Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
4 votes • 1 answer • 2692 views
ipsec rightsubnet to wide, cannot override routing table | IPSec route some packets 'locally', not via tunnel; ip xfrm change?
I'd like to override part of the (IPSec) routing table (routing to 10.108.0.0/16 locally via eth0, not via the IPSec tunnel).
My IPSec config:
conn vpc
type=tunnel
authby=secret
left=172.16.0.200
leftid=x.x.x.x
leftsubnet=172.16.0.0/16
leftfirewall=yes
right=y.y.y.y
rightsubnet=10.0.0.0/8
#pfs=yes
auto=start
As you can see, 10.0.0.0/8 is routed over the tunnel:
# ip r s t all
10.0.0.0/8 via 172.16.0.1 dev eth0 table 220 proto static src 172.16.0.200
default via 172.16.0.1 dev eth0
10.108.0.0/16 via 172.16.0.1 dev eth0
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.200
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.16.0.0 dev eth0 table local proto kernel scope link src 172.16.0.200
local 172.16.0.200 dev eth0 table local proto kernel scope host src 172.16.0.200
broadcast 172.16.0.255 dev eth0 table local proto kernel scope link src 172.16.0.200
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
fe80::/64 dev eth0 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto none metric 0
local fe80::52:b2ff:fe65:b0fe dev lo table local proto none metric 0
ff00::/8 dev eth0 table local metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
# ipsec statusall
Listening IP addresses:
172.16.0.200
Connections:
vpc: 172.16.0.200...x.x.x.x IKEv1/2
vpc: local: [x.x.x.x ] uses pre-shared key authentication
vpc: remote: [y.y.y.y] uses pre-shared key authentication
vpc: child: 172.16.0.0/16 === 10.0.0.0/8 TUNNEL
Security Associations (1 up, 0 connecting):
vpc: ESTABLISHED 30 minutes ago, 172.16.0.200[x.x.x.x]...y.y.y.y[]
vpc{1}: 172.16.0.0/16 === 10.0.0.0/8
I've specifically added the route:
#ip r a 10.108.0.0/16 via 172.16.0.1
10.108.0.0/16 via 172.16.0.1 dev eth0
I hoped it would catch 'before' table 220, but traffic still goes through the IPSec tunnel.
I must be missing some layer.
I know I could change rightsubnet=10.0.0.0/8 to rightsubnet=10.0.0.0/16
but I'd like to change only one route
-----------------------
Just checking the xfrm policy:
# ip xfrm policy
src 10.0.0.0/8 dst 172.16.0.0/16
dir fwd priority 1955
tmpl src x.x.x.x dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
dir in priority 1955
tmpl src x.x.x.x dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 10.0.0.0/8
dir out priority 1955
tmpl src 172.16.0.200 dst x.x.x.x
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
Maybe I can change something here.
------------------------
I'd like to **route 10.108.0.0/16 via local eth0, not via IPSec tunnel**
EDIT: I've extended the policy with:
ip xfrm policy update dir in src 172.16.0.0/16 dst 10.108.0.0/16
ip xfrm policy update dir out src 172.16.0.0/16 dst 10.108.0.0/16
ip xfrm policy update dir fwd src 172.16.0.0/16 dst 10.108.0.0/16
# ip xfrm policy
src 10.0.0.0/8 dst 172.16.0.0/16
dir fwd priority 1955
tmpl src 54.77.116.107 dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
dir in priority 1955
tmpl src 54.77.116.107 dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 10.0.0.0/8
dir out priority 1955
tmpl src 172.16.0.200 dst 54.77.116.107
proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 10.108.0.0/16
dir fwd priority 0
src 172.16.0.0/16 dst 10.108.0.0/16
dir out priority 0
src 172.16.0.0/16 dst 10.108.0.0/16
dir in priority 0
Another try:
ip xfrm policy add dir out src 172.16.0.0/16 dst 172.16.0.1
ip xfrm policy add dir in src 172.16.0.0/16 dst 172.16.0.1
ip xfrm policy add dir fwd src 172.16.0.0/16 dst 172.16.0.1
# ip xfrm policy
src 172.16.0.0/16 dst 172.16.0.1/32
dir fwd priority 0
src 172.16.0.0/16 dst 172.16.0.1/32
dir in priority 0
src 172.16.0.0/16 dst 172.16.0.1/32
dir out priority 0
src 10.0.0.0/8 dst 172.16.0.0/16
dir fwd priority 1955
tmpl src 54.77.116.107 dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
dir in priority 1955
tmpl src 54.77.116.107 dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 10.0.0.0/8
dir out priority 1955
tmpl src 172.16.0.200 dst 54.77.116.107
proto esp reqid 1 mode tunnel
Still, it does not look like a good 'redirect'.
sirkubax
(141 rep)
Mar 15, 2016, 11:14 AM
• Last activity: Sep 12, 2022, 05:02 AM
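The policy dumps above show the layer that actually decides whether a packet is encapsulated: the kernel's xfrm policy database, not the routing table. An outbound packet is matched against every "out" policy whose selector covers it, and the one with the lowest priority value wins; a matching policy with no "tmpl" line is a passthrough, so the packet leaves in the clear. The following is an added example (not part of the question or of strongSwan) that models exactly that lookup over the three dumps from the question, with "x.x.x.x" standing in for the peer address as in the post. It shows why the first edit (priority 0 policies for dst 10.108.0.0/16) does produce a passthrough for 10.108.x.x while the rest of 10.0.0.0/8 stays tunnelled, and why the second attempt (dst 172.16.0.1/32) changes nothing for 10.108.x.x: its selector simply never matches those packets. Tie-breaking between equal priorities is simplified to dump order here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str      # "in", "out" or "fwd"
    priority: int       # the kernel applies the matching policy with the LOWEST value
    has_template: bool  # True: ESP tunnel template present; False: passthrough (cleartext)


def parse_xfrm_policy(dump: str) -> List[XfrmPolicy]:
    """Parse the text output of `ip xfrm policy`.

    Only IPv4 "dir" policies are kept; per-socket and IPv6 entries are skipped.
    """
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    policies: List[XfrmPolicy] = []
    i = 0
    while i < len(lines):
        head = lines[i].split()
        if head[0] != "src":
            i += 1
            continue
        src, dst = head[1], head[3]
        sel = lines[i + 1].split()   # "dir out priority 1955" or "socket in priority 0"
        i += 2
        has_template = False
        while i < len(lines) and lines[i].startswith(("tmpl", "proto")):
            has_template = True      # template lines describe the ESP transform to apply
            i += 1
        if sel[0] != "dir" or ":" in src:
            continue
        policies.append(XfrmPolicy(
            ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False),
            sel[1], int(sel[3]), has_template))
    return policies


def lookup(policies: List[XfrmPolicy], direction: str,
           src_ip: str, dst_ip: str) -> Optional[XfrmPolicy]:
    """Policy the kernel would apply: every matching selector competes, lowest priority wins.
    Ties are broken by dump order here (a simplification of the kernel's ordering)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p.direction == direction and s in p.src and d in p.dst]
    return min(matches, key=lambda p: p.priority) if matches else None


def outbound_fate(dump: str, dst_ip: str, src_ip: str = "172.16.0.200") -> str:
    """'tunnel', 'clear' (passthrough policy) or 'no policy' (plain routing)."""
    p = lookup(parse_xfrm_policy(dump), "out", src_ip, dst_ip)
    if p is None:
        return "no policy"
    return "tunnel" if p.has_template else "clear"


# Dumps constructed from the question's output; x.x.x.x is the peer placeholder used there.
ORIGINAL = """
src 10.0.0.0/8 dst 172.16.0.0/16
dir fwd priority 1955
tmpl src x.x.x.x dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 10.0.0.0/8 dst 172.16.0.0/16
dir in priority 1955
tmpl src x.x.x.x dst 172.16.0.200
proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 10.0.0.0/8
dir out priority 1955
tmpl src 172.16.0.200 dst x.x.x.x
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
"""

# First edit from the question: passthrough policies for the excluded /16
PASSTHROUGH = ORIGINAL + """
src 172.16.0.0/16 dst 10.108.0.0/16
dir fwd priority 0
src 172.16.0.0/16 dst 10.108.0.0/16
dir out priority 0
src 172.16.0.0/16 dst 10.108.0.0/16
dir in priority 0
"""

# Second attempt from the question: selector on the gateway address instead
WRONG_SELECTOR = ORIGINAL + """
src 172.16.0.0/16 dst 172.16.0.1/32
dir fwd priority 0
src 172.16.0.0/16 dst 172.16.0.1/32
dir in priority 0
src 172.16.0.0/16 dst 172.16.0.1/32
dir out priority 0
"""

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("passthrough", PASSTHROUGH),
                       ("wrong selector", WRONG_SELECTOR)):
        print(f"{name:15s} 10.108.0.1 -> {outbound_fate(dump, '10.108.0.1')}, "
              f"10.5.0.1 -> {outbound_fate(dump, '10.5.0.1')}")
```

Two caveats follow from this model. Policies added by hand with `ip xfrm policy` are unknown to charon and vanish when it reinstalls the connection's policies, so the supported way to carve a subnet out of a wider tunnel is a second strongSwan conn with `type=passthrough` for that subnet. And a passthrough deliberately sends that traffic unencrypted, so anything in 10.108.0.0/16 that the tunnel was meant to protect is no longer protected.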
1 vote • 1 answer • 952 views
Ubuntu & OpenSwan Issue
I am trying to bring up a VPN using Openswan (version 5.6.2) on an Ubuntu machine.
But when I run the following command, it says "missing configuration name":
sudo swanctl --initiate vpn-name
initiate failed: missing configuration name
This is the output of the ipsec statusall command:
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.3.0-1032-aws, x86_64):
uptime: 11 hours, since Aug 07 14:43:36 2020
malloc: sbrk 2568192, mmap 0, used 550784, free 2017408
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
172.X.Y.Z
172.X.0.X
Connections:
Security Associations (0 up, 0 connecting):
none
The following is the config for /etc/ipsec.conf:
cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
strictcrlpolicy=no
uniqueids = yes
charondebug="all"
#nat_traversal=yes
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn vpn-name
type=tunnel
keyexchange=ikev2
authby=secret
#leftid=172.x.x.x
#Left is me
left=3.x.x.x
leftsubnet=172.32.X.X
#leftsubnet=10.1.4.0/16
#right is MTN CIV
right=19.X.X.X
rightsubnet=10.18.X.0/24
ike=3des-sha1,aes256-sha1,aes128-sha1!
esp=3des-sha1,aes256-sha1
auto=route
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start
sach2000
(11 rep)
Aug 8, 2020, 02:13 AM
• Last activity: Jan 17, 2021, 01:09 PM
2 votes • 1 answer • 1442 views
What does "virtual_private" Openswan configuration option do under the hood?
As I understand, the virtual_private configuration option declares which subnets should be allowed through the tunnel and which should be excluded. For example, if I have the following configuration:
virtual_private=%v4:10.6.100.0/24,%v4:!192.168.11.0/24,%v4:10.10.0.254/24
...then according to the ipsec auto --status command, the 10.6.100.0/24 and 10.10.0.0/24 networks are allowed and 192.168.11.0/24 is disallowed:
000 virtual_private (%priv):
000 - allowed 2 subnets: 10.6.100.0/24, 10.10.0.0/24
000 - disallowed 1 subnet: 192.168.11.0/24
000
What does this allowed and disallowed mean? What does this mean under the hood? Are there some routes created? Does it affect some xfrm framework policies?
Martin
(8156 rep)
Jan 4, 2017, 04:16 PM
• Last activity: Nov 28, 2020, 03:04 PM
5 votes • 2 answers • 24482 views
IPSec over L2TP: received NO_PROPOSAL_CHOSEN error notify
Environment:
# uname -a
Linux shrimpwagon 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux
I have already installed:
# apt-get install strongswan xl2tpd
I'm trying to connect to a Meraki VPN. I spoke to a Meraki tech and he said that it looks like it is not authenticating but didn't give me much more detail:
# ipsec up L2TP-PSK
generating QUICK_MODE request 2711688330 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 10.0.0.4 to 50.123.152.194 (252 bytes)
received packet: from 50.123.152.194 to 10.0.0.4 (68 bytes)
parsed INFORMATIONAL_V1 request 2555305796 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'L2TP-PSK' failed
ipsec.conf:
config setup
virtual_private=%v4:10.0.0.0/8
# nat_traversal=yes
protostack=auto
oe=off
plutoopts="--interface=eth0"
conn L2TP-PSK
keyexchange=ikev1
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
phase2=ah
phase2alg=aes128-sha1-modp1024,3des-sha1-modp1024!
authby=secret
aggrmode=yes
pfs=no
auto=add
keyingtries=2
# dpddelay=30
# dpdtimeout=120
# dpdaction=clear
# rekey=yes
ikelifetime=8h
keylife=1h
type=transport
left=%defaultroute
# leftnexthop=%defaultroute
# leftprotoport=udp/l2tp
right=50.123.152.194
rightsubnet=10.2.150.0/24
ipsec.secrets:
%any %any : PSK "****"
xl2tpd.conf:
[lac vpn-connection]
lns = 50.123.152.194
;refuse chap = yes
;refuse pap = no
;require authentication = yes
;name = vpn-server
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name swelch
password ****
I have gotten most of my instructions from this site:
https://www.elastichosts.com/blog/linux-l2tpipsec-vpn-client/
I did have to put it into aggressive mode, specify ikev1 and set the ike algorithms. Once I did that I was able to start communicating with the MX. But I'm getting this error now and I am at a total loss.
Thanks in advance!
shrimpwagon
(427 rep)
Apr 4, 2017, 12:02 PM
• Last activity: Nov 13, 2019, 11:32 AM
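In the transcript above the NO_PROPOSAL_CHOSEN notify arrives in reply to the QUICK_MODE request, i.e. after phase 1 has completed, so it is the phase 2 proposal set that the far end rejects. A proposal list only negotiates if both sides share at least one identical enc/integ/DH triple, and strict lists (trailing "!") offer nothing beyond what is written. The following is an added example, not part of the question or of strongSwan/Openswan, that parses ike=/esp=/phase2alg= strings in both the strongSwan form (aes128-sha1-modp1024) and the Openswan form with ";" before the DH group that appears elsewhere on this page, computes which proposal two sides would agree on, and flags legacy algorithms. The peer proposal lists and the legacy-algorithm set are constructed for the example; the real Meraki side's list is not on the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumption: which algorithms get flagged is local policy; this set is constructed
# for the example and is not taken from the question.
LEGACY_ALGORITHMS = {"des", "3des", "md5", "modp768", "modp1024"}


@dataclass(frozen=True)
class Proposal:
    enc: str
    integ: Optional[str]   # None for bare "aes128" style entries
    dh: Optional[str]      # None when no DH group is given (e.g. ESP with pfs=no)

    def __str__(self) -> str:
        return "-".join(x for x in (self.enc, self.integ, self.dh) if x)


def parse_proposals(spec: str) -> Tuple[List[Proposal], bool]:
    """Parse an ike=/esp=/phase2alg= value into proposals plus its strict flag.

    A trailing "!" marks the list as strict (no built-in defaults are appended);
    it is stripped and reported. ";" (Openswan DH separator) is treated like "-".
    """
    spec = spec.strip()
    strict = spec.endswith("!")
    props: List[Proposal] = []
    for item in spec.rstrip("!").split(","):
        parts = item.strip().lower().replace(";", "-").split("-")
        if not 1 <= len(parts) <= 3 or not parts[0]:
            raise ValueError(f"cannot parse proposal {item!r}")
        enc = parts[0]
        integ = parts[1] if len(parts) > 1 else None
        dh = parts[2] if len(parts) > 2 else None
        props.append(Proposal(enc, integ, dh))
    return props, strict


def negotiate(initiator_spec: str, responder_spec: str) -> Optional[Proposal]:
    """First initiator proposal that the responder also lists.

    Models a responder accepting the earliest offered match (real daemons may
    prefer their own order); None corresponds to a NO_PROPOSAL_CHOSEN notify.
    """
    offered, _ = parse_proposals(initiator_spec)
    accepted = set(parse_proposals(responder_spec)[0])
    for p in offered:
        if p in accepted:
            return p
    return None


def legacy_algorithms(spec: str) -> Set[str]:
    """Algorithms in the list that fall into LEGACY_ALGORITHMS (defender's audit view)."""
    found: Set[str] = set()
    for p in parse_proposals(spec)[0]:
        found |= {x for x in (p.enc, p.integ, p.dh) if x in LEGACY_ALGORITHMS}
    return found


# Phase 2 list from the question's ipsec.conf
CLIENT_PHASE2 = "aes128-sha1-modp1024,3des-sha1-modp1024!"
# Constructed peer lists: one overlapping with the client, one that does not
PEER_ACCEPTS = "aes256-sha1-modp1024,aes128-sha1-modp1024"
PEER_REJECTS = "aes256-sha256-modp2048,aes128-sha256-modp2048"

if __name__ == "__main__":
    for peer in (PEER_ACCEPTS, PEER_REJECTS):
        chosen = negotiate(CLIENT_PHASE2, peer)
        print(f"peer {peer!r}: {chosen if chosen else 'NO_PROPOSAL_CHOSEN'}")
    print("legacy algorithms offered:", sorted(legacy_algorithms(CLIENT_PHASE2)))
```

Used as an offline check, the same function run over both sides' configured lists tells you before deployment whether a strict list can ever succeed, and the legacy report makes it visible when connectivity was bought by offering 3DES or MODP-1024 that the other side then happens to pick.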
2 votes • 1 answer • 1121 views
VPN server into systemd-nspawn machine
I am trying to deploy a VPN server (I chose the Openswan flavor) into a systemd-nspawn container on a Raspberry Pi running Arch Linux. For now I can log into the container and ping outside from within the container (I managed to bring Internet into it).
Here is my systemd config file for my container (override.conf):
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn \
--quiet --keep-unit --boot --link-journal=try-guest \
-D /usr/lib/machines/%I \
--machine=%I
Edit: I created an openswan.nspawn configuration and refactored the configuration in the override file. So this file looks like this:
[alarm@alarmpi ~]$ sudo cat /etc/systemd/nspawn/openswan.nspawn
[Exec]
Capability=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
[Network]
Private=yes
VirtualEthernet=yes
Port=udp:500:500
Port=udp:4500:4500
Port=udp:1701:1701
Port=tcp:500:500
Port=tcp:4500:4500
Port=tcp:80:80
My container boots correctly and the different services related to openswan are spawned correctly inside the container:
$ systemctl status systemd-nspawn@openswan.service
● systemd-nspawn@openswan.service - Container openswan
Loaded: loaded (/usr/lib/systemd/system/systemd-nspawn@.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/systemd-nspawn@openswan.service.d
└─override.conf
Active: active (running) since lun 2016-07-04 11:36:55 CEST; 1 day 1h ago
Docs: man:systemd-nspawn(1)
Main PID: 15805 (systemd-nspawn)
Status: "Container running."
CGroup: /machine.slice/systemd-nspawn@openswan.service
├─15805 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --private-network --network-veth --capability=CAP_NET_ADMIN --mach
├─init.scope
│ └─15810 /usr/lib/systemd/...
└─system.slice
├─console-getty.service
│ └─15853 /sbin/agetty --no...
├─dbus.service
│ └─15838 /usr/bin/dbus-dae...
├─openswan.service
│ ├─18417 /bin/sh /usr/lib/...
│ ├─18418 logger -s -p daem...
│ ├─18419 /bin/sh /usr/lib/...
│ ├─18420 /bin/sh /usr/lib/...
│ ├─18423 /usr/lib/openswan...
│ ├─18425 _pluto_adns ...
I set up the container with --network-veth.
>
> My question now, is how to actually like in docker "publish" those
> ports (udp 500/4500/1701) and make them available from outside the
> container?
>
> Like:
>
> Road warrior --> cloud --> Arch pi --> systemd-nspawn container --
>
> I know this would be trivial to forward traffic using iptables but
> that's not what I want.
>
> I maybe need to have a bridged setup?
Edit: using the "Port" directive, I am now able to forward traffic inside my container, great! :D
The only problem I am facing now is that pluto is crashing when dealing with the Security Association (ISAKMP) with the following message:
"L2TP-PSK-NAT" 178.50.79.197 #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488
"L2TP-PSK-NAT" 178.50.79.197 #1: ABORT at /build/openswan/src/openswan-2.6.47/programs/pluto/keys.c:488
If it rings a bell for someone, please tell me. I will look at the code when I have time.
To be continued..
Lion.24
(21 rep)
Jul 5, 2016, 01:25 PM
• Last activity: Jun 30, 2019, 04:15 PM
1 vote • 1 answer • 641 views
IPsec tunnel blocks after a while without error. Where to find details?
There is an IPsec tunnel created with OpenSwan that works perfectly well (packets go through, answers are received, etc.) until at some point in time traffic stops.
I can regenerate the tunnel by doing:
ipsec auto --down tunnelName
ipsec auto --up tunnelName
But eventually it will collapse again, sometimes after hours sometimes after days.
I am not able to find any error messages, for example in pluto.log, that indicate that the tunnel collapsed; the last lines found are the ones reporting the Quick_Mode entry.
Our side: Ubuntu 14.04.4 LTS, Linux Openswan U2.6.38/K3.13.0-91-generic (netkey)
Other side: SAP Router and unknown firewall
I tapped this using tcpdump while the tunnel was not doing its job:
10:30:53.357186 IP us.isakmp > them.isakmp: isakmp: phase 1 I ident
10:30:53.384168 IP them.isakmp > us.isakmp: isakmp: phase 1 R ident
10:30:53.384880 IP us.isakmp > them.isakmp: isakmp: phase 1 I ident
10:30:53.425034 IP them.isakmp > us.isakmp: isakmp: phase 1 R ident
10:30:53.425770 IP us.isakmp > them.isakmp: isakmp: phase 1 I ident[E]
10:30:53.451727 IP them.isakmp > us.isakmp: isakmp: phase 1 R ident[E]
10:32:01.089957 IP us > them: ESP(spi=0x6e51327d,seq=0x14b), length 100
10:32:02.089097 IP us > them: ESP(spi=0x6e51327d,seq=0x14c), length 100
The first part seems to be a successful tunnel rekey negotiation and the second part two failing requests, or not?
Netstat says that requests sent into the tunnel get no further than SYN_SENT and then time out.
Are there any other logs I could search as I am not allowed to debug the other end of the tunnel?
Björn
(158 rep)
Jul 4, 2016, 12:06 PM
• Last activity: May 20, 2017, 04:33 AM
1 vote • 0 answers • 910 views
how to forward traffic to ipsec vpn tunnel created using openswan?
I want to forward traffic to an IPsec VPN tunnel created by Openswan.
I searched the internet but I couldn't find the solution. Check below:
1- The VPN tunnel is created and its name is demo-connection-vpn.
2- I need to forward all traffic whose destination is 185.127.140.1 to the VPN tunnel.
Check my ipsec.conf file below:
config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
conn demo-connection-vpn
authby=secret
auto=start
ike=AES128-SHA1
## phase 1 ##
keyexchange=ike
aggrmode=no
ikelifetime=86400s
## phase 2 ##
phase2=esp
phase2alg=aes128
ikelifetime=86400s
compress=no
pfs=no
type=tunnel
left=208.109.152.48
leftsourceip=208.109.152.48
leftsubnet=208.109.152.48/32
right=185.127.140.32
rightsubnet=185.127.140.0/27
Abdallah Al Barmawi
(11 rep)
Dec 7, 2016, 12:37 PM
• Last activity: Dec 17, 2016, 03:21 AM
2 votes • 0 answers • 1039 views
Configuring IPSec with PSK
I'm struggling with IPSec while trying to configure to a Windows server. I need to use IPSec only in the 172.30.1.0/24 network.
Linux Settings
--------------
Running in AWS EB (4.4.15-25.57.amzn1.x86_64 GNU/Linux), I did sudo yum install openswan and put the 2 files (pay attention to the left and right parameters, as I'm not sure what to do there; I want all the traffic inside that subnet encrypted):
**/etc/ipsec.config**
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:172.30.1.0/24
plutoopts="--perpeerlog"
conn aws-vpc
authby=secret
auto=start
type=tunnel
pfs=yes
left=%any
leftsubnet=172.30.1.0/24
right=%any
rightsubnet=172.30.1.0/24
ike=aes256-sha1;modp2048
phase2=esp
phase2alg=aes256-sha1;modp2048
**/etc/ipsec.secrets**
%any %any : PSK "---long key here---"
To try it, I'm doing a PING to the Windows server and it's not working (but it does work from the other Windows server).
Windows Settings
----------------
This is configured on 2 computers and working.
Diego Jancic
(121 rep)
Oct 18, 2016, 08:45 PM
• Last activity: Oct 19, 2016, 10:50 AM
1 vote • 0 answers • 1519 views
No Traffic via established IKEv2 StrongSWAN Tunnel
I've got a problem I wasn't able to solve in the last few days. I've installed StrongSWAN on a Raspberry Pi with Raspbian (Debian GNU/Linux 7.11 (wheezy) / Linux 4.1.19-v7+ armv7l). There is also openVPN running on this Pi. The subnets are separated by VLANs (IEEE 802.1q tagged).
The intention is to connect my iPad from any location to my LAN, as I already do with my laptop via openVPN. The tunnel comes up and everything looks good, except the traffic.
At the moment the tunnel comes up, I can't access any IP anymore. (At this point I don't want to have split tunnelling.) The iPad routing table looks good:
Dest IP/Prefix   Gateway                 IFace
0.0.0.0/0        link#8                  ipsec0
0.0.0.0/0        192.168.99.1 (local Gw) en0
10.2.200.254     link#8                  ipsec0
The Router itself has no dropping chains in IPTables and no manual rules.
When I ping from the iPad I can't see any traffic from the public source IP on my firewall. There are only the keepalives (UDP/500 and UDP/4500). So to me it looks like the iPad isn't sending the payload correctly.
200.0.0.1 is the dynamic public IP of the remote client.
**/etc/ipsec.conf**
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2$
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha$
dpdaction=clear
dpddelay=300s
left=%any
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.pem
leftid="vpn.site2.example.com"
leftsendcert=always
lefthostaccess=yes
right=%any
rightdns=10.2.200.254
rightid="*@site02.example.com"
rightsourceip=10.102.1.0/24
righthostaccess=yes
conn IPSec-IKEv2
auto=add
**/var/log/syslog**
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1 to 10.2.250.2
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] received packet: from 200.0.0.1 to 10.2.250.2 (432 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] looking for an ike config for 10.2.250.2...200.0.0.1
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] candidate: %any...%any, prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] found matching ike config: %any...%any with prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] 200.0.0.1 is initiating an IKE_SA
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] IKE_SA (unnamed) state change: CREATED => CONNECTING
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] local host is behind NAT, sending keep alives
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] remote host is behind NAT
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "CN=ca.vpn.site02.example.com, ST=NDS, L=Somewhere, OU=IT, O=Example, C=DE, E=certmaster@example.com"
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] sending packet: from 10.2.250.2 to 200.0.0.1 (485 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2 to 200.0.0.1
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1 to 10.2.250.2
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] received packet: from 200.0.0.1 to 10.2.250.2 (1804 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received end entity cert "C=DE, O=Example, CN=JohnDoe@site2.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for peer configs matching 10.2.250.2[vpn.site02.example.com]...200.0.0.1[JohnDoe@site2.example.com]
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] candidate "IPSec-IKEv2", match: 20/19/28 (me/other/ike)
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected peer config 'IPSec-IKEv2'
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] using certificate "C=DE, O=Example, CN=JohnDoe@site2.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate "C=DE, O=Example, CN=JohnDoe@site2.example.com" key: 2048 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] using trusted ca certificate "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] checking certificate status of "C=DE, O=Example, CN=JohnDoe@site2.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] ocsp check skipped, no ocsp found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate status is not available
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate "C=DE, O=Example, CN=Example IPSec CA" key: 4096 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] reached self-signed root ca with a path length of 0
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of 'JohnDoe@site2.example.com' with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_NETMASK attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer supports MOBIKE
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of 'vpn.site02.example.com' (myself) with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2 established between 10.2.250.2[vpn.site02.example.com]...200.0.0.1[JohnDoe@site2.example.com]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2 state change: CONNECTING => ESTABLISHED
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] scheduling reauthentication in 9849s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] maximum IKE_SA lifetime 10389s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] sending end entity cert "C=DE, O=Example, CN=vpn.site02.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] reassigning offline lease to 'JohnDoe@site2.example.com'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] assigning virtual IP 10.102.1.1 to peer 'JohnDoe@site2.example.com'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any6
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] no virtual IP found for %any6 requested by 'JohnDoe@site2.example.com'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] building INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] 0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] candidate "IPSec-IKEv2" with prio 10+2
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] found matching child config "IPSec-IKEv2" with prio 12
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 0.0.0.0/0, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 10.102.1.1/32, received: 0.0.0.0/0 => match: 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 10.102.1.1/32, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] CHILD_SA IPSec-IKEv2{2} established with SPIs cfc7c697_i 09e87caf_o and TS 0.0.0.0/0 === 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] sending packet: from 10.2.250.2 to 200.0.0.1 (1772 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2 to 200.0.0.1
**iptables-save**
# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*nat
:PREROUTING ACCEPT [333:25621]
:INPUT ACCEPT [104:10720]
:OUTPUT ACCEPT [1264:104724]
:POSTROUTING ACCEPT [1493:119625]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016
# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*filter
:INPUT ACCEPT [22151:4547969]
:FORWARD ACCEPT [7303:2080414]
:OUTPUT ACCEPT [22707:4537290]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016
**ifconfig**
eth0 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.0.254 Bcast:10.2.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:507930 errors:0 dropped:0 overruns:0 frame:0
TX packets:510583 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:436916075 (416.6 MiB) TX bytes:448900377 (428.1 MiB)
eth0.10 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.10.254 Bcast:10.2.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1818 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:497281 (485.6 KiB)
eth0.11 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.11.254 Bcast:10.2.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5857 errors:0 dropped:0 overruns:0 frame:0
TX packets:4833 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1402095 (1.3 MiB) TX bytes:760454 (742.6 KiB)
eth0.20 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.20.254 Bcast:10.2.20.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:472837 (461.7 KiB)
eth0.51 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.51.254 Bcast:10.2.51.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:36720 (35.8 KiB)
eth0.100 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.100.254 Bcast:10.2.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:180916 errors:0 dropped:0 overruns:0 frame:0
TX packets:277135 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:52955753 (50.5 MiB) TX bytes:368243511 (351.1 MiB)
eth0.110 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.110.254 Bcast:10.2.110.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:507 errors:0 dropped:0 overruns:0 frame:0
TX packets:1713 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:92936 (90.7 KiB) TX bytes:526225 (513.8 KiB)
eth0.150 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.150.254 Bcast:10.2.150.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0.200 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.200.254 Bcast:10.2.200.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4945 errors:0 dropped:0 overruns:0 frame:0
TX packets:6059 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:596764 (582.7 KiB) TX bytes:2019159 (1.9 MiB)
eth0.2500 Link encap:Ethernet HWaddr 11:22:33:44:55:66
inet addr:10.2.250.2 Bcast:10.2.250.3 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:313144 errors:0 dropped:0 overruns:0 frame:0
TX packets:217317 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:379718967 (362.1 MiB) TX bytes:70217194 (66.9 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:27589 errors:0 dropped:0 overruns:0 frame:0
TX packets:27589 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3368330 (3.2 MiB) TX bytes:3368330 (3.2 MiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.100.12.2 P-t-P:10.100.12.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:19147 errors:0 dropped:0 overruns:0 frame:0
TX packets:19569 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3915884 (3.7 MiB) TX bytes:2446854 (2.3 MiB)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.102.0.1 P-t-P:10.102.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:11134 errors:0 dropped:0 overruns:0 frame:0
TX packets:11398 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2738720 (2.6 MiB) TX bytes:7083263 (6.7 MiB)
Any ideas?
*EDIT 14.10.2016 10:37 CEST:*
**Relevant part of iPMC.mobileconfig**
VPN payload:
  PayloadDescription: VPN-Setup for site2.example.com_IPSec
  PayloadDisplayName: VPN-Config site2.example.com_IPSec
  PayloadIdentifier: com.example.admin.JohnDoe.vpn.2.config
  PayloadType: com.apple.vpn.managed
  PayloadUUID: 87c9ece2-3e6b-56a4-8bed-2f4cba277d93
  PayloadVersion: 1
  UserDefinedName: site2.example.com_IPSec
  VPNType: IKEv2
  IKEv2:
    AuthenticationMethod: Certificate
    PayloadCertificateUUID: 7d35ed5d-5f97-55c8-b668-254fe57e26d4
    RemoteAddress: vpn.site2.example.com
    RemoteIdentifier: vpn.site2.example.com
    LocalIdentifier: JohnDoe@site2.example.com
    AuthenticationMethod: Certificate
    ExtendedAuthEnabled: 0
    PayloadCertificateUUID: 7d35ed5d-5f97-55c8-b668-254fe57e26d4
    OnDemandEnabled: 0
    IKESecurityAssociationParameters:
      EncryptionAlgorithm: AES-128
      IntegrityAlgorithm: SHA1-96
      DiffieHellmanGroup: 14
    ChildSecurityAssociationParameters:
      EncryptionAlgorithm: AES-128
      IntegrityAlgorithm: SHA1-96
      DiffieHellmanGroup: 14
  IPv4:
    OverridePrimary: 1

CA certificate payload:
  PayloadDisplayName: VPN-CA-Certificate
  PayloadDescription: Setup of a VPN-CA-Certificate
  PayloadIdentifier: com.example.admin.JohnDoe.vpn.2.cacertificate
  PayloadType: com.apple.security.root
  PayloadUUID: 0b541041-c649-5563-adf9-2d56ed801ad3
  PayloadVersion: 1
  PayloadCertificateFileName: vpn_2_ca.crt
  PayloadContent:
    XX0xXX0XXXxXXxXXXXXXXXXXX0XXXX0xXX0xXx0XXXXXXXXXXXx0
    X0X0XXXXX0xXXxxXx0XxXX0XX0X0XXXXXxxxXxxxxxXXXXXXXxXX
    XXxXXXXXXXXxX0XxXXXXXxxXX0XXXXxXxxXXXxxXXxXXx0XXx0xx
    [... cut away ...]
    x0xXXXx0xXXXxXxXxXxXXXxXXxx0xXXxXx0XXxXXXXXxXxxXxXXx
    XXXXXXx0X0X0xXx0x0XXXxXXXxX0XXXxXxxxXXxxxXxXXxx0XX0X
    XxXxXxxxxX0XXXXXXXXXx0xXXXX0X0XxXxX0Xx0xXX0xXX0XXXXX
    XxXXXxxXXXXXXX0xXX0X

Client certificate payload:
  PayloadDisplayName: VPN-Client-Certificate
  PayloadDescription: Setup of a Client-Certificate
  PayloadIdentifier: com.example.admin.JohnDoe.vpn.2.certificate
  PayloadType: com.apple.security.pkcs12
  PayloadUUID: 7d35ed5d-5f97-55c8-b668-254fe57e26d4
  PayloadVersion: 1
  PayloadCertificateFileName: vpn_2.p12
  Password: veryverylongandcomplexpassword;-)
  PayloadContent:
    YYYYyYYYYyYYYYYYYYyYYYy8YYYYYyYYYYYYyyY/YYYYyyYYYyyY
    YYyYYYy8YYYYYyYYYyyyyyyyYyYYYYYY8YYYYyYYyyyYYYyYYYyY
    YyyYYYy8YYYYYYYyYyYYyyyYYYYYYyYYYyyYyYYYyYYYYy+8yYy8
    [... cut away ...]
    YYyy8YYyyYyY8yYYYyyyYYy8yyY8YYyYYYyYYYy8YYYYYYYyYyyY
    YyYyYY8YYyYyYYYYYyYYYY8YYYYYYYYYyyY8YYyYYyYyYYYYYYY8
    YYYyYYYyYYyYYYyYYyYyYYYYYYyyYYy//Yy8yYYY8/8Y8y88yYY/
    YYy8y8YyyYY8yYYYYYY=

Skjall
(11 rep)
Oct 13, 2016, 01:44 PM
• Last activity: Oct 17, 2016, 08:27 AM
2
votes
0
answers
4021
views
CentOS IPsec: We cannot identify ourselves with either end of this connection
I have a problem with IPsec on CentOS.
While adding a connection using
ipsec auto --add cx
it gives
multiple ip addresses, using 127.0.0.1 on venet0
On using
ipsec auto --up cx
I get: We cannot identify ourselves with either end of this connection.
ip addr output:
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: venet0: mtu 1500 qdisc noqueue state UNKNOWN
link/void
inet 127.0.0.1/32 scope host venet0
inet /32 brd scope global venet0:0
ipsec.conf
## general configuration parameters ##
config setup
plutodebug=none
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
## disable opportunistic encryption in Red Hat ##
oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Red Hat ##
conn mazeed
authby=secret
auto=start
ike=aes256-sha
auth=esp
## phase 1 ##
keyexchange=ike
## phase 2 ##
#phase2=esp
#phase2alg=aes256-sha
compress=no
pfs=yes
type=tunnel
left=
leftsubnet=192.168.30.10/24
leftnexthop=%defaultroute
right=
rightsubnet=172.16.198.29/24
EDIT:
Ipsec Verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan U3.12/K(no kernel code presently loaded) on 2.6.32-46-pve
Checking for IPsec support in kernel [FAILED]
The ipsec service should be started before running 'ipsec verify'
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
However, all ports are open in the firewall.
Akshit
(21 rep)
Oct 4, 2016, 02:49 PM
• Last activity: Oct 4, 2016, 03:18 PM
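As an added example (not the poster's code, not libreswan's), a diagnostic that reproduces pluto's orientation check offline: it parses ipsec.conf text and `ip -o -4 addr` output and reports when neither left= nor right= is an address of this host, which is the condition behind "We cannot identify ourselves with either end of this connection". The interface listing is constructed to mirror the post (only 127.0.0.1 on lo and venet0), and the redacted left/right values are filled in with RFC 5737 documentation addresses purely as assumptions. It also flags leftsubnet/rightsubnet values that are written as host addresses rather than networks.

```python
"""Explain libreswan's "cannot identify ourselves" from ipsec.conf and the host's addresses."""
import ipaddress
import re

# Constructed `ip -o -4 addr` output mirroring the post: both interfaces carry only 127.0.0.1.
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: venet0    inet 127.0.0.1/32 scope host venet0
"""

# The post's conn; the redacted left/right are filled with RFC 5737 documentation
# addresses as an assumption of this example.
IPSEC_CONF = """\
conn mazeed
    authby=secret
    auto=start
    ike=aes256-sha
    type=tunnel
    left=203.0.113.10
    leftsubnet=192.168.30.10/24
    leftnexthop=%defaultroute
    right=198.51.100.20
    rightsubnet=172.16.198.29/24
"""


def local_addresses(ip_addr_output):
    """IPv4 addresses configured on the host, taken from `ip -o -4 addr` output."""
    return set(re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)/", ip_addr_output))


def parse_conns(conf):
    """Map conn name -> {option: value} for every `conn` section in ipsec.conf text."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def orient(conn, local):
    """Which end of the conn is this host: 'left', 'right', or None (pluto cannot orient)."""
    for side in ("left", "right"):
        value = conn.get(side, "")
        if value == "%defaultroute" or value in local:
            return side
    return None


def subnet_findings(conn):
    """Report *subnet values whose host bits are set (a host address where a network belongs)."""
    out = []
    for side in ("leftsubnet", "rightsubnet"):
        value = conn.get(side)
        if not value or "/" not in value:
            continue
        net = ipaddress.ip_network(value, strict=False)
        if str(net) != value:
            out.append(f"{side}={value} has host bits set; the network is {net}")
    return out


def diagnose(conf, ip_addr_output):
    """All findings for every conn, as human-readable strings."""
    local = local_addresses(ip_addr_output)
    findings = []
    for name, conn in parse_conns(conf).items():
        for side in ("left", "right"):
            if not conn.get(side):
                findings.append(f"conn {name}: {side}= is empty")
        if orient(conn, local) is None:
            findings.append(
                f"conn {name}: neither left={conn.get('left')} nor right={conn.get('right')} "
                f"is a local address (host has {sorted(local)}); pluto will say "
                f"\"We cannot identify ourselves with either end of this connection\"")
        findings.extend(f"conn {name}: {msg}" for msg in subnet_findings(conn))
    return findings
```

With the constructed input the only local address is 127.0.0.1, so orientation fails for the conn; add an eth0 line carrying the left address and the same conn orients as left. Running the same check on the real box (`diagnose(open('/etc/ipsec.conf').read(), subprocess.check_output(['ip', '-o', '-4', 'addr']).decode())`) tells you whether the problem is the conn or the container's addressing.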
2
votes
0
answers
822
views
How to set the remote host to a domain name with dynamic IP in *swan client?
I am now setting up a VPN client for my university's own L2TP/IPSec VPN network, using openswan, libreswan and strongswan (for different distros).
Here is the problem:
The remote site (the VPN server) is a domain name (say xxx.com) with multiple IP addresses (say 123.123.123.100-123.123.123.103).
In this case, how should I set up the conn part?
I have tried something like:
conn university
...
left=%defaultroute
right=xxx.com
...
auto=route
This does not seem to work: when *swan starts, it resolves xxx.com and sets up the route for the IP returned by the DNS request (say 123.123.123.100). Then when I make a connection to xxx.com, it may resolve the domain again and get a different IP (say 123.123.123.101), and the connection will not go through *swan.
I have also tried the rightsubnet option, but I don't know what the right option should be. If I just use %any, *swan gives an error like "No route to destination" (something like that, I cannot remember) and refuses to add the conn.
Now my workaround is:
conn university0
right=123.123.123.100
also=university
auto=route
conn university1
right=123.123.123.101
also=university
auto=route
conn university2
right=123.123.123.102
also=university
auto=route
conn university3
right=123.123.123.103
also=university
auto=route
conn university4
right=123.123.123.104
also=university
auto=route
conn university
left=%defaultroute
...
...which works, but seems ugly and non-scalable.
In the past, when I used racoon, I could use the setkey command to modify the SPD directly, so I could set policies for the corresponding IPs directly.
I think this case is common and there will be a solution designed for it in *swan. Can anyone help?
nnkken
(21 rep)
Nov 11, 2014, 05:34 PM
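An added example, not from the post: the per-address conns above protect only the addresses that were pinned when the file was written; a destination the name later resolves to has no policy and its traffic leaves the host in the clear. This script takes a configuration in that style plus the set of addresses the name currently resolves to (constructed here; resolve_all() shows the real lookup, which the offline sample does not call), lists the resolved addresses no conn covers, and renders the missing stanzas in the same also=/auto=route form.

```python
"""Detect DNS drift for a *swan setup that pins one conn per server address."""
import re
import socket

# The post's workaround, one conn per resolved address, as a constructed sample.
IPSEC_CONF = """\
conn university0
    right=123.123.123.100
    also=university
    auto=route
conn university1
    right=123.123.123.101
    also=university
    auto=route
conn university2
    right=123.123.123.102
    also=university
    auto=route
conn university
    left=%defaultroute
"""

# What the server name resolves to right now (constructed; see resolve_all for a real lookup).
RESOLVED_NOW = ["123.123.123.100", "123.123.123.101", "123.123.123.103", "123.123.123.104"]


def resolve_all(host):
    """Every IPv4 address behind `host` (real DNS lookup; not used by the offline sample)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})


def pinned_peers(conf):
    """right= values that are literal IPv4 addresses, i.e. the peers a policy exists for."""
    return set(re.findall(r"^\s*right=(\d+\.\d+\.\d+\.\d+)\s*$", conf, re.M))


def unprotected_peers(conf, resolved):
    """Resolved addresses with no conn: traffic to them bypasses *swan entirely."""
    missing = set(resolved) - pinned_peers(conf)
    return sorted(missing, key=lambda ip: tuple(map(int, ip.split("."))))


def next_index(conf, base):
    """First free numeric suffix for `conn <base><n>` stanzas."""
    nums = [int(n) for n in re.findall(rf"^conn {re.escape(base)}(\d+)\s*$", conf, re.M)]
    return max(nums) + 1 if nums else 0


def render_missing(conf, resolved, base="university"):
    """Emit conn stanzas, in the post's own style, for every resolved address not yet pinned."""
    start = next_index(conf, base)
    return "".join(
        f"conn {base}{i}\n    right={ip}\n    also={base}\n    auto=route\n"
        for i, ip in enumerate(unprotected_peers(conf, resolved), start))
```

Run `unprotected_peers(IPSEC_CONF, RESOLVED_NOW)` and the two new addresses (.103 and .104) come back; `render_missing` produces the university3/university4 stanzas to append, after which the check returns nothing. In practice you would feed it `resolve_all("xxx.com")` from cron and alert rather than silently append, since a new address appearing in DNS is also exactly what a hijacked record looks like.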
1
votes
0
answers
848
views
Connect to IPsec VPN using OpenSwan
I'm connected to the Internet through a simple ADSL router with NAT. I have a smartphone and a laptop running Linux.
I need to connect to an IPsec server using OpenSwan. First I tested that it is possible to connect at all: I entered the connection info into the smartphone and the connection was established through the router. So the router is not the problem. Then I started connecting from my Linux laptop:
# ipsec auto --up witopia
104 "witopia" #1: STATE_MAIN_I1: initiate
010 "witopia" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "witopia" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "witopia" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
...
My configuration file /etc/ipsec.d/witopia.conf:
conn witopia
left=%defaultroute
leftid=@witopia
leftmodecfgclient=yes
leftxauthclient=yes
leftxauthusername=W\johnsmith@gmail.com
right=ipsec.sanfrancisco.witopia.net
rightxauthserver=yes
rightmodecfgserver=yes
authby=secret
auto=add
What could be wrong here?
Anthony Ananich
(7492 rep)
Oct 25, 2014, 07:21 PM