<div dir="ltr">Hi Afzal,<div><br></div><div>My VPS supports ipsec. I am already using ipsec tunnel successfully on other VPS. </div><div><br></div><div>Regards,</div><div>Suraj</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 17, 2015 at 9:57 AM, Afzal Khan <span dir="ltr"><<a href="mailto:khan.afzal@gmail.com" target="_blank">khan.afzal@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Hi Suraj</div><div><br></div><div>Please check if your vps supports ipsec most vps will not support it</div><div><br></div><div>Regards</div><div>AK<br><br>--<div>Sent from my iPhone</div><div><br></div><div>--</div></div><div><div class="h5"><div><br>On 17-Apr-2015, at 9:25 am, Suraj Mundada <<a href="mailto:surajmundada@gmail.com" target="_blank">surajmundada@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><span style="background-color:rgb(0,153,204)"><div><div>Hi,</div><div><br></div><div>I am trying to set up a IPSec tunnel between my VPS and partner network. </div><div><br></div><div>My VPS is a CentOS 6 server with a static public IP 69.39.93.93. For partner network, I have a peer IP address and NAT address for actual server. </div><div><br></div><div>I have configured my IPSec connection according as follow:</div><div><br></div><div>shell>yum install openswan lsof</div><div><br></div><div>shell>vi /etc/sysctl.conf</div><div>shell>set net.ipv4.ip_forward = 1</div><div><br></div><div>shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT</div><div>shell>iptables -A INPUT -p tcp --dport 4500 -j ACCEPT</div><div>shell>iptables -A INPUT -p udp --dport 4500 -j ACCEPT</div><div><br></div><div>shell>iptables -t nat -A POSTROUTING -s <a href="http://69.39.93.93/24" target="_blank">69.39.93.93/24</a> -j MASQUERADE</div><div><br></div><div>shell>route add -host 103.225.112.7 gw 69.39.93.93</div><div>shell>/sbin/service iptables save</div><div>shell>service iptables restart</div><div><br></div><div>shell>/etc/init.d/ipsec restart</div><div><br></div><div>shell>ip route</div><div>103.225.112.27 via 69.39.93.93 dev eth0 scope link</div><div><a href="http://69.39.92.0/23" target="_blank">69.39.92.0/23</a> dev eth0 proto kernel scope link src 69.39.93.93</div><div><a href="http://69.39.0.0/16" target="_blank">69.39.0.0/16</a> dev eth0 scope link metric 1002</div><div><a href="http://69.39.0.0/16" target="_blank">69.39.0.0/16</a> dev eth1 scope link metric 1003</div><div>default via 69.39.92.1 dev eth0</div><div><br></div><div>shell>service ipsec status</div><div>IPsec running - pluto pid: 8925</div><div>pluto pid 8925</div><div>No tunnels up</div><div><br></div><div><br></div><div>shell>ipsec auto --status</div><div>## output truncated ##</div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}</div><div>000</div><div>000 "prod_cibil_ipsec": <a href="http://69.39.93.93/32===69.39.93.93" target="_blank">69.39.93.93/32===69.39.93.93</a><69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===<a href="http://103.225.112.27/32" target="_blank">103.225.112.27/32</a>; prospective erouted; eroute owner: #0</div><div>000 "prod_cibil_ipsec": myip=unset; hisip=unset;</div><div>000 "prod_cibil_ipsec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes</div><div>000 "prod_cibil_ipsec": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;</div><div>000 "prod_cibil_ipsec": dpd: action:clear; delay:0; timeout:0;</div><div>000 "prod_cibil_ipsec": newest ISAKMP SA: #0; newest IPsec SA: #0;</div><div>000 "prod_cibil_ipsec": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)</div><div>000 "prod_cibil_ipsec": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)</div><div>000 "prod_cibil_ipsec": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)</div><div>000 "prod_cibil_ipsec": ESP algorithms loaded: AES(12)_128-SHA1(2)_160</div><div>000</div><div>000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate</div><div>000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0</div><div><br></div><div>When I checked ipsec log file, I see two things that I think are the issues:</div><div>1. inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #17 </div><div>2. Notify Message Type: INVALID_COOKIE. </div><div><br></div><div>Details logs and ipsec.conf are attached with the email.</div><div><br></div><div>I went through logs line by line but could not understand root cause of the issue.</div><div><br></div><div>Need help to identify and fix the issue. </div><div><br></div><div>Suraj</div></div></span></div>
</div></blockquote></div></div><blockquote type="cite"><div><dev-ipsec-log.txt></div></blockquote><blockquote type="cite"><div><ipsec.conf></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span><a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a></span><br><span><a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a></span><br><span>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></span><br><span>Building and Integrating Virtual Private Networks with Openswan:</span><br><span><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></span><br></div></blockquote></div></blockquote></div><br></div>