No subject


Tue Feb 5 18:22:43 EST 2013


$ sudo /etc/init.d/ipsec status
IPsec running  - pluto pid: 3040
pluto pid 3040
1 tunnels up
some eroutes exist

$ sudo ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.140.28.31
000 interface eth1/eth1 10.140.28.31
000 %myid =3D (none)
000 debug none
000 =20
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private=3D is empty. If you have
000          private address space in internal use, it should be excluded!
000 =20
000 algorithm ESP encrypt: id=3D2, name=3DESP_DES, ivlen=3D8, keysizemin=3D64,
keysizemax=3D64
000 algorithm ESP encrypt: id=3D3, name=3DESP_3DES, ivlen=3D8, keysizemin=3D192,
keysizemax=3D192
000 algorithm ESP encrypt: id=3D6, name=3DESP_CAST, ivlen=3D8, keysizemin=3D40,
keysizemax=3D128
000 algorithm ESP encrypt: id=3D7, name=3DESP_BLOWFISH, ivlen=3D8, keysizemin=3D40,
keysizemax=3D448
000 algorithm ESP encrypt: id=3D11, name=3DESP_NULL, ivlen=3D0, keysizemin=3D0,
keysizemax=3D0
000 algorithm ESP encrypt: id=3D12, name=3DESP_AES, ivlen=3D8, keysizemin=3D128,
keysizemax=3D256
000 algorithm ESP encrypt: id=3D13, name=3DESP_AES_CTR, ivlen=3D8, keysizemin=3D160=
,
keysizemax=3D288
000 algorithm ESP encrypt: id=3D14, name=3DESP_AES_CCM_A, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D15, name=3DESP_AES_CCM_B, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D16, name=3DESP_AES_CCM_C, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D18, name=3DESP_AES_GCM_A, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D19, name=3DESP_AES_GCM_B, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D20, name=3DESP_AES_GCM_C, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D22, name=3DESP_CAMELLIA, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D252, name=3DESP_SERPENT, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP encrypt: id=3D253, name=3DESP_TWOFISH, ivlen=3D8,
keysizemin=3D128, keysizemax=3D256
000 algorithm ESP auth attr: id=3D1, name=3DAUTH_ALGORITHM_HMAC_MD5,
keysizemin=3D128, keysizemax=3D128
000 algorithm ESP auth attr: id=3D2, name=3DAUTH_ALGORITHM_HMAC_SHA1,
keysizemin=3D160, keysizemax=3D160
000 algorithm ESP auth attr: id=3D5, name=3DAUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=3D256, keysizemax=3D256
000 algorithm ESP auth attr: id=3D6, name=3DAUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=3D384, keysizemax=3D384
000 algorithm ESP auth attr: id=3D7, name=3DAUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=3D512, keysizemax=3D512
000 algorithm ESP auth attr: id=3D8, name=3DAUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=3D160, keysizemax=3D160
000 algorithm ESP auth attr: id=3D9, name=3DAUTH_ALGORITHM_AES_CBC,
keysizemin=3D128, keysizemax=3D128
000 algorithm ESP auth attr: id=3D251, name=3D(null), keysizemin=3D0, keysizemax=3D=
0
000 =20
000 algorithm IKE encrypt: id=3D0, name=3D(null), blocksize=3D16, keydeflen=3D131
000 algorithm IKE encrypt: id=3D5, name=3DOAKLEY_3DES_CBC, blocksize=3D8,
keydeflen=3D192
000 algorithm IKE encrypt: id=3D7, name=3DOAKLEY_AES_CBC, blocksize=3D16,
keydeflen=3D128
000 algorithm IKE hash: id=3D1, name=3DOAKLEY_MD5, hashsize=3D16
000 algorithm IKE hash: id=3D2, name=3DOAKLEY_SHA1, hashsize=3D20
000 algorithm IKE dh group: id=3D2, name=3DOAKLEY_GROUP_MODP1024, bits=3D1024
000 algorithm IKE dh group: id=3D5, name=3DOAKLEY_GROUP_MODP1536, bits=3D1536
000 algorithm IKE dh group: id=3D14, name=3DOAKLEY_GROUP_MODP2048, bits=3D2048
000 algorithm IKE dh group: id=3D15, name=3DOAKLEY_GROUP_MODP3072, bits=3D3072
000 algorithm IKE dh group: id=3D16, name=3DOAKLEY_GROUP_MODP4096, bits=3D4096
000 algorithm IKE dh group: id=3D17, name=3DOAKLEY_GROUP_MODP6144, bits=3D6144
000 algorithm IKE dh group: id=3D18, name=3DOAKLEY_GROUP_MODP8192, bits=3D8192
000 algorithm IKE dh group: id=3D22, name=3DOAKLEY_GROUP_DH22, bits=3D1024
000 algorithm IKE dh group: id=3D23, name=3DOAKLEY_GROUP_DH23, bits=3D2048
000 algorithm IKE dh group: id=3D24, name=3DOAKLEY_GROUP_DH24, bits=3D2048
000 =20
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context=3D{0,0,0}
trans=3D{0,0,0} attrs=3D{0,0,0}
000 =20
000 "L2TP-PSK-NAT": 10.140.28.31[+S=3DC]:17/1701...%virtual[+S=3DC]:17/%any=3D=3D=3D?=
;
unrouted; eroute owner: #0
000 "L2TP-PSK-NAT":     myip=3Dunset; hisip=3Dunset;
000 "L2TP-PSK-NAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-NAT":   policy:
PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth1;=20
000 "L2TP-PSK-NAT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-NAT"[2]:
10.140.28.31[+S=3DC]:17/1701...10.140.28.60[@vpnclient.nnc,+S=3DC]:17/%any=3D=3D=3D?;
unrouted; eroute owner: #0
000 "L2TP-PSK-NAT"[2]:     myip=3Dunset; hisip=3Dunset;
000 "L2TP-PSK-NAT"[2]:   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-NAT"[2]:   policy:
PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth1;=20
000 "L2TP-PSK-NAT"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP-PSK-NAT"[2]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "L2TP-PSK-NAT"[4]:
10.140.28.31[+S=3DC]:17/1701...10.140.28.24[+S=3DC]:17/1701; erouted; eroute
