<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Vorformatiert Zchn";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
span.E-MailFormatvorlage17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.HTMLVorformatiertZchn
        {mso-style-name:"HTML Vorformatiert Zchn";
        mso-style-priority:99;
        mso-style-link:"HTML Vorformatiert";
        font-family:"Courier New";
        mso-fareast-language:DE;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="DE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:14.65pt;background:white">
<span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">Hi there,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:14.65pt;background:white">
<span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">I'm running a Debian 7.8 openswan 1:2.6.37-3+deb7u1 server with one external interface, but many different aliases :<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.94/24 brd xxx.xxx.xxx.255 scope
 global eth1<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.93/29 brd xxx.xxx.xxx.95 scope
 global eth1:ovpn<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.35/27 brd xxx.xxx.xxx.63 scope
 global eth1:mail1<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.75/29 brd xxx.xxx.xxx.79 scope
 global eth1:mail2<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.10/27 brd xxx.xxx.xxx.31 scope
 global eth1:web1<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.82/29 brd xxx.xxx.xxx.87 scope
 global eth1:ipsec2<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.36/27 brd xxx.xxx.xxx.63 scope
 global secondary eth1:web2<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.76/29 brd xxx.xxx.xxx.79 scope
 global secondary eth1:web3<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.3/27 brd xxx.xxx.xxx.31 scope
 global secondary eth1:gate1<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.34/27 brd xxx.xxx.xxx.63 scope
 global secondary eth1:gate2<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.5/27 brd xxx.xxx.xxx.31 scope
 global secondary eth1:mail<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">inet xxx.xxx.xxx.92/29 brd xxx.xxx.xxx.95 scope
 global secondary eth1:ipsec<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.65pt;background:white"><span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">My "main"-connections use xxx.xxx.xxx.94, but only one <b><span style="border:none windowtext 1.0pt;padding:0cm">has</span></b> to
 use xxx.xxx.xxx.92. If at my server I start up the connection using .92, all packets exit the interface with the .94 IP, of course getting </span><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">NO_PROPOSAL_CHOSEN
 msgid=00000000</span><span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE"> at phase 1.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:14.65pt;background:white">
<span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">I also found, that all my other IPSec servers (creating tunnels to .94) sometimes receive ESP packets from .92, despite there being not a
 single connection using this IP to them.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:14.65pt;background:white">
<span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">If the other side initiates the connection to .92 the server responds with the correct IP and the tunnel is established. Here is an excerpt
 from my ipsec.conf:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">uniqueids=yes<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">nhelpers=0<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">interfaces="ipsec0=eth1"<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">conn site2site<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">authby=secret<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">right=xxx.xxx.xxx.92<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">rightsubnet=192.168.0.0/24<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">rightnexthop=xxx.xxx.xxx.91<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">left=xxx.xxx.xxx.21<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">leftid="xxx.xxx.xxx.21"<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">ikelifetime=480m<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">keylife=3600s<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">rekeymargin=5m<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">keyingtries=0<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">auto=start<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">ike=3des-sha1;modp1024<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">esp=3des-sha1;modp1024<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">conn site2site-1<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">leftsubnet=172.16.0.0/12<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">also=site2site<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">conn site2site-2<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">leftsubnet=10.182.0.0/15<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">also=site2site<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:14.65pt;background:white">
<span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">I tried adding an iptables rule to SNAT the packets src: .94 dst: .21 to source .92, but to no avail, they keep leaving from the wrong interface:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#EEEEEE"><span lang="EN-US" style="font-size:10.0pt;font-family:Consolas;color:#222222;border:none windowtext 1.0pt;padding:0cm;background:#EEEEEE;mso-fareast-language:DE">iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.94
 -d xxx.xxx.xxx.21 -j SNAT --to-source xxx.xxx.xxx.92<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:14.65pt;background:white">
<span lang="EN-US" style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#222222;mso-fareast-language:DE">Anyone got some better idea or want to point me in the right direction here?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>