<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Rescued from the Spam bucket. Please remember to subscribe to the mailing list before you post to it.<div><br><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="color: rgb(127, 127, 127);"><b>From: </b></span>David Jones <<a href="mailto:david@proficienthealth.com">david@proficienthealth.com</a>></div><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Re: OpenSwan and Palo Alto PA-4020</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">May 20, 2014 at 1:57:51 PM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br><div dir="ltr">Can anyone help me with this or tell me to include more information or something?<div><br></div><div>Thanks,</div><div><br></div><div>David</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Wed, Apr 30, 2014 at 12:04 PM, David jones <span dir="ltr"><<a href="mailto:david@proficienthealth.com" target="_blank">david@proficienthealth.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div>Hi, </div><div><br></div><div>First-time poster here. To set the mood, I am new to OpenSwan and network security in general but a chain of events have left me having to manage something better suited by someone else :-)</div>
<div><br></div><div>I have set up numerous IPSec connections using OpenSwan interfacing with Ciso, Sonicwall, and others but this Palo Alto is causing me some pain.</div><div><br></div><div>Here is the scenario… I have an existing IPSec connection with a client that is working perfectly, with a Cisco 300 Series VPN appliance as there endpoint. They are replacing it with this Palo Alto and gave me the new information for it. I created a new connection and secret and updated the rightIP and subnets, but left everything else the same except for setting PFS =Yes in the conf. </div>
<div><br></div><div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">Linux version 3.2.0-2-amd64 (Debian 3.2.18-1) (<a href="mailto:debian-kernel@lists.debian.org" target="_blank">debian-kernel@lists.debian.org</a>) (gcc version 4.6.3 (Debian 4.6.3-1) ) #1 SMP Mon May 21 17:45:41 UTC 2012</div>
</div><div><br></div><div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">Version: Linux Openswan U2.6.38-g312f1b8a-dirty/K3.2.0-2-amd64</div></div><div><br>
</div><div>example</div><div><b>WORKS!</b></div><div><div>conn clientvpn_old</div><div> authby=secret</div><div> left=xxx.xxx.xxx.167</div><div> leftsourceip=xxx.xxx.xxx.167</div><div> leftnexthop=xxx.xxx.xxx.161</div>
<div> right=xxx.xxx.xxx.5</div><div> rightsubnet=xxx.xxx.xxx.133/32</div><div> auto=route</div><div> pfs=no</div><div><br></div><div><b>DOESNT WORK!</b></div><div>conn clientvpn_new</div><div> authby=secret</div>
<div> left=xxx.xxx.xxx.167</div><div> leftsourceip=xxx.xxx.xxx.167</div><div> leftnexthop=xxx.xxx.xxx.161</div><div> right=xxx.xxx.xxx.2</div><div> rightsubnets={xxx.xxx.xxx6.34/32,xxx.xxx.xxx.35/32}</div><div>
auto=route</div><div> pfs=yes</div></div><div><br></div><div><br></div><div><br></div><div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">root@xxx:~# ipsec auto —status | grep clientvpn_new</div>
<div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">000 "clientvpn_new/0x1": <span style="font-family: Arial; font-size: 13px;">xxx.xxx.xxx</span>.167/32===xxx.xxx.xxx.167<xxx.xxx.xxx.167>---xxx.xxx.xxx.161...xxx.xxx.xxx.2<xxx.xxx.xxx.2>===xxx.xxx.xxx.34/32; unrouted; eroute owner: #0</div>
<div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">000 "clientvpn_new/0x1": myip=xxx.xxx.xxx.167; hisip=unset;</div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
000 "clientvpn_new/0x1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 </div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
000 "clientvpn_new/0x1": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth1; </div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
000 "clientvpn_new/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">000 "clientvpn_new/0x1": aliases: clientvpn_new </div>
<div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">000 "clientvpn_new/0x2": xxx.xxx.xxx.167/32===xxx.xxx.xxx.167<xxx.xxx.xxx.167>---xxx.xxx.xxx.161...xxx.xxx.xxx.2<xxx.xxx.xxx.2>===xxx.xxx.xxx.35/32; unrouted; eroute owner: #0</div>
<div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">000 "clientvpn_new/0x2": myip=xxx.xxx.xxx.167; hisip=unset;</div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
000 "clientvpn_new/0x2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 </div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
000 "clientvpn_new/0x2": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth1; </div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
000 "clientvpn_new/0x2": newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">000 "clientvpn_new/0x2": aliases: clientvpn_new </div>
</div><div><br></div><div><br></div><div><br></div><div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">root@xxx:~# grep clientvpn_new /var/log/auth.log</div>
<div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">Apr 30 01:00:05 xxx pluto[13917]: added connection description "clientvpn_new/0x1"</div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">
Apr 30 01:00:05 xxx pluto[13917]: added connection description "clientvpn_new/0x2"</div><div style="margin:0px;font-size:12px;font-family:Courier;color:rgb(76,47,45);background-color:rgb(223,219,196)">Apr 30 01:00:05 xxx pluto[13917]: loading secrets from "/etc/ipsec.d/clientvpn_new.secrets"</div>
</div><div><br></div><div><br></div><div>So it looks like everything comes up properly but when the other side tries to connect, they get a timeout and I get nothing in my auth.log or ipsec auto —status. I have verified a trace route form their side and they can reach my IP just fine. Im completely lost at this point and looking for some suggestions. My assumption is that there is something not right on their side but I dont know how to prove it. </div>
<div><br></div><div>Thanks,</div><div><br></div><br><div>
<div style="font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;">
<div style="word-wrap:break-word"><span style="border-collapse:separate;border-spacing:0px"><div style="word-wrap:break-word"><span style="border-collapse:separate;border-spacing:0px"><div style="word-wrap:break-word"><span style="border-collapse:separate;border-spacing:0px"><div style="word-wrap:break-word">
<span style="border-collapse:separate;font-family:Helvetica;border-spacing:0px"><div style="word-wrap:break-word"><font face="Arial" size="4"><span style="font-size:14px">David Jones</span></font></div>
</span></div></span></div></span><div><span style="border-collapse:separate;border-spacing:0px"><div style="word-wrap:break-word"><span style="border-collapse:separate;border-spacing:0px"><div style="word-wrap:break-word">
<span style="border-collapse:separate;font-family:Helvetica;border-spacing:0px"><div style="word-wrap:break-word"><span style="border-collapse:separate;border-spacing:0px"><div style="word-wrap:break-word"><font face="Arial"><b><br>
</b></font></div></span></div></span></div></span></div></span><br></div></div></span><br></div><br></div><br><br>
</div>
<br></div></blockquote></div><br></div>
<br><br></div></div><br></div></body></html>