<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
As I type, I am using 3.17 and currently have three clients all
behind the same NAT router all with active ipsec connections to two
different remote servers - and can ping both. This setup normally
works fine, although I have noticed the occasional confusion which
usually requires a NAT router reset to resolve. It could be your
problem is with the router rather than libreswan.<br>
<br>
There's nothing clever about my setup. A mix of Ubuntu 12.04 and
14.04 with basic road warrior setups. The server side looks like
this, with netkey and nat-traversal:<br>
<br>
<pre>conn server-side
    authby=rsasig
    type=tunnel
    ike=3des-sha1;modp2048
    phase2alg=3des-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    left=&lt;my ip&gt;
    leftcert="mycert"
    leftrsasigkey=%cert
    leftid=%fromcert
    right=%any
    dpdaction=clear
    rightsubnet=vhost:%no,%priv
    rightrsasigkey=%cert
    rightid="C=GB,ST=here,L=there,O=myorg,OU=Road Warriors,CN=*"
    auto=add
</pre>
<br>
Client looks like:<br>
<pre>conn client-side
    authby=rsasig
    type=tunnel
    ike=3des-sha1;modp2048
    phase2alg=3des-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    left=%defaultroute
    leftcert="mycert"
    leftrsasigkey=%cert
    leftid=%fromcert
    right=&lt;my local ip&gt;
    rightrsasigkey=%cert
    rightid="C=GB,ST=here,L=there,O=myorg,OU=Secure Web Server,CN=MyRemoteServer"
    auto=start
</pre>
<br>
Hope this helps<br>
<br>
<div class="moz-cite-prefix">On 15/06/16 22:22, Schmidt, Michael M
wrote:<br>
</div>
<blockquote
cite="mid:BY2PR01MB1765073B3843E32D162B7ADD92550@BY2PR01MB1765.prod.exchangelabs.com"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi there,</p>
<p><br>
</p>
<p>I am having the exact same problem as this guy did a couple
years ago. Unfortunately it doesn't look like he received an
answer.</p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size:12pt;
color:#000000; background-color:#FFFFFF;
font-family:Calibri,Arial,Helvetica,sans-serif">
<p><a moz-do-not-send="true"
href="https://lists.libreswan.org/pipermail/swan/2014/000818.html"
class="OWAAutoLink" id="LPlnk661369"
title="https://lists.libreswan.org/pipermail/swan/2014/000818.html
Cmd+Click or tap to follow the link">https://lists.libreswan.org/pipermail/swan/2014/000818.html</a><br>
</p>
<p><br>
</p>
<p>Whenever a 2nd client connects that is behind the same
public IP as the 1st client, the 1st client can no longer
route packets across the tunnel. The IPSec connection
stays connected, but pings/TCP connections are all
dropped. The 2nd client has no problem until someone else
tries to connect behind the same IP. There's nothing in
the server-side logs that indicates Libreswan notices this.</p>
<p><br>
</p>
<p>I've tried switching between auto=add and auto=route with
no luck. Played with iptables a bit. Not really sure what
else to do.</p>
<p><br>
</p>
<p>I am on v3.17</p>
<p><br>
</p>
<p>If you need more information, please let me know. I would
really appreciate some help :)</p>
<p><br>
</p>
<p>## ipsec.conf ##</p>
<p><br>
</p>
<div>config setup</div>
<div>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.4.0.0/16</div>
<div> protostack=netkey</div>
<div> nhelpers=0</div>
<div> interfaces=%defaultroute</div>
<div> uniqueids=no</div>
<div> plutostderrlog=/var/log/ipsec</div>
<div><br>
</div>
<div>conn shared</div>
<div> left=10.4.254.10</div>
<div> leftid=X.X.X.X</div>
<div> right=%any</div>
<div> forceencaps=yes</div>
<div> authby=secret</div>
<div> pfs=no</div>
<div> rekey=no</div>
<div> keyingtries=5</div>
<div> dpddelay=30</div>
<div> dpdtimeout=120</div>
<div> dpdaction=clear</div>
<div><br>
</div>
<div>conn xauth-psk</div>
<div> auto=route</div>
<div> leftsubnet=10.4.0.0/16</div>
<div> rightaddresspool=10.4.254.129-10.4.254.191</div>
<div> modecfgdns1=10.4.0.10</div>
<div> modecfgdns2=10.4.0.11</div>
<div> modecfgdomain=X.X</div>
<div> leftxauthserver=yes</div>
<div> rightxauthclient=yes</div>
<div> leftmodecfgserver=yes</div>
