<div dir="ltr">On Tue, Jul 30, 2013 at 5:14 PM, Paul Wouters <span dir="ltr"><<a href="mailto:pwouters@redhat.com" target="_blank">pwouters@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">On Tue, 30 Jul 2013, Mike C wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I am using tunnel mode already. No L2TP, just routers with 3G dongles providing net-net VPNs between offices. I don't believe XAUTH<br>
would help in this case?<br>
</blockquote>
<br></div>
Correct, then you don't need it. But then I'm not entirely sure why your<br>
connections would be failing?</blockquote><div><br></div><div>(Reposting without attached logs; apologies, I didn't realise the size)<br></div><div><br><div>Sorry for the delay; I've now tested both IKEv1 and IKEv2 and
neither seems to like the setup. The last connection added to the
server-side using the same source can connect; the first one can't. I
tested specifying the IP for both connections as %any, and as the IP the
clients are coming from; both approaches had the same behavior. If I
define a different source IP for the last added connection, then the
first one can connect fine.<br>
<br>Using IKEv1 aggrmode=yes both come up, but for some reason traffic
isn't reaching the other end. Even if I only define a single tunnel and
bring it up, no traffic makes it. So I'm not sure what is happening there,
although at least at the start both tunnels come up.<br>
<br></div><div>Is there a way to force connection identification to be
performed only after the peer IDs are sent in IKEv1 main mode? Or IKEv2,
but I would like to stick to IKEv1 to reduce impact on clients. Based on
the above for main mode, does this appear to be a bug, could it be fixed,
or is it not possible to support such an approach?<br>
<br></div><div>In case it's of use, see <a href="http://pastebin.com/dVFQbcTt">http://pastebin.com/dVFQbcTt</a> with the full
plutodebug=all output. In both cases, I'm trying to bring up 'routers-13',
having added it first to the server followed by 'routers-12'. <br>
</div><div><br></div>Regards,<br><br>Mike<br></div></div></div></div>