[Openswan Users] Subnets conmunication?

IT Dept. it at technovation.com.sv
Tue Jun 5 15:52:39 EDT 2007


Any idea on how to do that???

	Im very confussed

	Hector

-----Mensaje original-----
De: Peter McGill [mailto:petermcgill at goco.net] 
Enviado el: Martes, 05 de Junio de 2007 01:43 p.m.
Para: 'IT Dept.'
Asunto: RE: [Openswan Users] Subnets conmunication?

According to these logs, branch40, branch40_to_centralbw_50 and
centralbw_50 all connected but centralbw_50_to_branch_40 is missing.
You need that for traffic flow between branch_40 and centralbw_50.
It needs to be initiated by centralbw's linksys router.

Peter McGill
 

> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv] 
> Sent: June 5, 2007 3:34 PM
> To: petermcgill at goco.net
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> Here is my last log....connections up but no ping between 
> 192.168.40.x and
> 192.168.50.x...
> 
> Jun  5 14:28:57 vpn pluto[1165]: adding interface eth0:3/eth0:3
> 208.70.149.165:500
> Jun  5 14:28:57 vpn pluto[1165]: adding interface eth0:3/eth0:3
> 208.70.149.165:4500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0:2/eth0:2
> 208.70.149.164:500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0:2/eth0:2
> 208.70.149.164:4500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0:1/eth0:1
> 208.70.149.163:500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0:1/eth0:1
> 208.70.149.163:4500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0:0/eth0:0
> 208.70.149.162:500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0:0/eth0:0
> 208.70.149.162:4500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0/eth0
> 208.70.149.161:500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface eth0/eth0
> 208.70.149.161:4500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface lo/lo 127.0.0.1:500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface lo/lo 127.0.0.1:4500
> Jun  5 14:28:58 vpn pluto[1165]: adding interface lo/lo ::1:500
> Jun  5 14:28:59 vpn pluto[1165]: loading secrets from 
> "/etc/ipsec.secrets"
> Jun  5 14:28:59 vpn sshd[1443]: Server listening on :: port 22.
> Jun  5 14:28:59 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #1: initiating
> Main Mode
> Jun  5 14:28:59 vpn webmin[1548]: Webmin starting 
> Jun  5 14:29:00 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #1: transition
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jun  5 14:29:00 vpn pluto[1165]: "branch_40_to_centralbw_50" #1:
> STATE_MAIN_I2: sent MI2, expecting MR2
> Jun  5 14:29:01 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #1: I did not
> send a certificate because I do not have one.
> Jun  5 14:29:01 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #1: transition
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jun  5 14:29:01 vpn pluto[1165]: "branch_40_to_centralbw_50" #1:
> STATE_MAIN_I3: sent MI3, expecting MR3
> Jun  5 14:29:02 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #1: Main mode
> peer ID is ID_IPV4_ADDR: '190.53.0.113'
> Jun  5 14:29:02 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #1: transition
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jun  5 14:29:02 vpn pluto[1165]: "branch_40_to_centralbw_50" #1:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Jun  5 14:29:02 vpn pluto[1165]: "branch_40" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Jun  5 14:29:02 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #3: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Jun  5 14:29:04 vpn pluto[1165]: "branch_40" #2: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> Jun  5 14:29:05 vpn pluto[1165]: "branch_40" #2: 
> STATE_QUICK_I2: sent QI2,
> IPsec SA established {ESP=>0x44688997 <0xf45725dc xfrm=3DES_0-HMAC_MD5
> NATD=none DPD=none}
> Jun  5 14:29:15 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> #3: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jun  5 14:29:15 vpn pluto[1165]: "branch_40_to_centralbw_50" #3:
> STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0x9a8a16a3 <0x4b0ae507
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Jun  5 14:29:16 vpn sshd[1563]: Accepted password for root 
> from 190.53.0.113
> port 1983 ssh2
> Jun  5 14:29:16 vpn sshd[1563]: subsystem request for sftp
> Jun  5 14:29:16 vpn sshd[1565]: (pam_unix) session opened for 
> user root by
> (uid=0)
> Jun  5 14:30:08 vpn sshd[1563]: subsystem request for sftp
> Jun  5 14:30:08 vpn sshd[1566]: (pam_unix) session opened for 
> user root by
> (uid=0)
> Jun  5 14:31:24 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> responding to Main Mode from unknown peer 66.201.165.11
> Jun  5 14:31:24 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  5 14:31:24 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jun  5 14:31:24 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  5 14:31:24 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4: Main
> mode peer ID is ID_FQDN: '@centralbw'
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4: I did
> not send a certificate because I do not have one.
