<div dir="ltr">Hey Samir,<div><br></div><div>Thanks for the help - I've gone back to them asking for more logs on their end to try to figure out what is happening.</div><div><br></div><div>Regards</div><div>Ian</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 1, 2016 at 10:25 PM Samir Hussain <<a href="mailto:shussain@xelerance.com">shussain@xelerance.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Ian,<br class="gmail_msg">
It certainly looks like there is a misconfiguration on the remote<br class="gmail_msg">
side.<br class="gmail_msg">
<br class="gmail_msg">
In addition to confirming the parameters at the remote end, I would<br class="gmail_msg">
check if they are allowing IKEv1 connections.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
Samir<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
On 2016-10-30 02:43 PM, Ian Barnes wrote:<br class="gmail_msg">
> Hi All,<br class="gmail_msg">
><br class="gmail_msg">
> First, many thanks to Samir for the assistance so far - but I've hit<br class="gmail_msg">
> another wall and need some more assistance. Upon instruction from the<br class="gmail_msg">
> company I'm connecting to I set the leftid and rightid to what they<br class="gmail_msg">
> configured but am now getting the following<br class="gmail_msg">
> logs: <a href="http://pastebin.com/ddfLM29C" rel="noreferrer" class="gmail_msg" target="_blank">http://pastebin.com/ddfLM29C</a><br class="gmail_msg">
><br class="gmail_msg">
> My config now looks as follows:<br class="gmail_msg">
> conn host-prd<br class="gmail_msg">
> ##### Local<br class="gmail_msg">
> left=externalIP<br class="gmail_msg">
> leftid=@LEFTID<br class="gmail_msg">
> leftsubnet=externalIP/32<br class="gmail_msg">
> leftnexthop=%defaultroute<br class="gmail_msg">
><br class="gmail_msg">
> ##### Remote<br class="gmail_msg">
> right=RIGHTIP/ID<br class="gmail_msg">
> rightid=RIGHTIP/ID<br class="gmail_msg">
> rightsubnets={<a href="http://172.25.48.43/32" rel="noreferrer" class="gmail_msg" target="_blank">172.25.48.43/32</a> <a href="http://172.25.48.36/32" rel="noreferrer" class="gmail_msg" target="_blank">172.25.48.36/32</a>}<br class="gmail_msg">
> rightnexthop=%defaultroute<br class="gmail_msg">
><br class="gmail_msg">
> ##### Auth Options<br class="gmail_msg">
> authby=secret<br class="gmail_msg">
> rekey=no<br class="gmail_msg">
><br class="gmail_msg">
> ##### Phase 1<br class="gmail_msg">
> ike=3des-sha1-modp1024<br class="gmail_msg">
> ikelifetime="14400"<br class="gmail_msg">
><br class="gmail_msg">
> ##### Phase 2<br class="gmail_msg">
> esp=3des-sha1<br class="gmail_msg">
> keylife="3600"<br class="gmail_msg">
> pfs=no<br class="gmail_msg">
><br class="gmail_msg">
> ##### Connection Options<br class="gmail_msg">
> type=tunnel<br class="gmail_msg">
> auto=start<br class="gmail_msg">
> compress=no<br class="gmail_msg">
><br class="gmail_msg">
> disablearrivalcheck=no<br class="gmail_msg">
> dpddelay=10<br class="gmail_msg">
> dpdtimeout=30<br class="gmail_msg">
> dpdaction=restart<br class="gmail_msg">
><br class="gmail_msg">
> My secrets are as follows:<br class="gmail_msg">
><br class="gmail_msg">
> # cat /etc/ipsec.d/ipsec.secrets<br class="gmail_msg">
> @LEFTIDRIGHTIP/ID: PSK "PSKHERE"<br class="gmail_msg">
><br class="gmail_msg">
> I see this line in the logs:<br class="gmail_msg">
> | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1<br class="gmail_msg">
><br class="gmail_msg">
> I assume this to mean the PSK failed? From what I can see that's not<br class="gmail_msg">
> because it didn't match on my end, they are rejecting the PSK correct?<br class="gmail_msg">
><br class="gmail_msg">
> The remote party provided the following logs:<br class="gmail_msg">
> Oct 27 2016 14:39:24.660.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Enter<br class="gmail_msg">
> m_responder_recv_ID_AUTH<br class="gmail_msg">
> [HOST-diagnose]<br class="gmail_msg">
> Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID:<br class="gmail_msg">
> find ike peer by ID failed !<br class="gmail_msg">
> [HOST-diagnose]<br class="gmail_msg">
> Oct 27 2016 14:39:24.670.2 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Leave<br class="gmail_msg">
> m_responder_recv_ID_AUTH: recv_ID run err!<br class="gmail_msg">
> Oct 27 2016 14:39:54.680.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;check<br class="gmail_msg">
> message duplicate: dropping dup<br class="gmail_msg">
><br class="gmail_msg">
> Looking at the second line it appears to be a configuration error on<br class="gmail_msg">
> their end correct?<br class="gmail_msg">
><br class="gmail_msg">
> Regards<br class="gmail_msg">
> Ian<br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
> On Tue, Oct 25, 2016 at 8:31 AM, Ian Barnes <<a href="mailto:ian.lidtech@gmail.com" class="gmail_msg" target="_blank">ian.lidtech@gmail.com</a>> wrote:<br class="gmail_msg">
><br class="gmail_msg">
> Hey Samir,<br class="gmail_msg">
><br class="gmail_msg">
> Many many thanks for the quick response, helping me out hugely here!<br class="gmail_msg">
><br class="gmail_msg">
> I have contacted the provider to ask what the ID is that they are<br class="gmail_msg">
> expecting, hopefully I get some joy :)<br class="gmail_msg">
><br class="gmail_msg">
> Will keep you posted on resolution thanks!<br class="gmail_msg">
><br class="gmail_msg">
> Regards<br class="gmail_msg">
> Ian<br class="gmail_msg">
><br class="gmail_msg">
> On Mon, Oct 24, 2016 at 11:10 PM, Samir Hussain <<a href="mailto:shussain@xelerance.com" class="gmail_msg" target="_blank">shussain@xelerance.com</a>> wrote:<br class="gmail_msg">
><br class="gmail_msg">
> Hello Ian,<br class="gmail_msg">
> Thank you for providing a paste bin link. It was very helpful.<br class="gmail_msg">
><br class="gmail_msg">
> Your issue seems to be with your id. In your original ipsec.conf, I<br class="gmail_msg">
> did not see a leftid or a rightid. If you have added them, please be<br class="gmail_msg">
> sure to:<br class="gmail_msg">
><br class="gmail_msg">
> 1) Have the same leftid and rightid in your secrets file (normally<br class="gmail_msg">
> /etc/ipsec.secrets)<br class="gmail_msg">
> 2) Have the same id as what the remote peer expects.<br class="gmail_msg">
><br class="gmail_msg">
> Samir<br class="gmail_msg">
><br class="gmail_msg">
> On 2016-10-24 04:07 PM, Ian Barnes wrote:<br class="gmail_msg">
> > Hi Samir,<br class="gmail_msg">
> ><br class="gmail_msg">
> > Thanks so much for the response - very much appreciated. I've made the<br class="gmail_msg">
> > changes you suggested and have had zero joy. Here are the<br class="gmail_msg">
> > logs: <a href="http://pastebin.com/tycfF6JN" rel="noreferrer" class="gmail_msg" target="_blank">http://pastebin.com/tycfF6JN</a>. The only thing I can see<br class="gmail_msg">
> > is this:<br class="gmail_msg">
> ><br class="gmail_msg">
> > got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0<br class="gmail_msg">
> > | ***parse ISAKMP Notification Payload:<br class="gmail_msg">
> > | next payload type: ISAKMP_NEXT_NONE<br class="gmail_msg">
> > | length: 12<br class="gmail_msg">
> > | DOI: ISAKMP_DOI_IPSEC<br class="gmail_msg">
> > | protocol ID: 1<br class="gmail_msg">
> > | SPI size: 0<br class="gmail_msg">
> > | Notify Message Type: INVALID_ID_INFORMATION<br class="gmail_msg">
> > | removing 4 bytes of padding<br class="gmail_msg">
> > "host-prd/0x2" #1: ignoring informational payload, type<br class="gmail_msg">
> > INVALID_ID_INFORMATION msgid=00000000<br class="gmail_msg">
> > | info:<br class="gmail_msg">
> > | processing informational INVALID_ID_INFORMATION (18)<br class="gmail_msg">
> > "host-prd/0x2" #1: received and ignored informational message<br class="gmail_msg">
> > | complete state transition with STF_IGNORE<br class="gmail_msg">
> > | * processed 0 messages from cryptographic helpers<br class="gmail_msg">
> > | next event EVENT_RETRANSMIT in 10 seconds for #3<br class="gmail_msg">
> > | next event EVENT_RETRANSMIT in 10 seconds for #3<br class="gmail_msg">
> ><br class="gmail_msg">
> > But I can't find much about that error.<br class="gmail_msg">
> ><br class="gmail_msg">
> > Any ideas?<br class="gmail_msg">
> ><br class="gmail_msg">
> > Cheers<br class="gmail_msg">
> > Ian<br class="gmail_msg">
> ><br class="gmail_msg">
> ><br class="gmail_msg">
> > On Mon, Oct 24, 2016 at 9:53 PM, Samir Hussain <<a href="mailto:shussain@xelerance.com" class="gmail_msg" target="_blank">shussain@xelerance.com</a>> wrote:<br class="gmail_msg">
> ><br class="gmail_msg">
> > One quick question: You have explicitly set pfs to no. Does the other<br class="gmail_msg">
> > side not expect PFS? What happens if you enable PFS?<br class="gmail_msg">
> ><br class="gmail_msg">
> > Samir<br class="gmail_msg">
> ><br class="gmail_msg">
> > On 2016-10-24 12:17 PM, Samir Hussain wrote:<br class="gmail_msg">
> > > Hello,<br class="gmail_msg">
> > > A couple of comments:<br class="gmail_msg">
> > > * ikelifetime and phasetime do not need to be quoted<br class="gmail_msg">
> > > * is your leftsourceip the same as the IP assigned to left? If it is,<br class="gmail_msg">
> > > then you can remove leftsourceip<br class="gmail_msg">
> > > * keyexchange and auth=esp should be removed<br class="gmail_msg">
> > ><br class="gmail_msg">
> > > If you are still experiencing problems, what do the logs show? You can<br class="gmail_msg">
> > > enable them by adding the following in the "config setup" section:<br class="gmail_msg">
> > ><br class="gmail_msg">
> > > plutodebug="control parsing"<br class="gmail_msg">
> > > plutostderrlog=/var/log/ipsec.log<br class="gmail_msg">
> > ><br class="gmail_msg">
> > > Samir<br class="gmail_msg">
> > ><br class="gmail_msg">
> > > On 2016-10-23 03:33 PM, Ian Barnes wrote:<br class="gmail_msg">
> > >> Hi,<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> I am having trouble setting up a connection to a provider (and am also<br class="gmail_msg">
> > >> running into delays getting logs from them) so I was wondering if anyone<br class="gmail_msg">
> > >> can spot a glaring error or point me in the possible right direction as<br class="gmail_msg">
> > >> to why my tunnel isn't coming up.<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> First off - the connection details (as provided by the remote party):<br class="gmail_msg">
> > >> *Remote:*<br class="gmail_msg">
> > >> Remote Device: Huawei VRP<br class="gmail_msg">
> > >> Auth Method: Pre-Shared Key<br class="gmail_msg">
> > >> Encryption: IKE<br class="gmail_msg">
> > >> IKE PFS: 3DES<br class="gmail_msg">
> > >> IKE Encryption Algorithm: SHA1<br class="gmail_msg">
> > >> IKE Hashing Algorithm: Group 2 (1024)<br class="gmail_msg">
> > >> IKE SA Lifetime: 14400<br class="gmail_msg">
> > >> Transform (IPSec Protocol): IKE<br class="gmail_msg">
> > >> IPSEC Perfect Forward Secrecy: ESP<br class="gmail_msg">
> > >> IPSEC Encryption Algorithm: 3DES<br class="gmail_msg">
> > >> IPSEC Hashing Algorithm: SHA1<br class="gmail_msg">
> > >> IPSEC SA Lifetime: 3600<br class="gmail_msg">
> > >> Hosts: 172.25.48.43, 172.25.48.36<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> Here is my config:<br class="gmail_msg">
> > >> *[root@server ~]# cat /etc/ipsec.conf*<br class="gmail_msg">
> > >> # /etc/ipsec.conf - Openswan IPsec configuration file<br class="gmail_msg">
> > >> version 2.0 # conforms to second version of ipsec.conf specification<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> # basic configuration<br class="gmail_msg">
> > >> config setup<br class="gmail_msg">
> > >> nat_traversal=yes<br class="gmail_msg">
> > >> virtual_private=%v:<a href="http://10.0.0.0/16" rel="noreferrer" class="gmail_msg" target="_blank">10.0.0.0/16</a><br class="gmail_msg">
> > >> protostack=netkey<br class="gmail_msg">
> > >> interfaces=%defaultroute<br class="gmail_msg">
> > >> klipsdebug=none<br class="gmail_msg">
> > >> plutodebug=none<br class="gmail_msg">
> > >> plutowait=no<br class="gmail_msg">
> > >> uniqueids=yes<br class="gmail_msg">
> > >> include /etc/ipsec.d/*.conf<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> *[root@server ~]# cat /etc/ipsec.d/host-prd.conf*<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> #######################################################################<br class="gmail_msg">
> > >> # VPN to HOST<br class="gmail_msg">
> > >> #<br class="gmail_msg">
> > >> #remoteEndPoint/32 (Production) externalIP/32<br class="gmail_msg">
> > >> #<br class="gmail_msg">
> > >> conn host-prd<br class="gmail_msg">
> > >> ##### Local<br class="gmail_msg">
> > >> left=externalIP<br class="gmail_msg">
> > >> leftsourceip=externalIP<br class="gmail_msg">
> > >> leftsubnet=externalIP/32<br class="gmail_msg">
> > >> leftnexthop=%defaultroute<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> ##### Remote<br class="gmail_msg">
> > >> right=remoteEndPoint<br class="gmail_msg">
> > >> rightsubnets={<a href="http://172.25.48.43/32" rel="noreferrer" class="gmail_msg" target="_blank">172.25.48.43/32</a> <a href="http://172.25.48.36/32" rel="noreferrer" class="gmail_msg" target="_blank">172.25.48.36/32</a>}<br class="gmail_msg">
> > >> rightnexthop=%defaultroute<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> ##### Auth Options<br class="gmail_msg">
> > >> authby=secret<br class="gmail_msg">
> > >> rekey=no<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> ##### Phase 1<br class="gmail_msg">
> > >> keyexchange=ike<br class="gmail_msg">
> > >> ike=3des-sha1-modp1024<br class="gmail_msg">
> > >> ikelifetime="14400"<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> ##### Phase 2<br class="gmail_msg">
> > >> auth=esp<br class="gmail_msg">
> > >> esp=3des-sha1<br class="gmail_msg">
> > >> keylife="3600"<br class="gmail_msg">
> > >> pfs=no<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> ##### Connection Options<br class="gmail_msg">
> > >> type=tunnel<br class="gmail_msg">
> > >> auto=start<br class="gmail_msg">
> > >> compress=no<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> disablearrivalcheck=no<br class="gmail_msg">
> > >> dpddelay=10<br class="gmail_msg">
> > >> dpdtimeout=30<br class="gmail_msg">
> > >> dpdaction=restart<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> Here are the logs of when I try connect:<br class="gmail_msg">
> > >> [root@server ~]# ipsec status<br class="gmail_msg">
> > >> 000 using kernel interface: netkey<br class="gmail_msg">
> > >> 000 interface lo/lo ::1<br class="gmail_msg">
> > >> 000 interface lo/lo 127.0.0.1<br class="gmail_msg">
> > >> 000 interface lo/lo 127.0.0.1<br class="gmail_msg">
> > >> 000 interface eth0/eth0 externalIP<br class="gmail_msg">
> > >> 000 interface eth0/eth0 externalIP<br class="gmail_msg">
> > >> 000 interface eth1/eth1 10.0.64.10<br class="gmail_msg">
> > >> 000 interface eth1/eth1 10.0.64.10<br class="gmail_msg">
> > >> 000 %myid = (none)<br class="gmail_msg">
> > >> 000 debug none<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >> 000 virtual_private (%priv):<br class="gmail_msg">
> > >> 000 - allowed 0 subnets:<br class="gmail_msg">
> > >> 000 - disallowed 0 subnets:<br class="gmail_msg">
> > >> 000 WARNING: Either virtual_private= is not specified, or there is a syntax<br class="gmail_msg">
> > >> 000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!<br class="gmail_msg">
> > >> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have<br class="gmail_msg">
> > >> 000 private address space in internal use, it should be excluded!<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,<br class="gmail_msg">
> > keysizemin=192,<br class="gmail_msg">
> > >> keysizemax=192<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,<br class="gmail_msg">
> > keysizemin=128,<br class="gmail_msg">
> > >> keysizemax=128<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,<br class="gmail_msg">
> ivlen=8,<br class="gmail_msg">
> > >> keysizemin=40, keysizemax=448<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,<br class="gmail_msg">
> > keysizemin=0,<br class="gmail_msg">
> > >> keysizemax=0<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,<br class="gmail_msg">
> > keysizemin=128,<br class="gmail_msg">
> > >> keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR,<br class="gmail_msg">
> ivlen=8,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A,<br class="gmail_msg">
> ivlen=8,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B,<br class="gmail_msg">
> ivlen=12,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C,<br class="gmail_msg">
> ivlen=16,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A,<br class="gmail_msg">
> ivlen=8,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B,<br class="gmail_msg">
> ivlen=12,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C,<br class="gmail_msg">
> ivlen=16,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8,<br class="gmail_msg">
> > keysizemin=128,<br class="gmail_msg">
> > >> keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT,<br class="gmail_msg">
> ivlen=8,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH,<br class="gmail_msg">
> ivlen=8,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=1,<br class="gmail_msg">
> name=AUTH_ALGORITHM_HMAC_MD5,<br class="gmail_msg">
> > >> keysizemin=128, keysizemax=128<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=2,<br class="gmail_msg">
> name=AUTH_ALGORITHM_HMAC_SHA1,<br class="gmail_msg">
> > >> keysizemin=160, keysizemax=160<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=5,<br class="gmail_msg">
> name=AUTH_ALGORITHM_HMAC_SHA2_256,<br class="gmail_msg">
> > >> keysizemin=256, keysizemax=256<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=6,<br class="gmail_msg">
> name=AUTH_ALGORITHM_HMAC_SHA2_384,<br class="gmail_msg">
> > >> keysizemin=384, keysizemax=384<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=7,<br class="gmail_msg">
> name=AUTH_ALGORITHM_HMAC_SHA2_512,<br class="gmail_msg">
> > >> keysizemin=512, keysizemax=512<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=8, name=(null),<br class="gmail_msg">
> keysizemin=160,<br class="gmail_msg">
> > >> keysizemax=160<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=9, name=(null),<br class="gmail_msg">
> keysizemin=128,<br class="gmail_msg">
> > >> keysizemax=128<br class="gmail_msg">
> > >> 000 algorithm ESP auth attr: id=251, name=(null),<br class="gmail_msg">
> keysizemin=0,<br class="gmail_msg">
> > keysizemax=0<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br class="gmail_msg">
> > keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br class="gmail_msg">
> > keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br class="gmail_msg">
> > keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br class="gmail_msg">
> > keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br class="gmail_msg">
> > keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br class="gmail_msg">
> > keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,<br class="gmail_msg">
> > blocksize=8,<br class="gmail_msg">
> > >> keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,<br class="gmail_msg">
> blocksize=8,<br class="gmail_msg">
> > >> keydeflen=192<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,<br class="gmail_msg">
> blocksize=16,<br class="gmail_msg">
> > >> keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=65004,<br class="gmail_msg">
> name=OAKLEY_SERPENT_CBC,<br class="gmail_msg">
> > >> blocksize=16, keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=65005,<br class="gmail_msg">
> name=OAKLEY_TWOFISH_CBC,<br class="gmail_msg">
> > >> blocksize=16, keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE encrypt: id=65289,<br class="gmail_msg">
> name=OAKLEY_TWOFISH_CBC_SSH,<br class="gmail_msg">
> > >> blocksize=16, keydeflen=128<br class="gmail_msg">
> > >> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br class="gmail_msg">
> > >> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br class="gmail_msg">
> > >> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256,<br class="gmail_msg">
> hashsize=32<br class="gmail_msg">
> > >> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384,<br class="gmail_msg">
> hashsize=48<br class="gmail_msg">
> > >> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512,<br class="gmail_msg">
> hashsize=64<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=2,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP1024,<br class="gmail_msg">
> > bits=1024<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=5,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP1536,<br class="gmail_msg">
> > bits=1536<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=14,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP2048,<br class="gmail_msg">
> > bits=2048<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=15,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP3072,<br class="gmail_msg">
> > bits=3072<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=16,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP4096,<br class="gmail_msg">
> > bits=4096<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=17,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP6144,<br class="gmail_msg">
> > bits=6144<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=18,<br class="gmail_msg">
> name=OAKLEY_GROUP_MODP8192,<br class="gmail_msg">
> > bits=8192<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=22,<br class="gmail_msg">
> name=OAKLEY_GROUP_DH22, bits=1024<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=23,<br class="gmail_msg">
> name=OAKLEY_GROUP_DH23, bits=2048<br class="gmail_msg">
> > >> 000 algorithm IKE dh group: id=24,<br class="gmail_msg">
> name=OAKLEY_GROUP_DH24, bits=2048<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8064,64} trans={0,8064,3072} attrs={0,8064,2048}<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >> 000 "host-prd/0x1": externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===<a href="http://172.25.48.43/32" rel="noreferrer" class="gmail_msg" target="_blank">172.25.48.43/32</a>; unrouted; eroute owner: #0<br class="gmail_msg">
> > >> 000 "host-prd/0x1": myip=externalIP; hisip=unset;<br class="gmail_msg">
> > >> 000 "host-prd/0x1": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes<br class="gmail_msg">
> > >> 000 "host-prd/0x1": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;<br class="gmail_msg">
> > >> 000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;<br class="gmail_msg">
> > >> 000 "host-prd/0x1": aliases: host-prd<br class="gmail_msg">
> > >> 000 "host-prd/0x1": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)<br class="gmail_msg">
> > >> 000 "host-prd/0x1": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<br class="gmail_msg">
> > >> 000 "host-prd/0x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000<br class="gmail_msg">
> > >> 000 "host-prd/0x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br class="gmail_msg">
> > >> 000 "host-prd/0x2": externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===<a href="http://172.25.48.36/32" rel="noreferrer" class="gmail_msg" target="_blank">172.25.48.36/32</a>; unrouted; eroute owner: #0<br class="gmail_msg">
> > >> 000 "host-prd/0x2": myip=externalIP; hisip=unset;<br class="gmail_msg">
> > >> 000 "host-prd/0x2": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes<br class="gmail_msg">
> > >> 000 "host-prd/0x2": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;<br class="gmail_msg">
> > >> 000 "host-prd/0x2": newest ISAKMP SA: #7757; newest IPsec SA: #0;<br class="gmail_msg">
> > >> 000 "host-prd/0x2": aliases: host-prd<br class="gmail_msg">
> > >> 000 "host-prd/0x2": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)<br class="gmail_msg">
> > >> 000 "host-prd/0x2": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<br class="gmail_msg">
> > >> 000 "host-prd/0x2": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024<br class="gmail_msg">
> > >> 000 "host-prd/0x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000<br class="gmail_msg">
> > >> 000 "host-prd/0x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >> 000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate<br class="gmail_msg">
> > >> 000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate<br class="gmail_msg">
> > >> 000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP; nodpd; idle; import:admin initiate<br class="gmail_msg">
> > >> 000<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> *Here is an ipsec verify:*<br class="gmail_msg">
> > >> [root@server ~]# ipsec verify<br class="gmail_msg">
> > >> Checking your system to see if IPsec got installed and started correctly:<br class="gmail_msg">
> > >> Version check and ipsec on-path [OK]<br class="gmail_msg">
> > >> Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)<br class="gmail_msg">
> > >> Checking for IPsec support in kernel [OK]<br class="gmail_msg">
> > >> SAref kernel support [N/A]<br class="gmail_msg">
> > >> NETKEY: Testing for disabled ICMP send_redirects [OK]<br class="gmail_msg">
> > >> NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br class="gmail_msg">
> > >> Checking that pluto is running [OK]<br class="gmail_msg">
> > >> Pluto listening for IKE on udp 500 [OK]<br class="gmail_msg">
> > >> Pluto listening for NAT-T on udp 4500 [OK]<br class="gmail_msg">
> > >> Two or more interfaces found, checking IP forwarding [OK]<br class="gmail_msg">
> > >> Checking NAT and MASQUERADEing [OK]<br class="gmail_msg">
> > >> Checking for 'ip' command [OK]<br class="gmail_msg">
> > >> Checking /bin/sh is not /bin/dash [OK]<br class="gmail_msg">
> > >> Checking for 'iptables' command [OK]<br class="gmail_msg">
> > >> Opportunistic Encryption Support [DISABLED]<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> Any ideas would be very welcome! Apologies if I'm missing something<br class="gmail_msg">
> > >> silly - I think I can't see the wood for the trees at the moment!<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> Regards<br class="gmail_msg">
> > >> Ian<br class="gmail_msg">
> > >><br class="gmail_msg">
> > >><br class="gmail_msg">
> > >><br class="gmail_msg">
> > >> _______________________________________________<br class="gmail_msg">
> > >> <a href="mailto:Users@lists.openswan.org" class="gmail_msg" target="_blank">Users@lists.openswan.org</a><br class="gmail_msg">
> > >> <a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br class="gmail_msg">
> > >> Micropayments:<br class="gmail_msg">
> > <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" class="gmail_msg" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br class="gmail_msg">
> > >> Building and Integrating Virtual Private Networks with Openswan:<br class="gmail_msg">
> > >><br class="gmail_msg">
> > <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" class="gmail_msg" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br class="gmail_msg">
> > >><br class="gmail_msg">
</blockquote></div>
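An added example, not code from the thread or from the Openswan project: it parses status lines of the kind quoted above and reports the pattern seen there (ISAKMP SA established while quick mode keeps retransmitting, i.e. the peer never answers QI1), and flags the legacy IKE algorithms negotiated. The sample input is constructed from the quoted output; the verdict strings are this example's own.

```python
import re

# Constructed sample: status lines taken from the output quoted in the
# thread above (connection and state numbers as shown there).
STATUS_SAMPLE = """\
000 "host-prd/0x2": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP; nodpd; idle; import:admin initiate
"""

STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\); (EVENT_\w+)')
ALG_RE = re.compile(r'^000 "([^"]+)": IKE algorithm newest: (\S+)')
LEGACY_ALGS = ("3DES", "SHA1", "MODP1024")  # worth flagging in any new deployment

def _conn_base(name):
    # "host-prd/0x2" is an instance of conn "host-prd"; group by the base name.
    return name.split("/", 1)[0]

def summarize(status_text):
    """Parse status lines into per-connection phase 1 / phase 2 facts."""
    conns = {}
    def entry(name):
        return conns.setdefault(_conn_base(name), {
            "phase1_up": False, "phase2_retransmitting": [], "legacy_algs": []})
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, name, state, desc, event = m.groups()
            c = entry(name)
            if "ISAKMP SA established" in desc:
                c["phase1_up"] = True
            elif state.startswith("STATE_QUICK") and event == "EVENT_RETRANSMIT":
                c["phase2_retransmitting"].append(int(num))
            continue
        m = ALG_RE.match(line)
        if m:
            name, alg = m.groups()
            entry(name)["legacy_algs"] = [a for a in LEGACY_ALGS if a in alg]
    return conns

def diagnose(conn):
    """Turn one connection's facts into a short verdict for the operator."""
    if conn["phase1_up"] and conn["phase2_retransmitting"]:
        # Peer accepted the ISAKMP SA but never answered QI1: check the
        # remote side's subnets/IDs and ESP proposal against this config.
        return "phase1-ok-phase2-stalled"
    if not conn["phase1_up"]:
        return "phase1-down"
    return "up"

if __name__ == "__main__":
    for name, facts in summarize(STATUS_SAMPLE).items():
        print(name, diagnose(facts), "legacy:", ", ".join(facts["legacy_algs"]) or "none")
```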