# ipsec openswan connecting two networks

## py-ro

Hi,

I am trying to connect two nets together.

Both endpoints are reachable without NAT involved.

ipsec.conf

```
version 2.0

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=auto

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=3600s
    keylife=60m

conn Test-5
    leftprotoport=17/1701
    rightprotoport=17/1701
    rekey=no
    authby=secret
    pfs=no
    type=tunnel
    left=89.238.81.16
    leftnexthop=89.238.81.1
    leftsubnet=10.0.0.0/16
    right=89.238.aa.aa
    rightsubnet=10.1.0.0/16
    auto=start
```

ipsec look

```
vpn Thu Jun 20 16:27:20 CEST 2013
XFRM state:
src 89.238.aa.aa dst 89.238.bb.bb
        proto esp spi 0x66a1ff40 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x051e1d59b0aeb9c0b93bcd7b97af923bdf1dcbbc 96
        enc cbc(aes) 0x4b5b73558b5002b9d327fd1fd2e005e3
src 89.238.bb.bb dst 89.238.aa.aa
        proto esp spi 0xa80143b3 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xdb67fa31e24f526a5565aef59e09ee77f0717fd6 96
        enc cbc(aes) 0xf76e56df94de55057cbd2ecad7a33684
src 89.238.bb.bb dst 89.238.aa.aa
        proto esp spi 0xfc3b1b4f reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x114bc1c3561fb599df9df20c41acbba76881c247 96
        enc cbc(aes) 0x74bb0e3e42eba42db1f8c38aca096bb3
src 89.238.aa.aa dst 89.238.bb.bb
        proto esp spi 0xe8399fa3 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xb162c23bc52a450cf363d26e4ce09864dad5db4f 96
        enc cbc(aes) 0x45b8e7abcf13686d388dc2013abe50c3
XFRM policy:
src 10.0.0.0/16 dst 10.1.0.0/16 proto udp sport 1701 dport 1701
        dir out priority 2608
        tmpl src 89.238.aa.aa dst 89.238.bb.bb
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir fwd priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir in priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
XFRM done
IPSEC mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
NEW_IPSEC_CONN mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ROUTING TABLES
default via 89.238.81.1 dev ifext  metric 3
10.0.0.0/16 dev ifext  proto kernel  scope link  src 10.0.0.16
89.238.aa.aa/24 dev ifext  proto kernel  scope link  src 89.238.aa.aa
fe80::/64 dev ifext  proto kernel  metric 256
```

Log:

```
Jun 20 16:10:15 vpn pluto[28456]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:28456
Jun 20 16:10:15 vpn pluto[28456]: LEAK_DETECTIVE support [disabled]
Jun 20 16:10:15 vpn pluto[28456]: OCF support for IKE [disabled]
Jun 20 16:10:15 vpn pluto[28456]: SAref support [disabled]: Protocol not available
Jun 20 16:10:15 vpn pluto[28456]: SAbind support [disabled]: Protocol not available
Jun 20 16:10:15 vpn pluto[28456]: NSS support [disabled]
Jun 20 16:10:15 vpn pluto[28456]: HAVE_STATSD notification support not compiled in
Jun 20 16:10:15 vpn pluto[28456]: Setting NAT-Traversal port-4500 floating to on
Jun 20 16:10:15 vpn pluto[28456]:    port floating activation criteria nat_t=1/port_float=1
Jun 20 16:10:15 vpn pluto[28456]:    NAT-Traversal support  [enabled]
Jun 20 16:10:15 vpn pluto[28456]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: starting up 7 cryptographic helpers
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28458 (fd:6)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28460 (fd:7)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28461 (fd:8)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28462 (fd:9)
Jun 20 16:10:15 vpn pluto[28460]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28458]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28463 (fd:10)
Jun 20 16:10:15 vpn pluto[28461]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28465 (fd:11)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28466 (fd:12)
Jun 20 16:10:15 vpn pluto[28456]: Kernel interface auto-pick
Jun 20 16:10:15 vpn pluto[28456]: Using Linux 2.6 IPsec interface code on 3.9.1 (experimental code)
Jun 20 16:10:15 vpn pluto[28462]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28463]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28465]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28466]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: added connection description "Test-5"
Jun 20 16:10:15 vpn ipsec__plutorun: 002 added connection description "Test-5"
Jun 20 16:10:15 vpn pluto[28456]: listening for IKE messages
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 10.0.0.16:500
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 10.0.0.16:4500
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 89.238.81.16:500
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 89.238.81.16:4500
Jun 20 16:10:15 vpn pluto[28456]: adding interface lo/lo 127.0.0.1:500
Jun 20 16:10:15 vpn pluto[28456]: adding interface lo/lo 127.0.0.1:4500
Jun 20 16:10:15 vpn pluto[28456]: adding interface lo/lo ::1:500
Jun 20 16:10:15 vpn pluto[28456]: loading secrets from "/etc/ipsec.secrets"
Jun 20 16:10:15 vpn pluto[28456]: loaded private key for keyid: PPK_RSA:AQOGX63hC
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: initiating Main Mode
Jun 20 16:10:15 vpn ipsec__plutorun: 104 "Test-5" #1: STATE_MAIN_I1: initiate
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [Dead Peer Detection]
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [RFC 3947] method set to=115
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [CAN-IKEv2]
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: Main mode peer ID is ID_IPV4_ADDR: '89.238.75.159'
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:216579df proposal=defaults pfsgroup=no-pfs}
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xe8399fa3 <0xfc3b1b4f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [Dead Peer Detection]
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [RFC 3947] method set to=115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: responding to Main Mode
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: Main mode peer ID is ID_IPV4_ADDR: '89.238.75.159'
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: the peer proposed: 10.0.0.0/16:17/1701 -> 10.1.0.0/16:17/1701
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: responding to Quick Mode proposal {msgid:57241b03}
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4:     us: 10.0.0.0/16===89.238.81.16<89.238.81.16>:17/1701---89.238.81.1
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4:   them: 89.238.75.159<89.238.75.159>:17/1701===10.1.0.0/16
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: keeping refhim=4294901761 during rekey
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x66a1ff40 <0xa80143b3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
```

I assigned 10.0.0.16 to 89.238.aa.aa and 10.1.0.1 to 89.238.bb.bb, but can't get a connection over these IPs.

Some hint would be useful.

----------
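Added example (not from the post or from Openswan): the XFRM policies in the `ipsec look` output above carry the selector `proto udp sport 1701 dport 1701`, which is what `leftprotoport=17/1701` / `rightprotoport=17/1701` install, so only that traffic is steered into the tunnel. This script parses policy output in that format and reports whether a given flow between the two subnets is covered by a tunnel policy; the sample text is constructed from the post's own output, and the function names are mine.

```python
import ipaddress
import re

# Constructed sample in the format of `ipsec look` / `ip xfrm policy`, copied
# from the post's output: the selectors are pinned to UDP 1701 (leftprotoport).
SAMPLE_POLICY = """\
src 10.0.0.0/16 dst 10.1.0.0/16 proto udp sport 1701 dport 1701
        dir out priority 2608
        tmpl src 89.238.aa.aa dst 89.238.bb.bb
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir in priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
"""

PROTO_NUM = {"udp": 17, "tcp": 6, "icmp": 1}

def parse_policies(text):
    """Parse ESP tunnel policies into selector dicts; socket bypass policies are skipped."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        if "tmpl" not in block:
            continue  # per-socket bypass policy, not a tunnel selector
        head = dict(re.findall(r"(\w+) (\S+)", block.split("\n")[0]))
        policies.append({
            "dir": re.search(r"dir (\w+)", block).group(1),
            "src": ipaddress.ip_network(head["src"]),
            "dst": ipaddress.ip_network(head["dst"]),
            # a field absent from the selector line means "any"; None is that wildcard
            "proto": PROTO_NUM.get(head.get("proto")),
            "sport": int(head["sport"]) if "sport" in head else None,
            "dport": int(head["dport"]) if "dport" in head else None,
        })
    return policies

def covering_policy(policies, src, dst, proto, sport=None, dport=None, direction="out"):
    """Return the first policy whose selector matches the flow, else None (not tunnelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        fields = ((p["proto"], proto), (p["sport"], sport), (p["dport"], dport))
        if (p["dir"] == direction and src in p["src"] and dst in p["dst"]
                and all(want is None or want == got for want, got in fields)):
            return p
    return None
```

With the posted selectors, an ICMP echo or any UDP flow not sourced from and destined to port 1701 between 10.0.0.16 and 10.1.0.1 matches no tunnel policy, while L2TP traffic on 1701/1701 does.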