<div> rightmodecfgclient=yes</div>
<div> modecfgpull=yes</div>
<div> xauthby=pam</div>
<div> ike-frag=yes</div>
<div> ikev2=never</div>
<div> cisco-unity=yes</div>
<div> also=shared</div>
<div><br>
</div>
<div>## iptables ##</div>
<div><br>
</div>
<div>
<div>*nat</div>
<div>:PREROUTING ACCEPT [0:0]</div>
<div>:POSTROUTING ACCEPT [403:28020]</div>
<div>:OUTPUT ACCEPT [403:28020]</div>
<div>-A POSTROUTING -s 10.4.0.0/16 -o eth+ -j SNAT
--to-source 10.4.254.10</div>
<div>-A POSTROUTING -s 10.4.254.0/24 -o eth+ -m policy
--dir out --pol none -j SNAT --to-source 10.4.254.10</div>
<div>COMMIT</div>
<div>*filter</div>
<div>:INPUT ACCEPT [1711:674994]</div>
<div>:FORWARD ACCEPT [0:0]</div>
<div>:OUTPUT ACCEPT [2264:316654]</div>
<div>:f2b-SSH - [0:0]</div>
<div>-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH</div>
<div>-A INPUT -p udp -m multiport --dports 500,4500 -j
ACCEPT</div>
<div>-A INPUT -p udp -m udp --dport 1701 -m policy --dir
in --pol ipsec -j ACCEPT</div>
<div>-A INPUT -p udp -m udp --dport 1701 -j DROP</div>
<div>-A INPUT -p udp -m udp --dport 68 -j ACCEPT</div>
<div>-A FORWARD -m conntrack --ctstate INVALID -j DROP</div>
<div>-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT</div>
<div>-A FORWARD -i ppp+ -o eth+ -j ACCEPT</div>
<div>-A FORWARD -d 10.4.254.0/24 -i eth+ -m conntrack
--ctstate RELATED,ESTABLISHED -j ACCEPT</div>
<div>-A FORWARD -s 10.4.254.0/24 -o eth+ -j ACCEPT</div>
<div>-A FORWARD -j DROP</div>
<div>-A f2b-SSH -j RETURN</div>
<div>COMMIT</div>
<br>
</div>
<div><br>
</div>
<div>## ipsec logs of two clients connecting from the same
IP ##</div>
<div><br>
</div>
<div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: responding to Main Mode from unknown peer
<<PUBLIC NAT IP>></div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1</div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: STATE_MAIN_R1: sent MR1, expecting MI2</div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2</div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: ignoring informational payload
IPSEC_INITIAL_CONTACT, msgid=00000000, length=28</div>
<div>Jun 14 16:13:10: | ISAKMP Notification Payload</div>
<div>Jun 14 16:13:10: | 00 00 00 1c 00 00 00 01 01 10
60 02</div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: Main mode peer ID is ID_IPV4_ADDR:
'10.32.32.55'</div>
<div>Jun 14 16:13:10: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: switched from "xauth-psk"[1]
<<PUBLIC NAT IP>> to "xauth-psk"</div>
<div>Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: deleting connection "xauth-psk" instance
with peer <<PUBLIC NAT IP>>
{isakmp=#0/ipsec=#0}</div>
<div>Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3</div>
<div>Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: new NAT mapping for #1, was
<<PUBLIC NAT IP>>:118, now <<PUBLIC
NAT IP>>:37467</div>
<div>Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=PRESHARED_KEY cipher=aes_256
integ=OAKLEY_SHA2_256 group=MODP2048}</div>
<div>Jun 14 16:13:10: | event EVENT_v1_SEND_XAUTH #1
STATE_MAIN_R3</div>
<div>Jun 14 16:13:10: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: XAUTH: Sending Username/Password request
(XAUTH_R0)</div>
<div>Jun 14 16:13:10: XAUTH: User <<CLIENT
1>>: Attempting to login</div>
<div>Jun 14 16:13:10: XAUTH: pam authentication being
called to authenticate user <<CLIENT 1>></div>
<div>Jun 14 16:13:11: XAUTH: User <<CLIENT
1>>: Authentication Successful</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: XAUTH: xauth_inR1(STF_OK)</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: transition from state STATE_XAUTH_R1 to
state STATE_MAIN_R3</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
established</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
INTERNAL_ADDRESS_EXPIRY received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
APPLICATION_VERSION received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
MODECFG_BANNER received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
