Thanks for your help, Paul. I switched the type to tunnel but that didn't
help. It just hangs now. Here's the output of ipsec auto --up:

002 "ner" #22: initiating Main Mode
104 "ner" #22: STATE_MAIN_I1: initiate
003 "ner" #22: received Vendor ID payload [RFC 3947]
003 "ner" #22: received Vendor ID payload [Dead Peer Detection]
002 "ner" #22: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "ner" #22: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "ner" #22: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ner" #22: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
002 "ner" #22: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "ner" #22: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ner" #22: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.21'
002 "ner" #22: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "ner" #22: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
002 "ner" #22: Dead Peer Detection (RFC 3706): enabled
002 "ner" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#22 msgid:61187bd5 proposal=defaults pfsgroup=no-pfs}
117 "ner" #23: STATE_QUICK_I1: initiate
010 "ner" #23: STATE_QUICK_I1: retransmission; will wait 10s for response
010 "ner" #23: STATE_QUICK_I1: retransmission; will wait 20s for response


On Sun, Jan 11, 2015 at 9:00 AM, Paul Wouters <[email protected]> wrote:

> On Sun, 11 Jan 2015, Ali Gangji wrote:
>
>  ipsec.conf connection config:
>>
>>         type=transport
>>         pfs=no
>>         keyingtries=0
>>         left=192.168.1.102
>>         leftsubnet=192.168.1.0/24
>>         right=XXX.dyndns.org
>>         rightid=192.168.0.X
>>         rightsubnet=192.168.0.0/24
>>
>
> wait, you must use type=tunnel if you have subnets.
>
> Paul
>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
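
Added example, not part of the original thread or of libreswan: a small check that scans ipsec.conf text for connections that set type=transport while also declaring subnets, the combination Paul points out above. The sample file is constructed (the "ner" conn mirrors the options quoted in the thread; "host-to-host" and the %default contents are made up), and the parser assumes plain conn sections without also= or include handling.

```python
# Added example: flag conns that combine type=transport with subnet options.
SAMPLE_CONF = """\
# constructed sample; the "ner" conn mirrors the options quoted in the thread
conn %default
        keyingtries=0

conn ner
        type=transport
        pfs=no
        left=192.168.1.102
        leftsubnet=192.168.1.0/24
        right=XXX.dyndns.org
        rightid=192.168.0.X
        rightsubnet=192.168.0.0/24

conn host-to-host
        type=transport
        left=192.0.2.1
        right=192.0.2.2
"""
SUBNET_KEYS = ("leftsubnet", "rightsubnet", "leftsubnets", "rightsubnets")

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf text."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue                      # blank line or whole-line comment
        if not line[0].isspace():         # section header starts at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def transport_with_subnets(text):
    """List (conn, subnet options) where transport mode is given subnets."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})  # options inherited by every conn
    findings = []
    for name, opts in conns.items():
        merged = {**defaults, **opts}
        subnets = sorted(k for k in merged if k in SUBNET_KEYS)
        if merged.get("type") == "transport" and subnets:
            findings.append((name, subnets))
    return findings

if __name__ == "__main__":
    for name, subnets in transport_with_subnets(SAMPLE_CONF):
        print(f"conn {name}: type=transport with {', '.join(subnets)}; use type=tunnel")
```
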