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #4:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #5:
> responding to Quick Mode {msgid:effb3915}
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #5:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #5:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #5:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun  5 14:31:25 vpn pluto[1165]: "centralbw_50"[1] 66.201.165.11 #5:
> STATE_QUICK_R2: IPsec SA established {ESP=>0x80f41e9f <0xf2757211
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> 
> Hector
> 
> -----Mensaje original-----
> De: Peter McGill [mailto:petermcgill at goco.net] 
> Enviado el: Martes, 05 de Junio de 2007 01:18 p.m.
> Para: 'IT Dept.'
> CC: users at openswan.org
> Asunto: RE: [Openswan Users] Subnets conmunication?
> 
> Forgot to mention you'll also need to update your,
> Ipsec secrets for centralbw like this.
> 
> 208.70.149.161 @centralbw : PSK "secret..."
> 
> Peter McGill
>  
> 
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net] 
> > Sent: June 5, 2007 3:15 PM
> > To: 'IT Dept.'
> > Cc: 'users at openswan.org'
> > Subject: RE: [Openswan Users] Subnets conmunication?
> > 
> > That's what we need.
> > It looks like there is a problem with centralbw connecting.
> > Because it's dynamic ip, it doesn't know how to identify the
> > Connecting router, needs an id field.
> > 
> > Update this conn in your conf add rightid line.
> > conn centralbw_50_shared
> >  	authby=secret
> >  	compress=no
> >  	ikelifetime=240m
> >   	keyexchange=ike
> >  	keylife=60m
> >  	left=208.70.149.161
> >  	leftnexthop=208.70.149.166
> >         pfs=yes
> >  	right=%any
> > 	rightid=@centralbw
> > 
> > Also add id to linksys conf, sorry don't know how to do that.
> > 
> > Peter McGill
> >  
> > 
> > > -----Original Message-----
> > > From: IT Dept. [mailto:it at technovation.com.sv] 
> > > Sent: June 5, 2007 3:06 PM
> > > To: petermcgill at goco.net
> > > Cc: users at openswan.org
> > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > 
> > > Here is auth.log
> > > 
> > > Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4:
> > > responding to Main Mode from unknown peer 66.201.165.11
> > > Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4:
> > > transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4:
> > > STATE_MAIN_R1: sent MR1, expecting MI2
> > > Jun  5 13:54:12 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4:
> > > transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[1] 
> 66.201.165.11 #4:
> > > STATE_MAIN_R2: sent MR2, expecting MI3
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[1] 
> > > 66.201.165.11 #4: Main
> > > mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 
> 66.201.165.11 #4:
> > > deleting connection "centralbw_50" instance with peer 
> 66.201.165.11
> > > {isakmp=#0/ipsec=#0}
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: I did
> > > not send a certificate because I do not have one.
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 
> 66.201.165.11 #4:
> > > transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 
> 66.201.165.11 #4:
> > > STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> > > {auth=OAKLEY_PRESHARED_KEY
> > > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: cannot
> > > respond to IPsec SA request because no connection is known for
> > > 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]==
> > > =192.168.50.0/
> > > 24
> > > Jun  5 13:54:13 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: sending
> > > encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> > > Jun  5 13:54:23 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: Quick
> > > Mode I1 message is unacceptable because it uses a previously 
> > > used Message ID
> > > 0x915afd54 (perhaps this is a duplicated packet)
> > > Jun  5 13:54:23 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: sending
> > > encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> > > Jun  5 13:54:43 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: Quick
> > > Mode I1 message is unacceptable because it uses a previously 
> > > used Message ID
> > > 0x915afd54 (perhaps this is a duplicated packet)
> > > Jun  5 13:54:43 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: sending
> > > encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> > > Jun  5 13:55:24 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: cannot
> > > respond to IPsec SA request because no connection is known for
> > > 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]==
> > > =192.168.50.0/
> > > 24
> > > Jun  5 13:55:24 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11 #4: sending
> > > encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[2] 
> 66.201.165.11 #4:
> > > received Delete SA payload: deleting ISAKMP State #4
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[2] 
> > > 66.201.165.11: deleting
> > > connection "centralbw_50" instance with peer 66.201.165.11
> > > {isakmp=#0/ipsec=#0}
> > > Jun  5 13:55:27 vpn pluto[1165]: packet from 
> > > 66.201.165.11:500: received and
> > > ignored informational message
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 
> 66.201.165.11 #5:
> > > responding to Main Mode from unknown peer 66.201.165.11
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 
> 66.201.165.11 #5:
> > > transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 
> 66.201.165.11 #5:
> > > STATE_MAIN_R1: sent MR1, expecting MI2
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 
> 66.201.165.11 #5:
> > > transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > > Jun  5 13:55:27 vpn pluto[1165]: "centralbw_50"[3] 
> 66.201.165.11 #5:
> > > STATE_MAIN_R2: sent MR2, expecting MI3
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[3] 
> > > 66.201.165.11 #5: Main
> > > mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 
> 66.201.165.11 #5:
> > > deleting connection "centralbw_50" instance with peer 
> 66.201.165.11
> > > {isakmp=#0/ipsec=#0}
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: I did
> > > not send a certificate because I do not have one.
