<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div>Hi Everyone,</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I need help to connect my strongswan based machine to a openswan based machine behind NAT ( host-host).</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0,
0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">On my remote machine which runs strongswan h<span style="background-color: transparent;">ere is the output of >> ipsec up 1 which tries to connect to the other end:</span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">It seems it never connects.</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
background-color: transparent; font-style: normal;"> <span style="font-size: 8pt;">root@LMU5k:~# ipsec up 1</span></div><div class="MsoListParagraphCxSpFirst"><o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">initiating Main Mode IKE_SA 1[2] to
216.177.93.234<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">generating ID_PROT request 0 [ SA V V V V ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending packet: from 10.133.32.81[500] to
216.177.93.234[500] (224 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">received packet: from 216.177.93.234[500]
to 10.133.32.81[500] (140 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">parsed ID_PROT response 0 [ SA V V V ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">received unknown vendor ID:
4f:45:68:79:4c:64:41:43:65:63:66:61<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">received DPD vendor ID<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">received NAT-T (RFC 3947) vendor ID<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">generating ID_PROT request 0 [ KE No NAT-D
NAT-D ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending packet: from 10.133.32.81[500] to
216.177.93.234[500] (372 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">received packet: from 216.177.93.234[500]
to 10.133.32.81[500] (356 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">parsed ID_PROT response 0 [ KE No NAT-D
NAT-D ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">local host is behind NAT, sending keep
alives<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">remote host is behind NAT<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">generating ID_PROT request 0 [ ID HASH ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending packet: from 10.133.32.81[4500] to
216.177.93.234[4500] (76 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">received packet: from 216.177.93.234[4500]
to 10.133.32.81[4500] (76 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">parsed ID_PROT response 0 [ ID HASH V ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">IKE_SA 1[2] established between
10.133.32.81[lmu55]...216.177.93.234[lmudiag]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">scheduling reauthentication in 9721s<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">maximum IKE_SA lifetime 10261s<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">generating QUICK_MODE request 1783046561 [
HASH SA No ]<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending packet: from 10.133.32.81[4500] to
216.177.93.234[4500] (204 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending retransmit 1 of request message ID
1783046561, seq 4<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending packet: from 10.133.32.81[4500] to
216.177.93.234[4500] (204 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending retransmit 2 of request message ID
1783046561, seq 4<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending packet: from 10.133.32.81[4500] to
216.177.93.234[4500] (204 bytes)<o:p></o:p></div>
<div class="MsoListParagraphCxSpMiddle">sending retransmit 3 of request message ID
1783046561, seq 4<o:p></o:p></div>
<div class="MsoListParagraphCxSpLast"><o:p></o:p></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span style="font-size: 8pt;">sending packet: from 10.133.32.81[4500] to
216.177.93.234[4500] (204 bytes)</span></div><div style="color: rgb(0, 0, 0); font-size: 8pt; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Here is the ipsec.conf :</div><div style="color: rgb(0, 0, 0); font-size: 11px;
font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="background-color: transparent;"># generated by /etc/init.d/lmu_ipsec</div><div style="background-color: transparent;">version 2</div><div style="background-color: transparent;">config setup</div><div style="background-color: transparent;"> charondebug = "ike 2,knl 2"</div><div style="background-color: transparent;">conn 1</div><div style="background-color: transparent;"> keylife=60m</div><div style="background-color: transparent;"> rekeymargin=9m</div><div style="background-color: transparent;"> keyingtries=1</div><div style="background-color: transparent;"> keyexchange=ikev1</div><div style="background-color: transparent;"> left=10.133.32.81</div><div style="background-color: transparent;"> right=216.177.93.234
</div><div style="background-color: transparent;"> authby=secret</div><div style="background-color: transparent;"> auto=add</div><div style="background-color: transparent;"> leftid="@lmu55"</div><div style="background-color: transparent;"> rightid="@lmudiag"</div><div style="background-color: transparent;"> type=tunnel</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande',
sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Here is the ipsec.conf on the other end that runs openswan on it:</div><div style="background-color: transparent;"><br></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;">config setup</div><div style="background-color: transparent;"> # Debug-logging controls: "none" for (almost) none, "all" for
lots.</div><div style="background-color: transparent;"> # klipsdebug=none</div><div style="background-color: transparent;"> # plutodebug="control parsing"</div><div style="background-color: transparent;"> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div style="background-color: transparent;"> protostack=netkey</div><div style="background-color: transparent;"> nat_traversal=yes</div><div style="background-color: transparent;"> virtual_private=</div><div style="background-color: transparent;"> oe=off</div><div style="background-color: transparent;"> # Enable this if you see "failed to find any available worker"</div><div style="background-color: transparent;"> # nhelpers=0</div><div
style="background-color: transparent;"><br></div><div style="background-color: transparent;">conn lmu</div><div style="background-color: transparent;"> left=10.0.12.34</div><div style="background-color: transparent;"> leftid=@lmudiag</div><div style="background-color: transparent;"> right=%any</div><div style="background-color: transparent;"> rightid=@lmu55</div><div style="background-color: transparent;"> type=tunnel</div><div style="background-color: transparent;"> authby=secret</div><div style="background-color: transparent;"> auto=add</div><div style="background-color: transparent;"><br></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande',
sans-serif; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">And here is the output of >>ipsec auto --status from openswan part:</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style:
normal;"><br></div><div class="MsoNormal">000 stats db_ops: {curr_cnt, total_cnt, maxsz}
:context={0,0,0} trans={0,0,0} attrs={0,0,0} <o:p></o:p></div><div class="MsoNormal">000 <o:p></o:p></div><div class="MsoNormal">000 "lmu":
10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C]; unrouted;
eroute owner: #0<o:p></o:p></div><div class="MsoNormal">000 "lmu":
myip=unset; hisip=unset;<o:p></o:p></div><div class="MsoNormal">000 "lmu":
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz:
100%; keyingtries: 0 <o:p></o:p></div><div class="MsoNormal">000 "lmu":
policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio:
32,32; interface: eth0; <o:p></o:p></div><div class="MsoNormal">000 "lmu":
newest ISAKMP SA: #0; newest IPsec SA: #0; <o:p></o:p></div><div class="MsoNormal">000 "lmu"[1]:
10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...166.137.187.250[@lmu55,+S=C];
unrouted; eroute owner: #0<o:p></o:p></div><div class="MsoNormal">000 "lmu"[1]:
myip=unset; hisip=unset;<o:p></o:p></div><div class="MsoNormal">000 "lmu"[1]:
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz:
100%; keyingtries: 0 <o:p></o:p></div><div class="MsoNormal">000 "lmu"[1]:
policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0; <o:p></o:p></div><div class="MsoNormal">000 "lmu"[1]:
newest ISAKMP SA: #1; newest IPsec SA: #0; <o:p></o:p></div><div class="MsoNormal">000 "lmu"[1]:
IKE algorithm newest: AES_CBC_128-SHA1-MODP2048<o:p></o:p></div><div class="MsoNormal">000 <o:p></o:p></div><div style="background-color: transparent;">
</div><div class="MsoNormal">000 #1: "lmu"[1] 166.137.187.250:45911
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2454s;
newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set<o:p></o:p></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">As you see I added %any for right address since it gets changed all the time. also left=10.0.12.34 is the address behind the NAT. </div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida
Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I appreciate if someone can give me some hints on this setup.</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Best
Regards,</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Farid</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande',
sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"> </div></div></body></html>