<div>Thanks for answer!<br></div><div>There is working configuration.</div><div>VPN is Ok if I use protostack=netkey.</div><div>If I use protostack=klips VPN doesn't work.</div><div>But I'd like to use protostack=klips, because I need ipsec interface(ipsec0).</div>
<div>Is there a workaround? </div><div>I uesed Pavle's ipsec.conf configuration, only changed 'auto=route' to 'auto=add' , because VPN with protostack=klips didn't start at all. </div><div>Sorry for long listing.</div>
<div><br></div><div>I don't like theese lines (you can see full listing below)</div><div>
13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>13:02:51.165956 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>13:02:52.165894 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>
13:02:55.165892 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
</div><div><br></div><div><br></div><div>PROTOSTACK=KLIPS</div><div><br></div>linux>ipsec auto --status<br>000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set<br>
000 #2: "win-tun" <a href="mailto:esp.9023a4eb@192.168.1.38">esp.9023a4eb@192.168.1.38</a> <a href="mailto:esp.6ba38ad2@192.168.1.15">esp.6ba38ad2@192.168.1.15</a> ref=2 refhim=1<br>000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP; nodpd; idle; import:not set<br>
<br>linux,/var/log/secure<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: responding to Main Mode<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: <a href="http://192.168.1.15/32:0/0">192.168.1.15/32:0/0</a> -> <a href="http://192.168.1.38/32:0/0">192.168.1.38/32:0/0</a><br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: <a href="http://192.168.1.15/32===192.168.1.15">192.168.1.15/32===192.168.1.15</a><192.168.1.15>[+S=C]<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===<a href="http://192.168.1.38/32">192.168.1.38/32</a><br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br><br>linux>tcpdump -n -i eth0 host 192.168.1.38<br>
device eth0 entered promiscuous mode<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>13:02:05.172050 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x3), length 76<br>
13:02:10.169239 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x4), length 76<br>13:02:15.168938 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x5), length 76<br>
13:02:20.168511 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x6), length 76<br>13:02:25.168122 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x7), length 76<br>
13:02:30.167715 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x8), length 76<br>13:02:32.009961 ARP, Request who-has 192.168.1.90 tell 192.168.1.38, length 46<br>13:02:35.167311 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x9), length 76<br>
13:02:40.166957 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0xa), length 76<br>13:02:45.166405 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46<br>
13:02:45.166416 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0xb), length 76<br>13:02:46.166340 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46<br>
13:02:47.166251 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46<br>13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>13:02:51.165956 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>
13:02:52.165894 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>13:02:55.165892 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>13:02:56.165612 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br>
13:02:57.165531 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46<br><br>>tcpdump -n -i ipsec0 host 192.168.1.38<br>device ipsec0 entered promiscuous mode<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on ipsec0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>12:59:49.207724 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ICMP echo request, id 1, seq 173, length 40<br><br>##################<br>
<div><br></div><div> PROTOSTACK=NETKEY </div><div><br></div>linux>ipsec auto --status<br>000 #3: "win-tun":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 18s; nodpd; idle; import:local rekey<br>
000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 843s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set<br>000 #2: "win-tun" <a href="mailto:esp.fe035afe@192.168.1.38">esp.fe035afe@192.168.1.38</a> <a href="mailto:esp.85be7d3d@192.168.1.15">esp.85be7d3d@192.168.1.15</a> ref=0 refhim=4294901761<br>
000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7143s; newest ISAKMP; nodpd; idle; import:local rekey<br>000<br><br>linux,/var/log/secure<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: responding to Main Mode<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R2: sent MR2, expecting MI3<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: the peer proposed: <a href="http://192.168.1.15/32:0/0">192.168.1.15/32:0/0</a> -> <a href="http://192.168.1.38/32:0/0">192.168.1.38/32:0/0</a><br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: us: <a href="http://192.168.1.15/32===192.168.1.15">192.168.1.15/32===192.168.1.15</a><192.168.1.15>[+S=C]<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===<a href="http://192.168.1.38/32">192.168.1.38/32</a><br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
Feb 10 12:45:18 linux pluto[4370]: initiate on demand from <a href="http://192.168.1.15:0">192.168.1.15:0</a> to <a href="http://192.168.1.38:0">192.168.1.38:0</a> proto=1 state: fos_start because: acquire<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000<br>Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message<br>
<br>linux>tcpdump -n -i eth0 host 192.168.1.38<br>device eth0 entered promiscuous mode<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
12:48:15.854050 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x85be7d3d,seq=0x16), length 76<br>12:48:15.854124 IP 192.168.1.15 > <a href="http://192.168.1.38">192.168.1.38</a>: ESP(spi=0xfe035afe,seq=0x15), length 76<br>
12:48:16.856592 IP 192.168.1.38 > <a href="http://192.168.1.15">192.168.1.15</a>: ESP(spi=0x85be7d3d,seq=0x17), length 76<br><br>