[Openswan Users] Problem for one way of Net-to-Net VPN

Francois-Xavier DETOURNIERE fx.detourniere at gmail.com
Wed Aug 22 19:53:55 EDT 2007


Hello,

I am having difficulty making a net-to-net connection work correctly using
OpenSwan on both sides.
My network:

192.168.0.0/24 GREEN Network A
        |
192.168.0.114/32 OpenSwanServer A
192.168.119.51/32 OpenSwanServer A (RED Address)
        |
192.168.119.1/32 ISP Router (Orange Livebox VPN Passthrough)
a.b.c.d Internet Public Address
        .
  Internet
        .
w.x.y.z Internet Public Address on OpenSwanServer B (RED Address)
192.168.1.3/32 OpenSwanServer B
        |
192.168.1.0/24 GREEN Network B

I can establish the tunnel from site A or B without any problem.
Computers on Network B can reach any computer on Network A (SSH or
any other service).

The problem is that a computer on Network A cannot contact Network B.
If I run tcpdump on the OpenSwan servers, I see that the SPI sent by
OpenSwanServer A is invalid (and it seems to change each time I try
to open a new connection).

Example:
 + log from OpenSwan A:
"FX_Fred" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xf7e69f69 <0x30addb50 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

 + tcpdump on OpenSwan A:
192.168.119.51 > fred1701.dyndns.org: ESP(spi=0x0e5e9f69,seq=0x20) (DF)

The SPI is incorrect :(

But if I SSH from network B:
 + tcpdump on OpenSwan A:
siteB.dyndns.org > 192.168.119.51: ESP(spi=0x30addb50,seq=0x19) (DF)
192.168.119.51 > siteB.dyndns.org: ESP(spi=0xf7e69f69,seq=0x14) (DF)

Everything is OK.

My ipsec.conf on OpenSwan A:
conn FX_Fred
        auto=add
        left=192.168.119.51
        leftid=siteA.dyndns.org
        leftnexthop=%defaultroute
        leftsubnet=192.168.0.0/24
        leftrsasigkey=0sAQ....
        right=siteB.dyndns.org
        rightsubnet=192.168.1.0/24
        rightid=@server.fred1701.dyndns.org
        rightrsasigkey=0sAQ...
        type=tunnel

My ipsec.conf on OpenSwan B:
conn FX_Fred
        auto=add
        left=siteB.dyndns.org
        leftnexthop=%defaultroute
        leftsubnet=192.168.1.0/24
        leftid=@server.fred1701.dyndns.org
        leftrsasigkey=0sAQ....
        right=siteA.dyndns.org
        rightsubnet=192.168.0.0/24
        rightid=feuxeu77.dyndns.org
        rightrsasigkey=0sAQ...
        type=tunnel


Command I use to test from network A (not working):
ssh 192.168.1.x -b 192.168.0.114

Command I use to test from network B (working):
ssh 192.168.0.x -b 192.168.1.3

Does anybody have an idea about this problem? I have another
configuration for a RoadWarrior connection on OpenSwanServer A to
another network, and it works without any problem.

Don't hesitate to ask if you need more information to help me.

Best regards,

FX
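The comparison made by hand above (pluto's `{ESP=>... <...}` pair against the `spi=` field in tcpdump's ESP lines) is easy to get wrong when SAs are rekeyed, so here is an added example that does it mechanically. This is my script, not code from the original post or from Openswan: it parses the outbound/inbound SPI pair out of pluto's "IPsec SA established" line, then checks every tcpdump ESP line against it by direction (a packet sent by the local address must carry the outbound SPI, a packet sent to it must carry the inbound SPI). The sample lines are constructed from the ones quoted in the post; `LOCAL`, the regular expressions and the "low 16 bits match" flag are my assumptions.

```python
#!/usr/bin/env python3
"""Cross-check the SPIs pluto logs for an IPsec SA against the SPIs that
tcpdump shows on the wire.

Added example, not code from the original post or from Openswan. In practice
you would feed parse_sa() the pluto log and check_packets() a tcpdump
capture taken on the same host."""
import re

# Constructed sample input, copied from the lines quoted in the post.
PLUTO_LOG = [
    '"FX_Fred" #5: STATE_QUICK_I2: sent QI2, IPsec SA established '
    '{ESP=>0xf7e69f69 <0x30addb50 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}',
]
TCPDUMP_A_TO_B = [
    "192.168.119.51 > fred1701.dyndns.org: ESP(spi=0x0e5e9f69,seq=0x20) (DF)",
]
TCPDUMP_B_TO_A = [
    "siteB.dyndns.org > 192.168.119.51: ESP(spi=0x30addb50,seq=0x19) (DF)",
    "192.168.119.51 > siteB.dyndns.org: ESP(spi=0xf7e69f69,seq=0x14) (DF)",
]
LOCAL = "192.168.119.51"  # assumption: the "left" address of OpenSwan A

# pluto: {ESP=>0x<outbound> <0x<inbound> ...}  ("=>" is what we send, "<" what we receive)
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): .*?IPsec SA established.*?'
    r'\{ESP=>0x(?P<out>[0-9a-fA-F]+) <0x(?P<inb>[0-9a-fA-F]+)'
)
# tcpdump: <src> > <dst>: ESP(spi=0x...,seq=0x...)
ESP_RE = re.compile(
    r'^(?P<src>\S+) > (?P<dst>\S+): '
    r'ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)'
)


def parse_sa(log_lines):
    """Map connection name -> (outbound_spi, inbound_spi) from pluto log lines.

    A later 'SA established' line for the same conn replaces the earlier one,
    so the result reflects the most recent (possibly rekeyed) SA."""
    sas = {}
    for line in log_lines:
        m = SA_RE.search(line)
        if m:
            sas[m.group("conn")] = (int(m.group("out"), 16), int(m.group("inb"), 16))
    return sas


def check_packets(tcpdump_lines, local, sa):
    """Compare each ESP packet's SPI with the SPI pluto says the SA uses.

    sa is an (outbound, inbound) pair. A packet sent *by* local must carry
    the outbound SPI; a packet sent *to* local must carry the inbound SPI.
    Returns one dict per ESP packet; non-ESP lines are skipped."""
    outbound, inbound = sa
    results = []
    for line in tcpdump_lines:
        m = ESP_RE.match(line)
        if not m:
            continue
        spi = int(m.group("spi"), 16)
        if m.group("src") == local:
            direction, expected = "out", outbound
        elif m.group("dst") == local:
            direction, expected = "in", inbound
        else:
            direction, expected = "unknown", None
        results.append({
            "line": line,
            "direction": direction,
            "expected": expected,
            "actual": spi,
            "ok": expected is not None and spi == expected,
            # Flag a partial match separately: a wholly unrelated SPI and an SPI
            # that differs only in its upper bits deserve different follow-up.
            "low16_match": expected is not None and (spi & 0xFFFF) == (expected & 0xFFFF),
        })
    return results


def report(results):
    """Render check_packets() output as one line per packet."""
    lines = []
    for r in results:
        status = "OK " if r["ok"] else "BAD"
        exp = f"0x{r['expected']:08x}" if r["expected"] is not None else "?"
        note = " (low 16 bits match)" if (not r["ok"] and r["low16_match"]) else ""
        lines.append(f"{status} {r['direction']:>7} expected {exp} got 0x{r['actual']:08x}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    sa = parse_sa(PLUTO_LOG)["FX_Fred"]
    print("pluto SA for FX_Fred: out=0x%08x in=0x%08x" % sa)
    print("-- A -> B (failing)")
    print(report(check_packets(TCPDUMP_A_TO_B, LOCAL, sa)))
    print("-- B -> A (working)")
    print(report(check_packets(TCPDUMP_B_TO_A, LOCAL, sa)))
```

Run it against a real pluto log and a `tcpdump -n esp` capture taken on the gateway (use `-n` so the source and destination are printed as addresses and `LOCAL` can be matched literally). Because `parse_sa()` keeps only the newest SA per connection, a "BAD" verdict is also worth re-checking against the full log history: if an SPI that fails against the newest SA matches an older one, the two ends are simply using different generations of the SA.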
