<div dir="ltr"><span style="background-color:rgb(255,255,255)">Hi </span><div><span style="background-color:rgb(255,255,255)">I am trying to set up a LAN 2 LAN IPSec VPN connection to a 3rd party service provider; they did request the following settings:</span></div>

<div><span style="background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)">2.        VPN Requirements

2.1        Minimum Protocol Requirements

2.1.1        IKE Phase 1 Properties

o        Encryption Algorithm AES-256
o        Data Integrity SHA-1
o        Use Pre-shared Key (the same key should be used for both production and DR configurations)
o        Aggressive mode disabled
o        Support key exchanges per subnet
o        Diffie-Hellman Group 2
o        IKE SA Lifetime 1440 minutes (86400 seconds)

Other VPN settings are possible but not recommended.

2.1.2        IKE Phase 2 Properties

o        IPSEC protocol ESP
o        Encryption Algorithm AES-256
o        Data Integrity SHA-1
o        Perfect Forward Secrecy (PFS) disabled.
o        IPSEC SA Lifetime (3600 seconds)</span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)">I did add the shared key to ipsec.secrets and I did set up the following connection in ipsec.conf:</span></div>

<div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)">conn NZTA-CAS-ORS
        type=tunnel
        left=My.Server.IP.Addr
        leftsubnet=0.0.0.0/0.0.0.0
        leftid=@GroupVPN
        leftxauthclient=yes
        right=x.x.0.29
        rightsubnet=x.x.x.64/255.255.255.192
        rightxauthserver=yes
        rightid=@NZTA
        keyingtries=0
        pfs=no
        aggrmode=no
        keyexchange=ike
        auto=add
        auth=esp
        esp=3DES-SHA1
        ike=3DES-SHA1
        authby=secret</span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)"><br></span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)">tcpdump just shows:</span></div>

<div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;background-color:rgb(255,255,255);font-size:14px;white-space:pre-wrap">19:27:41.059776 IP fasttaxrefund.co.nz.isakmp &gt; NZTA.isakmp: isakmp: phase 1 I ident</span></div>

<div><span style="background-color:rgb(255,255,255)">
</span></div><div><span style="color:rgb(17,17,17);font-family:Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)"><br></span></div><div><font color="#111111" face="Helvetica, Arial, sans-serif"><span style="font-size:14px;white-space:pre-wrap">ipsec auto --status shows</span></font></div>

<div><font color="#111111" face="Helvetica, Arial, sans-serif"><span style="font-size:14px;white-space:pre-wrap"><br></span></font></div><div><font color="#111111" face="Helvetica, Arial, sans-serif"><span style="font-size:14px;white-space:pre-wrap"><div>

root@smartrefunds:~# ipsec auto --status</div><div>000 using kernel interface: netkey</div><div>000 interface lo/lo ::1</div><div>000 interface lo/lo 127.0.0.1</div><div>000 interface lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 my.ip</div>

<div>000 interface eth0/eth0 my.ip</div><div>000 %myid = (none)</div><div>000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo</div><div>000  </div><div>000 virtual_private (%priv):</div>

<div>000 - allowed 2 subnets: 10.0.0.0/8, 192.168.0.0/16</div><div>000 - disallowed 2 subnets: 192.168.180.0/24, 10.8.0.0/16</div>

<div>000  </div><div>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</div><div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128</div>

<div>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</div><div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div>

<div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</div>

<div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256</div>

<div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div>

<div>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div>

<div>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0</div><div>000  </div><div>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</div>

<div>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128</div><div>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</div><div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</div>

<div>000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128</div>

<div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</div><div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</div><div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</div>

<div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div>

<div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div>

<div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000  </div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,1800} attrs={0,1,1200} </div><div>000  </div>

<div>000 &quot;NZTA-CAS-ORS&quot;: 0.0.0.0/0===my.ip&lt;my.ip&gt;[@GroupVPN,+XC+S=C]...remote.ip&lt;remote.ip&gt;[@NZTA,+XS+S=C]===x.x.x.64/26; unrouted; eroute owner: #0</div><div>
000 &quot;NZTA-CAS-ORS&quot;:     myip=unset; hisip=unset;</div>
<div>000 &quot;NZTA-CAS-ORS&quot;:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 &quot;NZTA-CAS-ORS&quot;:   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 0,26; interface: eth0; </div>

<div>000 &quot;NZTA-CAS-ORS&quot;:   dpd: action:clear; delay:0; timeout:0; </div><div>000 &quot;NZTA-CAS-ORS&quot;:   newest ISAKMP SA: #0; newest IPsec SA: #0; </div><div>000 &quot;NZTA-CAS-ORS&quot;:   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict</div>

<div>000 &quot;NZTA-CAS-ORS&quot;:   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div><div>000 &quot;NZTA-CAS-ORS&quot;:   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict</div>

<div>000 &quot;NZTA-CAS-ORS&quot;:   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160</div><div>000  </div><div>000 #1: &quot;NZTA-CAS-ORS&quot;:500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd; idle; import:admin initiate</div>

<div>000 #1: pending Phase 2 for &quot;NZTA-CAS-ORS&quot; replacing #0</div><div>000  </div><div><br></div><div><br></div><div>Please advise.</div><div><br></div><div>Regards</div></span></font></div></div>
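For comparison, here is a conn block written to match the third party's stated requirements rather than the 3DES proposal and default lifetimes shown in the status output above (an added example, not the original poster's configuration): AES-256 with SHA-1 in both phases, DH group 2 (modp1024), an 86400 s IKE lifetime, a 3600 s IPsec SA lifetime, and PFS and aggressive mode off. Openswan/Libreswan keyword syntax is assumed, the xauth lines are left out because the requirement list names only a pre-shared key, and the address values are placeholders copied from the post.

```conf
conn NZTA-CAS-ORS
        type=tunnel
        keyexchange=ike
        # Phase 1 (IKE): AES-256, SHA-1, DH group 2, 1440 min = 86400 s lifetime
        ike=aes256-sha1;modp1024
        ikelifetime=86400s
        aggrmode=no
        # Phase 2 (IPsec): ESP with AES-256 / SHA-1, 3600 s lifetime, PFS disabled
        auth=esp
        esp=aes256-sha1
        salifetime=3600s
        pfs=no
        # Authentication: pre-shared key taken from ipsec.secrets
        authby=secret
        # Placeholder addresses as given in the post; replace with the real values
        left=My.Server.IP.Addr
        leftsubnet=0.0.0.0/0
        leftid=@GroupVPN
        right=x.x.0.29
        rightsubnet=x.x.x.64/26
        rightid=@NZTA
        keyingtries=0
        auto=add
```

After reloading, `ipsec auto --status` should list `AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)` under "IKE algorithms wanted" and `ike_life: 86400s; ipsec_life: 3600s`, which is the quickest way to confirm the proposal now matches what the peer expects. modp1024 and SHA-1 are below current recommendations and appear here only because the provider requires them; negotiate a stronger group and hash if the provider will accept one.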