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 
> 66.201.165.11 #5:
> > > transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 
> 66.201.165.11 #5:
> > > STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> > > {auth=OAKLEY_PRESHARED_KEY
> > > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: cannot
> > > respond to IPsec SA request because no connection is known for
> > > 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]==
> > > =192.168.50.0/
> > > 24
> > > Jun  5 13:55:37 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: sending
> > > encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> > > Jun  5 13:55:47 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: Quick
> > > Mode I1 message is unacceptable because it uses a previously 
> > > used Message ID
> > > 0x443f23ad (perhaps this is a duplicated packet)
> > > Jun  5 13:55:47 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: sending
> > > encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> > > Jun  5 13:56:07 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: Quick
> > > Mode I1 message is unacceptable because it uses a previously 
> > > used Message ID
> > > 0x443f23ad (perhaps this is a duplicated packet)
> > > Jun  5 13:56:07 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: sending
> > > encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> > > Jun  5 13:56:45 vpn sshd[1620]: Accepted password for root 
> > > from 190.53.0.113
> > > port 1869 ssh2
> > > Jun  5 13:56:45 vpn sshd[1622]: (pam_unix) session opened for 
> > > user root by
> > > root(uid=0)
> > > Jun  5 13:56:48 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: cannot
> > > respond to IPsec SA request because no connection is known for
> > > 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]==
> > > =192.168.50.0/
> > > 24
> > > Jun  5 13:56:48 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11 #5: sending
> > > encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[4] 
> 66.201.165.11 #5:
> > > received Delete SA payload: deleting ISAKMP State #5
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[4] 
> > > 66.201.165.11: deleting
> > > connection "centralbw_50" instance with peer 66.201.165.11
> > > {isakmp=#0/ipsec=#0}
> > > Jun  5 13:56:51 vpn pluto[1165]: packet from 
> > > 66.201.165.11:500: received and
> > > ignored informational message
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 
> 66.201.165.11 #6:
> > > responding to Main Mode from unknown peer 66.201.165.11
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 
> 66.201.165.11 #6:
> > > transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 
> 66.201.165.11 #6:
> > > STATE_MAIN_R1: sent MR1, expecting MI2
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 
> 66.201.165.11 #6:
> > > transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 
> 66.201.165.11 #6:
> > > STATE_MAIN_R2: sent MR2, expecting MI3
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[5] 
> > > 66.201.165.11 #6: Main
> > > mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[6] 
> 66.201.165.11 #6:
> > > deleting connection "centralbw_50" instance with peer 
> 66.201.165.11
> > > {isakmp=#0/ipsec=#0}
> > > Jun  5 13:56:51 vpn pluto[1165]: "centralbw_50"[6] 
> > > 66.201.165.11 #6: I did
> > > not send a certificate because I do not have one.
> > > Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 
> 66.201.165.11 #6:
> > > transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > > Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 
> 66.201.165.11 #6:
> > > STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> > > {auth=OAKLEY_PRESHARED_KEY
> > > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > > Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 
> > > 66.201.165.11 #6: cannot
> > > respond to IPsec SA request because no connection is known for
> > > 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]==
> > > =192.168.50.0/
> > > 24
> > > Jun  5 13:56:52 vpn pluto[1165]: "centralbw_50"[6] 
> > > 66.201.165.11 #6: sending
> > > encrypted notification INVALID_ID_INFORMATION to 66.201.165.11:500
> > > Jun  5 13:57:01 vpn pluto[1165]: "centralbw_50"[6] 
> > > 66.201.165.11 #6: Quick
> > > Mode I1 message is unacceptable because it uses a previously 
> > > used Message ID
> > > 0x6791a7cd (perhaps this is a duplicated packet)
> > > Jun  5 13:57:01 vpn pluto[1165]: "centralbw_50"[6] 
> > > 66.201.165.11 #6: sending
> > > encrypted notification INVALID_MESSAGE_ID to 66.201.165.11:500
> > > Jun  5 13:57:19 vpn sshd[1482]: Received signal 15; terminating.
