<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div>HI Everyone,</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I have two machines one running strongswan 5.0.4-1(Left) and other Openswan on Centos 2.6.35 ( Right).</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">They are both behind the NAT. Right
server is reachable via public IP( but eth0 is behind NAT) address and left one gets Mobil IP from carriers.</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I am able to establish successful connection between theses two using the following ipsec.conf file but I can't ping them.</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial,
'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">LEFt ipsec.conf:</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="background-color: transparent;">version 2</div><div style="background-color: transparent;">config setup</div><div style="background-color: transparent;"> charondebug = "ike 2,knl 2"</div><div style="background-color: transparent;">conn 1</div><div style="background-color: transparent;"> keylife=60m</div><div style="background-color: transparent;">
rekeymargin=9m</div><div style="background-color: transparent;"> keyingtries=2</div><div style="background-color: transparent;"> keyexchange=ikev1</div><div style="background-color: transparent;"> left=%any</div><div style="background-color: transparent;"> right=216.177.93.234</div><div style="background-color: transparent;"> authby=secret</div><div style="background-color: transparent;"> auto=add</div><div style="background-color: transparent;"> leftid="@lmu55"</div><div style="background-color: transparent;"> #leftsourceip=10.4.3.1</div><div style="background-color: transparent;"> #rightsourceip=10.4.3.2</div><div style="background-color:
transparent;"> <span style="background-color: transparent; font-size: 8pt;">rightid="@lmudiag"</span></div><div style="background-color: transparent;"> leftfirewall=yes</div><div style="background-color: transparent;"> compress=no</div><div style="background-color: transparent;"> #mobike=no</div><div style="background-color: transparent;"> type=tunnel</div><div style="background-color: transparent;"><br></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;"><br></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;
font-style: normal;">RIGHt ipsec.conf:</div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;"><br></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;"><br></div><div style="background-color: transparent; color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;"><br></div><div style="background-color: transparent;"># basic configuration</div><div style="background-color: transparent;">config setup</div><div style="background-color: transparent;"> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div><div
style="background-color: transparent;"> # klipsdebug=none</div><div style="background-color: transparent;"> plutostderrlog="/var/log/ipsec7.log"</div><div style="background-color: transparent;"> plutodebug="control parsing"</div><div style="background-color: transparent;"> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div style="background-color: transparent;"> protostack=auto</div><div style="background-color: transparent;"> nat_traversal=yes</div><div style="background-color: transparent;"> #virtual_private=</div><div style="background-color: transparent;"> oe=off</div><div style="background-color: transparent;"> # Enable this if you see "failed to find any available worker"</div><div
style="background-color: transparent;"> nhelpers=0</div><div style="background-color: transparent;"><br></div><div style="background-color: transparent;">conn lmu</div><div style="background-color: transparent;"> #left=xx.xx.xx.xx</div><div style="background-color: transparent;"> left=10.0.12.34</div><div style="background-color: transparent;"> leftid=@lmudiag</div><div style="background-color: transparent;"> #ikev2=insist</div><div style="background-color: transparent;"> #ikev2=yes</div><div style="background-color: transparent;"> keyexchange=ike</div><div style="background-color: transparent;"> right=%any</div><div style="background-color: transparent;"> rightid=@lmu55</div><div
style="background-color: transparent;"> type=tunnel</div><div style="background-color: transparent;"> authby=secret</div><div style="background-color: transparent;"> auth=esp</div><div style="background-color: transparent;"> pfs=no</div><div style="background-color: transparent;"> <span style="background-color: transparent; font-size: 8pt;">#aggrmode=no</span></div><div style="background-color: transparent;"> #leftsourceip=10.4.3.2</div><div style="background-color: transparent;"> #rightsourceip=10.4.3.1</div><div style="background-color: transparent;"> <span style="background-color: transparent; font-size: 8pt;"> #rightsubnet=vhost:%no,%priv</span></div><div style="background-color: transparent;">
<span style="background-color: transparent; font-size: 8pt;">compress=no</span></div><div style="background-color: transparent;"> auto=add</div><div style="background-color: transparent;"><br></div><div><br></div><div><br></div><div><br></div><div>Here is the tcpdump output from mobile device on wan interface:</div><div><br></div><div><br></div><div><div class=""><span style="font-family:"Courier New"">22:02:30.574491
IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap:
ESP(spi=0xf9535901,seq=0x1), length 132<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">22:02:31.588682
IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap:
ESP(spi=0xf9535901,seq=0x2), length 132<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">22:02:32.608384
IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap:
ESP(spi=0xf9535901,seq=0x3), length 132<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">22:02:33.618381
IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap:
ESP(spi=0xf9535901,seq=0x4), length 132<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">22:02:34.628406
IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap:
ESP(spi=0xf9535901,seq=0x5), length 132<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">22:02:35.638375
IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap:
ESP(spi=0xf9535901,seq=0x6), length 132<o:p></o:p></span></div></div><div><br></div><div><br></div><div><br></div><div>Here is the tcpdum out put on Right machine : ( why the source and destination address is the same as the other end and why it is not ESP)</div><div><br></div><div><div class=""><span style="font-family:"Courier New"">15:02:28.955252
IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 4,
length 64<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">15:02:29.952576
IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 5,
length 64<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">15:02:30.992655
IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 6,
length 64<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">15:02:31.991295
IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 7,
length 64<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">15:02:32.997846
IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 8,
length 64<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">15:02:33.975175
IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 9,
length 64<o:p></o:p></span></div></div><div><br></div><div><br></div><div><br></div><div><br></div><div>Then I tried to use Virtual IP on both side and hoping if that helps me to connect two machines but I am not able to even establish a connection . As you can see above if I added the lines with rightsourceip and leftsourceip on both sides.</div><div><br></div><div><br></div><div>From Left side I see the following log data ( it gives up after 5 re-transmit):</div><div><br></div><div><br></div><div><div class=""><span style="font-family:"Courier New"">root@LMU5k:~#
ipsec up 1<o:p></o:p></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 11px; font-family: 'Courier New'; background-color: transparent; font-style: normal;"><span style="font-family:"Courier New""><br></span></div>
<div class=""><span style="font-family:"Courier New"">initiating Main
Mode IKE_SA 1[1] to 216.177.93.234<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">generating
ID_PROT request 0 [ SA V V V V ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">sending packet:
from 10.114.177.50[500] to 216.177.93.234[500] (224 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">received packet:
from 216.177.93.234[500] to 10.114.177.50[500] (140 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">parsed ID_PROT
response 0 [ SA V V V ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">received unknown
vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">received DPD
vendor ID<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">received NAT-T
(RFC 3947) vendor ID<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">generating
ID_PROT request 0 [ KE No NAT-D NAT-D ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">sending packet:
from 10.114.177.50[500] to 216.177.93.234[500] (372 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">received packet:
from 216.177.93.234[500] to 10.114.177.50[500] (356 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">parsed ID_PROT
response 0 [ KE No NAT-D NAT-D ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">local host is
behind NAT, sending keep alives<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">remote host is
behind NAT<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">generating
ID_PROT request 0 [ ID HASH ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">sending packet:
from 10.114.177.50[4500] to 216.177.93.234[4500] (76 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">received packet:
from 216.177.93.234[4500] to 10.114.177.50[4500] (76 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">parsed ID_PROT
response 0 [ ID HASH V ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">IKE_SA 1[1]
established between 10.114.177.50[lmu55]...216.177.93.234[lmudiag]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">scheduling
reauthentication in 10009s<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">maximum IKE_SA
lifetime 10549s<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">generating
TRANSACTION request 3067406310 [ HASH CP ]<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">sending packet:
from 10.114.177.50[4500] to 216.177.93.234[4500] (76 bytes)<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">sending
retransmit 1 of request message ID 3067406310, seq 4<o:p></o:p></span></div>
<div class=""><span style="font-family:"Courier New"">sending packet:
from 10.114.177.50[4500] to 216.177.93.234[4500] (76 bytes)<o:p></o:p></span></div></div><div> </div><div><br></div><div><br></div><div>On the RIGHT side ( openswan ) I captured the log.data that you can see as attachment . I looked at the data and I can see the RIGHT side drops the following messages:</div><div><br></div><div><div>*received 76 bytes from 198.228.223.179:46799 on eth0 (port=4500)</div><div>| **parse ISAKMP Message:</div><div>| initiator cookie:</div><div>| 56 a1 96 a2 b3 d2 61 8d</div><div>| responder cookie:</div><div>| 7a 26 90 f7 c2 1a 2d d4</div><div>| next payload type: ISAKMP_NEXT_HASH</div><div>| ISAKMP version: ISAKMP Version 1.0 (rfc2407)</div><div>| exchange type: ISAKMP_XCHG_MODE_CFG</div><div>| flags: ISAKMP_FLAG_ENCRYPTION</div><div>| message ID: b6 d4 e7
e6</div><div>| length: 76</div><div>| processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6)</div><div>| ICOOKIE: 56 a1 96 a2 b3 d2 61 8d</div><div>| RCOOKIE: 7a 26 90 f7 c2 1a 2d d4</div><div>| state hash entry 12</div><div>| peer and cookies match on #1, provided msgid b6d4e7e6 vs 00000000/00000000</div><div>| p15 state object not found</div><div>| ICOOKIE: 56 a1 96 a2 b3 d2 61 8d</div><div>| RCOOKIE: 7a 26 90 f7 c2 1a 2d d4</div><div>| state hash entry 12</div><div>| peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000</div><div>| p15 state object #1 found, in STATE_MAIN_R3</div><div>| processing connection lmu[1] 198.228.223.179</div><div>"lmu"[1] 198.228.223.179 #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client</div><div>| * processed 0 messages from cryptographic helpers </div><div>| next event
EVENT_NAT_T_KEEPALIVE in 19 seconds</div><div>| next event EVENT_NAT_T_KEEPALIVE in 19 seconds</div><div><br></div><div><br></div><div><br></div><div>What would be proper way to establish a Virtual IP interfaces between two hosts? And Is there anyway without Virtual IP that I can make the PING working.</div><div><br></div><div><br></div><div><br></div><div>I appreciate your help.</div><div><br></div><div>Thanks and Regards,</div><div>Farid</div></div></div></body></html>