owner: #5
000 "L2TP-PSK-NAT"[4]:     myip=3Dunset; hisip=3Dunset;
000 "L2TP-PSK-NAT"[4]:   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-NAT"[4]:   policy:
PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth1;=20
000 "L2TP-PSK-NAT"[4]:   newest ISAKMP SA: #4; newest IPsec SA: #5;
000 "L2TP-PSK-NAT"[4]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "L2TP-PSK-noNAT": 10.140.28.31[+S=3DC]:17/1701...%any[+S=3DC]:17/%any;
unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT":     myip=3Dunset; hisip=3Dunset;
000 "L2TP-PSK-noNAT":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT":   policy:
PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth1;=20
000 "L2TP-PSK-noNAT":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 =20
000 #1: "L2TP-PSK-NAT"[2] 10.140.28.60:500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_EXPIRE in 2740s; newest ISAKMP; lastdpd=3D-1s(seq
in:0 out:0); idle; import:not set
000 #5: "L2TP-PSK-NAT"[4] 10.140.28.24:500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 2916s; newest IPSEC; eroute owner;
isakmp#4; idle; import:not set
000 #5: "L2TP-PSK-NAT"[4] 10.140.28.24 esp.3fb0df2c at 10.140.28.24
esp.3506b476 at 10.140.28.31 ref=3D0 refhim=3D4294901761
000 #4: "L2TP-PSK-NAT"[4] 10.140.28.24:500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_EXPIRE in 3186s; newest ISAKMP; lastdpd=3D-1s(seq
in:0 out:0); idle; import:not set
000 =20

It seems the connection is established. But when I use tcpdump:

$ sudo tcpdump -n -i eth1 host 10.140.28.24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:22:12.598822 IP 10.140.28.24 > 10.140.28.31: ICMP echo request, id 52270=
,
seq 398, length 64
10:22:12.598859 IP 10.140.28.31 > 10.140.28.24: ICMP echo reply, id 52270,
seq 398, length 64
10:22:12.602598 IP 10.140.28.24.22 > 10.140.28.49.53191: Flags [P.], seq
2012340106:2012340218, ack 475592297, win 259, options [nop,nop,TS val
23110542 ecr 283571076], length 112
10:22:12.602620 IP 10.140.28.49.53191 > 10.140.28.24.22: Flags [.], ack 112=
,
win 8185, options [nop,nop,TS val 283572070 ecr 23110542], length 0
10:22:13.599315 IP 10.140.28.24 > 10.140.28.31: ICMP echo request, id 52270=
,
seq 399, length 64
10:22:13.599349 IP 10.140.28.31 > 10.140.28.24: ICMP echo reply, id 52270,
seq 399, length 64
10:22:13.601950 IP 10.140.28.24.22 > 10.140.28.49.53191: Flags [P.], seq
112:224, ack 1, win 259, options [nop,nop,TS val 23110792 ecr 283572070],
length 112
10:22:13.601975 IP 10.140.28.49.53191 > 10.140.28.24.22: Flags [.], ack 224=
,
win 8185, options [nop,nop,TS val 283573068 ecr 23110792], length 0
10:22:14.598912 IP 10.140.28.24 > 10.140.28.31: ICMP echo request, id 52270=
,
seq 400, length 64
10:22:14.598947 IP 10.140.28.31 > 10.140.28.24: ICMP echo reply, id 52270,
seq 400, length 64
10:22:14.602530 IP 10.140.28.24.22 > 10.140.28.49.53191: Flags [P.], seq
224:336, ack 1, win 259, options [nop,nop,TS val 23111042 ecr 283573068],
length 112
10:22:14.602556 IP 10.140.28.49.53191 > 10.140.28.24.22: Flags [.], ack 336=
,
win 8185, options [nop,nop,TS val 283574065 ecr 23111042], length 0

I only see the plain ICMP packets… no ESP.

The conn is type=transport with leftprotoport=17/1701 and rightprotoport=17/1701, so the SA's traffic selector only covers UDP port 1701 (L2TP). Is it expected that ICMP and other traffic fall outside that selector and go out in the clear, or what's wrong with my ipsec settings?
(When I used the same ipsec settings but added L2TP on top, I could see the ESP packets…)

Yiyun




--B_3443941938_1158296
Content-type: text/html;
	charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable

<html><head></head><body style=3D"word-wrap: break-word; -webkit-nbsp-mode: s=
pace; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size:=
 14px; font-family: Calibri, sans-serif; "><div>Hi,</div><div><br></div><div=
>I have a problem with a pure ipsec VPN on ubuntu to ubuntu both in the loca=
l network.</div><div>The ipsec connection has been established, but the data=
 does not encrypted!</div><div><br></div><div>HOST1: 10.140.28.31</div><div>=
<div>$ uname -vro</div><div>3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:41=
:14 UTC 2012 GNU/Linux</div></div><div><div><br></div><div>$ ipsec --version=
</div><div>Linux Openswan U2.6.37/K3.2.0-23-generic (netkey)</div><div>See `=
ipsec --copyright' for copyright information.</div></div><div><div><br></div=
><div>$ sudo ipsec verify</div><div>Checking your system to see if IPsec got=
 installed and started correctly:</div><div>Version check and ipsec on-path =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; &nbsp; &nbsp; <span class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>[OK]</div><div>Linux Openswan U2.6.37/K3.2.0-23-generic (netkey)</div=
><div>Checking for IPsec support in kernel &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=3D"Apple-tab-spa=
n" style=3D"white-space:pre">	</span>[OK]</div><div>&nbsp;SAref kernel support=
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class=3D"Apple=