> > > Jun  5 13:57:19 vpn pluto[1165]: shutting down
> > > Jun  5 13:57:19 vpn pluto[1165]: forgetting secrets
> > > Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50"[6] 
> > > 66.201.165.11: deleting
> > > connection "centralbw_50" instance with peer 66.201.165.11
> > > {isakmp=#6/ipsec=#0}
> > > Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50" #6: deleting state
> > > (STATE_MAIN_R3)
> > > Jun  5 13:57:20 vpn pluto[1165]: 
> > "centralbw_50_to_branch_40": deleting
> > > connection
> > > Jun  5 13:57:20 vpn pluto[1165]: "branch_40": deleting connection
> > > Jun  5 13:57:20 vpn pluto[1165]: "branch_40" #2: deleting state
> > > (STATE_QUICK_I2)
> > > Jun  5 13:57:20 vpn pluto[1165]: 
> > "branch_40_to_centralbw_50": deleting
> > > connection
> > > Jun  5 13:57:20 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> > > #3: deleting
> > > state (STATE_QUICK_I2)
> > > Jun  5 13:57:20 vpn pluto[1165]: "branch_40_to_centralbw_50" 
> > > #1: deleting
> > > state (STATE_MAIN_I4)
> > > Jun  5 13:57:20 vpn pluto[1165]: "centralbw_50": deleting 
> connection
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > lo/lo ::1:500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface lo/lo
> > > 127.0.0.1:4500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > > lo/lo 127.0.0.1:500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0/eth0
> > > 208.70.149.161:4500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface eth0/eth0
> > > 208.70.149.161:500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:0/eth0:0
> > > 208.70.149.162:4500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:0/eth0:0
> > > 208.70.149.162:500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:1/eth0:1
> > > 208.70.149.163:4500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:1/eth0:1
> > > 208.70.149.163:500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:2/eth0:2
> > > 208.70.149.164:4500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:2/eth0:2
> > > 208.70.149.164:500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:3/eth0:3
> > > 208.70.149.165:4500
> > > Jun  5 13:57:20 vpn pluto[1165]: shutting down interface 
> > eth0:3/eth0:3
> > > 208.70.149.165:500
> > > Jun  5 13:58:02 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #1: initiating
> > > Main Mode
> > > Jun  5 13:58:02 vpn pluto[1164]: 
> "centralbw_50_to_branch_40": cannot
> > > initiate connection without knowing peer IP address 
> > (kind=CK_TEMPLATE)
> > > Jun  5 13:58:02 vpn sshd[1490]: Server listening on :: port 22.
> > > Jun  5 13:58:03 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #1: transition
> > > from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > > Jun  5 13:58:03 vpn pluto[1164]: "branch_40_to_centralbw_50" #1:
> > > STATE_MAIN_I2: sent MI2, expecting MR2
> > > Jun  5 13:58:04 vpn webmin[1574]: Webmin starting 
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #1: I did not
> > > send a certificate because I do not have one.
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #1: transition
> > > from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1:
> > > STATE_MAIN_I3: sent MI3, expecting MR3
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #1: Main mode
> > > peer ID is ID_IPV4_ADDR: '190.53.0.113'
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #1: transition
> > > from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" #1:
> > > STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > > cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40" #2: initiating 
> > Quick Mode
> > > PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> > > Jun  5 13:58:05 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #3: initiating
> > > Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> > > Jun  5 13:58:08 vpn pluto[1164]: "branch_40" #2: transition 
> > from state
> > > STATE_QUICK_I1 to state STATE_QUICK_I2
> > > Jun  5 13:58:08 vpn pluto[1164]: "branch_40" #2: 
> > > STATE_QUICK_I2: sent QI2,
> > > IPsec SA established {ESP=>0xc3ad781f <0xf5001af0 
> > xfrm=3DES_0-HMAC_MD5
> > > NATD=none DPD=none}
> > > Jun  5 13:58:12 vpn sshd[1586]: Accepted password for root 
> > > from 190.53.0.113
> > > port 1881 ssh2
> > > Jun  5 13:58:13 vpn sshd[1588]: (pam_unix) session opened for 
> > > user root by
> > > root(uid=0)
> > > Jun  5 13:58:18 vpn pluto[1164]: "branch_40_to_centralbw_50" 
> > > #3: transition
> > > from state STATE_QUICK_I1 to state STATE_QUICK_I2
> > > Jun  5 13:58:18 vpn pluto[1164]: "branch_40_to_centralbw_50" #3:
> > > STATE_QUICK_I2: sent QI2, IPsec SA established 
> > > {ESP=>0x433730c7 <0xe3efe176
> > > xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> > > Jun  5 13:58:19 vpn sshd[1605]: Accepted password for root 
> > > from 190.53.0.113
> > > port 1882 ssh2
> > > Jun  5 13:58:35 vpn sshd[1605]: subsystem request for sftp
> > > Jun  5 13:58:35 vpn sshd[1607]: (pam_unix) session opened for 
> > > user root by
> > > (uid=0)
> > > Jun  5 14:00:01 vpn CRON[1608]: (pam_unix) session opened for 
> > > user root by
> > > (uid=0)
> > > 
> > > -----Mensaje original-----
> > > De: users-bounces at openswan.org 
> > > [mailto:users-bounces at openswan.org] En nombre
> > > de IT Dept.
> > > Enviado el: Martes, 05 de Junio de 2007 01:00 p.m.
> > > Para: petermcgill at goco.net
> > > CC: users at openswan.org
> > > Asunto: Re: [Openswan Users] Subnets conmunication?
