<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Suraj<br>
<br>
you are using load-warrior mode, <br>
so here is my suggestions and questions.<br>
1.uncomment your leftsubnet.<br>
2.specific your packet type which will be encrypted by ipsec,
example: leftprotoprot=ip or leftprotoport=17/1701 and don't forget
your rigth side<br>
3.why do you need that NAT function ?<br>
<br>
Michael<br>
<br>
On 04/17/2015 11:55 AM, Suraj Mundada wrote:<br>
<blockquote
cite="mid:CAPU82Kpfu_XMyhP3wPG8Ng4_xCrfjnFP-2Y2sa4oWoF=GAHeSA@mail.gmail.com"
type="cite">
<div dir="ltr"><span style="background-color:rgb(0,153,204)">
<div style="">
<div>Hi,</div>
<div><br>
</div>
<div>I am trying to set up a IPSec tunnel between my VPS and
partner network. </div>
<div><br>
</div>
<div>My VPS is a CentOS 6 server with a static public IP
69.39.93.93. For partner network, I have a peer IP address
and NAT address for actual server. </div>
<div><br>
</div>
<div>I have configured my IPSec connection according as
follow:</div>
<div><br>
</div>
<div>shell>yum install openswan lsof</div>
<div><br>
</div>
<div>shell>vi /etc/sysctl.conf</div>
<div>shell>set net.ipv4.ip_forward = 1</div>
<div><br>
</div>
<div>shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT</div>
<div>shell>iptables -A INPUT -p tcp --dport 4500 -j
ACCEPT</div>
<div>shell>iptables -A INPUT -p udp --dport 4500 -j
ACCEPT</div>
<div><br>
</div>
<div>shell>iptables -t nat -A POSTROUTING -s <a
moz-do-not-send="true" href="http://69.39.93.93/24">69.39.93.93/24</a>
-j MASQUERADE</div>
<div><br>
</div>
<div>shell>route add -host 103.225.112.7 gw 69.39.93.93</div>
<div>shell>/sbin/service iptables save</div>
<div>shell>service iptables restart</div>
<div><br>
</div>
<div>shell>/etc/init.d/ipsec restart</div>
<div><br>
</div>
<div>shell>ip route</div>
<div>103.225.112.27 via 69.39.93.93 dev eth0 scope link</div>
<div><a moz-do-not-send="true" href="http://69.39.92.0/23">69.39.92.0/23</a>
dev eth0 proto kernel scope link src 69.39.93.93</div>
<div><a moz-do-not-send="true" href="http://69.39.0.0/16">69.39.0.0/16</a>
dev eth0 scope link metric 1002</div>
<div><a moz-do-not-send="true" href="http://69.39.0.0/16">69.39.0.0/16</a>
dev eth1 scope link metric 1003</div>
<div>default via 69.39.92.1 dev eth0</div>
<div><br>
</div>
<div>shell>service ipsec status</div>
<div>IPsec running - pluto pid: 8925</div>
<div>pluto pid 8925</div>
<div>No tunnels up</div>
<div><br>
</div>
<div><br>
</div>
<div>shell>ipsec auto --status</div>
<div>## output truncated ##</div>
<div>000 stats db_ops: {curr_cnt, total_cnt, maxsz}
:context={0,1,64} trans={0,1,3072} attrs={0,1,2048}</div>
<div>000</div>
<div>000 "prod_cibil_ipsec": <a moz-do-not-send="true"
href="http://69.39.93.93/32===69.39.93.93">69.39.93.93/32===69.39.93.93</a><69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===<a
moz-do-not-send="true" href="http://103.225.112.27/32">103.225.112.27/32</a>;
prospective erouted; eroute owner: #0</div>
<div>000 "prod_cibil_ipsec": myip=unset; hisip=unset;</div>
<div>000 "prod_cibil_ipsec": ike_life: 3600s; ipsec_life:
28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0; nat_keepalive: yes</div>
<div>000 "prod_cibil_ipsec": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
prio: 32,32; interface: eth0;</div>
<div>000 "prod_cibil_ipsec": dpd: action:clear; delay:0;
timeout:0;</div>
<div>000 "prod_cibil_ipsec": newest ISAKMP SA: #0; newest
IPsec SA: #0;</div>
<div>000 "prod_cibil_ipsec": IKE algorithms wanted:
AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)</div>
<div>000 "prod_cibil_ipsec": IKE algorithms found:
AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)</div>
<div>000 "prod_cibil_ipsec": ESP algorithms wanted:
AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)</div>
<div>000 "prod_cibil_ipsec": ESP algorithms loaded:
AES(12)_128-SHA1(2)_160</div>
<div>000</div>
<div>000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent
MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle;
import:admin initiate</div>
<div>000 #827: pending Phase 2 for "prod_cibil_ipsec"
replacing #0</div>
<div><br>
</div>
<div>When I checked ipsec log file, I see two things that I
think are the issues:</div>
<div>1. inserting event EVENT_CRYPTO_FAILED, timeout in 300
seconds for #17 </div>
<div>2. Notify Message Type: INVALID_COOKIE. </div>
<div><br>
</div>
<div>Details logs and ipsec.conf are attached with the
email.</div>
<div><br>
</div>
<div>I went through logs line by line but could not
understand root cause of the issue.</div>
<div><br>
</div>
<div>Need help to identify and fix the issue. </div>
<div><br>
</div>
<div>Suraj</div>
</div>
</span></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</body>
</html>