<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=big5" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19222">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT color=#0000ff size=2 face=Verdana>
<DIV><FONT color=#0000ff size=2 face=Verdana><FONT color=#000000 size=3
face=新細明體>Dear Sirs,<BR><BR>About openswan with the netkey stack: I tried it
before, but it failed.<BR>PC1 can ping PC2, but PC2 cannot ping PC1. I do not
know what procedures I missed. Could someone help me with this question?
Thanks.<BR>====================================<BR>&lt;My test
environment&gt;<BR>PC1----------------GW1(ipsec-tools)------------------GW2(openswan)-------------PC2<BR>PC1:
192.168.6.1<BR>GW1: 172.17.21.87<BR>GW2: 172.17.21.80<BR>PC2:
192.168.1.100<BR>================================<BR>&lt;ipsec.conf&gt;<BR>config
setup<BR> interfaces=%defaultroute<BR> oe=off<BR> protostack=netkey<BR><BR>conn
%default<BR> connaddrfamily=ipv4<BR> keyexchange=ike<BR>
ike=3des-md5;modp1024<BR> phase2alg=3des-md5;modp1024<BR>
auth=esp<BR> type=tunnel<BR> authby=secret<BR>
auto=start<BR><BR>conn sample<BR> left=172.17.21.80<BR>
leftsubnet=192.168.1.0/24<BR> right=172.17.21.87<BR>
rightsubnet=192.168.6.0/24<BR>==============================<BR>&lt;ipsec.secrets&gt;<BR>172.17.21.80
172.17.21.87 : PSK
"12345"<BR>========================================<BR>&lt;Kernel
features&gt;<BR>CONFIG_XFRM=y<BR>CONFIG_XFRM_USER=m<BR>CONFIG_XFRM_MIGRATE=y<BR>CONFIG_NET_KEY=y<BR>CONFIG_NET_KEY_MIGRATE=y<BR>========================================</FONT></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana><FONT color=#000000 size=3
face=新細明體>&lt;log&gt;</FONT></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana><FONT color=#000000 size=3
face=新細明體>Jan 1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec
U2.6.38/K2.6.30...<BR>Jan 1 00:02:31 daemon err ipsec_setup: Using
NETKEY(XFRM) stack<BR>Jan 1 00:02:33 authpriv err ipsec__plutorun:
Starting Pluto subsystem...<BR>Jan 1 00:02:33 daemon err ipsec_setup:
...Openswan IPsec started<BR>Jan 1 00:02:34 daemon err ipsec__plutorun:
adjusting ipsec.d to /var/ipsec.d<BR>Jan 1 00:02:34 user warn syslog:
adjusting ipsec.d to /var/ipsec.d<BR>Jan 1 00:02:34 authpriv warn
pluto[1568]: LEAK_DETECTIVE support [disabled]<BR>Jan 1 00:02:34 authpriv
warn pluto[1568]: OCF support for IKE [disabled]<BR>Jan 1 00:02:34
authpriv warn pluto[1568]: NSS support [disabled]<BR>Jan 1 00:02:34
authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled
in<BR>Jan 1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal
port-4500 floating to off<BR>Jan 1 00:02:34 authpriv warn
pluto[1568]: port floating activation criteria
nat_t=0/port_float=1<BR>Jan 1 00:02:34 authpriv warn
pluto[1568]: NAT-Traversal support
[disabled]<BR>Jan 1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom
as source of random entropy<BR>Jan 1 00:02:34 authpriv warn pluto[1568]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>Jan 1
00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)<BR>Jan 1 00:02:34 authpriv warn pluto[1568]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>Jan 1
00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic
helpers<BR>Jan 1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as
source of random entropy<BR>Jan 1 00:02:34 authpriv warn pluto[1568]:
started helper pid=1583 (fd:6)<BR>Jan 1 00:02:34 authpriv warn
pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental
code)<BR>Jan 1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)<BR>Jan 1 00:02:36 authpriv warn
pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type
already exists<BR>Jan 1 00:02:36 authpriv warn pluto[1568]:
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)<BR>Jan 1
00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id
'0', Algorithm type already exists<BR>Jan 1 00:02:36 authpriv warn
pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED
(ret=-17)<BR>Jan 1 00:02:36 authpriv warn pluto[1568]: ike_alg_add():
ERROR: algo_type '0', algo_id '0', Algorithm type already exists<BR>Jan 1
00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating
aes_gcm_8: FAILED (ret=-17)<BR>Jan 1 00:02:36 authpriv warn pluto[1568]:
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already
exists<BR>Jan 1 00:02:36 authpriv warn pluto[1568]:
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)<BR>Jan 1
00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id
'0', Algorithm type already exists<BR>Jan 1 00:02:36 authpriv warn
pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED
(ret=-17)<BR>Jan 1 00:02:37 authpriv warn pluto[1568]: Could not change to
directory '/var/ipsec.d/cacerts': No such file or directory<BR>Jan 1
00:02:37 authpriv warn pluto[1568]: Could not change to directory
'/var/ipsec.d/aacerts': No such file or directory<BR>Jan 1 00:02:37
authpriv warn pluto[1568]: Could not change to directory
'/var/ipsec.d/ocspcerts': No such file or directory<BR>Jan 1 00:02:37
authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2
No such file or directory<BR>Jan 1 00:02:37 authpriv warn pluto[1568]:
added connection description "sample"<BR>Jan 1 00:02:37 daemon err
ipsec__plutorun: 002 added connection description "sample"<BR>Jan 1
00:02:37 authpriv warn pluto[1568]: listening for IKE messages<BR>Jan 1
00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1
172.17.21.80:500<BR>Jan 1 00:02:37 authpriv warn pluto[1568]: adding
interface br0/br0 192.168.1.254:500<BR>Jan 1 00:02:37 authpriv warn
pluto[1568]: adding interface lo/lo 127.0.0.1:500<BR>Jan 1 00:02:37
authpriv warn pluto[1568]: adding interface lo/lo ::1:500<BR>Jan 1
00:02:37 authpriv warn pluto[1568]: loading secrets from
"/var/ipsec.secrets"<BR>Jan 1 00:02:38 authpriv warn pluto[1568]: "sample"
#1: initiating Main Mode<BR>Jan 1 00:02:38 daemon err ipsec__plutorun: 104
"sample" #1: STATE_MAIN_I1: initiate<BR>Jan 1 00:02:38 authpriv warn
pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer
Detection]<BR>Jan 1 00:02:38 authpriv warn pluto[1568]: "sample" #1:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>Jan 1
00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2,
expecting MR2<BR>Jan 1 00:02:39 authpriv warn pluto[1568]: "sample" #1:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR>Jan 1
00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3,
expecting MR3<BR>Jan 1 00:02:39 authpriv warn pluto[1568]: "sample" #1:
Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'<BR>Jan 1 00:02:39
authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to
state STATE_MAIN_I4<BR>Jan 1 00:02:39 authpriv warn pluto[1568]: "sample"
#1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<BR>Jan 1
00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d
proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}<BR>========================================</FONT></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Verdana><FONT color=#000000 size=3
face=新細明體>&lt;test steps&gt;<BR>When the WAN interface is up:<BR>1. configure
ipsec.conf<BR>2. configure ipsec.secrets<BR>3. ipsec setup
start<BR><BR><BR>Best
Regards,<BR>Ozai</FONT></FONT></DIV></FONT></DIV></BODY></HTML>
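Added example, not part of the message above and not Openswan code: a small checker that reads a pluto syslog excerpt and reports, per connection, whether Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) were established, which algorithms were negotiated, and whether NAT-Traversal was compiled out. The sample lines are copied from the posted log; the regular expressions, the function names and the list of algorithms treated as weak are assumptions made for this example. Run over the posted excerpt it reports Phase 1 up with 3DES/MD5/modp1024, Quick Mode started, and no "IPsec SA established" line in the excerpt.

```python
"""Check an Openswan/pluto syslog excerpt for tunnel state and weak crypto.

Added example, not from the original post or from Openswan. Regexes,
function names and the WEAK set are assumptions for this illustration.
"""
import re

# Constructed sample: lines copied from the log in the posted message.
SAMPLE_LOG = """\
Jan 1 00:02:34 authpriv warn pluto[1568]: NAT-Traversal support [disabled]
Jan 1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
Jan 1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
"""

# pluto prefixes per-SA messages with '"<conn>" #<sa>: ' (assumed format).
SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS = re.compile(r'\{([^}]*)\}')

# Algorithms a reviewer would flag today (assumption for this example).
WEAK = {"3des", "md5", "modp1024"}


def _kv(msg):
    """Extract key=value pairs from the {...} block pluto appends to state lines."""
    m = PARAMS.search(msg)
    if not m:
        return {}
    return dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)


def parse_pluto_log(text):
    """Return a per-connection summary: phase state, negotiated params, weak algs."""
    lines = text.splitlines()
    nat_t_disabled = any("NAT-Traversal support [disabled]" in l for l in lines)
    report = {}
    for line in lines:
        m = SA_LINE.search(line)
        if not m:
            continue
        conn = report.setdefault(m["conn"], {
            "isakmp_established": False,
            "ipsec_established": False,
            "quick_mode_started": False,
            "ike_params": {},
            "phase2_proposal": None,
            "weak": set(),
        })
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            conn["isakmp_established"] = True
            conn["ike_params"] = _kv(msg)
        elif "initiating Quick Mode" in msg:
            conn["quick_mode_started"] = True
            conn["phase2_proposal"] = _kv(msg).get("proposal")
        elif "IPsec SA established" in msg:
            conn["ipsec_established"] = True
        # Flag weak algorithm names wherever they appear in a state line.
        conn["weak"] |= {w for w in WEAK if w in msg.lower()}
    for conn in report.values():
        conn["nat_t_disabled"] = nat_t_disabled
    return report


def diagnose(report, conn="sample"):
    """Human-readable findings for one connection."""
    c = report[conn]
    findings = []
    if c["isakmp_established"] and not c["ipsec_established"]:
        findings.append("Phase 1 up but no 'IPsec SA established' line: "
                        "Phase 2 did not complete in this excerpt")
    if c["weak"]:
        findings.append("weak algorithms negotiated: " + ", ".join(sorted(c["weak"])))
    if c["nat_t_disabled"]:
        findings.append("NAT-Traversal disabled: only acceptable if no NAT "
                        "sits between the gateways")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pluto_log(SAMPLE_LOG)):
        print("-", finding)
```

To use it on a live gateway, feed it the pluto lines from syslog (for example the output of grep for "pluto[" on the log file) instead of SAMPLE_LOG; a run that ends at "initiating Quick Mode" without a later "IPsec SA established" means no ESP SAs were installed, so the next thing to inspect is the kernel state with ip xfrm state and ip xfrm policy on both gateways.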