> > > 
> > > Here is:
> > > 
> > > 
> > > Jun  5 13:58:02 vpn syslogd 1.4.1#17ubuntu7: restart.
> > > Jun  5 13:58:02 vpn kernel: Cannot find map file.
> > > Jun  5 13:58:02 vpn kernel: No module symbols loaded - kernel 
> > > modules not
> > > enabled. 
> > > Jun  5 13:58:02 vpn kernel: Bootdata ok (command line is  
> > > root=/dev/sda1 ro
> > > 3)
> > > Jun  5 13:58:02 vpn kernel: Linux version 2.6.16.29-xen 
> > > (shand at endor) (gcc
> > > version 3.4.4 20050314 (prerelease) (Debian 3.4.3-13)) #3 SMP 
> > > Sun Oct 15
> > > 13:15:34 BST 2006
> > > Jun  5 13:58:02 vpn kernel: BIOS-provided physical RAM map:
> > > Jun  5 13:58:02 vpn kernel:  Xen: 0000000000000000 - 
> > 000000001f000000
> > > (usable)
> > > Jun  5 13:58:02 vpn kernel: On node 0 totalpages: 126976
> > > Jun  5 13:58:02 vpn kernel:   DMA zone: 126976 pages, 
> LIFO batch:31
> > > Jun  5 13:58:02 vpn kernel:   DMA32 zone: 0 pages, LIFO batch:0
> > > Jun  5 13:58:02 vpn kernel:   Normal zone: 0 pages, LIFO batch:0
> > > Jun  5 13:58:02 vpn kernel:   HighMem zone: 0 pages, LIFO batch:0
> > > Jun  5 13:58:02 vpn kernel: No mptable found.
> > > Jun  5 13:58:02 vpn kernel: Built 1 zonelists
> > > Jun  5 13:58:02 vpn kernel: Kernel command line:  
> > root=/dev/sda1 ro 3
> > > Jun  5 13:58:02 vpn kernel: Initializing CPU#0
> > > Jun  5 13:58:02 vpn kernel: PID hash table entries: 2048 
> > > (order: 11, 65536
> > > bytes)
> > > Jun  5 13:58:02 vpn kernel: Xen reported: 1795.496 MHz processor.
> > > Jun  5 13:58:02 vpn kernel: Dentry cache hash table entries: 
> > > 65536 (order:
> > > 7, 524288 bytes)
> > > Jun  5 13:58:02 vpn kernel: Inode-cache hash table entries: 
> > > 32768 (order: 6,
> > > 262144 bytes)
> > > Jun  5 13:58:02 vpn kernel: Software IO TLB disabled
> > > Jun  5 13:58:02 vpn kernel: Memory: 483452k/507904k available 
> > > (1918k kernel
> > > code, 15628k reserved, 809k data, 168k init)
> > > Jun  5 13:58:02 vpn kernel: Calibrating delay using timer 
> > > specific routine..
> > > 3592.77 BogoMIPS (lpj=17963870)
> > > Jun  5 13:58:02 vpn kernel: Security Framework v1.0.0 initialized
> > > Jun  5 13:58:02 vpn kernel: Capability LSM initialized
> > > Jun  5 13:58:02 vpn ipsec__plutorun: 104 
> > > "branch_40_to_centralbw_50" #1:
> > > STATE_MAIN_I1: initiate
> > > Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn
> > > "branch_40_to_centralbw_50"
> > > Jun  5 13:58:02 vpn kernel: Mount-cache hash table entries: 256
> > > Jun  5 13:58:02 vpn kernel: CPU: L1 I Cache: 64K (64 
> > > bytes/line), D cache
> > > 64K (64 bytes/line)
> > > Jun  5 13:58:02 vpn kernel: CPU: L2 Cache: 1024K (64 bytes/line)
> > > Jun  5 13:58:02 vpn kernel: Brought up 1 CPUs
> > > Jun  5 13:58:02 vpn kernel: migration_cost=0
> > > Jun  5 13:58:02 vpn kernel: checking if image is 
> initramfs... it is
> > > Jun  5 13:58:02 vpn kernel: Freeing initrd memory: 1859k freed
> > > Jun  5 13:58:02 vpn kernel: DMI not present or invalid.
> > > Jun  5 13:58:02 vpn kernel: Grant table initialized
> > > Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 16
> > > Jun  5 13:58:02 vpn kernel: Initializing CPU#1
> > > Jun  5 13:58:02 vpn kernel: migration_cost=967
> > > Jun  5 13:58:02 vpn kernel: Brought up 2 CPUs
> > > Jun  5 13:58:02 vpn kernel: PCI: setting up Xen PCI frontend stub
> > > Jun  5 13:58:02 vpn kernel: ACPI: Subsystem revision 20060127
> > > Jun  5 13:58:02 vpn kernel: ACPI: Interpreter disabled.