-tab-span" style=3D"white-space:pre">	</span>[N/A]</div><div>&nbsp;NETKEY: &nb=
sp;Testing XFRM related proc values &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp;<span class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>[OK]</div><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>[OK]</div><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>[OK]</div><div>Checking that pluto is running &nbsp; &nbsp; &nbsp; &n=
bsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &=
nbsp;<span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>[OK]</div>=
<div>&nbsp;Pluto listening for IKE on udp 500 &nbsp; &nbsp; &nbsp; &nbsp; &n=
bsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class=3D"Apple-tab=
-span" style=3D"white-space:pre">	</span>[OK]</div><div>&nbsp;Pluto listening =
for NAT-T on udp 4500 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp;<span class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>[OK]</div><div>Checking for 'ip' command &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; &nbsp; <span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>=
[OK]</div><div>Checking /bin/sh is not /bin/dash &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class=3D=
"Apple-tab-span" style=3D"white-space:pre">	</span>[WARNING]</div><div>Checkin=
g for 'iptables' command &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &n=
bsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span>[OK]</div><div>Opportunistic Encryption Supp=
ort &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &n=
bsp; &nbsp; &nbsp; &nbsp;<span class=3D"Apple-tab-span" style=3D"white-space:pre=
">	</span>[DISABLED]</div></div><div><br></div><div>$sudo cat /etc/ipsec.con=
f</div><div><div>version<span class=3D"Apple-tab-span" style=3D"white-space:pre"=
>	</span>2.0<span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span># c=
onforms to second version of ipsec.conf specification</div><div><br></div><d=
iv># basic configuration</div><div>config setup</div><div><span class=3D"Apple=
-tab-span" style=3D"white-space:pre">	</span>nat_traversal=3Dyes</div><div><span=
 class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>virtual_private=3D%v4:=
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</div><div><span class=3D"Apple=
-tab-span" style=3D"white-space: pre; ">	</span>oe=3Doff</div><div><span class=3D"=
Apple-tab-span" style=3D"white-space:pre">	</span>protostack=3Dnetkey</div><div>=
<span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span></div><div>conn=
 L2TP-PSK-NAT</div><div>&nbsp; &nbsp; rightsubnet=3Dvhost:%priv</div><div>&nbs=
p; &nbsp; also=3DL2TP-PSK-noNAT</div><div><br></div><div>conn L2TP-PSK-noNAT</=
div><div>&nbsp; &nbsp; authby=3Dsecret</div><div>&nbsp; &nbsp; pfs=3Dno</div><di=
v>&nbsp; &nbsp; auto=3Dadd</div><div>&nbsp; &nbsp; keyingtries=3D3</div><div>&nb=
sp; &nbsp; rekey=3Dno</div><div>&nbsp; &nbsp; ikelifetime=3D8h</div><div>&nbsp; =
&nbsp; keylife=3D1h</div><div>&nbsp; &nbsp; type=3Dtransport</div><div>&nbsp; &n=
bsp; left=3D%defaultroute</div><div>&nbsp; &nbsp; leftprotoport=3D17/1701</div><=
div>&nbsp; &nbsp; right=3D%any</div><div>&nbsp; &nbsp; rightprotoport=3D17/%any<=
/div></div><div><br></div><div>$ ifconfig</div><div><div>eth1 &nbsp; &nbsp; =
&nbsp;Link encap:Ethernet &nbsp;HWaddr 08:00:27:4c:34:16 &nbsp;</div><div>&n=
bsp; &nbsp; &nbsp; &nbsp; &nbsp; inet addr:10.140.28.31 &nbsp;Bcast:10.140.2=
8.255 &nbsp;Mask:255.255.255.0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
inet6 addr: fe80::a00:27ff:fe4c:3416/64 Scope:Link</div><div>&nbsp; &nbsp; &=
nbsp; &nbsp; &nbsp; UP BROADCAST RUNNING MULTICAST &nbsp;MTU:1430 &nbsp;Metr=
ic:1</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; RX packets:2715 errors:0 d=
ropped:0 overruns:0 frame:0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TX =
packets:944 errors:0 dropped:0 overruns:0 carrier:0</div><div>&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; collisions:0 txqueuelen:1000&nbsp;</div><div>&nbsp; &nb=
sp; &nbsp; &nbsp; &nbsp; RX bytes:432896 (432.8 KB) &nbsp;TX bytes:134994 (1=
34.9 KB)</div><div><br></div><div>lo &nbsp; &nbsp; &nbsp; &nbsp;Link encap:L=
ocal Loopback &nbsp;</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; inet addr:=
127.0.0.1 &nbsp;Mask:255.0.0.0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
inet6 addr: ::1/128 Scope:Host</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
UP LOOPBACK RUNNING &nbsp;MTU:16436 &nbsp;Metric:1</div><div>&nbsp; &nbsp; &=
nbsp; &nbsp; &nbsp; RX packets:30 errors:0 dropped:0 overruns:0 frame:0</div=
><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TX packets:30 errors:0 dropped:0 ov=
erruns:0 carrier:0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; collisions:0=
 txqueuelen:0&nbsp;</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; RX bytes:24=
82 (2.4 KB) &nbsp;TX bytes:2482 (2.4 KB)</div></div><div><br></div><div><div=
>$ sudo /etc/init.d/ipsec restart</div><div>ipsec_setup: Stopping Openswan I=
