<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Dear T.J Yang,<br>
      <br>
      At first glance, my Web site is up and accessible. Time is now
      19:52 French time and the last access to my
      <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/tima/">http://vouters.dyndns.org/tima/</a> Web directory is at 19:36:09 as
      per what Apache tells me.<br>
      <pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
      On 08/03/2013 18:18, T.J. Yang wrote:<br>
    </div>
    <blockquote
cite="mid:CAD2GW8odtNGM250-=BzkFM8Ccwp2AA6YjeJvoepWOFRNOZs++A@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thanks Philippe,
        <div><br>
        </div>
        <div>Looking forward to seeing that URL. Are you sure your&nbsp;<a
            moz-do-not-send="true" href="http://vouters.dyndns.org/"
            target="_blank" style="white-space:pre-wrap">http://vouters.dyndns.org/</a>&nbsp;is
          up?</div>
        <div><br>
        </div>
        <div>
          <div><br>
          </div>
          <div style="">tj</div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Fri, Mar 8, 2013 at 10:50 AM,
          Philippe Vouters <span dir="ltr">&lt;<a
              moz-do-not-send="true"
              href="mailto:philippe.vouters@laposte.net" target="_blank">philippe.vouters@laposte.net</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Hi,<br>
                <br>
                Have a look at <a moz-do-not-send="true"
href="http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html"
                  target="_blank">http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven.html</a>
                and its '#ipsec auto --status' command. Do consider how
                Philippe_PSK and FIXED_RIGHT_IP conns are retrieved.<br>
                <br>
                On your side and even if not connected to the Cisco
                remote peer, the '#ipsec auto --status' should show up
                centos6-asa-net-net.<br>
                Yours truly,
                <div class="im"><br>
                  <pre cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" href="http://vouters.dyndns.org/" target="_blank">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" href="mailto:sip:Vouters@sip.linphone.org" target="_blank">sip:Vouters@sip.linphone.org</a></pre>
                </div>
                On 08/03/2013 17:24, T.J. Yang wrote:<br>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">
                      <div>1. &nbsp;new /etc/ipsec.conf with tabs, no pound
                        signs, public ip masked.</div>
                      <div>
                        <div>version 2.0</div>
                        <div>config setup</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; plutodebug="control parsing"</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; plutostderrlog=/var/log/ipsec.log</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; protostack=netkey</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; nat_traversal=yes</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; virtual_private=</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; oe=no</div>
                        <div>conn centos6-asa-net-net</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; keyingtries=3</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; authby=secret</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; left=x.x.x..5</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsubnet=192.168.50.0/24</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; leftsourceip=192.168.50.254</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; right=x.x.x..4</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; rightsubnet=192.168.40.0/24</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; rightsourceip=192.168.40.254</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; auto=start</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; keyexchange=ike</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; type=tunnel</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; pfs=no</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; phase2=esp</div>
                        <div>&nbsp; &nbsp; &nbsp; &nbsp; phase2alg=3des-sha1</div>
                        <div><br>
                        </div>
                      </div>
                      <div>2. &nbsp;/etc/ipsec.d/psk.secrets, with
                        ip,password masked.&nbsp;</div>
                      <div><br>
                      </div>
                      <div>
                        <div>[root@mlab-centos6-01 ipsec.d]# cat
                          /etc/ipsec.d/psk.secrets</div>
                        <div>x.x.x.3 &nbsp;x.x.x.5: PSK "MyPassword"</div>
                        <div>x.x.x..5 x.x.x.4: PSK "MyPassword"</div>
                        <div>[root@mlab-centos6-01 ipsec.d]#</div>
                        <div><br>
                        </div>
                        <div>3. here is ipsec.log after running libreswan
                          3.0 ipsec command.</div>
                        <div><br>
                        </div>
                      </div>
                      <div> <br>
                      </div>
                      <div>
                        <div>[root@mlab-centos6-01 ipsec.d]# ipsec setup
                          stop;sleep 2;&gt;/var/log/ipsec.lo\</div>
                        <div>g;ipsec setup start;sleep 2;tail
                          /var/log/ipsec.log</div>
                        <div>Redirecting to: service ipsec stop</div>
                        <div>Shutting down pluto IKE daemon</div>
                        <div>002 shutting down</div>
                        <div><br>
                        </div>
                        <div>Redirecting to: service ipsec start</div>
                        <div>Starting pluto IKE daemon for IPsec:
                          [ &nbsp;OK &nbsp;]</div>
                        <div>listening for IKE messages</div>
                        <div>adding interface em1/em1 192.168.50.254:500</div>
                        <div>adding interface em1/em1 192.168.50.254:4500</div>
                        <div>adding interface em1/em1 x.x.x.5:500</div>
                        <div>adding interface em1/em1 x.x.x.5:4500</div>
                        <div>adding interface lo/lo 127.0.0.1:500</div>
                        <div>adding interface lo/lo 127.0.0.1:4500</div>
                        <div>adding interface lo/lo ::1:500</div>
                        <div>loading secrets from "/etc/ipsec.secrets"</div>
                        <div>loading secrets from
                          "/etc/ipsec.d/psk.secrets"</div>
                        <div>[root@mlab-centos6-01 ipsec.d]#</div>
                      </div>
                      <div><br>
                      </div>
                      <div>4. No traffic on Cisco ASDM latest syslog
                        message window.</div>
                      <div><br>
                      </div>
                      <div>5. output from ipsec status command</div>
                      <div> <br>
                      </div>
                      <div>
                        <div>[root@mlab-centos6-01 ~]# ipsec status</div>
                        <div>000 using kernel interface: netkey</div>
                        <div>000 interface lo/lo ::1</div>
                        <div>000 interface lo/lo 127.0.0.1</div>
                        <div>000 interface lo/lo 127.0.0.1</div>
                        <div>000 interface em1/em1 x.x.x.5</div>
                        <div>000 interface em1/em1 x.x.x.5</div>
                        <div>000 interface em1/em1 192.168.50.254</div>
                        <div>000 interface em1/em1 192.168.50.254</div>
                        <div>000 %myid = (none)</div>
                        <div>000 debug parsing+control</div>
                        <div>000</div>
                        <div>000 virtual_private (%priv):</div>
                        <div>000 - allowed 0 subnets:</div>
                        <div>000 - disallowed 0 subnets:</div>
                        <div>000 WARNING: Either virtual_private= is not
                          specified, or there is a syntax</div>
                        <div>000 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;error in that line.
                          'left/rightsubnet=vhost:%priv' will not work!</div>
                        <div>000 WARNING: Disallowed subnets in
                          virtual_private= is empty. If you have</div>
                        <div>000 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;private address space in
                          internal use, it should be excluded!</div>
                        <div>000</div>
                        <div>000 algorithm ESP encrypt: id=2,
                          name=ESP_DES, ivlen=8, keysizemin=64,
                          keysizemax=64</div>
                        <div>000 algorithm ESP encrypt: id=3,
                          name=ESP_3DES, ivlen=8, keysizemin=192,
                          keysizemax=192</div>
                        <div>000 algorithm ESP encrypt: id=6,
                          name=ESP_CAST, ivlen=8, keysizemin=40,
                          keysizemax=128</div>
                        <div>000 algorithm ESP encrypt: id=7,
                          name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
                          keysizemax=448</div>
                        <div>000 algorithm ESP encrypt: id=11,
                          name=ESP_NULL, ivlen=0, keysizemin=0,
                          keysizemax=0</div>
                        <div>000 algorithm ESP encrypt: id=12,
                          name=ESP_AES, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=13,
                          name=ESP_AES_CTR, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=14,
                          name=ESP_AES_CCM_A, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=15,
                          name=ESP_AES_CCM_B, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=16,
                          name=ESP_AES_CCM_C, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=18,
                          name=ESP_AES_GCM_A, ivlen=8, keysizemin=160,
                          keysizemax=288</div>
                        <div>000 algorithm ESP encrypt: id=19,
                          name=ESP_AES_GCM_B, ivlen=12, keysizemin=160,
                          keysizemax=288</div>
                        <div>000 algorithm ESP encrypt: id=20,
                          name=ESP_AES_GCM_C, ivlen=16, keysizemin=160,
                          keysizemax=288</div>
                        <div>000 algorithm ESP encrypt: id=22,
                          name=ESP_CAMELLIA, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=252,
                          name=ESP_SERPENT, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP encrypt: id=253,
                          name=ESP_TWOFISH, ivlen=8, keysizemin=128,
                          keysizemax=256</div>
                        <div>000 algorithm ESP auth attr: id=1,
                          name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
                          keysizemax=128</div>
                        <div>000 algorithm ESP auth attr: id=2,
                          name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
                          keysizemax=160</div>
                        <div>000 algorithm ESP auth attr: id=5,
                          name=AUTH_ALGORITHM_HMAC_SHA2_256,
                          keysizemin=256, keysizemax=256</div>
                        <div>000 algorithm ESP auth attr: id=6,
                          name=AUTH_ALGORITHM_HMAC_SHA2_384,
                          keysizemin=384, keysizemax=384</div>
                        <div>000 algorithm ESP auth attr: id=7,
                          name=AUTH_ALGORITHM_HMAC_SHA2_512,
                          keysizemin=512, keysizemax=512</div>
                        <div>000 algorithm ESP auth attr: id=8,
                          name=AUTH_ALGORITHM_HMAC_RIPEMD,
                          keysizemin=160, keysizemax=160</div>
                        <div>000 algorithm ESP auth attr: id=9,
                          name=AUTH_ALGORITHM_AES_CBC, keysizemin=128,
                          keysizemax=128</div>
                        <div>000 algorithm ESP auth attr: id=251,
                          name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0,
                          keysizemax=0</div>
                        <div>000</div>
                        <div>000 algorithm IKE encrypt: id=0,
                          name=(null), blocksize=16, keydeflen=131</div>
                        <div>000 algorithm IKE encrypt: id=5,
                          name=OAKLEY_3DES_CBC, blocksize=8,
                          keydeflen=192</div>
                        <div>000 algorithm IKE encrypt: id=7,
                          name=OAKLEY_AES_CBC, blocksize=16,
                          keydeflen=128</div>
                        <div>000 algorithm IKE hash: id=1,
                          name=OAKLEY_MD5, hashsize=16</div>
                        <div>000 algorithm IKE hash: id=2,
                          name=OAKLEY_SHA1, hashsize=20</div>
                        <div>000 algorithm IKE hash: id=4,
                          name=OAKLEY_SHA2_256, hashsize=32</div>
                        <div>000 algorithm IKE hash: id=5,
                          name=OAKLEY_SHA2_384, hashsize=48</div>
                        <div>000 algorithm IKE hash: id=6,
                          name=OAKLEY_SHA2_512, hashsize=64</div>
                        <div>000 algorithm IKE dh group: id=2,
                          name=OAKLEY_GROUP_MODP1024, bits=1024</div>
                        <div>000 algorithm IKE dh group: id=5,
                          name=OAKLEY_GROUP_MODP1536, bits=1536</div>
                        <div>000 algorithm IKE dh group: id=14,
                          name=OAKLEY_GROUP_MODP2048, bits=2048</div>
                        <div>000 algorithm IKE dh group: id=15,
                          name=OAKLEY_GROUP_MODP3072, bits=3072</div>
                        <div>000 algorithm IKE dh group: id=16,
                          name=OAKLEY_GROUP_MODP4096, bits=4096</div>
                        <div>000 algorithm IKE dh group: id=17,
                          name=OAKLEY_GROUP_MODP6144, bits=6144</div>
                        <div>000 algorithm IKE dh group: id=18,
                          name=OAKLEY_GROUP_MODP8192, bits=8192</div>
                        <div>000 algorithm IKE dh group: id=22,
                          name=OAKLEY_GROUP_DH22, bits=1024</div>
                        <div>000 algorithm IKE dh group: id=23,
                          name=OAKLEY_GROUP_DH23, bits=2048</div>
                        <div>000 algorithm IKE dh group: id=24,
                          name=OAKLEY_GROUP_DH24, bits=2048</div>
                        <div>000</div>
                        <div>000 stats db_ops: {curr_cnt, total_cnt,
                          maxsz} :context={0,0,0} trans={0,0,0}
                          attrs={0,0,0}</div>
                        <div>000</div>
                        <div>000</div>
                        <div>000</div>
                        <div>/usr/sbin/ipsec: unknown IPsec command
                          `status' (`ipsec --help' for list)</div>
                        <div>[root@mlab-centos6-01 ~]#</div>
                        <div><br>
                        </div>
                      </div>
                    </div>
                    <div class="gmail_extra"> <br>
                      <br>
                      <div class="gmail_quote">On Fri, Mar 8, 2013 at
                        9:39 AM, Paul Wouters <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:pwouters@redhat.com"
                            target="_blank">pwouters@redhat.com</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div>On Fri, 8 Mar 2013, T.J. Yang wrote:<br>
                            <br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex"> Thanks to
                              Paul and Philippe's pointers. I tried the
                              "oe" and spacing suggestion without
                              success. When I do<br>
                              an "ipsec auto --add centos6-asa" to add
                              the connection manually, /var/log/ipsec.log
                              only shows &nbsp;one line but<br>
                              no other message.<br>
                              I will keep digging<br>
                            </blockquote>
                            <br>
                          </div>
                          I am confused. Do not do this:<br>
                          <br>
                          conn foo<br>
                          &nbsp; &nbsp; some=value<br>
                          &nbsp; &nbsp; other=value<br>
                          <br>
                          &nbsp; &nbsp; third=value<br>
                          <br>
                          And don't do this:<br>
                          <br>
                          conn foo<br>
                          &nbsp; &nbsp; some=value<br>
                          &nbsp; &nbsp; other=value<br>
                          # &nbsp; &nbsp;third=value<br>
                          &nbsp; &nbsp; fourth=value<br>
                          <br>
                          But do this:<br>
                          <br>
                          conn foo<br>
                          &nbsp; &nbsp; some=value<br>
                          &nbsp; &nbsp; other=value<br>
                          &nbsp; &nbsp; #third=value<br>
                          &nbsp; &nbsp; fourth=value<span><font color="#888888"><br>
                              <br>
                              Paul<br>
                            </font></span></blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      T.J. Yang </div>
                    <br>
                    <br>
                  </div>
                </div>
                <div class="im">
                  <pre>_______________________________________________
Swan mailing list
<a moz-do-not-send="true" href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a>
<a moz-do-not-send="true" href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        T.J. Yang
      </div>
    </blockquote>
    <br>
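    <p>The layout rules Paul gives in the quoted message (no blank line inside a conn section, and comments inside a section indented rather than starting in column 0), turned into a small checker. This is an added example, not code from the thread or from libreswan; the function name lint_ipsec_conf and the sample strings are constructed here, and the two rules are taken as stated in the message rather than from the parser source.</p>

```python
"""Lint an ipsec.conf for the two layout mistakes described in the thread."""
import re

# A section header starts in column 0: "config setup" or "conn <name>".
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)")


def lint_ipsec_conf(text):
    """Return a list of (line_number, section, problem) tuples.

    Rules checked (assumption: as stated in the quoted advice):
      * no blank line between the options of one section
      * a comment inside a section is indented, not in column 0
    """
    findings = []
    section = None   # name of the section we are inside, or None
    pending = []     # suspicious lines seen since the last option
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            # Blank lines or column-0 comments seen just before a new
            # header only separate two sections, which is fine.
            section = header.group(2)
            pending = []
        elif section is None:
            continue
        elif line == "":
            pending.append((number, "blank line inside section"))
        elif line.startswith("#"):
            pending.append((number, "comment starts in column 0"))
        elif line[0] in " \t":
            # Another indented option follows, so whatever is pending
            # really was in the middle of the section.
            findings.extend((n, section, why) for n, why in pending)
            pending = []
        else:
            # Other column-0 text (for example "version 2.0").
            section = None
            pending = []
    return findings


# Constructed samples mirroring the three layouts in the quoted message.
BAD_BLANK = "conn foo\n    some=value\n    other=value\n\n    third=value\n"
BAD_COMMENT = ("conn foo\n    some=value\n    other=value\n"
               "#    third=value\n    fourth=value\n")
GOOD = ("conn foo\n    some=value\n    other=value\n"
        "    #third=value\n    fourth=value\n")
# Constructed sample: separators between sections must not be flagged.
TWO_SECTIONS = ("config setup\n    oe=no\n\n# tunnel to the ASA\n"
                "conn a\n    auto=start\n")

if __name__ == "__main__":
    for name in ("BAD_BLANK", "BAD_COMMENT", "GOOD", "TWO_SECTIONS"):
        print(name, lint_ipsec_conf(globals()[name]))
```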
  </body>
</html>