> > > Jun  5 13:58:02 vpn kernel: Linux Plug and Play Support v0.97 
> > > (c) Adam Belay
> > > Jun  5 13:58:02 vpn kernel: pnp: PnP ACPI: disabled
> > > Jun  5 13:58:02 vpn kernel: xen_mem: Initialising balloon driver.
> > > Jun  5 13:58:02 vpn kernel: PCI: System does not support PCI
> > > Jun  5 13:58:02 vpn kernel: PCI: System does not support PCI
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'system' has been 
> > > registered
> > > Jun  5 13:58:02 vpn kernel: IA-32 Microcode Update 
> Driver: v1.14-xen
> > > <tigran at veritas.com>
> > > Jun  5 13:58:02 vpn kernel: IA32 emulation $Id: sys_ia32.c,v 
> > > 1.32 2002/03/24
> > > 13:02:28 ak Exp $
> > > Jun  5 13:58:02 vpn kernel: audit: initializing netlink 
> > > socket (disabled)
> > > Jun  5 13:58:02 vpn kernel: audit(1181069856.905:1): initialized
> > > Jun  5 13:58:02 vpn kernel: VFS: Disk quotas dquot_6.5.1
> > > Jun  5 13:58:02 vpn kernel: Dquot-cache hash table entries: 
> > > 512 (order 0,
> > > 4096 bytes)
> > > Jun  5 13:58:02 vpn kernel: Initializing Cryptographic API
> > > Jun  5 13:58:02 vpn kernel: io scheduler noop registered
> > > Jun  5 13:58:02 vpn kernel: io scheduler anticipatory registered
> > > Jun  5 13:58:02 vpn kernel: io scheduler deadline registered
> > > Jun  5 13:58:02 vpn kernel: io scheduler cfq registered (default)
> > > Jun  5 13:58:02 vpn kernel: rtc: IRQ 8 is not free.
> > > Jun  5 13:58:02 vpn kernel: Non-volatile memory driver v1.2
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has 
> > > been registered
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has 
> > > been registered
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has been
> > > unregistered
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has been
> > > unregistered
> > > Jun  5 13:58:02 vpn kernel: PNP: No PS/2 controller found. 
> > > Probing ports
> > > directly.
> > > Jun  5 13:58:02 vpn kernel: i8042.c: No controller found.
> > > Jun  5 13:58:02 vpn kernel: RAMDISK driver initialized: 16 
> > > RAM disks of
> > > 16384K size 1024 blocksize
> > > Jun  5 13:58:02 vpn kernel: loop: loaded (max 8 devices)
> > > Jun  5 13:58:02 vpn kernel: Xen virtual console successfully 
> > > installed as
> > > tty1
> > > Jun  5 13:58:02 vpn kernel: Event-channel device installed.
> > > Jun  5 13:58:02 vpn kernel: netfront: Initialising virtual 
> > > ethernet driver.
> > > Jun  5 13:58:02 vpn kernel: Uniform Multi-Platform E-IDE 
> > > driver Revision:
> > > 7.00alpha2
> > > Jun  5 13:58:02 vpn kernel: ide: Assuming 50MHz system bus 
> > > speed for PIO
> > > modes; override with idebus=xx
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'ide' has been 
> > registered
> > > Jun  5 13:58:02 vpn kernel: mice: PS/2 mouse device common 
> > > for all mice
> > > Jun  5 13:58:02 vpn kernel: md: md driver 0.90.3 MAX_MD_DEVS=256,
> > > MD_SB_DISKS=27
> > > Jun  5 13:58:02 vpn kernel: md: bitmap version 4.39
> > > Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 2
> > > Jun  5 13:58:02 vpn kernel: netfront: device eth0 has 
> > > flipping receive path.
> > > Jun  5 13:58:02 vpn kernel: IP route cache hash table 
> > > entries: 4096 (order:
> > > 3, 32768 bytes)
> > > Jun  5 13:58:02 vpn kernel: TCP established hash table 
> > entries: 16384
> > > (order: 6, 262144 bytes)
> > > Jun  5 13:58:02 vpn kernel: TCP bind hash table entries: 
> > > 16384 (order: 6,
> > > 262144 bytes)
> > > Jun  5 13:58:02 vpn kernel: TCP: Hash tables configured 
> > > (established 16384
> > > bind 16384)
> > > Jun  5 13:58:02 vpn kernel: TCP reno registered
> > > Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 1
> > > Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 17
> > > Jun  5 13:58:02 vpn kernel: Registering block device major 8
> > > Jun  5 13:58:02 vpn kernel: kjournald starting.  Commit 
> > > interval 5 seconds
> > > Jun  5 13:58:02 vpn kernel: EXT3-fs: mounted filesystem with 
> > > ordered data
> > > mode.
> > > Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 10
> > > Jun  5 13:58:02 vpn kernel: lo: Disabled Privacy Extensions
> > > Jun  5 13:58:02 vpn kernel: IPv6 over IPv4 tunneling driver
> > > Jun  5 13:58:02 vpn kernel: pnp: the driver 'parport_pc' has 
> > > been registered
> > > Jun  5 13:58:02 vpn kernel: lp: driver loaded but no devices found
> > > Jun  5 13:58:02 vpn kernel: Adding 999416k swap on /dev/sda2. 
> > >  Priority:-1
> > > extents:1 across:999416k
> > > Jun  5 13:58:02 vpn kernel: EXT3 FS on sda1, internal journal
> > > Jun  5 13:58:02 vpn kernel: device-mapper: 4.5.0-ioctl 
> (2005-10-04)
> > > initialised: dm-devel at redhat.com
> > > Jun  5 13:58:02 vpn kernel: NET: Registered protocol family 15
> > > Jun  5 13:58:02 vpn kernel: Initializing IPsec netlink socket
> > > Jun  5 13:58:02 vpn ipsec__plutorun: 029 
> > > "centralbw_50_to_branch_40": cannot
> > > initiate connection without knowing peer IP address 
> > (kind=CK_TEMPLATE)
> > > Jun  5 13:58:02 vpn ipsec__plutorun: ...could not start conn
> > > "centralbw_50_to_branch_40"
> > > Jun  5 13:58:03 vpn kernel: eth0: no IPv6 routers present
> > > Jun  5 13:58:03 vpn ipsec_setup: Openswan IPsec apparently 
> > > already running,
> > > start aborted
> > > Jun  5 13:58:03 vpn /usr/sbin/cron[1554]: (CRON) INFO 
> > (pidfile fd = 3)
> > > Jun  5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) STARTUP (fork ok)
> > > Jun  5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) INFO 
> > > (Running @reboot jobs)
> > > 
> > > Hector
> > > 
> > > 
> > > -----Mensaje original-----
> > > De: Peter McGill [mailto:petermcgill at goco.net] 
> > > Enviado el: Martes, 05 de Junio de 2007 12:55 p.m.
> > > Para: 'IT Dept.'
> > > CC: users at openswan.org
> > > Asunto: RE: [Openswan Users] Subnets conmunication?
> > > 
> > > > -----Original Message-----
> > > > From: IT Dept. [mailto:it at technovation.com.sv] 
> > > > Sent: June 5, 2007 2:43 PM
> > > > To: petermcgill at goco.net
> > > > Cc: users at openswan.org
> > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > > 
> > > > root at vpn:~# ipsec version
> > > > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > > > See `ipsec --copyright' for copyright information.
> > > > root at vpn:~#
> > > > 
> > > > root at vpn:~# ipsec verify
> > > > Checking your system to see if IPsec got installed and 
> > > > started correctly:
> > > > Version check and ipsec on-path                           
> >       [OK]
> > > > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > > > Checking for IPsec support in kernel                      
> >       [OK]
> > > > Checking for RSA private key (/etc/ipsec.secrets)         
> >       [OK]
> > > > Checking that pluto is running                            
> >       [OK]
> > > > Two or more interfaces found, checking IP forwarding      
> >       [OK]
> > > > Checking NAT and MASQUERADEing                              
> > >     [N/A]
> > > > Checking for 'ip' command                                 
> >       [OK]
> > > > Checking for 'iptables' command                           
> >       [OK]
> > > > Checking for 'setkey' command for NETKEY IPsec stack 
> > support    [OK]
> > > > Opportunistic Encryption Support                              
> > > >   [DISABLED]
> > > > root at vpn:~#
> > > > 
> > > > root at vpn:~# ipsec eroute
> > > > /usr/lib/ipsec/eroute: NETKEY does not support eroute table.
> > > > root at vpn:~#
> > > 
> > > The above look ok, we don't need eroute it's just a easy 
> > way to check
> > > Tunnel status. But I will need some log info to determine 
> > > where error is.
> > > 
> > > egrep -e 'pluto' /var/log/*
> > > Filter by date/time to only get the recent restart and 
> connections.
> > > 
> > > > Ill be wait for your help....my boss wanna hang me...LOL
> > > > 
> > > > Regards
> > > > 
> > > > 	Hector
> > > > 
> > > > -----Mensaje original-----
> > > > De: Peter McGill [mailto:petermcgill at goco.net] 
> > > > Enviado el: Martes, 05 de Junio de 2007 12:37 p.m.
> > > > Para: 'IT Dept.'
> > > > CC: users at openswan.org
> > > > Asunto: RE: [Openswan Users] Subnets conmunication?
> > > > 
> > > > > -----Original Message-----
> > > > > From: IT Dept. [mailto:it at technovation.com.sv] 
> > > > > Sent: June 5, 2007 2:00 PM
> > > > > To: petermcgill at goco.net
> > > > > Cc: users at openswan.org
> > > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > > > Importance: High
> > > > > 
> > > > > Hi again...
> > > > > 
> > > > > 	Thanks for the your help....i cant get 
> > communication yet.