Psec...</div><div>ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-23-gen=
eric&#8230;</div></div><div><br></div><div>HOST2: 10.140.28.24</div><div>$un=
ame &#8211;vro</div><div>2.6.32-45-generic #102-Ubuntu SMP Wed Jan 2 21:53:0=
6 UTC 2013 GNU/Linux</div><div><br></div><div>$ipsec &#8212;version</div><di=
v><div>Linux Openswan U2.6.23/K2.6.32-45-generic (netkey)</div><div>See `ips=
ec --copyright' for copyright information.</div></div><div><br></div><div>$s=
udo ipsec verify</div><div><div>Checking your system to see if IPsec got ins=
talled and started correctly:</div><div>Version check and ipsec on-path &nbs=
p; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nb=
sp; &nbsp; &nbsp; <span class=3D"Apple-tab-span" style=3D"white-space:pre">	</sp=
an>[OK]</div><div>Linux Openswan U2.6.23/K2.6.32-45-generic (netkey)</div><d=
iv>Checking for IPsec support in kernel &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &=
nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span>[OK]</div><div>NETKEY detected, testing for =
disabled ICMP send_redirects &nbsp; <span class=3D"Apple-tab-span" style=3D"whit=
e-space:pre">	</span>[OK]</div><div>NETKEY detected, testing for disabled IC=
MP accept_redirects <span class=3D"Apple-tab-span" style=3D"white-space:pre">	</=
span>[OK]</div><div>Checking for RSA private key (/etc/ipsec.secrets) &nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; <span class=3D"Apple-tab-span" style=3D"white-space=
:pre">	</span>[OK]</div><div>Checking that pluto is running &nbsp; &nbsp; &n=
bsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &=
nbsp; &nbsp;<span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>[OK=
]</div><div>Pluto listening for IKE on udp 500 &nbsp; &nbsp; &nbsp; &nbsp; &=
nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=3D"Ap=
ple-tab-span" style=3D"white-space:pre">	</span>[OK]</div><div>Pluto listening=
 for NAT-T on udp 4500 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbs=
p; &nbsp; &nbsp; &nbsp; <span class=3D"Apple-tab-span" style=3D"white-space:pre"=
>	</span>[OK]</div><div>Checking for 'ip' command &nbsp; &nbsp; &nbsp; &nbsp=
; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbs=
p; &nbsp; &nbsp; <span class=3D"Apple-tab-span" style=3D"white-space:pre">	</spa=
n>[OK]</div><div>Checking for 'iptables' command &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <span=
 class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>[OK]</div><div>Oppor=
tunistic Encryption Support &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<span class=3D"Apple-tab-span=
" style=3D"white-space:pre">	</span>[DISABLED]</div></div><div><br></div><div>=
$sudo cat /etc/ipsec.conf</div><div><div>version<span class=3D"Apple-tab-span"=
 style=3D"white-space:pre">	</span>2.0<span class=3D"Apple-tab-span" style=3D"whit=
e-space:pre">	</span># conforms to second version of ipsec.conf specificatio=
n</div><div><br></div><div># basic configuration</div><div>config setup</div=
><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>nat_trave=
rsal=3Dyes</div><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</s=
pan>virtual_private=3D%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</div=
><div><span class=3D"Apple-tab-span" style=3D"white-space: pre; ">	</span>oe=3Doff=
</div><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>prot=
ostack=3Dnetkey</div><div><br></div><div>conn ipsecVPN&nbsp;</div><div><span c=
lass=3D"Apple-tab-span" style=3D"white-space:pre">	</span>authby=3Dsecret</div><di=
v><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>pfs=3Dno</div><=
div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>auto=3Dadd</d=
iv><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>rekey=3Dy=
es</div><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>ty=
pe=3Dtransport</div><div><span class=3D"Apple-tab-span" style=3D"white-space:pre">=
	</span>left=3D%defaultroute</div><div><span class=3D"Apple-tab-span" style=3D"whi=
te-space:pre">	</span>leftprotoport=3D17/1701</div><div><span class=3D"Apple-tab=
-span" style=3D"white-space:pre">	</span>right=3D10.140.28.31</div><div><span cl=
ass=3D"Apple-tab-span" style=3D"white-space:pre">	</span>rightprotoport=3D17/1701<=
/div></div><div><br></div><div><div>$ ifconfig</div><div>eth0 &nbsp; &nbsp; =
&nbsp;Link encap:Ethernet &nbsp;HWaddr 00:21:5a:14:1c:f6 &nbsp;</div><div>&n=
bsp; &nbsp; &nbsp; &nbsp; &nbsp; inet addr:10.140.28.24 &nbsp;Bcast:10.140.2=
8.255 &nbsp;Mask:255.255.255.0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
inet6 addr: fe80::221:5aff:fe14:1cf6/64 Scope:Link</div><div>&nbsp; &nbsp; &=
nbsp; &nbsp; &nbsp; UP BROADCAST RUNNING MULTICAST &nbsp;MTU:1430 &nbsp;Metr=
ic:1</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; RX packets:295957 errors:0=
 dropped:0 overruns:0 frame:0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; T=
X packets:65073 errors:0 dropped:0 overruns:0 carrier:0</div><div>&nbsp; &nb=
sp; &nbsp; &nbsp; &nbsp; collisions:0 txqueuelen:1000&nbsp;</div><div>&nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; RX bytes:144176320 (144.1 MB) &nbsp;TX bytes:44=
