<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=big5" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19190">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff size=2 face=Verdana>Dear Sirs,</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT face=Verdana><FONT color=#0000ff size=2>I merged the openswan(2.6.37)
into embedded linux(mips) and tried to make the connection with another ipsec
system(ipsec-tools).The ESP tunnel can be built successfully.I tried to ping
private client from ipsec-tools to openswan.It's OK.but from openswan to
ipsec-tools,It's failed.I found that from openswan to ipsec-tools,the packets
did not traffic under ESP tunnel.My settings are as below.Please help me to
correct my procedure.thank's.</FONT></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana># cat ipsec.conf<BR>#
/etc/ipsec.conf - Openswan IPsec configuration file</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana># This file:
/usr/local/share/doc/openswan/ipsec.conf-sample<BR>#<BR>#
Manual: ipsec.conf.5</FONT></DIV>
<DIV> </DIV><FONT color=#0000ff size=2 face=Verdana>
<DIV><BR>version 2.0 # conforms to second version of
ipsec.conf specification</DIV>
<DIV> </DIV>
<DIV># basic configuration<BR>config
setup<BR> # Do not set debug options
to debug configuration issues!<BR> #
plutodebug / klipsdebug = "all", "none" or a combation from
below:<BR> # "raw crypt parsing
emitting control klips pfkey natt x509 dpd private"</DIV>
<DIV> </DIV>
<DIV> #
eg:<BR> # plutodebug="control
parsing"<BR> # Again: only enable
plutodebug or klipsdebug when asked by a
developer<BR>
#<BR> # enable to get logs
per-peer<BR> #
plutoopts="--perpeerlog"<BR>
#<BR> # Enable core dumps (might
require system changes, like ulimit
-C)<BR> # This is required for abrtd
to work properly<BR> # Note: incorrect
SElinux policies might prevent pluto writing the
core<BR>
dumpdir=/var/run/pluto/<BR>
#<BR> # NAT-TRAVERSAL support, see
README.NAT-Traversal<BR>
#nat_traversal=yes<BR> # exclude
networks used on server side by adding
%v4:!a.b.c.0/24<BR> # It seems that
T-Mobile in the US and Rogers/Fido in Canada
are<BR> # using 25/8 as "private"
address space on their 3G network.<BR>
# This range has not been announced via BGP (at least upto
2010-12-21)<BR>
#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4<BR>:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<BR>
interfaces=%defaultroute<BR> # OE is
now off by default. Uncomment and change to on, to
enable.<BR>
oe=off<BR> # which IPsec stack to use.
auto will try netkey, then klips then
mast<BR>
protostack=auto<BR> # Use this to log
to a file, or disable logging on embedded systems (lik<BR>e
openwrt)<BR>
#plutostderrlog=/dev/null</DIV>
<DIV> </DIV>
<DIV># Add connections here</DIV>
<DIV> </DIV>
<DIV># sample VPN connection<BR># for more examples, see
/etc/ipsec.d/examples/<BR>conn
sample<BR>#
# Left security gateway, subnet behind it, nexthop toward right.</DIV>
<DIV> </DIV>
<DIV>
left=111.243.152.132<BR>
leftsubnet=192.168.2.0/24<BR>#
leftnexthop=10.22.33.44<BR>#
# Right security gateway, subnet behind it, nexthop toward left.</DIV>
<DIV> </DIV>
<DIV>
