[strongSwan] How to connect strongSwan 5.1.3 to Openswan 2.6.37?

Klaus Schmidinger Klaus.Schmidinger at tvdr.de
Tue Apr 7 10:51:07 CEST 2015


I am trying to connect a newly set up server, running openSUSE 13.2 (kernel
3.16.7-7-default) and strongSwan 5.1.3, to an existing router that runs OpenWRT
Backfire 10.03.1 (kernel 2.6.32.27) and Openswan IPsec 2.6.37.

The IKE phase of setting up the connection appears to work, but the ESP phase fails with

Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ
Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Apr  7 10:05:39 racoon2 ipsec[12837]: 08[IKE] received 28800s lifetime, configured 3600s
Apr  7 10:05:39 racoon2 ipsec[12837]: 08[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN

(this is the log on the strongSwan side).

No matter what I do, I can't seem to get the two to agree on an algorithm.
I already tried the suggestion from

   https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#no-proposal-chosen-returned-by-ZyXELLinksysx-router

but that didn't help.

I would greatly appreciate any hints that might help me get this connection
up and running.


Following are logs and configurations on both machines. Maybe somebody
with better knowledge of this subject can see what's wrong here:

Here's the complete log on the strongSwan side:

Apr  7 10:22:56 racoon2 ipsec[12960]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr  7 10:22:56 racoon2 ipsec_starter[12960]: Starting strongSwan 5.1.3 IPsec [starter]...
Apr  7 10:22:56 racoon2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-7-default, x86_64)
Apr  7 10:22:56 racoon2 charon: 00[LIB] openssl FIPS mode(0) - disabled
Apr  7 10:22:56 racoon2 charon: 00[CFG] HA config misses local/remote address
Apr  7 10:22:56 racoon2 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Apr  7 10:22:56 racoon2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr  7 10:22:56 racoon2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr  7 10:22:56 racoon2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr  7 10:22:56 racoon2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr  7 10:22:56 racoon2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr  7 10:22:56 racoon2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr  7 10:22:56 racoon2 charon: 00[CFG]   loaded IKE secret for @panther.tvdr.de @racoon2.tvdr.de
Apr  7 10:22:56 racoon2 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Apr  7 10:22:56 racoon2 charon: 00[CFG] loaded 0 RADIUS server configurations
Apr  7 10:22:56 racoon2 charon: 00[TNC] TNC recommendation policy is 'default'
Apr  7 10:22:56 racoon2 charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Apr  7 10:22:56 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr  7 10:22:56 racoon2 charon: 00[CFG] missing PDP server name, PDP disabled
Apr  7 10:22:56 racoon2 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Apr  7 10:22:56 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Apr  7 10:22:56 racoon2 charon: 00[CFG] coupling file path unspecified
Apr  7 10:22:56 racoon2 charon: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr 
kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv 
tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Apr  7 10:22:56 racoon2 charon: 00[LIB] unable to load 15 plugin features (12 due to unmet dependencies)
Apr  7 10:22:56 racoon2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr  7 10:22:56 racoon2 charon: 00[JOB] spawning 16 worker threads
Apr  7 10:22:56 racoon2 ipsec_starter[12960]: charon (12969) started after 40 ms
Apr  7 10:22:56 racoon2 charon: 02[CFG] received stroke: add connection 'racoon2-panthernet'
Apr  7 10:22:56 racoon2 charon: 02[CFG] added configuration 'racoon2-panthernet'
Apr  7 10:22:56 racoon2 charon: 08[CFG] received stroke: initiate 'racoon2-panthernet'
Apr  7 10:22:56 racoon2 charon: 08[IKE] unable to resolve %any, initiate aborted
Apr  7 10:22:56 racoon2 charon: 08[MGR] tried to check-in and delete nonexisting IKE_SA
Apr  7 10:22:56 racoon2 ipsec[12960]: charon (12969) started after 40 ms
Apr  7 10:23:09 racoon2 charon: 10[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (592 bytes)
Apr  7 10:23:09 racoon2 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Apr  7 10:23:09 racoon2 charon: 10[ENC] received unknown vendor ID: 4f:45:75:5c:64:5c:6a:79:5c:5c:61:70
Apr  7 10:23:09 racoon2 charon: 10[IKE] received DPD vendor ID
Apr  7 10:23:09 racoon2 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Apr  7 10:23:09 racoon2 charon: 10[IKE] 93.212.212.36 is initiating a Main Mode IKE_SA
Apr  7 10:23:09 racoon2 charon: 10[IKE] 93.212.212.36 is initiating a Main Mode IKE_SA
Apr  7 10:23:09 racoon2 charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr  7 10:23:09 racoon2 charon: 10[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (136 bytes)
Apr  7 10:23:09 racoon2 charon: 11[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (356 bytes)
Apr  7 10:23:09 racoon2 charon: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr  7 10:23:09 racoon2 charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr  7 10:23:09 racoon2 charon: 11[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (372 bytes)
Apr  7 10:23:09 racoon2 charon: 12[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (76 bytes)
Apr  7 10:23:09 racoon2 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
Apr  7 10:23:09 racoon2 charon: 12[CFG] looking for pre-shared key peer configs matching 88.198.76.220...93.212.212.36[panther.tvdr.de]
Apr  7 10:23:09 racoon2 charon: 12[CFG] selected peer config "racoon2-panthernet"
Apr  7 10:23:09 racoon2 charon: 12[IKE] IKE_SA racoon2-panthernet[2] established between 88.198.76.220[racoon2.tvdr.de]...93.212.212.36[panther.tvdr.de]
Apr  7 10:23:09 racoon2 charon: 12[IKE] IKE_SA racoon2-panthernet[2] established between 88.198.76.220[racoon2.tvdr.de]...93.212.212.36[panther.tvdr.de]
Apr  7 10:23:09 racoon2 charon: 12[IKE] scheduling reauthentication in 10047s
Apr  7 10:23:09 racoon2 charon: 12[IKE] maximum IKE_SA lifetime 10587s
Apr  7 10:23:09 racoon2 charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Apr  7 10:23:09 racoon2 charon: 12[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (76 bytes)
Apr  7 10:23:10 racoon2 charon: 14[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (508 bytes)
Apr  7 10:23:10 racoon2 charon: 14[ENC] parsed QUICK_MODE request 2128104217 [ HASH SA No KE ID ID ]
Apr  7 10:23:10 racoon2 charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ
Apr  7 10:23:10 racoon2 charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Apr  7 10:23:10 racoon2 charon: 14[IKE] received 28800s lifetime, configured 3600s
Apr  7 10:23:10 racoon2 charon: 14[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
Apr  7 10:23:10 racoon2 charon: 14[ENC] generating INFORMATIONAL_V1 request 2256479768 [ HASH N(NO_PROP) ]
Apr  7 10:23:10 racoon2 charon: 14[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (76 bytes)

And here's the log on the Openswan side:

Apr  7 10:23:05 panther user.info kernel: klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.6.37
Apr  7 10:23:05 panther user.info kernel: NET: Registered protocol family 15
Apr  7 10:23:05 panther user.warn kernel: registered KLIPS /proc/sys/net
Apr  7 10:23:05 panther user.info kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
Apr  7 10:23:05 panther user.info kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Apr  7 10:23:05 panther user.warn kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
Apr  7 10:23:05 panther user.warn kernel: ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
Apr  7 10:23:05 panther user.warn kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
Apr  7 10:23:05 panther user.info kernel: KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0)
Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(twofish): not found
Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(serpent): not found
Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(cast5): not found
Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(blowfish): not found
Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(des3_ede): not found
Apr  7 10:23:06 panther daemon.err ipsec_setup: KLIPS debug `none'
Apr  7 10:23:06 panther daemon.err ipsec_setup: KLIPS ipsec0 on pppoe-wan 93.212.212.36/ pointtopoint 217.0.119.8/32 mtu 1492
Apr  7 10:23:07 panther authpriv.err ipsec__plutorun: Starting Pluto subsystem...
Apr  7 10:23:07 panther daemon.err ipsec_setup: ...Openswan IPsec started
Apr  7 10:23:07 panther daemon.err ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Apr  7 10:23:07 panther user.warn syslog: adjusting ipsec.d to /etc/ipsec.d
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: LEAK_DETECTIVE support [disabled]
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: OCF support for IKE [disabled]
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: SAref support [disabled]: Protocol not available
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: SAbind support [disabled]: Protocol not available
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: NSS support [disabled]
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: HAVE_STATSD notification support not compiled in
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Setting NAT-Traversal port-4500 floating to on
Apr  7 10:23:07 panther authpriv.warn pluto[8629]:    port floating activation criteria nat_t=1/port_float=1
Apr  7 10:23:07 panther authpriv.warn pluto[8629]:    NAT-Traversal support  [enabled]
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: using /dev/urandom as source of random entropy
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: starting up 1 cryptographic helpers
Apr  7 10:23:07 panther authpriv.warn pluto[8636]: using /dev/urandom as source of random entropy
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: started helper pid=8636 (fd:6)
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Kernel interface auto-pick
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: No Kernel NETKEY interface detected
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Using KLIPS IPsec interface code on 2.6.32.27
Apr  7 10:23:07 panther daemon.err ipsec_setup: Starting Openswan IPsec 2.6.37...
Apr  7 10:23:07 panther daemon.err ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changed path to directory '/etc/ipsec.d/aacerts'
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changing to directory '/etc/ipsec.d/crls'
Apr  7 10:23:07 panther authpriv.warn pluto[8629]:   Warning: empty directory
Apr  7 10:23:07 panther authpriv.warn pluto[8629]: added connection description "racoon2-panthernet"
Apr  7 10:23:07 panther daemon.err ipsec__plutorun: 002 added connection description "racoon2-panthernet"
Apr  7 10:23:08 panther authpriv.warn pluto[8629]: listening for IKE messages
Apr  7 10:23:08 panther authpriv.warn pluto[8629]: adding interface ipsec0/pppoe-wan 93.212.212.36:500
Apr  7 10:23:08 panther authpriv.warn pluto[8629]: adding interface ipsec0/pppoe-wan 93.212.212.36:4500
Apr  7 10:23:08 panther authpriv.warn pluto[8629]: loading secrets from "/etc/ipsec.secrets"
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: initiating Main Mode
Apr  7 10:23:09 panther daemon.err ipsec__plutorun: 104 "racoon2-panthernet" #2: STATE_MAIN_I1: initiate
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Vendor ID payload [XAUTH]
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Vendor ID payload [Dead Peer Detection]
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Vendor ID payload [RFC 3947] method set to=109
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: enabling possible NAT-traversal with method 4
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: Main mode peer ID is ID_FQDN: '@racoon2.tvdr.de'
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:194bd87e proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Apr  7 10:23:10 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Apr  7 10:23:10 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received and ignored informational message
Apr  7 10:23:18 panther authpriv.warn pluto[8629]: initiate on demand from 192.168.100.2:0 to 88.198.76.220:0 proto=0 state: fos_start because: acquire
Apr  7 10:23:18 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:f62db0f3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Apr  7 10:23:18 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Apr  7 10:23:18 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received and ignored informational message
Apr  7 10:23:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: ignoring informational payload, type INVALID_HASH_INFORMATION msgid=00000000
Apr  7 10:23:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received and ignored informational message
Apr  7 10:23:34 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Delete SA payload: deleting ISAKMP State #2
Apr  7 10:23:34 panther authpriv.warn pluto[8629]: packet from 88.198.76.220:500: received and ignored informational message
Apr  7 10:23:34 panther authpriv.warn pluto[8629]: ERROR: asynchronous network error report on pppoe-wan (sport=500) for message to 88.198.76.220 port 500, complainant 88.198.76.220: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
Apr  7 10:23:40 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: ERROR: asynchronous network error report on pppoe-wan (sport=500) for message to 88.198.76.220 port 500, complainant 88.198.76.220: Connection refused [errno 146, origin ICMP type 3 code 3 (not aut
Apr  7 10:23:48 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #5: ERROR: asynchronous network error report on pppoe-wan (sport=500) for message to 88.198.76.220 port 500, complainant 88.198.76.220: Connection refused [errno 146, origin ICMP type 3 code 3 (not aut
Apr  7 10:24:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr  7 10:24:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: starting keying attempt 2 of an unlimited number
Apr  7 10:24:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #6: initiating Main Mode

The /etc/ipsec.conf on the strongSwan side is:

----------------------------------------------------------------------------------------------
conn racoon2-panthernet
         also=racoon2
         also=panther
         rightsubnet=192.168.100.0/24
         authby=secret
         keyexchange=ikev1
         auto=start

conn racoon2
         leftid=@racoon2.tvdr.de
         left=88.198.76.220

conn panther
         rightid=@panther.tvdr.de
         right=%any
----------------------------------------------------------------------------------------------

The /etc/ipsec.conf on the Openswan side is:

----------------------------------------------------------------------------------------------
version 2.0     # conforms to second version of ipsec.conf specification

config setup
         dumpdir=/var/run/pluto/
         nat_traversal=yes
         oe=off
         protostack=auto

conn panther
         leftid=@panther.tvdr.de
         left=%defaultroute

conn racoon2-panthernet
         also=racoon2
         also=panther
         leftsubnet=192.168.100.0/24
         authby=secret
         auto=start

conn racoon2
         rightid=@racoon2.tvdr.de
         right=88.198.76.220
----------------------------------------------------------------------------------------------

The /etc/ipsec.secrets on both sides is:

----------------------------------------------------------------------------------------------
@panther.tvdr.de @racoon2.tvdr.de : PSK "MySecretFakePassword"
----------------------------------------------------------------------------------------------


Klaus Schmidinger
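As an added illustration (not part of the post above and not strongSwan's own code), the following Python script models IKEv1 Quick Mode ESP proposal selection on the two proposal lists that charon printed in the log above. It assumes a simplified rule: a received and a configured proposal match only when every transform type (encryption, integrity, DH group, ESN) is present in both and has at least one algorithm in common. The `CONFIGURED_WITH_PFS` string is a constructed, hypothetical local proposal used to show what a match looks like.

```python
"""Simplified model of IKEv1 Quick Mode (ESP) proposal selection.

Added example, not strongSwan code: it reproduces the outcome charon logged
above under one assumed rule, namely that a received and a configured
proposal match only if every transform type (encryption, integrity, DH group,
ESN) is present in both and has an algorithm in common.
"""

# Proposal strings copied verbatim from the charon log lines in the post.
RECEIVED = (
    "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ"
)
CONFIGURED = (
    "ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/"
    "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ"
)
# Constructed (hypothetical) local proposal that also carries a PFS group.
CONFIGURED_WITH_PFS = "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ"


def transform_type(token):
    """Classify one algorithm token, as printed by charon, into its transform type."""
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"


def parse_proposal(text):
    """'ESP:A/B/C' -> ('ESP', {'enc': [...], 'integ': [...], ...}), order kept."""
    proto, _, algs = text.strip().partition(":")
    by_type = {}
    for token in algs.split("/"):
        by_type.setdefault(transform_type(token), []).append(token)
    return proto, by_type


def parse_proposal_list(text):
    """Split charon's comma-separated proposal list into parsed proposals."""
    return [parse_proposal(p) for p in text.split(",")]


def match(received, configured):
    """Return (chosen algorithms, None) on a match, else (None, reason)."""
    r_proto, r = received
    c_proto, c = configured
    if r_proto != c_proto:
        return None, f"protocol {r_proto} vs {c_proto}"
    chosen = {}
    for ttype in sorted(set(r) | set(c)):
        if ttype not in r or ttype not in c:
            side = "the peer's" if ttype in r else "the local"
            return None, f"{ttype} transform present only in {side} proposal"
        common = [alg for alg in r[ttype] if alg in c[ttype]]
        if not common:
            return None, f"no common {ttype} algorithm: {r[ttype]} vs {c[ttype]}"
        chosen[ttype] = common[0]  # first peer preference that we also support
    return chosen, None


def negotiate(received_text, configured_text):
    """Try every received proposal against every configured one, in order.

    Returns (chosen, reasons): chosen is the selected algorithm set or None;
    reasons holds one line per failed pairing, which is what an operator
    needs in order to explain a NO_PROPOSAL_CHOSEN.
    """
    reasons = []
    for i, r in enumerate(parse_proposal_list(received_text), 1):
        for j, c in enumerate(parse_proposal_list(configured_text), 1):
            chosen, why = match(r, c)
            if chosen is not None:
                return chosen, reasons
            reasons.append(f"received #{i} vs configured #{j}: {why}")
    return None, reasons


if __name__ == "__main__":
    chosen, reasons = negotiate(RECEIVED, CONFIGURED)
    print("as logged ->", "NO_PROPOSAL_CHOSEN" if chosen is None else chosen)
    for line in reasons:
        print("  ", line)
    chosen, _ = negotiate(RECEIVED, CONFIGURED_WITH_PFS)
    print("with a PFS group configured ->", chosen)
```

Run as is, the script reports all twelve pairings failing on the DH group: every proposal sent by the Openswan side carries MODP_2048 (the pluto log above shows `pfsgroup=OAKLEY_GROUP_MODP2048` when it initiates Quick Mode), while none of the proposals configured on the strongSwan side lists any DH group. In strongSwan the DH group used for PFS is part of the `esp=` setting (for example `esp=aes128-sha1-modp2048`); the strongSwan ipsec.conf shown above does not set `esp=` at all, so the defaults without a DH group are what charon offers.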