25554 (4.4 MB)</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Interrupt:26 Bas=
e address:0x8000&nbsp;</div><div><br></div><div>lo &nbsp; &nbsp; &nbsp; &nbs=
p;Link encap:Local Loopback &nbsp;</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nb=
sp; inet addr:127.0.0.1 &nbsp;Mask:255.0.0.0</div><div>&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; inet6 addr: ::1/128 Scope:Host</div><div>&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; UP LOOPBACK RUNNING &nbsp;MTU:16436 &nbsp;Metric:1</div><div>&=
nbsp; &nbsp; &nbsp; &nbsp; &nbsp; RX packets:898 errors:0 dropped:0 overruns=
:0 frame:0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TX packets:898 error=
s:0 dropped:0 overruns:0 carrier:0</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &nb=
sp; collisions:0 txqueuelen:0&nbsp;</div><div>&nbsp; &nbsp; &nbsp; &nbsp; &n=
bsp; RX bytes:418304 (418.3 KB) &nbsp;TX bytes:418304 (418.3 KB)</div></div>=
<div><br></div><div>$ sudo /etc/init.d/ipsec restart</div><div><div>ipsec_se=
tup: Stopping Openswan IPsec...</div><div>ipsec_setup: Starting Openswan IPs=
ec U2.6.23/K2.6.32-45-generic...</div></div><div><br></div><div><div>$ sudo =
ipsec auto --up ipsecVPN</div><div>104 "ipsecVPN" #1: STATE_MAIN_I1: initiat=
e</div><div>003 "ipsecVPN" #1: ignoring unknown Vendor ID payload [4f45755c6=
45c6a795c5c6170]</div><div>003 "ipsecVPN" #1: received Vendor ID payload [De=
ad Peer Detection]</div><div>003 "ipsecVPN" #1: received Vendor ID payload [=
RFC 3947] method set to=3D109&nbsp;</div><div>106 "ipsecVPN" #1: STATE_MAIN_I2=
: sent MI2, expecting MR2</div><div>003 "ipsecVPN" #1: NAT-Traversal: Result=
 using RFC 3947 (NAT-Traversal): no NAT detected</div><div>108 "ipsecVPN" #1=
: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>003 "ipsecVPN" #1: receiv=
ed Vendor ID payload [CAN-IKEv2]</div><div>004 "ipsecVPN" #1: STATE_MAIN_I4:=
 ISAKMP SA established {auth=3DOAKLEY_PRESHARED_KEY cipher=3Daes_128 prf=3Doakley_=
sha group=3Dmodp2048}</div><div>117 "ipsecVPN" #2: STATE_QUICK_I1: initiate</d=
iv><div>004 "ipsecVPN" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tr=
ansport mode {ESP=3D&gt;0x3506b476 &lt;0x3fb0df2c xfrm=3DAES_128-HMAC_SHA1 NATOA=
=3Dnone NATD=3Dnone DPD=3Dnone}</div></div><div><br></div><div><div>$ sudo /etc/in=
it.d/ipsec status</div><div>IPsec stopped</div><div>but...</div><div>has /va=
r/run/pluto/ipsec.info file!</div><div>An normal Pluto is active?</div><div>=
some (1) eroutes exist!</div></div><div><br></div><div><div>$ sudo ipsec aut=
o --status</div><div>000 using kernel interface: netkey</div><div>000 interf=
ace lo/lo ::1</div><div>000 interface lo/lo 127.0.0.1</div><div>000 interfac=
e lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 10.140.28.24</div><div>0=
00 interface eth0/eth0 10.140.28.24</div><div>000 %myid =3D (none)</div><div>0=
00 debug none</div><div>000 &nbsp;</div><div>000 virtual_private (%priv):</d=
iv><div>000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12</=
div><div>000 - disallowed 0 subnets:&nbsp;</div><div>000 WARNING: Either vir=
tual_private=3D was not specified, or there was a syntax&nbsp;</div><div>000 &=
nbsp; &nbsp; &nbsp; &nbsp; &nbsp;error in that line. 'left/rightsubnet=3D%priv=
' will not work!</div><div>000 &nbsp;</div><div>000 algorithm ESP encrypt: i=
d=3D2, name=3DESP_DES, ivlen=3D8, keysizemin=3D64, keysizemax=3D64</div><div>000 algor=
ithm ESP encrypt: id=3D3, name=3DESP_3DES, ivlen=3D8, keysizemin=3D192, keysizemax=3D1=
92</div><div>000 algorithm ESP encrypt: id=3D6, name=3DESP_CAST, ivlen=3D8, keysiz=
emin=3D40, keysizemax=3D128</div><div>000 algorithm ESP encrypt: id=3D7, name=3DESP_=
BLOWFISH, ivlen=3D8, keysizemin=3D40, keysizemax=3D448</div><div>000 algorithm ESP=
 encrypt: id=3D11, name=3DESP_NULL, ivlen=3D0, keysizemin=3D0, keysizemax=3D0</div><di=
v>000 algorithm ESP encrypt: id=3D12, name=3DESP_AES, ivlen=3D8, keysizemin=3D128, k=
eysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D13, name=3DESP_AES_CTR, =
ivlen=3D8, keysizemin=3D160, keysizemax=3D288</div><div>000 algorithm ESP encrypt:=
 id=3D14, name=3DESP_AES_CCM_A, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><di=
v>000 algorithm ESP encrypt: id=3D15, name=3DESP_AES_CCM_B, ivlen=3D8, keysizemin=3D=
128, keysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D16, name=3DESP_AES=
_CCM_C, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP =
encrypt: id=3D18, name=3DESP_AES_GCM_A, ivlen=3D8, keysizemin=3D128, keysizemax=3D256<=
/div><div>000 algorithm ESP encrypt: id=3D19, name=3DESP_AES_GCM_B, ivlen=3D8, key=
sizemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D20, name=
=3DESP_AES_GCM_C, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 algori=
thm ESP encrypt: id=3D22, name=3DESP_CAMELLIA, ivlen=3D8, keysizemin=3D128, keysizem=
ax=3D256</div><div>000 algorithm ESP encrypt: id=3D252, name=3DESP_SERPENT, ivlen=3D=
8, keysizemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D25=
