Re: [j-nsp] VPN tunnel between OpenSwan and SRX220
Hi Laurent.

Is your ultimate goal to get the GRE running over IPSEC, or just a vanilla IPSEC tunnel? Your configuration will need to change either way:

If you want GRE over IPSEC:

You need to remove the /32 on the st0.0 interface and the Openswan rightsourceip and make them a contiguous subnet, eg:

    172.31.254.41/30 on the Juniper side
    172.31.254.42/30 on the Openswan side

Now adjust your GRE configuration to use these addresses for source and destination on both ends.

Now adjust your remote proxy-id on the SRX and leftsubnet on Openswan to match (just the IPs, leave the mask as /32). The logic behind this is that you will only encrypt traffic between 172.31.254.41/32 and 172.31.254.42/32, which will be your GRE tunnelled traffic (all other traffic will be wrapped up inside this GRE).

As an aside - the last time I checked, the SRX seemed to only use the Proxy-ID to negotiate the tunnel and then promptly ignored it and allowed you to send and receive whatever traffic your routes and policy allowed.

If you're just trying to do vanilla IPSEC tunnels:

Again, change the /32s on the st0.0 and Openswan rightsourceip:

    172.31.254.41/30 on the Juniper side (or leave it unnumbered)
    172.31.254.42/30 on the Openswan side

Now on the SRX change your proxy-id local to 192.168.123.0/24 and remote to whatever is sitting behind the Openswan box (eg: leftsubnet).

On Openswan, change the right-subnet to 192.168.123.0/24 and left-subnet to whatever you're trying to tunnel across (or leave it as-is if it's just this host, or you're source-natting).

Once you've got this in place and st0.0 comes up, you'll just need to point static routes on the SRX side to st0.0 or the Openswan next-hop (172.31.254.42) and vice-versa.

If it's still not working, send through the output of:

    show security ipsec security-associations

Cheers,
Ben

On 07/08/2013, at 1:55 AM, Laurent CARON wrote:
> Hi,
>
> I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.
> [...]
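As an added example (not code from the thread), this Python script cross-checks the SRX and Openswan fragments Laurent posted against the three points in Ben's reply: the proxy-IDs must mirror each other, st0.0 and the Openswan tunnel address should share one subnet, and the GRE endpoints must sit inside the selectors. The config fragments are constructed from the thread; SRX_GRE_FIX and SWAN_GRE_FIX apply Ben's suggested /30 addresses so the check can be seen passing.

```python
import ipaddress
import re

# Constructed sample input: the tunnel-relevant subset of the SRX config posted in the thread.
SRX_AS_POSTED = """
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
set interfaces st0 unit 0 family inet address 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
"""

# Constructed sample input: the relevant lines of the Openswan conn posted in the thread.
SWAN_AS_POSTED = """
conn rtr-siege-001_TO_jun-noi-001
    left=192.168.0.18
    leftsubnet=172.31.254.27/32
    leftsourceip=172.31.254.27
    right=192.168.0.120
    rightsubnet=172.31.254.41/32
    rightsourceip=172.31.254.41
"""

# Ben's GRE-over-IPsec layout applied to the same fragments: st0.0 becomes a /30 and the
# Openswan end (GRE destination, remote proxy-id, leftsubnet, leftsourceip) moves to .42.
SRX_GRE_FIX = (SRX_AS_POSTED.replace("172.31.254.41/32", "172.31.254.41/30", 1)
               .replace("172.31.254.27", "172.31.254.42"))
SWAN_GRE_FIX = SWAN_AS_POSTED.replace("172.31.254.27", "172.31.254.42")
SRX_PATTERNS = {
    "gre_src": r"set interfaces gr-\S+ unit \d+ tunnel source (\S+)",
    "gre_dst": r"set interfaces gr-\S+ unit \d+ tunnel destination (\S+)",
    "st0": r"set interfaces st0 unit \d+ family inet address (\S+)",
    "proxy_local": r"set security ipsec vpn \S+ ike proxy-identity local (\S+)",
    "proxy_remote": r"set security ipsec vpn \S+ ike proxy-identity remote (\S+)",
}


def parse_srx(text):
    """Pull the tunnel-relevant values out of JunOS 'set' lines."""
    found = {}
    for line in text.splitlines():
        for key, pattern in SRX_PATTERNS.items():
            match = re.match(pattern, line.strip())
            if match:
                found[key] = match.group(1)
    return found


def parse_openswan(text):
    """Read the key=value lines of one ipsec.conf conn block."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def check_tunnel(srx_text, swan_text):
    """Return a list of findings; an empty list means both ends agree."""
    srx, swan = parse_srx(srx_text), parse_openswan(swan_text)
    net = lambda cidr: ipaddress.ip_network(cidr, strict=False)
    local, remote = net(srx["proxy_local"]), net(srx["proxy_remote"])
    findings = []
    # 1. Proxy-IDs must mirror: the SRX is 'right' in this conn, so local==rightsubnet, remote==leftsubnet.
    if local != net(swan["rightsubnet"]) or remote != net(swan["leftsubnet"]):
        findings.append("proxy-id mismatch: SRX local/remote vs Openswan rightsubnet/leftsubnet")
    # 2. st0.0 and the Openswan tunnel address should share one subnet (the /30 advice).
    st0 = ipaddress.ip_interface(srx["st0"])
    if ipaddress.ip_address(swan["leftsourceip"]) not in st0.network:
        findings.append(f"st0.0 {st0} and leftsourceip {swan['leftsourceip']} share no subnet")
    # 3. GRE endpoints must sit inside the selectors, or the GRE traffic is never encrypted.
    if "gre_src" in srx and (ipaddress.ip_address(srx["gre_src"]) not in local
                             or ipaddress.ip_address(srx["gre_dst"]) not in remote):
        findings.append("GRE tunnel endpoints fall outside the proxy-ids")
    return findings
```

Run against the posted fragments the only finding is the /32-on-/32 tunnel addressing Ben calls out; with the /30 layout applied the check returns nothing.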
Re: [j-nsp] VPN tunnel between OpenSwan and SRX220
Any resolve?

On Aug 6, 2013 10:34 AM, "Laurent CARON" wrote:
> Hi,
>
> I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.
> [...]
Re: [j-nsp] VPN tunnel between OpenSwan and SRX220
Try turning up your IKE debug on the SRX to help expose more:

    >request security ike debug-enable local remote level 15

On Tue, Aug 6, 2013 at 9:55 AM, Laurent CARON wrote:
> Hi,
>
> I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.
> [...]
Re: [j-nsp] VPN tunnel between OpenSwan and SRX220
That's a confusing config. Why do you need GRE interfaces?

I have numerous VPNs running between SRX boxes and OpenSwan. I use policy based VPNs all the time; they seem to work better with OpenSwan. Maybe give that a try.

-Original Message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Laurent CARON
Sent: Wednesday, 7 August 2013 1:55 AM
To: juniper-nsp
Subject: [j-nsp] VPN tunnel between OpenSwan and SRX220

Hi,

I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.

[...]
[j-nsp] VPN tunnel between OpenSwan and SRX220
Hi,

I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.

SRX is:
Model: srx220h
JUNOS Software Release [12.1X44-D20.3]

OpenSwan: 2.6.37

Both are currently hooked on a test LAN.

192.168.0.18 = openswan box on lan
192.168.0.120 = juniper box on lan

172.31.254.41 = ipsec on juniper box
172.31.254.27 = ipsec on openswan box

172.31.255.27 = loopback on juniper box

Not relevant for now:
10.254.2.33 = gre tunnel on openswan side
10.254.2.34 = gre tunnel on juniper side

Here is the config on the Juniper side:

set interfaces ge-0/0/0 mtu 1514
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.120/24

set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
set interfaces gr-0/0/0 unit 0 family inet address 10.254.2.34/32

set interfaces lo0 unit 0 family inet address 172.31.255.41/32

set interfaces st0 unit 0 family inet address 172.31.254.41/32

set interfaces vlan unit 0 family inet address 192.168.123.1/24

set routing-options static route 172.31.254.27/32 next-hop st0.0

set security ike traceoptions file vpn-debug-ike
set security ike traceoptions flag all

set security ike proposal ike_aes_128 authentication-method pre-shared-keys
set security ike proposal ike_aes_128 dh-group group2
set security ike proposal ike_aes_128 authentication-algorithm sha1
set security ike proposal ike_aes_128 encryption-algorithm 3des-cbc
set security ike proposal ike_aes_128 lifetime-seconds 3600

set security ike policy phase1_aes_128 mode main
set security ike policy phase1_aes_128 proposals ike_aes_128
set security ike policy phase1_aes_128 pre-shared-key ascii-text "pwd"

set security ike gateway RTR-SIEGE-001 ike-policy phase1_aes_128
set security ike gateway RTR-SIEGE-001 address 192.168.0.18
set security ike gateway RTR-SIEGE-001 no-nat-traversal
set security ike gateway RTR-SIEGE-001 external-interface ge-0/0/0.0

set security ipsec proposal ipsec_aes_128 protocol esp
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_aes_128 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_aes_128 lifetime-seconds 3600

set security ipsec policy phase2_aes_128 proposals ipsec_aes_128

set security ipsec vpn VPN_TO_SIEGE-001 bind-interface st0.0
set security ipsec vpn VPN_TO_SIEGE-001 ike gateway RTR-SIEGE-001
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity service any
set security ipsec vpn VPN_TO_SIEGE-001 ike ipsec-policy phase2_aes_128
set security ipsec vpn VPN_TO_SIEGE-001 establish-tunnels immediately

set security flow traceoptions file vpn-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops

set security flow tcp-mss ipsec-vpn mss 1412

Here is the config on the OpenSwan side:

conn rtr-siege-001_TO_jun-noi-001
    left=192.168.0.18
    leftsubnet=172.31.254.27/32
    leftsourceip=172.31.254.27
    right=192.168.0.120
    rightsubnet=172.31.254.41/32
    rightsourceip=172.31.254.41
    ike=3des-sha1
    auth=esp
    keyingtries=0
    keyexchange=ike
    authby=secret
    compress=no
    auto=start
    pfs=no
    mtu=1412

The connection establishes fine but drops 10 seconds after and is renegotiated, then drops again, endlessly.

I do have those logs on the openswan side:

Aug 6 17:42:42 rtr-siege-001 pluto[28569]: added connection description "rtr-siege-001_TO_jun-noi-001"
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: initiating Main Mode
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: received Vendor ID payload [Dead Peer Detection]
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c600050500]
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_