> > > > > 
> > > > > 	Here is my last conf...im only using two branches to 
> > > > > make it more
> > > > > simple...
> > > > > 
> > > > > 	# /etc/ipsec.conf - Openswan IPsec configuration file
> > > > > # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 
> > > paul Exp $
> > > > > 
> > > > > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> > > > > #
> > > > > # Manual:     ipsec.conf.5
> > > > > 
> > > > > 
> > > > > version	2.0	# conforms to second version of 
> > > > > ipsec.conf specification
> > > > > 
> > > > > # basic configuration
> > > > > config setup
> > > > > 	forwardcontrol=yes
> > > > > 	nat_traversal=yes
> > > > > 	# plutodebug / klipsdebug = "all", "none" or a 
> > > > > combation from below:
> > > > > 	# "raw crypt parsing emitting control klips pfkey natt 
> > > > > x509 private"
> > > > > 	# eg:
> > > > > 	# plutodebug="control parsing"
> > > > > 	#
> > > > > 	# Only enable klipsdebug=all if you are a developer
> > > > > 	#
> > > > > 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> > > > > 	# nat_traversal=yes
> > > > > 	# 
> > > > > 
> > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> > > > > 
> > > > > #Disable Opportunistic Encryption
> > > > > include /etc/ipsec.d/examples/no_oe.conf
> > > > > 
> > > > > conn branch_40
> > > > > 	also=branch_40_shared
> > > > > 	rightsubnet=192.168.40.0/24
> > > > > 	auto=start
> > > > > 
> > > > > conn centralbw_50
> > > > > 	also=centralbw_50_shared
> > > > >  	rightsubnet=192.168.50.0/24
> > > > >  	auto=add
> > > > > 
> > > > > conn branch_40_to_centralbw_50
> > > > > 	also=branch_40_shared
> > > > >  	leftsubnet=192.168.50.0/24
> > > > > 	rightsubnet=192.168.40.0/24
> > > > > 	auto=start
> > > > > 
> > > > > conn centralbw_50_to_branch_40
> > > > > 	also=centralbw_50_shared
> > > > > 	leftsubnet=192.168.40.0/24
> > > > >  	rightsubnet=192.168.50.0/24
> > > > >  	auto=add
> > > > > 
> > > > > conn branch_40_shared
> > > > >  	authby=secret
> > > > >  	compress=no
> > > > >  	ikelifetime=240m
> > > > >  	keyexchange=ike
> > > > >  	keylife=60m
> > > > >  	left=208.70.149.161
> > > > >  	leftnexthop=208.70.149.166
> > > > >  	pfs=yes
> > > > >  	right=190.53.0.113
> > > > >  	rightnexthop=190.53.0.1
> > > > > 
> > > > > conn centralbw_50_shared
> > > > >  	authby=secret
> > > > >  	compress=no
> > > > >  	ikelifetime=240m
> > > > >  	keyexchange=ike
> > > > >  	keylife=60m
> > > > >  	left=208.70.149.161
> > > > >  	leftnexthop=208.70.149.166
> > > > >         pfs=yes
> > > > >  	right=%any
> > > > > 
> > > > > 
> > > > > in auth.log I get that conn branch_40_shared starts fine, but 
> > > > > I need to
> > > > > manually start conn centralbw_50_shared from the linksys 
> > > > > router, and them
> > > > > the conn´s between dosent start...
> > > > 
> > > > First off the shared conn's should never be started, they're not
> > > > Real conn's just shared information used by other conn's.
> > > > Also it would be easier to test with the static ip sites, 
> > > rather than
> > > > Centralbw. With centralbw linksys must initiate the 
> > > > connection for it to
> > > > work.
> > > > 
> > > > Show us these outputs.
> > > > ipsec version
> > > > ipsec verify
> > > > ipsec eroute
> > > > 
> > > > Lastly, restart openswan, and reconnect the linksys tunnels.
> > > > Get the restart and connect logs by...
> > > > egrep -e 'pluto' /var/log/*
> > > > Filter by date/time to only get the recent restart and 
> > connections.
> > > 
> > > 
> > > 
> > > -- 
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition. 
> > > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release 
> > > Date: 04/06/2007
> > > 06:43 p.m.
> > > 
> > > 
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Building and Integrating Virtual Private Networks with Openswan: 
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> > > 7?n=283155
> > > 
> > > 
> > > -- 
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition. 
> > > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release 
> > > Date: 04/06/2007
> > > 06:43 p.m.
> > > 
> > > 
> 
> 
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition. 
> Version: 7.5.472 / Virus Database: 269.8.9/832 - Release 
> Date: 04/06/2007
> 06:43 p.m.
> 
> 



-- 
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.472 / Virus Database: 269.8.9/832 - Release Date: 04/06/2007
06:43 p.m.




More information about the Users mailing list