<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:o = "urn:schemas-microsoft-com:office:office"><HEAD>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<STYLE>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: ËÎÌå; COLOR: #000000; FONT-SIZE: 10.5pt
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.23588"></HEAD>
<BODY style="MARGIN: 10px">
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri></FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Hi,</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>I'm using Openswan 2.6.46 on a device with an
embedded Linux kernel 3.10.20. </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>The device has a 4G interface, usb1, connecting to the
internet.</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>The network config:</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>10.67.8.0/24===10.29.19.62<%usb1>[@feitian]...THEIR_PUBLIC_IP<vpn.railfi.com>[@server]===192.168.17.0/24</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri> ~ # cat ipsec.conf </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>version 2.0<SPAN style="mso-spacerun: yes">
</SPAN># conforms to second version of ipsec.conf
specification</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri># basic configuration</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>config setup</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>dumpdir=/var/run/pluto/</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>oe=off</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>nat_traversal=yes</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>protostack=klips</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>interfaces="ipsec1=usb1"</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>conn ipsec</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>auto=add<SPAN
style="mso-spacerun: yes">
</SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>ikelifetime=24h</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>salifetime=24h<SPAN style="mso-spacerun: yes">
</SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>authby=secret</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>pfs=no</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>rekey=yes</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>keyingtries=3</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>type=tunnel</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>left=%usb1</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>leftid=@feitian</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>leftsubnets={10.67.8.0/24}</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>leftsourceip=10.67.8.1</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>right=vpn.railfi.com</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>rightid=@server</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>rightsubnet=192.168.17.0/24</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>dpddelay=10</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>dpdtimeout=60</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri><SPAN
style="mso-spacerun: yes">
</SPAN>dpdaction=hold</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>The tunnel is created successfully.</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>~ # tail /var/log/secure -n50</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) ipsec__plutorun: Starting Pluto
subsystem...</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: Starting Pluto (Openswan
Version 2.6.46; Vendor ID OSWqwPd@^IAE) pid:15819</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: LEAK_DETECTIVE support
[enabled]</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: OCF support for IKE
[disabled]</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: SAref support [disabled]:
Protocol not available</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: SAbind support [disabled]:
Protocol not available</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: NSS support
[disabled]</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: HAVE_STATSD notification
support not compiled in</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: Setting NAT-Traversal
port-4500 floating to on</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]:<SPAN
style="mso-spacerun: yes"> </SPAN>port floating activation
criteria nat_t=1/port_float=1</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]:<SPAN
style="mso-spacerun: yes"> </SPAN>NAT-Traversal support<SPAN
style="mso-spacerun: yes"> </SPAN>[enabled]</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: using /dev/urandom as source
of random entropy</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: starting up 1 cryptographic
helpers</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: started helper pid=15825
(fd:6)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: Using KLIPS IPsec interface
code on 3.10.20-rt14-Cavium-Octeon+</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15825]: using /dev/urandom as source
of random entropy</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: adding connection:
"ipsec/1x0"</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: listening for IKE
messages</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: adding interface ipsec1/usb1
10.29.19.62:500</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: adding interface ipsec1/usb1
10.29.19.62:4500</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:32 (none) pluto[15819]: loading secrets from
"/etc/ipsec.secrets"</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: initiating all conns with
alias='ipsec' </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: initiating
Main Mode</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: received
Vendor ID payload [Dead Peer Detection]</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: received
Vendor ID payload [RFC 3947] method set to=115 </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: enabling
possible NAT-traversal with method RFC 3947 (NAT-Traversal)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: STATE_MAIN_I2:
sent MI2, expecting MR2</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are
NATed</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: STATE_MAIN_I3:
sent MI3, expecting MR3</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: Main mode peer
ID is ID_FQDN: '@server'</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: transition
from state STATE_MAIN_I3 to state STATE_MAIN_I4</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha
group=modp1024}</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: Dead Peer
Detection (RFC 3706): enabled</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
msgid:19bbd8b7 proposal=defaults pfsgroup=no-pfs}</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME
msgid=19bbd8b7</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: up-client
output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change
192.168.17.0/24 dev ipsec1 src 10.67.8.1' failed (RTNETLINK answers: No such
file or directory)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: Dead Peer
Detection (RFC 3706): enabled</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x32269a98
<0x26f68275 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=THEIR_PUBLIC_IP:4500