right=111.243.156.217<BR>
rightsubnet=192.168.1.0/24<BR>#
rightnexthop=10.101.102.103<BR>#
# To authorize this connection, but not actually start
it,<BR>#
# at startup, uncomment
this.<BR>
type=tunnel<BR>
authby=secret<BR>
auto=start</DIV>
<DIV> </DIV>
<DIV>#<BR># cat ipsec.secrets<BR>111.243.156.217 111.243.152.132 : PSK
"12345"<BR>#</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana># ipsec setup
start<BR>/lib/libexec/ipsec/setup: 65: id: not found<BR>[: 0: unknown
operand<BR>ipsec_setup: Starting Openswan IPsec U2.6.37/K2.6.30...<BR>#
Jan 1 00:09:11 pluto[2102]: Starting Pluto (Openswan Version 2.6.37;
Vendor I<BR>D OEu\134d\134jy\134\134ap) pid:2102<BR>Jan 1 00:09:11
pluto[2102]: LEAK_DETECTIVE support [disabled]<BR>Jan 1 00:09:11
pluto[2102]: OCF support for IKE [disabled]<BR>Jan 1 00:09:11 pluto[2102]:
SAref support [disabled]: Protocol not available<BR>Jan 1 00:09:11
pluto[2102]: SAbind support [disabled]: Protocol not available<BR>Jan 1
00:09:11 pluto[2102]: NSS support [disabled]<BR>Jan 1 00:09:11
pluto[2102]: HAVE_STATSD notification support not compiled in<BR>Jan 1
00:09:11 pluto[2102]: Setting NAT-Traversal port-4500 floating to
off<BR>Jan 1 00:09:11 pluto[2102]: port floating
activation criteria nat_t=0/port_f<BR>loat=1<BR>Jan 1 00:09:11
pluto[2102]: NAT-Traversal support
[disabled]<BR>Jan 1 00:09:11 pluto[2102]: using /dev/urandom as source of
random entropy<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC:<BR>Ok (ret=0)<BR>Jan 1 00:09:11 pluto[2102]:
starting up 1 cryptographic helpers<BR>Jan 1 00:09:11 pluto[2117]: using
/dev/urandom as source of random entropy<BR>Jan 1 00:09:11 pluto[2102]:
started helper pid=2117 (fd:5)<BR>Jan 1 00:09:11 pluto[2102]: Kernel
interface auto-pick<BR>Jan 1 00:09:11 pluto[2102]: Using Linux 2.6 IPsec
interface code on 2.6.30 (exp<BR>erimental code)<BR>Jan 1 00:09:11
pluto[2102]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
(r<BR>et=0)<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm
already exists<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_register_enc():
Activating aes_ccm_12: FAIL<BR>ED (ret=-17)<BR>Jan 1 00:09:11 pluto[2102]:
ike_alg_add(): ERROR: Algorithm already exists<BR>Jan 1 00:09:11
pluto[2102]: ike_alg_register_enc(): Activating aes_ccm_16: FAIL<BR>ED
(ret=-17)<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm
already exists<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_register_enc():
Activating aes_gcm_8: FAILE<BR>D (ret=-17)<BR>Jan 1 00:09:11 pluto[2102]:
ike_alg_add(): ERROR: Algorithm already exists<BR>Jan 1 00:09:11
pluto[2102]: ike_alg_register_enc(): Activating aes_gcm_12: FAIL<BR>ED
(ret=-17)<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm
already exists<BR>Jan 1 00:09:11 pluto[2102]: ike_alg_register_enc():
Activating aes_gcm_16: FAIL<BR>ED (ret=-17)<BR>Jan 1 00:09:11 pluto[2102]:
Could not change to directory '/var/ipsec.d/cacerts<BR>':
/var/run/pluto<BR>Jan 1 00:09:12 pluto[2102]: Could not change to
directory '/var/ipsec.d/aacerts<BR>': /var/run/pluto<BR>Jan 1 00:09:12
pluto[2102]: Could not change to directory '/var/ipsec.d/ocspcer<BR>ts':
/var/run/pluto<BR>Jan 1 00:09:12 pluto[2102]: Could not change to
