<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1416960280967_4196" dir="ltr">Hi Neal,<br style="" class="">No joy with 'forceencaps=yes' to either side or both.<br style="" class="">I removed DMZ setup for PC B and set router to forward UDP 500 and 4500 for IPsec & NAT-T.<br style="" class="">Same ipsec.conf & ipsec.secrets. Again, the link initiates from 90.0.0.9-to--192.168.1.150 fine, but won't initiate<br style="" class="">in reverse.<br style="" class="">Thanks,<br style="" class=""><br style="" class="">Neal Murphy wrote:<br style="" class="">> As a guess, add 'forceencaps=yes' to B's config; that should force it to start <br style="" class="">> with NAT traversal.<br style="" class=""><br style="" class="">On Monday, November 24, 2014 01:35:35 AM Ted Victorio wrote:<br style="" class="">> Hello gurus,<br style="" class="">> <br style="" class="">> My IPsec link (90.0.0.9--192.168.1.150) works fine if PC A initiates "ipsec<br style="" class="">> auto --up A_to_B" However, if PC B initiates "ipsec auto --up B_to_A", the<br style="" class="">> handshake fails since the router converts main mode 1 from 192.168.1.150<br style="" class="">> as if IPsec initiated from 90.0.0.3. 
Appreciate any suggestion to solve<br style="" class="">> this.<br style="" class="">>Thank you,<br style="" class="">><br style="" class="">><br style="" class="">><br style="" class="">>Notes:<br style="" class="">>1) PC B is configured as DMZ behind Trendnet router<br style="" class="">>2) nat_traversal=yes for both PC A & PC B<br style="" class="">><br style="" class="">>209.0.0.9<br style="" class="">>PC A (openswan)<br style="" class="">>90.0.0.9<br style="" class="">> |<br style="" class="">> |<br style="" class="">> |<br style="" class="">>90.0.0.3<br style="" class="">>Trendnet TEW-432BRP ROUTER<br style="" class="">>192.168.1.1<br style="" class="">> |<br style="" class="">> |<br style="" class="">> |<br style="" class="">>192.168.1.150 #DMZ#<br style="" class="">>PC B (openswan)<br style="" class="">><br style="" class="">><br style="" class="">>PC A ipsec.conf:<br style="" class="">>================<br style="" class="">>config setup<br style="" class="">> nat_traversal=yes<br style="" class="">> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16<br style="" class="">><br style="" class="">>conn A_to_B<br style="" class="">> type=tunnel<br style="" class="">> authby=secret<br style="" class="">> left=90.0.0.9<br style="" class="">> leftsubnet=209.0.0.0/24<br style="" class="">> leftnexthop=90.0.0.3<br style="" class="">> right=192.168.1.150<br style="" class="">> rightsubnet=192.168.1.150/32<br style="" class="">> auto=add<br style="" class="">><br style="" class="">>PC A ipsec.secrets:<br style="" class="">>-------------------<br style="" class="">>90.0.0.9 192.168.1.150 : PSK "test123"<br style="" class="">><br style="" class="">><br style="" class="">>PC B ipsec.conf:<br style="" class="">>================<br style="" class="">>config setup<br style="" class="">> nat_traversal=yes<br style="" class="">> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16<br style="" class="">><br style="" class="">>conn B_to_A<br 
style="" class="">> type=tunnel<br style="" class="">> authby=secret<br style="" class="">> left=90.0.0.9<br style="" class="">> leftsubnet=209.0.0.0/24<br style="" class="">> right=192.168.1.150<br style="" class="">> rightsubnet=192.168.1.150/32<br style="" class="">> auto=add<br style="" class="">><br style="" class="">>PC B ipsec.secrets:<br style="" class="">>-------------------<br style="" class="">>192.168.1.150 90.0.0.9 : PSK "test123"<br style="" class=""></div></div></body></html>