3, name=3DESP_TWOFISH, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 a=
lgorithm ESP auth attr: id=3D1, name=3DAUTH_ALGORITHM_HMAC_MD5, keysizemin=3D128, =
keysizemax=3D128</div><div>000 algorithm ESP auth attr: id=3D2, name=3DAUTH_ALGORI=
THM_HMAC_SHA1, keysizemin=3D160, keysizemax=3D160</div><div>000 algorithm ESP au=
th attr: id=3D5, name=3DAUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=3D256, keysizemax=
=3D256</div><div>000 algorithm ESP auth attr: id=3D8, name=3DAUTH_ALGORITHM_HMAC_R=
IPEMD, keysizemin=3D160, keysizemax=3D160</div><div>000 algorithm ESP auth attr:=
 id=3D9, name=3DAUTH_ALGORITHM_AES_CBC, keysizemin=3D128, keysizemax=3D128</div><div=
>000 algorithm ESP auth attr: id=3D251, name=3D(null), keysizemin=3D0, keysizemax=3D=
0</div><div>000 &nbsp;</div><div>000 algorithm IKE encrypt: id=3D0, name=3D(null=
), blocksize=3D16, keydeflen=3D131</div><div>000 algorithm IKE encrypt: id=3D3, na=
me=3DOAKLEY_BLOWFISH_CBC, blocksize=3D8, keydeflen=3D128</div><div>000 algorithm I=
KE encrypt: id=3D5, name=3DOAKLEY_3DES_CBC, blocksize=3D8, keydeflen=3D192</div><div=
>000 algorithm IKE encrypt: id=3D7, name=3DOAKLEY_AES_CBC, blocksize=3D16, keydefl=
en=3D128</div><div>000 algorithm IKE encrypt: id=3D65004, name=3DOAKLEY_SERPENT_CB=
C, blocksize=3D16, keydeflen=3D128</div><div>000 algorithm IKE encrypt: id=3D65005=
, name=3DOAKLEY_TWOFISH_CBC, blocksize=3D16, keydeflen=3D128</div><div>000 algorit=
hm IKE encrypt: id=3D65289, name=3DOAKLEY_TWOFISH_CBC_SSH, blocksize=3D16, keydefl=
en=3D128</div><div>000 algorithm IKE hash: id=3D1, name=3DOAKLEY_MD5, hashsize=3D16<=
/div><div>000 algorithm IKE hash: id=3D2, name=3DOAKLEY_SHA1, hashsize=3D20</div><=
div>000 algorithm IKE hash: id=3D4, name=3DOAKLEY_SHA2_256, hashsize=3D32</div><di=
v>000 algorithm IKE hash: id=3D6, name=3DOAKLEY_SHA2_512, hashsize=3D64</div><div>=
000 algorithm IKE dh group: id=3D2, name=3DOAKLEY_GROUP_MODP1024, bits=3D1024</div=
><div>000 algorithm IKE dh group: id=3D5, name=3DOAKLEY_GROUP_MODP1536, bits=3D153=
6</div><div>000 algorithm IKE dh group: id=3D14, name=3DOAKLEY_GROUP_MODP2048, b=
its=3D2048</div><div>000 algorithm IKE dh group: id=3D15, name=3DOAKLEY_GROUP_MODP=
3072, bits=3D3072</div><div>000 algorithm IKE dh group: id=3D16, name=3DOAKLEY_GRO=
UP_MODP4096, bits=3D4096</div><div>000 algorithm IKE dh group: id=3D17, name=3DOAK=
LEY_GROUP_MODP6144, bits=3D6144</div><div>000 algorithm IKE dh group: id=3D18, n=
ame=3DOAKLEY_GROUP_MODP8192, bits=3D8192</div><div>000 &nbsp;</div><div>000 stat=
s db_ops: {curr_cnt, total_cnt, maxsz} :context=3D{0,0,0} trans=3D{0,0,0} attrs=3D=
{0,0,0}&nbsp;</div><div>000 &nbsp;</div><div>000 "ipsecVPN": 10.140.28.24[+S=
=3DC]:17/1701...10.140.28.31&lt;10.140.28.31&gt;[+S=3DC]:17/1701; erouted; erout=
e owner: #2</div><div>000 "ipsecVPN": &nbsp; &nbsp; myip=3Dunset; hisip=3Dunset;=
</div><div>000 "ipsecVPN": &nbsp; ike_life: 3600s; ipsec_life: 28800s; rekey=
_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "ipsecVPN": &n=
bsp; policy: PSK+ENCRYPT+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: et=
h0;&nbsp;</div><div>000 "ipsecVPN": &nbsp; newest ISAKMP SA: #1; newest IPse=
c SA: #2;&nbsp;</div><div>000 "ipsecVPN": &nbsp; IKE algorithm newest: AES_C=
BC_128-SHA1-MODP2048</div><div>000 &nbsp;</div><div>000 #2: "ipsecVPN":500 S=
TATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27907s; =
newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate</div><div>=
000 #2: "ipsecVPN" esp.3506b476 at 10.140.28.31 esp.3fb0df2c at 10.140.28.24 ref=3D0=
 refhim=3D4294901761</div><div>000 #1: "ipsecVPN":500 STATE_MAIN_I4 (ISAKMP SA=
 established); EVENT_SA_REPLACE in 2632s; newest ISAKMP; lastdpd=3D-1s(seq in:=
0 out:0); idle; import:admin initiate</div><div>000 &nbsp;</div></div><div><=
br></div><div><div>$ ping 10.140.28.31</div><div>PING 10.140.28.31 (10.140.2=
8.31) 56(84) bytes of data.</div><div>64 bytes from 10.140.28.31: icmp_seq=3D1=
 ttl=3D64 time=3D1.03 ms</div><div>64 bytes from 10.140.28.31: icmp_seq=3D2 ttl=3D64=
 time=3D0.668 ms</div><div>64 bytes from 10.140.28.31: icmp_seq=3D3 ttl=3D64 time=3D=
1.24 ms</div><div>64 bytes from 10.140.28.31: icmp_seq=3D4 ttl=3D64 time=3D0.890 m=
s</div></div><div>&#8230;&#8230;</div><div><br></div><div><br></div><div>Fro=
m the server side(10.140.28.24)</div><div><div>$ sudo /etc/init.d/ipsec stat=
us</div><div>IPsec running &nbsp;- pluto pid: 3040</div><div>pluto pid 3040<=
/div><div>1 tunnels up</div><div>some eroutes exist</div></div><div><br></di=
v><div><div>$ sudo ipsec auto --status</div><div>000 using kernel interface:=
 netkey</div><div>000 interface lo/lo ::1</div><div>000 interface lo/lo 127.=
0.0.1</div><div>000 interface lo/lo 127.0.0.1</div><div>000 interface eth1/e=
th1 10.140.28.31</div><div>000 interface eth1/eth1 10.140.28.31</div><div>00=
0 %myid =3D (none)</div><div>000 debug none</div><div>000 &nbsp;</div><div>000=
 virtual_private (%priv):</div><div>000 - allowed 3 subnets: 10.0.0.0/8, 192=
