<div dir="ltr">Hi Michael, <div><br></div><div>1. leftsubnet is already uncommented in ipsec.conf. Do you mean to comment it? </div><div><br></div><div>2. Not sure how I should specify the packet type. Can you please give specific instructions? </div><div><br></div><div>3. My partner network has many servers. These servers are behind a gateway or router. Partner has given me an IP address 103.225.112.4 for the gateway (they call it the peer address) and also an IP address of the server 103.225.112.27 which I want to connect to. For this, I believe I need to use NAT. Please correct me if wrong. </div><div><br></div><div>Regards,</div><div>Suraj<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 17, 2015 at 10:17 AM, MichaelLeung <span dir="ltr">&lt;<a href="mailto:gbcbooksmj@gmail.com" target="_blank">gbcbooksmj@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi Suraj<br>
<br>
    you are using road-warrior mode, <br>
    so here are my suggestions and questions.<br>
    1. Uncomment your leftsubnet.<br>
    2. Specify your packet type which will be encrypted by ipsec,
    example: leftprotoport=ip or leftprotoport=17/1701, and don't forget
    your right side.<br>
    3. Why do you need that NAT function?<br>
<br>
Michael<div><div class="h5"><br>
<br>
On 04/17/2015 11:55 AM, Suraj Mundada wrote:<br>
</div></div><blockquote type="cite"><div><div class="h5">
<div dir="ltr"><span style="background-color:rgb(0,153,204)">
<div>
<div>Hi,</div>
<div><br>
</div>
            <div>I am trying to set up an IPSec tunnel between my VPS and
              partner network. </div>
<div><br>
</div>
<div>My VPS is a CentOS 6 server with a static public IP
69.39.93.93. For partner network, I have a peer IP address
and NAT address for actual server. </div>
<div><br>
</div>
            <div>I have configured my IPSec connection as
              follows:</div>
<div><br>
</div>
<div>shell>yum install openswan lsof</div>
<div><br>
</div>
<div>shell>vi /etc/sysctl.conf</div>
<div>shell>set net.ipv4.ip_forward = 1</div>
<div><br>
</div>
<div>shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT</div>
<div>shell>iptables -A INPUT -p tcp --dport 4500 -j
ACCEPT</div>
<div>shell>iptables -A INPUT -p udp --dport 4500 -j
ACCEPT</div>
<div><br>
</div>
            <div>shell>iptables -t nat -A POSTROUTING -s 69.39.93.93/24
              -j MASQUERADE</div>
<div><br>
</div>
<div>shell>route add -host 103.225.112.7 gw 69.39.93.93</div>
<div>shell>/sbin/service iptables save</div>
<div>shell>service iptables restart</div>
<div><br>
</div>
<div>shell>/etc/init.d/ipsec restart</div>
<div><br>
</div>
<div>shell>ip route</div>
<div>103.225.112.27 via 69.39.93.93 dev eth0 scope link</div>
            <div>69.39.92.0/23
              dev eth0  proto kernel  scope link  src 69.39.93.93</div>
            <div>69.39.0.0/16
              dev eth0  scope link  metric 1002</div>
            <div>69.39.0.0/16
              dev eth1  scope link  metric 1003</div>
<div>default via 69.39.92.1 dev eth0</div>
<div><br>
</div>
<div>shell>service ipsec status</div>
<div>IPsec running - pluto pid: 8925</div>
<div>pluto pid 8925</div>
<div>No tunnels up</div>
<div><br>
</div>
<div><br>
</div>
<div>shell>ipsec auto --status</div>
<div>## output truncated ##</div>
<div>000 stats db_ops: {curr_cnt, total_cnt, maxsz}
:context={0,1,64} trans={0,1,3072} attrs={0,1,2048}</div>
<div>000</div>
            <div>000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93&lt;69.39.93.93&gt;[+S=C]---104.245.38.1...103.225.112.4&lt;103.225.112.4&gt;[+S=C]===103.225.112.27/32;
              prospective erouted; eroute owner: #0</div>
<div>000 "prod_cibil_ipsec": myip=unset; hisip=unset;</div>
<div>000 "prod_cibil_ipsec": ike_life: 3600s; ipsec_life:
28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0; nat_keepalive: yes</div>
<div>000 "prod_cibil_ipsec": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
prio: 32,32; interface: eth0;</div>
<div>000 "prod_cibil_ipsec": dpd: action:clear; delay:0;
timeout:0;</div>
<div>000 "prod_cibil_ipsec": newest ISAKMP SA: #0; newest
IPsec SA: #0;</div>
<div>000 "prod_cibil_ipsec": IKE algorithms wanted:
AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)</div>
<div>000 "prod_cibil_ipsec": IKE algorithms found:
AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)</div>
<div>000 "prod_cibil_ipsec": ESP algorithms wanted:
AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)</div>
<div>000 "prod_cibil_ipsec": ESP algorithms loaded:
AES(12)_128-SHA1(2)_160</div>
<div>000</div>
<div>000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent
MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle;
import:admin initiate</div>
<div>000 #827: pending Phase 2 for "prod_cibil_ipsec"
replacing #0</div>
<div><br>
</div>
<div>When I checked ipsec log file, I see two things that I
think are the issues:</div>
<div>1. inserting event EVENT_CRYPTO_FAILED, timeout in 300
seconds for #17 </div>
<div>2. Notify Message Type: INVALID_COOKIE. </div>
<div><br>
</div>
            <div>Detailed logs and ipsec.conf are attached with the
              email.</div>
<div><br>
</div>
<div>I went through logs line by line but could not
understand root cause of the issue.</div>
<div><br>
</div>
<div>Need help to identify and fix the issue. </div>
<div><br>
</div>
<div>Suraj</div>
</div>
</span></div>
<br>
<fieldset></fieldset>
<br>
</div></div><span class=""><pre>_______________________________________________
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
</pre>
</span></blockquote>
<br>
</div>
</blockquote></div><br></div></div></div>
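<div>Added example, not part of the original thread and not Openswan code: a small Python parser for the <code>ipsec auto --status</code> lines quoted above that reports which IKE phase each connection has reached. It assumes that SA number #0 means no SA exists yet; the function name <code>summarize</code> and the phase labels are made up for this example.</div>

```python
import re

# Constructed sample: status lines as quoted in the thread, unwrapped to one line each.
SAMPLE_STATUS = """\
000 "prod_cibil_ipsec": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0
"""

NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": +newest ISAKMP SA: #(?P<ike>\d+); '
    r'newest IPsec SA: #(?P<esp>\d+);')
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ '
    r'(?P<state>STATE_\w+) \((?P<detail>[^)]*)\)')


def summarize(status_text):
    """Map each connection to its newest SA numbers, live states and phase."""
    conns = {}

    def entry(name):
        return conns.setdefault(name, {"ike_sa": 0, "ipsec_sa": 0, "states": []})

    for line in status_text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            e = entry(m["conn"])
            e["ike_sa"], e["ipsec_sa"] = int(m["ike"]), int(m["esp"])
            continue
        m = STATE_RE.match(line)
        if m:
            entry(m["conn"])["states"].append(
                (int(m["num"]), m["state"], m["detail"]))
    for e in conns.values():
        # Assumption: "#0" means no SA of that kind exists yet.
        if e["ike_sa"] == 0:
            e["phase"] = "phase1-incomplete"   # IKE (ISAKMP) SA never came up
        elif e["ipsec_sa"] == 0:
            e["phase"] = "phase2-incomplete"   # IKE is up, no IPsec SA
        else:
            e["phase"] = "up"
    return conns


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_STATUS).items():
        print(name, info["phase"], info["states"])
```

<div>On the thread's output this reports <code>phase1-incomplete</code> with state #827 still in STATE_MAIN_I2, matching the "No tunnels up" result from <code>service ipsec status</code>.</div>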