<div dir="ltr">Hi All,<div><br></div><div>First, many thanks to Samir for the assistance so far - but I've hit another wall and need some more assistance. Upon instruction from the company I'm connecting to I set the leftid and rightid to what they configured but am now getting the following logs: <a href="http://pastebin.com/ddfLM29C">http://pastebin.com/ddfLM29C</a> </div><div><br></div><div>My config now looks as follows:</div><div><div>conn host-prd</div><div> ##### Local</div><div> left=externalIP</div><div> leftid=@LEFTID</div><div> leftsubnet=externalIP/32</div><div> leftnexthop=%defaultroute</div><div><br></div><div> ##### Remote</div><div> right=RIGHTIP/ID</div><div> rightid=RIGHTIP/ID</div><div> rightsubnets={172.25.48.43/32 172.25.48.36/32}</div><div> rightnexthop=%defaultroute</div><div><br></div><div> ##### Auth Options</div><div> authby=secret</div><div> rekey=no</div><div><br></div><div> ##### Phase 1</div><div> ike=3des-sha1-modp1024</div><div> ikelifetime="14400"</div><div><br></div><div> ##### Phase 2</div><div> esp=3des-sha1</div><div> keylife="3600"</div><div> pfs=no</div><div><br></div><div> ##### Connection Options</div><div> type=tunnel</div><div> auto=start</div><div> compress=no</div><div><br></div><div> disablearrivalcheck=no</div><div> dpddelay=10</div><div> dpdtimeout=30</div><div> dpdaction=restart</div></div><div><br></div><div>My secrets are as follows:</div><div><div><br></div><div># cat 
/etc/ipsec.d/ipsec.secrets</div><div>@LEFTID RIGHTIP/ID: PSK "PSKHERE"</div></div><div><br></div><div>I see this line in the logs:</div><div>| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1 <br></div><div><br></div><div>I assume this to mean the PSK failed? From what I can see that's not because it didn't match on my end, they are rejecting the PSK, correct? </div><div><br></div><div>The remote party provided the following logs:</div><div><div>Oct 27 2016 14:39:24.660.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Enter m_responder_recv_ID_AUTH</div><div>[HOST-diagnose]</div><div>Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID: find ike peer by ID failed !</div><div>[HOST-diagnose]</div><div>Oct 27 2016 14:39:24.670.2 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Leave m_responder_recv_ID_AUTH: recv_ID run err!</div><div>Oct 27 2016 14:39:54.680.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;check message duplicate: dropping dup</div></div><div><br></div><div>Looking at the second line it appears to be a configuration error on their end, correct?</div><div><br></div><div>Regards</div><div>Ian</div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 25, 2016 at 8:31 AM, Ian Barnes <span dir="ltr">&lt;<a href="mailto:ian.lidtech@gmail.com" target="_blank">ian.lidtech@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hey Samir,<div><br></div><div>Many many thanks for the quick response, helping me out hugely here!</div><div><br></div><div>I have contacted the provider to ask what the ID is that they are expecting, hopefully I get some joy :)</div><div><br></div><div>Will keep you posted on resolution thanks!</div><div><br></div><div>Regards</div><span class="gmail-HOEnZb"><font color="#888888"><div>Ian</div></font></span></div><div class="gmail-HOEnZb"><div 
class="gmail-h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 24, 2016 at 11:10 PM, Samir Hussain <span dir="ltr"><<a href="mailto:shussain@xelerance.com" target="_blank">shussain@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello Ian,<br>
Thank you for providing a paste bin link. It was very helpful.<br>
<br>
Your issue seems to be with your id. In your original ipsec.conf, I<br>
did not see a leftid or a rightid. If you have added them, please be<br>
sure to:<br>
<br>
1) Have the same leftid and rightid in your secrets file (normally<br>
/etc/ipsec.secrets)<br>
2) Have the same id as what the remote peer expects.<br>
<br>
Samir<br>
<div><div class="gmail-m_-7264980492196451640h5"><br>
On 2016-10-24 04:07 PM, Ian Barnes wrote:<br>
> Hi Samir,<br>
><br>
> Thanks so much for the response - very much appreciated. I've made the<br>
> changes you suggested and have had zero joy. Here are the<br>
> logs: <a href="http://pastebin.com/tycfF6JN" rel="noreferrer" target="_blank">http://pastebin.com/tycfF6JN</a>. The only thing I can see is this:<br>
><br>
> got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0<br>
> | ***parse ISAKMP Notification Payload:<br>
> | next payload type: ISAKMP_NEXT_NONE<br>
> | length: 12<br>
> | DOI: ISAKMP_DOI_IPSEC<br>
> | protocol ID: 1<br>
> | SPI size: 0<br>
> | Notify Message Type: INVALID_ID_INFORMATION<br>
> | removing 4 bytes of padding<br>
> "host-prd/0x2" #1: ignoring informational payload, type<br>
> INVALID_ID_INFORMATION msgid=00000000<br>
> | info:<br>
> | processing informational INVALID_ID_INFORMATION (18)<br>
> "host-prd/0x2" #1: received and ignored informational message<br>
> | complete state transition with STF_IGNORE<br>
> | * processed 0 messages from cryptographic helpers<br>
> | next event EVENT_RETRANSMIT in 10 seconds for #3<br>
> | next event EVENT_RETRANSMIT in 10 seconds for #3<br>
><br>
> But I can't find much about that error.<br>
><br>
> Any ideas?<br>
><br>
> Cheers<br>
> Ian<br>
><br>
><br>
> On Mon, Oct 24, 2016 at 9:53 PM, Samir Hussain &lt;<a href="mailto:shussain@xelerance.com" target="_blank">shussain@xelerance.com</a>&gt; wrote:<br>
</div></div><div><div class="gmail-m_-7264980492196451640h5">
><br>
> One quick question: You have explicitly set pfs to no. Does the other<br>
> side not expect PFS? what happens if you enable PFS?<br>
><br>
> Samir<br>
><br>
> On 2016-10-24 12:17 PM, Samir Hussain wrote:<br>
> > Hello,<br>
> > A couple of comments:<br>
> > * ikelifetime and phasetime do not need to be quoted<br>
> > * is your leftsourceip the same as the IP assigned to left? If it is,<br>
> > then you can remove leftsourceip<br>
> > * keyexchange and aut=esp should be removed<br>
> ><br>
> > If you are still experiencing problems, what do the logs show? You can<br>
> > enable it by adding the following in "config setup" section:<br>
> ><br>
> > plutodebug="control parsing"<br>
> > plutostderrlog=/var/log/ipsec.log<br>
> ><br>
> > Samir<br>
> ><br>
> > On 2016-10-23 03:33 PM, Ian Barnes wrote:<br>
> >> Hi,<br>
> >><br>
> >> I am having trouble setting up a connection to a provider (and am<br>
> also<br>
> >> running into delays getting logs from them) so I was wondering if<br>
> anyone<br>
> >> can spot a glaring error or point me in the possible right<br>
> direction as<br>
> >> to why my tunnel isn't coming up.<br>
> >><br>
> >> First off - the connection details (as provided by the remote party):<br>
> >> *Remote:*<br>
> >> Remote Device: Huawei VRP<br>
> >> Auth Method: Pre-Shared Key<br>
> >> Encryption: IKE<br>
> >> IKE PFS: 3DES<br>
> >> IKE Encryption Algorithm: SHA1<br>
> >> IKE Hashing Algorithm: Group 2 (1024)<br>
> >> IKE SA Lifetime: 14400<br>
> >> Transform (IPSec Protocol): IKE<br>
> >> IPSEC Perfect Forward Secrecy: ESP<br>
> >> IPSEC Encryption Algorithm: 3DES<br>
> >> IPSEC Hashing Algorithm: SHA1<br>
> >> IPSEC SA Lifetime: 3600<br>
> >> Hosts: 172.25.48.43, 172.25.48.36<br>
> >><br>
> >> Here is my config:<br>
> >> *[root@server ~]# cat /etc/ipsec.conf*<br>
> >> # /etc/ipsec.conf - Openswan IPsec configuration file<br>
> >> version 2.0 # conforms to second version of ipsec.conf specification<br>
> >><br>
> >> # basic configuration<br>
> >> config setup<br>
> >> nat_traversal=yes<br>
> >> virtual_private=%v:10.0.0.0/16<br>
> >> protostack=netkey<br>
> >> interfaces=%defaultroute<br>
> >> klipsdebug=none<br>
> >> plutodebug=none<br>
> >> plutowait=no<br>
> >> uniqueids=yes<br>
> >> include /etc/ipsec.d/*.conf<br>
> >><br>
> >> *[root@server ~]# cat /etc/ipsec.d/host-prd.conf*<br>
> >><br>
> >> #######################################################################<br>
> >> # VPN to HOST<br>
> >> #<br>
> >> #remoteEndPoint/32 (Production) externalIP/32<br>
> >> #<br>
> >> conn host-prd<br>
> >> ##### Local<br>
> >> left=externalIP<br>
> >> leftsourceip=externalIP<br>
> >> leftsubnet=externalIP/32<br>
> >> leftnexthop=%defaultroute<br>
> >><br>
> >> ##### Remote<br>
> >> right=remoteEndPoint<br>
> >> rightsubnets={172.25.48.43/32 172.25.48.36/32}<br>
</div></div>
<div><div class="gmail-m_-7264980492196451640h5">> >> rightnexthop=%defaultroute<br>
> >><br>
> >> ##### Auth Options<br>
> >> authby=secret<br>
> >> rekey=no<br>
> >><br>
> >> ##### Phase 1<br>
> >> keyexchange=ike<br>
> >> ike=3des-sha1-modp1024<br>
> >> ikelifetime="14400"<br>
> >><br>
> >> ##### Phase 2<br>
> >> auth=esp<br>
> >> esp=3des-sha1<br>
> >> keylife="3600"<br>
> >> pfs=no<br>
> >><br>
> >> ##### Connection Options<br>
> >> type=tunnel<br>
> >> auto=start<br>
> >> compress=no<br>
> >><br>
> >> disablearrivalcheck=no<br>
> >> dpddelay=10<br>
> >> dpdtimeout=30<br>
> >> dpdaction=restart<br>
> >><br>
> >><br>
> >> Here are the logs of when I try connect:<br>
> >> [root@server ~]# ipsec status<br>
> >> 000 using kernel interface: netkey<br>
> >> 000 interface lo/lo ::1<br>
> >> 000 interface lo/lo 127.0.0.1<br>
> >> 000 interface lo/lo 127.0.0.1<br>
> >> 000 interface eth0/eth0 externalIP<br>
> >> 000 interface eth0/eth0 externalIP<br>
> >> 000 interface eth1/eth1 10.0.64.10<br>
> >> 000 interface eth1/eth1 10.0.64.10<br>
> >> 000 %myid = (none)<br>
> >> 000 debug none<br>
> >> 000<br>
> >> 000 virtual_private (%priv):<br>
> >> 000 - allowed 0 subnets:<br>
> >> 000 - disallowed 0 subnets:<br>
> >> 000 WARNING: Either virtual_private= is not specified, or there is a syntax<br>
> >> 000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!<br>
> >> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have<br>
> >> 000 private address space in internal use, it should be excluded!<br>
> >> 000<br>
> >> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<br>
> >> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128<br>
> >> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<br>
> >> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<br>
> >> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<br>
> >> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>
> >> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>
> >> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>
> >> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384<br>
> >> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512<br>
> >> 000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160, keysizemax=160<br>
> >> 000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128, keysizemax=128<br>
> >> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0<br>
> >> 000<br>
> >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>
> >> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<br>
> >> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
> >> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
> >> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>
> >> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48<br>
> >> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
> >> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
> >> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>
> >> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>
> >> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
> >> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>
> >> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>
> >> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
> >> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024<br>
> >> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048<br>
> >> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048<br>
> >> 000<br>
> >> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8064,64} trans={0,8064,3072} attrs={0,8064,2048}<br>
> >> 000<br>
> >> 000 "host-prd/0x1": externalIP/32===externalIP&lt;externalIP&gt;[+S=C]---defGateway...defGateway---remoteEndPoint&lt;remoteEndPoint&gt;[+S=C]===172.25.48.43/32; unrouted; eroute owner: #0<br>
> >> 000 "host-prd/0x1": myip=externalIP; hisip=unset;<br>
> >> 000 "host-prd/0x1": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes<br>
> >> 000 "host-prd/0x1": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;<br>
> >> 000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>
> >> 000 "host-prd/0x1": aliases: host-prd<br>
> >> 000 "host-prd/0x1": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)<br>
> >> 000 "host-prd/0x1": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<br>
> >> 000 "host-prd/0x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000<br>
> >> 000 "host-prd/0x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>
> >> 000 "host-prd/0x2": externalIP/32===externalIP&lt;externalIP&gt;[+S=C]---defGateway...defGateway---remoteEndPoint&lt;remoteEndPoint&gt;[+S=C]===172.25.48.36/32; unrouted; eroute owner: #0<br>
> >> 000 "host-prd/0x2": myip=externalIP; hisip=unset;<br>
> >> 000 "host-prd/0x2": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes<br>
> >> 000 "host-prd/0x2": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;<br>
> >> 000 "host-prd/0x2": newest ISAKMP SA: #7757; newest IPsec SA: #0;<br>
> >> 000 "host-prd/0x2": aliases: host-prd<br>
> >> 000 "host-prd/0x2": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)<br>
> >> 000 "host-prd/0x2": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<br>
> >> 000 "host-prd/0x2": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024<br>
> >> 000 "host-prd/0x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000<br>
> >> 000 "host-prd/0x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>
> >> 000<br>
> >> 000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate<br>
> >> 000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate<br>
> >> 000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP; nodpd; idle; import:admin initiate<br>
> >> 000<br>
> >><br>
> >> *Here is an ipsec verify:*<br>
> >> [root@server ~]# ipsec verify<br>
> >> Checking your system to see if IPsec got installed and started correctly:<br>
> >> Version check and ipsec on-path [OK]<br>
> >> Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)<br>
> >> Checking for IPsec support in kernel [OK]<br>
> >> SAref kernel support [N/A]<br>
> >> NETKEY: Testing for disabled ICMP send_redirects [OK]<br>
> >> NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>
> >> Checking that pluto is running [OK]<br>
> >> Pluto listening for IKE on udp 500 [OK]<br>
> >> Pluto listening for NAT-T on udp 4500 [OK]<br>
> >> Two or more interfaces found, checking IP forwarding [OK]<br>
> >> Checking NAT and MASQUERADEing [OK]<br>
> >> Checking for 'ip' command [OK]<br>
> >> Checking /bin/sh is not /bin/dash [OK]<br>
> >> Checking for 'iptables' command [OK]<br>
> >> Opportunistic Encryption Support [DISABLED]<br>
> >><br>
> >> Any ideas would be very welcome! Apologies if I'm missing something<br>
> >> silly - I think I can't see the wood for the trees at the moment!<br>
> >><br>
> >> Regards<br>
> >> Ian<br>
> >><br>
> >><br>
> >><br>
> >> _______________________________________________<br>
</div></div>> >> <a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
> >> <a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
<span>> >> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
> >> Building and Integrating Virtual Private Networks with Openswan:<br>
> >> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</span>
> >><br>
><br>
><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div>
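<div>Added example (not code from this thread or from the Openswan project): a small Python checker that applies the two rules Samir gives above to a conn. The identities the conn uses (leftid/rightid, falling back to left/right as Openswan does) must index a PSK line in ipsec.secrets, and the keywords he flagged (keyexchange, auth, quoted ikelifetime/keylife) are reported. It also picks out the log lines that in this thread signalled an ID the peer would not accept (INVALID_ID_INFORMATION on the Openswan side, "find ike peer by ID failed" on the Huawei side). The sample conn, secrets lines and log lines are constructed, the treatment of a bare ": PSK" line and of %any as wildcards is an assumption, and whether an ID is the one the remote peer expects can only be confirmed with the peer, which no local check can do.</div>

```python
"""Consistency check for an Openswan IKEv1 PSK conn against ipsec.secrets.

Added example, not from the thread or from Openswan. It models the rule
Samir states in the thread: the conn's leftid/rightid must also be the IDs
indexed in ipsec.secrets and must be what the peer expects. %any (or a
selector-less ': PSK' line) is treated as a wildcard; this is an assumption.
All sample inputs below are constructed.
"""
import re

# Constructed conn in the shape of the thread's host-prd conn
# (documentation addresses, not real endpoints).
SAMPLE_CONN = """\
conn host-prd
    ##### Local
    left=203.0.113.10
    leftid=@LEFTID
    ##### Remote
    right=198.51.100.20
    rightid=198.51.100.20
    authby=secret
    keyexchange=ike
    ikelifetime="14400"
    auth=esp
    esp=3des-sha1
    keylife="3600"
    pfs=no
"""

# Constructed secrets: BAD indexes the PSK by a right ID the conn never
# uses; GOOD names both IDs the conn sends.
SAMPLE_SECRETS_BAD = '@LEFTID 198.51.100.99: PSK "example-psk"\n'
SAMPLE_SECRETS_GOOD = '@LEFTID 198.51.100.20: PSK "example-psk"\n'

# Constructed log lines modelled on the two logs quoted in the thread.
SAMPLE_LOG = [
    '| Notify Message Type: INVALID_ID_INFORMATION',
    '"host-prd/0x2" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000',
    'Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID: find ike peer by ID failed !',
    '| next event EVENT_RETRANSMIT in 10 seconds for #3',
]

OBSOLETE_KEYS = {"keyexchange", "auth"}      # Samir: remove these
LIFETIME_KEYS = {"ikelifetime", "keylife"}   # Samir: quoting not needed
ID_MARKERS = ("INVALID_ID_INFORMATION", "find ike peer by ID failed")


def parse_conn(text):
    """Return {conn_name: {key: value}}; values keep any surrounding quotes."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank or comment line
        if not raw[0].isspace() and line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns


def parse_secrets(text):
    """Return [(selector_ids, psk)] from lines like '@a 1.2.3.4: PSK "x"'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'^(.*?):\s*PSK\s+"([^"]*)"\s*$', line)
        if m:
            ids = m.group(1).split()
            entries.append((ids or ["%any"], m.group(2)))  # no selector: any peer
    return entries


def effective_ids(conn):
    """Openswan falls back to the endpoint address when leftid/rightid is unset."""
    return conn.get("leftid", conn.get("left")), conn.get("rightid", conn.get("right"))


def secret_matches(selectors, left_id, right_id):
    """A PSK line applies when it names both peer IDs, or uses %any."""
    sel = set(selectors)
    return "%any" in sel or {left_id, right_id} <= sel


def check_conn(conn_text, secrets_text, name):
    """Return findings for one conn (empty list: nothing flagged locally)."""
    conn = parse_conn(conn_text)[name]
    findings = []
    if conn.get("authby") == "secret":
        lid, rid = effective_ids(conn)
        if not any(secret_matches(s, lid, rid) for s, _ in parse_secrets(secrets_text)):
            findings.append(f"no PSK line in ipsec.secrets is indexed by both {lid} and {rid}")
    for key in sorted(set(conn) & OBSOLETE_KEYS):
        findings.append(f"{key}= should be removed")
    for key in sorted(set(conn) & LIFETIME_KEYS):
        if conn[key].startswith('"'):
            findings.append(f"{key}={conn[key]} does not need quoting")
    return findings


def id_mismatch_lines(log_lines):
    """Log lines that, as in this thread, point at an ID the peer did not accept."""
    return [l for l in log_lines if any(m in l for m in ID_MARKERS)]


if __name__ == "__main__":
    for label, secrets in (("bad", SAMPLE_SECRETS_BAD), ("good", SAMPLE_SECRETS_GOOD)):
        print(label, check_conn(SAMPLE_CONN, secrets, "host-prd"))
    print(id_mismatch_lines(SAMPLE_LOG))
```

<div>Run against the "bad" secrets the first finding is the missing PSK index, which is the local half of the mismatch in this thread; the "good" secrets clear that finding and leave only the keyword and quoting notes. The script deliberately does not judge what the remote peer expects: the Huawei "find ike peer by ID failed" line has to be resolved with the provider.</div>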