<div dir="ltr">Thanks for your help, Paul. I switched the type to tunnel but that didn't help. It just hangs now. Here's the output of ipsec auto --up:<div><br></div><div><div>002 "ner" #22: initiating Main Mode</div><div>104 "ner" #22: STATE_MAIN_I1: initiate</div><div>003 "ner" #22: received Vendor ID payload [RFC 3947]</div><div>003 "ner" #22: received Vendor ID payload [Dead Peer Detection]</div><div>002 "ner" #22: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)</div><div>002 "ner" #22: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div><div>106 "ner" #22: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>003 "ner" #22: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT</div><div>002 "ner" #22: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div><div>108 "ner" #22: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>002 "ner" #22: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.21'</div><div>002 "ner" #22: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div><div>004 "ner" #22: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}</div><div>002 "ner" #22: Dead Peer Detection (RFC 3706): enabled</div><div>002 "ner" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#22 msgid:61187bd5 proposal=defaults pfsgroup=no-pfs}</div><div>117 "ner" #23: STATE_QUICK_I1: initiate</div><div>010 "ner" #23: STATE_QUICK_I1: retransmission; will wait 10s for response</div><div>010 "ner" #23: STATE_QUICK_I1: retransmission; will wait 20s for response</div></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 11, 2015 at 9:00 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sun, 11 Jan 2015, Ali Gangji wrote:<br>
<br>
</span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
ipsec.conf connection config:<br>
<br>
type=transport<br>
pfs=no<br>
keyingtries=0<br>
left=192.168.1.102<br>
leftsubnet=<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br>
right=<a href="http://XXX.dyndns.org" target="_blank">XXX.dyndns.org</a><br>
rightid=192.168.0.X<br>
rightsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br>
</blockquote>
<br></span>
wait, you must use type=tunnel if you have subnets.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>