<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="�" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Century Gothic";
panose-1:2 11 5 2 2 2 2 2 2 4;}
@font-face
{font-family:"Palatino Linotype";
panose-1:2 4 5 2 5 5 5 3 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Have you ran tcpdump dumps along the line and on the both Pub and Priv interface to see where the packets are going? I too am having similar issues with my GW. I see my ESP packets coming in the Pub and then going back out the Pub with
its private address when it should be going back out the private network. Do you see similar symptoms?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr style="height:1.25in">
<td width="203" style="width:121.5pt;padding:0in 0in 0in 0in;height:1.25in">
<p class="MsoNormal" style="line-height:115%"><b>Regards,<o:p></o:p></b></p>
<p class="MsoNormal" style="line-height:115%"><o:p> </o:p></p>
<p class="MsoNormal" align="right" style="text-align:right;line-height:115%"><b><i>Adrian Milanoski</i></b><span style="font-size:8.0pt;line-height:115%"><br>
Short Range Protocols<br>
Lab Administrator<span style="color:black"><br>
</span><span style="color:#0070C0">Research In Motion Limited</span><span style="color:black">
<br>
</span>Tel.(289) 261-5801<br>
Email <span style="color:black"> </span></span><a href="mailto:amilanoski@rim.com"><span style="font-size:8.0pt;line-height:115%;color:#9E540A">amilanoski@rim.com</span></a><b><span style="color:#003049"><o:p></o:p></span></b></p>
</td>
<td width="174" style="width:104.45pt;padding:0in 0in 0in 0in;height:1.25in">
<p class="MsoNormal" align="right" style="text-align:right;line-height:115%"><o:p> </o:p></p>
<p class="MsoNormal" align="right" style="text-align:right;line-height:115%"><o:p> </o:p></p>
<p class="MsoNormal" align="center" style="text-align:center;line-height:115%"><a href="http://www.rim.com/"><span style="font-size:12.0pt;line-height:115%;text-decoration:none"><img border="0" width="115" height="50" id="Picture_x0020_1" src="cid:image002.jpg@01CD1CCB.9E9B0230" alt="www.rim.com"></span></a><span style="font-size:8.0pt;line-height:115%;font-family:"Verdana","sans-serif";color:navy"><img border="0" width="102" height="39" id="Picture_x0020_2" src="cid:image003.jpg@01CD1CCB.9E9B0230" alt="cid:image001.png@01CB37B8.EC492D80"></span><span style="font-size:12.0pt;line-height:115%"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> users-bounces+amilanoski=rim.com@lists.strongswan.org [mailto:users-bounces+amilanoski=rim.com@lists.strongswan.org]
<b>On Behalf Of </b>Shukla, Sanjay<br>
<b>Sent:</b> Monday, April 16, 2012 11:13 AM<br>
<b>To:</b> users@lists.strongswan.org<br>
<b>Subject:</b> Re: [strongSwan] help: ping behaviour when tunnel is not established<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Any insight to the below would be helpful.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-sanjay<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> users-bounces+sanjay.shukla=ipc.com@lists.strongswan.org [mailto:users-bounces+sanjay.shukla=ipc.com@lists.strongswan.org]
<b>On Behalf Of </b>Shukla, Sanjay<br>
<b>Sent:</b> Friday, April 13, 2012 3:58 PM<br>
<b>To:</b> users@lists.strongswan.org<br>
<b>Subject:</b> [strongSwan] help: ping behaviour when tunnel is not established<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I request you urgent help in understanding this behavior.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When a connection is configured in /etc/ipsec.conf but the left side of the connection is not responding (say left is unreachable) I see the ping behavior as below<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.9pt;margin-bottom:0in;margin-left:13.6pt;margin-bottom:.0001pt;text-indent:-7.5pt;text-autospace:none">
<span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:teal">root@ffd-ipsec-189 sanjay]# ping 10.204.74.188<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">basically ping is stuck or blocked.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Now if I do not have a connection configured in the /etc/ipsec.conf I see that the ping responds like this<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.9pt;margin-bottom:0in;margin-left:13.6pt;margin-bottom:.0001pt;text-indent:-7.5pt;text-autospace:none">
<span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:teal">root@ffd-ipsec-189 sanjay]# ping 10.204.74.188<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.9pt;margin-bottom:0in;margin-left:13.6pt;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:teal">PING 10.204.74.188 (10.204.74.188) 56(84) bytes of data.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.9pt;margin-bottom:0in;margin-left:13.6pt;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:teal">From 10.204.74.189 icmp_seq=2 Destination Host Unreachable<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.9pt;margin-bottom:0in;margin-left:13.6pt;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:teal">From 10.204.74.189 icmp_seq=3 Destination Host Unreachable<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:.9pt;margin-bottom:0in;margin-left:13.6pt;margin-bottom:.0001pt;text-autospace:none">
<span style="font-size:10.0pt;font-family:"Century Gothic","sans-serif";color:teal">>From 10.204.74.189 icmp_seq=5 Destination Host Unreachable<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What settings can be done for a timeout to occurs to that a program that is trying to reach an ip may not be blocked forever if ipsec SA cannot be established ?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">My connection setting as follows<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">#Below Are The Configuration for CCM_CCM IPSec Tunnel<o:p></o:p></p>
<p class="MsoNormal">conn LocalIP_LocalIP_10.204.74.188<o:p></o:p></p>
<p class="MsoNormal"> left=10.204.74.189<o:p></o:p></p>
<p class="MsoNormal"> leftcert=ServLcl.pem<o:p></o:p></p>
<p class="MsoNormal"> leftsendcert=yes<o:p></o:p></p>
<p class="MsoNormal"> leftupdown=/opt/ipc/security/ipsectunnel/rightdown.sh<o:p></o:p></p>
<p class="MsoNormal"> right=10.204.74.188<o:p></o:p></p>
<p class="MsoNormal"> rightid=%any<o:p></o:p></p>
<p class="MsoNormal"> keyexchange=ikev2<o:p></o:p></p>
<p class="MsoNormal"> type=transport<o:p></o:p></p>
<p class="MsoNormal"> reauth=no<o:p></o:p></p>
<p class="MsoNormal"> dpddelay=5s<o:p></o:p></p>
<p class="MsoNormal"> dpdaction=restart<o:p></o:p></p>
<p class="MsoNormal"> keyingtries=%forever<o:p></o:p></p>
<p class="MsoNormal"> auto=route<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">regards,<o:p></o:p></p>
<p class="MsoNormal">-sanjay<o:p></o:p></p>
<p> <o:p></o:p></p>
<p><i><span style="font-size:7.5pt;font-family:"Palatino Linotype","serif";color:green"><img border="0" width="19" height="18" id="_x0000_i1025" src="cid:image004.png@01CD1CCB.9E9B0230"><em><span style="font-family:"Palatino Linotype","serif"">Please consider
the environment before printing this email.</span></em></span></i><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:gray">DISCLAIMER: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of
this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail.E-mail
messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the
risks associated with e-mail messages, you may decide not to use e-mail to communicate with IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems.</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p></o:p></span></p>
</div>
--------------------------------------------------------------------- <br>
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
</body>
</html>