.168.0.0/16, 172.16.0.0/12</div><div>000 - disallowed 0 subnets:&nbsp;</div>=
<div>000 WARNING: Disallowed subnets in virtual_private=3D is empty. If you ha=
ve&nbsp;</div><div>000 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;private address spa=
ce in internal use, it should be excluded!</div><div>000 &nbsp;</div><div>00=
0 algorithm ESP encrypt: id=3D2, name=3DESP_DES, ivlen=3D8, keysizemin=3D64, keysize=
max=3D64</div><div>000 algorithm ESP encrypt: id=3D3, name=3DESP_3DES, ivlen=3D8, ke=
ysizemin=3D192, keysizemax=3D192</div><div>000 algorithm ESP encrypt: id=3D6, name=
=3DESP_CAST, ivlen=3D8, keysizemin=3D40, keysizemax=3D128</div><div>000 algorithm ES=
P encrypt: id=3D7, name=3DESP_BLOWFISH, ivlen=3D8, keysizemin=3D40, keysizemax=3D448</=
div><div>000 algorithm ESP encrypt: id=3D11, name=3DESP_NULL, ivlen=3D0, keysizemi=
n=3D0, keysizemax=3D0</div><div>000 algorithm ESP encrypt: id=3D12, name=3DESP_AES, =
ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP encrypt:=
 id=3D13, name=3DESP_AES_CTR, ivlen=3D8, keysizemin=3D160, keysizemax=3D288</div><div>=
000 algorithm ESP encrypt: id=3D14, name=3DESP_AES_CCM_A, ivlen=3D8, keysizemin=3D12=
8, keysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D15, name=3DESP_AES_C=
CM_B, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP en=
crypt: id=3D16, name=3DESP_AES_CCM_C, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</d=
iv><div>000 algorithm ESP encrypt: id=3D18, name=3DESP_AES_GCM_A, ivlen=3D8, keysi=
zemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D19, name=3DE=
SP_AES_GCM_B, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 algorith=
m ESP encrypt: id=3D20, name=3DESP_AES_GCM_C, ivlen=3D8, keysizemin=3D128, keysizema=
x=3D256</div><div>000 algorithm ESP encrypt: id=3D22, name=3DESP_CAMELLIA, ivlen=3D8=
, keysizemin=3D128, keysizemax=3D256</div><div>000 algorithm ESP encrypt: id=3D252=
, name=3DESP_SERPENT, ivlen=3D8, keysizemin=3D128, keysizemax=3D256</div><div>000 al=
gorithm ESP encrypt: id=3D253, name=3DESP_TWOFISH, ivlen=3D8, keysizemin=3D128, keys=
izemax=3D256</div><div>000 algorithm ESP auth attr: id=3D1, name=3DAUTH_ALGORITHM_=
HMAC_MD5, keysizemin=3D128, keysizemax=3D128</div><div>000 algorithm ESP auth at=
tr: id=3D2, name=3DAUTH_ALGORITHM_HMAC_SHA1, keysizemin=3D160, keysizemax=3D160</div=
><div>000 algorithm ESP auth attr: id=3D5, name=3DAUTH_ALGORITHM_HMAC_SHA2_256, =
keysizemin=3D256, keysizemax=3D256</div><div>000 algorithm ESP auth attr: id=3D6, =
name=3DAUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=3D384, keysizemax=3D384</div><div>=
000 algorithm ESP auth attr: id=3D7, name=3DAUTH_ALGORITHM_HMAC_SHA2_512, keysiz=
emin=3D512, keysizemax=3D512</div><div>000 algorithm ESP auth attr: id=3D8, name=3DA=
UTH_ALGORITHM_HMAC_RIPEMD, keysizemin=3D160, keysizemax=3D160</div><div>000 algo=
rithm ESP auth attr: id=3D9, name=3DAUTH_ALGORITHM_AES_CBC, keysizemin=3D128, keys=
izemax=3D128</div><div>000 algorithm ESP auth attr: id=3D251, name=3D(null), keysi=
zemin=3D0, keysizemax=3D0</div><div>000 &nbsp;</div><div>000 algorithm IKE encry=
pt: id=3D0, name=3D(null), blocksize=3D16, keydeflen=3D131</div><div>000 algorithm I=
KE encrypt: id=3D5, name=3DOAKLEY_3DES_CBC, blocksize=3D8, keydeflen=3D192</div><div=
>000 algorithm IKE encrypt: id=3D7, name=3DOAKLEY_AES_CBC, blocksize=3D16, keydefl=
en=3D128</div><div>000 algorithm IKE hash: id=3D1, name=3DOAKLEY_MD5, hashsize=3D16<=
/div><div>000 algorithm IKE hash: id=3D2, name=3DOAKLEY_SHA1, hashsize=3D20</div><=
div>000 algorithm IKE dh group: id=3D2, name=3DOAKLEY_GROUP_MODP1024, bits=3D1024<=
/div><div>000 algorithm IKE dh group: id=3D5, name=3DOAKLEY_GROUP_MODP1536, bits=
=3D1536</div><div>000 algorithm IKE dh group: id=3D14, name=3DOAKLEY_GROUP_MODP204=
8, bits=3D2048</div><div>000 algorithm IKE dh group: id=3D15, name=3DOAKLEY_GROUP_=
MODP3072, bits=3D3072</div><div>000 algorithm IKE dh group: id=3D16, name=3DOAKLEY=
_GROUP_MODP4096, bits=3D4096</div><div>000 algorithm IKE dh group: id=3D17, name=
=3DOAKLEY_GROUP_MODP6144, bits=3D6144</div><div>000 algorithm IKE dh group: id=3D1=
8, name=3DOAKLEY_GROUP_MODP8192, bits=3D8192</div><div>000 algorithm IKE dh grou=
p: id=3D22, name=3DOAKLEY_GROUP_DH22, bits=3D1024</div><div>000 algorithm IKE dh g=
roup: id=3D23, name=3DOAKLEY_GROUP_DH23, bits=3D2048</div><div>000 algorithm IKE d=
h group: id=3D24, name=3DOAKLEY_GROUP_DH24, bits=3D2048</div><div>000 &nbsp;</div>=
<div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context=3D{0,0,0} trans=3D{=
0,0,0} attrs=3D{0,0,0}&nbsp;</div><div>000 &nbsp;</div><div>000 "L2TP-PSK-NAT"=
: 10.140.28.31[+S=3DC]:17/1701...%virtual[+S=3DC]:17/%any=3D=3D=3D?; unrouted; eroute =
owner: #0</div><div>000 "L2TP-PSK-NAT": &nbsp; &nbsp; myip=3Dunset; hisip=3Dunse=
t;</div><div>000 "L2TP-PSK-NAT": &nbsp; ike_life: 28800s; ipsec_life: 3600s;=
 rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3</div><div>000 "L2TP-PS=
K-NAT": &nbsp; policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD=
; prio: 32,32; interface: eth1;&nbsp;</div><div>000 "L2TP-PSK-NAT": &nbsp; n=