DPD=enabled}</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>~ # ipsec auto status</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>ipsec auto: warning: obsolete command syntax used</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 using kernel interface: klips</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 interface ipsec1/usb1 10.29.19.62</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 interface ipsec1/usb1 10.29.19.62</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 %myid = (none)</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 debug none</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 virtual_private (%priv):</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 - allowed 0 subnets: </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 - disallowed 0 subnets: </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 WARNING: Either virtual_private= is not specified, or there is
a syntax </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN
style="mso-spacerun: yes">
</SPAN>error in that line. 'left/rightsubnet=vhost:%priv' will not
work!</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 WARNING: Disallowed subnets in virtual_private= is empty. If
you have </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN
style="mso-spacerun: yes">
</SPAN>private address space in internal use, it should be
excluded!</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64,
keysizemin=96, keysizemax=448</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE hash: id=1, name=OAKLEY_MD5,
hashsize=16</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1,
hashsize=20</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256,
hashsize=32</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512,
hashsize=64</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
bits=1024</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
bits=1536</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
bits=2048</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
bits=3072</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
bits=4096</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
bits=6144</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
bits=8192</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22,
bits=1024</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23,
bits=2048</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24,
bits=2048</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0} </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":
10.67.8.0/24===10.29.19.62<%usb1>[@feitian]...THEIR_PUBLIC_IP
<vpn.railfi.com>[@server]===192.168.17.0/24; unrouted; eroute owner:
#2</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN
style="mso-spacerun: yes"> </SPAN>myip=10.67.8.1;
hisip=unset;</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN style="mso-spacerun: yes">
</SPAN>ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz:
100%; keyingtries: 3 </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN style="mso-spacerun: yes">
</SPAN>policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio:
24,24; interface: usb1; kind=CK_PERMANENT</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN style="mso-spacerun: yes">
</SPAN>dpd: action:hold; delay:10; timeout:60;<SPAN
style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN style="mso-spacerun: yes">
</SPAN>newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner:
#2;</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN style="mso-spacerun: yes">
</SPAN>aliases: ipsec </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 "ipsec/1x0":<SPAN style="mso-spacerun: yes">
</SPAN>IKE algorithm newest: AES_CBC_128-SHA1-MODP1024</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 #2: "ipsec/1x0":4500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 81957s; newest IPSEC; eroute owner; isakmp#1;
idle; import:admin initiate</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 #2: "ipsec/1x0" esp.32269a98@THEIR_PUBLIC_IP
esp.26f68275@10.29.19.62 tun.1001@THEIR_PUBLIC_IP tun.1002@10.29.19.62 ref=3
refhim=1</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000 #1: "ipsec/1x0":4500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA
established); EVENT_SA_REPLACE in 81793s; newest ISAKMP; lastdpd=4s(seq in:2632
out:0); idle; import:admin initiate</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>000<SPAN style="mso-spacerun: yes"> </SPAN></FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>But pinging the private address of the VPN server failed. </FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>/etc # ping 192.168.17.4</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>PING 192.168.17.4 (192.168.17.4) 56(84) bytes of
data.</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>^C</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>--- 192.168.17.4 ping statistics ---</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>8 packets transmitted, 0 received, 100% packet loss, time
7011ms</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>~ # tcpdump -i ipsec1 -n icmp</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>listening on ipsec1, link-type EN10MB (Ethernet), capture size
65535 bytes</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:12.780793 IP 10.67.8.1 > 192.168.17.4: ICMP echo request,
id 14248, seq 1, length 64</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:13.781654 IP 10.67.8.1 > 192.168.17.4: ICMP echo request,
id 14248, seq 2, length 64</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:14.787813 IP 10.67.8.1 > 192.168.17.4: ICMP echo request,
id 14248, seq 3, length 64</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>As the output below shows, ICMP echo replies seem to come back, but they couldn't be
decrypted successfully.</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>~ # tcpdump -i usb1 -n port 4500</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>listening on usb1, link-type EN10MB (Ethernet), capture size 65535
bytes</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:35.430282 IP 10.29.19.62.4500 > THEIR_PUBLIC_IP.4500:
UDP-encap: ESP(spi=0x32269a98,seq=0x118), length 132</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:35.509216 IP THEIR_PUBLIC_IP.4500 > 10.29.19.62.4500:
UDP-encap: ESP(spi=0x26f68275,seq=0x21c), length 132</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:36.437868 IP 10.29.19.62.4500 > THEIR_PUBLIC_IP.4500:
UDP-encap: ESP(spi=0x32269a98,seq=0x119), length 132</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:36.518809 IP THEIR_PUBLIC_IP.4500 > 10.29.19.62.4500:
UDP-encap: ESP(spi=0x26f68275,seq=0x21d), length 132</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:38.437798 IP 10.29.19.62.4500 > THEIR_PUBLIC_IP.4500:
UDP-encap: ESP(spi=0x32269a98,seq=0x11b), length 132</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>16:36:38.479313 IP THEIR_PUBLIC_IP.4500 > 10.29.19.62.4500:
UDP-encap: ESP(spi=0x26f68275,seq=0x21f), length 132</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri></FONT></SPAN> </P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Could anyone give me some ideas?</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><FONT
face=Calibri>Best regards</FONT></SPAN></P>
<P style="MARGIN: 0cm 0cm 0pt" class=MsoNormal><SPAN lang=EN-US><o:p><FONT
face=Calibri> </FONT></o:p></SPAN></P><!--EndFragment--></BODY></HTML>