directory '/var/ipsec.d/crls'<BR>Jan 1 00:09:12 pluto[2102]: added
connection description "sample"<BR>Jan 1 00:09:12 pluto[2102]: listening
for IKE messages<BR>Jan 1 00:09:12 pluto[2102]: adding interface ppp0/ppp0
111.243.156.217:500<BR>Jan 1 00:09:12 pluto[2102]: adding interface
br0/br0 192.168.1.1:500<BR>Jan 1 00:09:12 pluto[2102]: adding interface
lo/lo 127.0.0.1:500<BR>Jan 1 00:09:12 pluto[2102]: adding interface lo/lo
::1:500<BR>Jan 1 00:09:12 pluto[2102]: ERROR: problem with secrets file
"/var". Errno 9: B<BR>ad file descriptor<BR>Jan 1 00:09:12 pluto[2102]:
loading secrets from "/var/ipsec.secrets"<BR>Jan 1 00:09:13 pluto[2102]:
"sample" #1: initiating Main Mode<BR>Jan 1 00:09:13 pluto[2102]: "sample"
#1: received Vendor ID payload [Dead Peer<BR>Detection]<BR>Jan 1 00:09:13
pluto[2102]: "sample" #1: transition from state STATE_MAIN_I1 to<BR> state
STATE_MAIN_I2<BR>Jan 1 00:09:13 pluto[2102]: "sample" #1: STATE_MAIN_I2:
sent MI2, expecting MR2</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Jan 1 00:09:13 pluto[2102]:
"sample" #1: transition from state STATE_MAIN_I2 to<BR> state
STATE_MAIN_I3<BR>Jan 1 00:09:13 pluto[2102]: "sample" #1: STATE_MAIN_I3:
sent MI3, expecting MR3</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Jan 1 00:09:14 pluto[2102]:
"sample" #1: Main mode peer ID is ID_IPV4_ADDR:
'11<BR>1.243.152.132'<BR>Jan 1 00:09:14 pluto[2102]: "sample" #1:
transition from state STATE_MAIN_I3 to<BR> state STATE_MAIN_I4<BR>Jan
1 00:09:14 pluto[2102]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established
{<BR>auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp10<BR>24}<BR>Jan 1 00:09:14 pluto[2102]: "sample" #2: initiating
Quick Mode PSK+ENCRYPT+TUNN<BR>EL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
msgid:dbca98e7
proposal=defaults<BR> pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Jan 1
00:09:14 pluto[2102]: "sample" #1: ignoring informational payload, type
I<BR>PSEC_INITIAL_CONTACT msgid=00000000<BR>Jan 1 00:09:14 pluto[2102]:
"sample" #1: received and ignored informational mes<BR>sage<BR>Jan 1
00:09:14 pluto[2102]: "sample" #2: transition from state STATE_QUICK_I1 t<BR>o
state STATE_QUICK_I2<BR>Jan 1 00:09:14 pluto[2102]: "sample" #2:
STATE_QUICK_I2: sent QI2, IPsec SA est<BR>ablished tunnel mode
{ESP=>0x0f34cacc <0x8c632f64 xfrm=3DES_0-HMAC_MD5 NATOA=non<BR>e NATD=none
DPD=none}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>#<BR># ip xfrm state<BR>src
111.243.152.132 dst
111.243.156.217<BR> proto esp spi
0x8c632f64 reqid 16385 mode tunnel<BR>
replay-window 32 flag 20<BR> auth
hmac(md5)
0xaf8ba23ff005f262dfc3d5cf81c59ef9<BR>
enc cbc(des3_ede) 0xb0559c9dd51e7cdfdedf34fb95439bb19b72751852fd6e34<BR>src
111.243.156.217 dst
111.243.152.132<BR> proto esp spi
0x0f34cacc reqid 16385 mode tunnel<BR>
replay-window 32 flag 20<BR> auth
hmac(md5)
0xb7d5be9851d321710f47f94c93ea008b<BR>
enc cbc(des3_ede)
0x35fe8cb1dbcbbdbbd1321a41191b493a4f189d351a0c9f71<BR>#</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Best Regards.</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana>Ozai</FONT></DIV></BODY></HTML>