmp &gt; endhost.isakmp: [bad udp cksum afb2!] isakmp 1.0 msgid 00000000 cookie 0a1a31b314914bbb-&gt;0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=12
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp2048))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp2048))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1536))
            (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1536))
            (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
            (t: #9 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
            (t: #10 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))
            (t: #11 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1024))))
    (vid: len=12)
    (vid: len=16)</pre>
          <br>
          This is more of a 'test' as part of a bigger project, but
          wanted to try and get everything ready first.  I'm not sure of
          the end requirements for the actual 'live' system - so may
          wait for those and see how I go.<br>
          <br>
          Dave<br>
          <br>
          <br>
          <br>
          On 11/02/2014 4:42 PM, Nick Howitt wrote:<br>
        </div>
        <blockquote
          cite="mid:024116e539408daddde1043f6f1ef0da@howitts.poweredbyclear.com"
          type="cite">
          <p>What settings do you have in the Draytek (including the
            advanced settings)?</p>
          <p>Can you check your subnets (although it is not the issue)
            as your virtual_private subnets do not match the rightsubnet
            (/16 is not 255.255.255.0). Anyway you should not need
            virtual_private or nat_traversal.</p>
          <p>In your conn, you will probably also want a leftsubnet and
            leftsourceip. Also to get the tunnel up and running I'd
            remove the esp line, change auto to add and have the Draytek
            initiate the connection.</p>
          <p>Have you opened the CentOS firewall to udp:500 and the esp
            protocol? Is there any reason you are not using PFS?</p>
          <p>Regards,</p>
          <p>Nick</p>
          <p>BTW I have a DrayTek 2710 and 2820 calling me (ClearOS).</p>
          <p>On 2014-02-11 05:29, David Fowler wrote:</p>
          <blockquote type="cite" style="padding-left:5px;
            border-left:#1010ff 2px solid; margin-left:5px">Hi all<br>
            <br>
            I'm having some issues getting Openswan running on a
            CentOS 6.5 box to connect to a Draytek router (or even
            another CentOS box) using an IPsec connection<br>
            <br>
            Here are all my settings (IP addresses have been changed -
            but consistent here)<br>
            1.1.1.1 - CentOS server<br>
            2.2.2.2 - CentOS server bcast<br>
            3.3.3.3 - router on the other end<br>
            <br>
            When I run an 'ipsec --up testconnection', I get the
            following<br>
            <br>
<pre>ipsec auto --up testconnection
104 "testconnection" #3: STATE_MAIN_I1: initiate
010 "testconnection" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "testconnection" #3: STATE_MAIN_I1: retransmission; will wait 40s for response</pre>
            The /var/log/secure file shows<br>
<pre>Feb 11 05:26:29 host pluto[31976]: | processing connection testconnection
Feb 11 05:26:29 host pluto[31976]: | handling event EVENT_RETRANSMIT for 3.3.3.3 "testconnection" #3
Feb 11 05:26:29 host pluto[31976]: | sending 592 bytes for EVENT_RETRANSMIT through eth0:500 to 3.3.3.3:500 (using #3)</pre>
            <br>
            Config files and outputs are below<br>
            <br>
            ----------<br>
            <strong>ifconfig</strong><br>
<pre>eth0      Link encap:Ethernet  HWaddr 00:16:3E:38:7B:2C
          inet addr:1.1.1.1  Bcast:2.2.2.2  Mask:255.255.248.0</pre>
            -----------<br>
            <strong>/etc/ipsec.conf</strong><br>
<pre>config setup
     klipsdebug=all
     plutodebug=all
     protostack=netkey
     nat_traversal=yes
     virtual_private=%v4:192.168.0.0/16,%v4:192.168.3.0/16
     interfaces=%defaultroute

conn testconnection
     type=tunnel
     left=1.1.1.1
     right=3.3.3.3
     rightsubnet=192.168.3.0/255.255.255.0
     auth=esp
     esp=3des-168
     keyexchange=ike
     auto=start
     pfs=no
     rekey=no
     authby=secret</pre>
            ----------<br>
            <strong>/etc/ip.secrets</strong><br>
<pre>1.1.1.1 3.3.3.3: PSK "mykeyhere"</pre>
            ----------<br>
            <strong>ipsec verify</strong><br>
<pre>Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-431.3.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]</pre>
            <br>
            ----------<br>
            <br>
            Any help would be appreciated.<br>
            <br>
            Dave<br>
            <pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
          </blockquote>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 

David Fowler

General Manager
Power Creations
Ph : 1300 737 268
Mb : 041 791 0960
Fx : 08 9386 8561
Wb : <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.powercreations.com.au">www.powercreations.com.au</a>

Please note I am not in the office on Wednesdays.  For anything urgent
please call the office or my mobile.

-----------------------------------------------------------------------
This Email may contain confidential and/or privileged information and
is intended solely for the addressee(s) named. If you have received
this information in error, or are advised that you have been posted
this Email by accident, please notify the sender by return Email,
do not redistribute it, delete the Email and keep no copies.
-----------------------------------------------------------------------</pre>
      </blockquote>
    </blockquote>
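<p>As an added example (not written by anyone in this thread), a small Python script that reads the tcpdump ISAKMP decode in the layout quoted above, names each phase 1 transform in the cipher-hash;group form that Openswan's ike= option takes, flags the 3DES/MD5/modp1024 ones, and builds an ike= line that keeps only the clean proposals, which is how you pin the algorithm from the Openswan end as Nick describes. The sample input is constructed from the quoted decode, and the WEAK table and the ike= syntax are my assumptions.</p>

```python
import re

# Constructed sample in the layout of the tcpdump ISAKMP decode quoted in the
# thread (three of the twelve phase 1 transforms), not the captured output itself.
SAMPLE_DECODE = """\
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp2048))
(t: #10 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))
"""

TRANSFORM_RE = re.compile(r"\(t: #(\d+) id=ike (.*)\)\s*$")
ATTR_RE = re.compile(r"\(type=([a-z ]+?) value=([0-9a-z]+)\)")

# Components a reviewer would want out of the offer: legacy ciphers, the MD5
# hash, and DH groups below 2048 bits (my own cut-off, not Openswan's).
WEAK = {"enc": {"des", "3des"}, "hash": {"md5"}, "group desc": {"modp768", "modp1024"}}

def parse_transforms(decode):
    """Turn each '(t: #n id=ike ...)' line of the decode into a dict of attributes."""
    transforms = []
    for line in decode.splitlines():
        m = TRANSFORM_RE.search(line)
        if not m:
            continue
        attrs = {"id": int(m.group(1))}
        for key, value in ATTR_RE.findall(m.group(2)):
            attrs[key] = value
        if "keylen" in attrs:  # tcpdump prints keylen in hex bits: 0080 -> 128
            attrs["keylen"] = int(attrs["keylen"], 16)
        transforms.append(attrs)
    return transforms

def openswan_name(t):
    """Render a transform as cipher-hash;group, the form Openswan's ike= option takes."""
    enc = t["enc"] + (str(t["keylen"]) if t["enc"] == "aes" and "keylen" in t else "")
    return "%s-%s;%s" % (enc, t["hash"], t["group desc"])

def weak_components(t):
    """Return the (attribute, value) pairs of a transform that hit the WEAK table."""
    return [(k, t[k]) for k, bad in WEAK.items() if t.get(k) in bad]

def recommend_ike(transforms):
    """Build an ike= line keeping only the offered transforms with no weak component."""
    keep = [openswan_name(t) for t in transforms if not weak_components(t)]
    return "ike=" + ",".join(keep) if keep else None

if __name__ == "__main__":
    transforms = parse_transforms(SAMPLE_DECODE)
    for t in transforms:
        flags = weak_components(t)
        verdict = "WEAK: " + ", ".join("%s=%s" % f for f in flags) if flags else "ok"
        print("#%-2d %-24s %s" % (t["id"], openswan_name(t), verdict))
    print(recommend_ike(transforms))  # ike=aes128-sha1;modp2048
```

Feed it the full twelve-transform decode from the thread and it shows why only AES128 is on offer: no transform carries a 256-bit keylen, so an ike= line naming aes256 is what adds it.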
  </body>
</html>