ewest ISAKMP SA: #0; newest IPsec SA: #0;&nbsp;</div><div>000 "L2TP-PSK-NAT"=
[2]: 10.140.28.31[+S=3DC]:17/1701...10.140.28.60[@vpnclient.nnc,+S=3DC]:17/%any=3D=
=3D=3D?; unrouted; eroute owner: #0</div><div>000 "L2TP-PSK-NAT"[2]: &nbsp; &nbs=
p; myip=3Dunset; hisip=3Dunset;</div><div>000 "L2TP-PSK-NAT"[2]: &nbsp; ike_life=
: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtri=
es: 3</div><div>000 "L2TP-PSK-NAT"[2]: &nbsp; policy: PSK+ENCRYPT+DONTREKEY+=
IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth1;&nbsp;</div><d=
iv>000 "L2TP-PSK-NAT"[2]: &nbsp; newest ISAKMP SA: #1; newest IPsec SA: #0;&=
nbsp;</div><div>000 "L2TP-PSK-NAT"[2]: &nbsp; IKE algorithm newest: AES_CBC_=
128-SHA1-MODP2048</div><div>000 "L2TP-PSK-NAT"[4]: 10.140.28.31[+S=3DC]:17/170=
1...10.140.28.24[+S=3DC]:17/1701; erouted; eroute owner: #5</div><div>000 "L2T=
P-PSK-NAT"[4]: &nbsp; &nbsp; myip=3Dunset; hisip=3Dunset;</div><div>000 "L2TP-PS=
K-NAT"[4]: &nbsp; ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; r=
ekey_fuzz: 100%; keyingtries: 3</div><div>000 "L2TP-PSK-NAT"[4]: &nbsp; poli=
cy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; inte=
rface: eth1;&nbsp;</div><div>000 "L2TP-PSK-NAT"[4]: &nbsp; newest ISAKMP SA:=
 #4; newest IPsec SA: #5;&nbsp;</div><div>000 "L2TP-PSK-NAT"[4]: &nbsp; IKE =
algorithm newest: AES_CBC_128-SHA1-MODP2048</div><div>000 "L2TP-PSK-noNAT": =
10.140.28.31[+S=3DC]:17/1701...%any[+S=3DC]:17/%any; unrouted; eroute owner: #0<=
/div><div>000 "L2TP-PSK-noNAT": &nbsp; &nbsp; myip=3Dunset; hisip=3Dunset;</div>=
<div>000 "L2TP-PSK-noNAT": &nbsp; ike_life: 28800s; ipsec_life: 3600s; rekey=
_margin: 540s; rekey_fuzz: 100%; keyingtries: 3</div><div>000 "L2TP-PSK-noNA=
T": &nbsp; policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; pr=
io: 32,32; interface: eth1;&nbsp;</div><div>000 "L2TP-PSK-noNAT": &nbsp; new=
est ISAKMP SA: #0; newest IPsec SA: #0;&nbsp;</div><div>000 &nbsp;</div><div=
>000 #1: "L2TP-PSK-NAT"[2] 10.140.28.60:500 STATE_MAIN_R3 (sent MR3, ISAKMP =
SA established); EVENT_SA_EXPIRE in 2740s; newest ISAKMP; lastdpd=3D-1s(seq in=
:0 out:0); idle; import:not set</div><div>000 #5: "L2TP-PSK-NAT"[4] 10.140.2=
8.24:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2916s; n=
ewest IPSEC; eroute owner; isakmp#4; idle; import:not set</div><div>000 #5: =
"L2TP-PSK-NAT"[4] 10.140.28.24 esp.3fb0df2c at 10.140.28.24 esp.3506b476 at 10.140=
.28.31 ref=3D0 refhim=3D4294901761</div><div>000 #4: "L2TP-PSK-NAT"[4] 10.140.28=
.24:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in =
3186s; newest ISAKMP; lastdpd=3D-1s(seq in:0 out:0); idle; import:not set</div=
><div>000 &nbsp;</div></div><div><br></div><div>It seems the connection is e=
stablished. But when I use tcpdump</div><div><br></div><div><div>$ sudo tcpdu=
mp -n -i eth1 host 10.140.28.24</div><div>tcpdump: verbose output suppressed=
, use -v or -vv for full protocol decode</div><div>listening on eth1, link-t=
ype EN10MB (Ethernet), capture size 65535 bytes</div><div>10:22:12.598822 IP=
 10.140.28.24 &gt; 10.140.28.31: ICMP echo request, id 52270, seq 398, lengt=
h 64</div><div>10:22:12.598859 IP 10.140.28.31 &gt; 10.140.28.24: ICMP echo =
reply, id 52270, seq 398, length 64</div><div>10:22:12.602598 IP 10.140.28.2=
4.22 &gt; 10.140.28.49.53191: Flags [P.], seq 2012340106:2012340218, ack 475=
592297, win 259, options [nop,nop,TS val 23110542 ecr 283571076], length 112=
</div><div>10:22:12.602620 IP 10.140.28.49.53191 &gt; 10.140.28.24.22: Flags=
 [.], ack 112, win 8185, options [nop,nop,TS val 283572070 ecr 23110542], le=
ngth 0</div><div>10:22:13.599315 IP 10.140.28.24 &gt; 10.140.28.31: ICMP ech=
o request, id 52270, seq 399, length 64</div><div>10:22:13.599349 IP 10.140.=
28.31 &gt; 10.140.28.24: ICMP echo reply, id 52270, seq 399, length 64</div>=
<div>10:22:13.601950 IP 10.140.28.24.22 &gt; 10.140.28.49.53191: Flags [P.],=
 seq 112:224, ack 1, win 259, options [nop,nop,TS val 23110792 ecr 283572070=
], length 112</div><div>10:22:13.601975 IP 10.140.28.49.53191 &gt; 10.140.28=
.24.22: Flags [.], ack 224, win 8185, options [nop,nop,TS val 283573068 ecr =
23110792], length 0</div><div>10:22:14.598912 IP 10.140.28.24 &gt; 10.140.28=
.31: ICMP echo request, id 52270, seq 400, length 64</div><div>10:22:14.5989=
47 IP 10.140.28.31 &gt; 10.140.28.24: ICMP echo reply, id 52270, seq 400, le=
ngth 64</div><div>10:22:14.602530 IP 10.140.28.24.22 &gt; 10.140.28.49.53191=
: Flags [P.], seq 224:336, ack 1, win 259, options [nop,nop,TS val 23111042 =
ecr 283573068], length 112</div><div>10:22:14.602556 IP 10.140.28.49.53191 &=
gt; 10.140.28.24.22: Flags [.], ack 336, win 8185, options [nop,nop,TS val 2=
83574065 ecr 23111042], length 0</div></div><div><br></div><div>I only see t=
he ICMP packets&#8230;</div><div><br></div><div>What's wrong with my ipsec=
 settings?</div><div>(I used the same ipsec settings, but added the l2tp, bu=
t I can see the ESP packets&#8230;)</div><div><br></div><div>Yiyun</div><div=
><br></div></body></html>

--B_3443941938_1158296--