MODECFG_DOMAIN received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_SPLIT_DNS received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_SPLIT_INC received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_SPLIT_EXCLUDE received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_DO_PFS received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_SAVE_PW received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_FW_TYPE received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_BACKUP_SERVER received.</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: Unsupported modecfg long attribute
CISCO_UNKNOWN_SEEN_ON_IPHONE received.</div>
<div>Jun 14 16:13:11: | We are sending
'<<DOMAIN>>' as domain</div>
<div>Jun 14 16:13:11: | We are not sending a banner</div>
<div>Jun 14 16:13:11: | We are sending our subnet as
CISCO_SPLIT_INC</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: modecfg_inR0(STF_OK)</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: transition from state STATE_MODE_CFG_R0
to state STATE_MODE_CFG_R1</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: STATE_MODE_CFG_R1: ModeCfg Set sent,
expecting Ack</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #1: the peer proposed: 10.4.0.0/16:0/0 ->
10.4.254.129/32:0/0</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: responding to Quick Mode proposal
{msgid:1ada84a1}</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: us:
10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN
PUBLIC IP>>,MS+XS+S=C]</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: them: <<PUBLIC NAT
IP>>[10.32.32.55,+MC+XC+S=C]===10.4.254.129/32</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: transition from state STATE_QUICK_R0 to
state STATE_QUICK_R1</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: STATE_QUICK_R1: sent QR1, inbound IPsec
SA installed, expecting QI2 tunnel mode
{ESP/NAT=>0x08ae73c0 <0xd8db7c34
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC
NAT IP>>:37467 DPD=active username=<<CLIENT
1>>}</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: transition from state STATE_QUICK_R1 to
state STATE_QUICK_R2</div>
<div>Jun 14 16:13:11: "xauth-psk"[2] <<PUBLIC NAT
IP>> #2: STATE_QUICK_R2: IPsec SA established
tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC
NAT IP>>:37467 DPD=active username=<<CLIENT
1>>}</div>
<div>Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: max number of retransmissions (8) reached
STATE_MAIN_R2</div>
<div>Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT
IP>> #1: deleting state #1 (STATE_MAIN_R2)</div>
<div>Jun 14 16:13:14: "xauth-psk"[1] <<PUBLIC NAT
IP>>: deleting connection "xauth-psk" instance
with peer <<PUBLIC NAT IP>>
{isakmp=#0/ipsec=#0}</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: responding to Main Mode from unknown peer
<<PUBLIC NAT IP>></div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: STATE_MAIN_R1: sent MR1, expecting MI2</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: ignoring informational payload
IPSEC_INITIAL_CONTACT, msgid=00000000, length=28</div>
<div>Jun 14 16:13:29: | ISAKMP Notification Payload</div>
<div>Jun 14 16:13:29: | 00 00 00 1c 00 00 00 01 01 10
60 02</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: Main mode peer ID is ID_IPV4_ADDR:
'10.32.32.76'</div>
<div>Jun 14 16:13:29: "xauth-psk"[2] <<PUBLIC NAT
IP>> #3: switched from "xauth-psk"[2]
<<PUBLIC NAT IP>> to "xauth-psk"</div>
<div>Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3</div>
<div>Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: new NAT mapping for #3, was
<<PUBLIC NAT IP>>:57, now <<PUBLIC NAT
IP>>:29518</div>
<div>Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=PRESHARED_KEY cipher=aes_256
integ=OAKLEY_SHA2_256 group=MODP2048}</div>
<div>Jun 14 16:13:29: | event EVENT_v1_SEND_XAUTH #3
STATE_MAIN_R3</div>
<div>Jun 14 16:13:29: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: XAUTH: Sending Username/Password request
(XAUTH_R0)</div>
<div>Jun 14 16:13:36: XAUTH: User <<CLIENT
2>>: Attempting to login</div>
<div>Jun 14 16:13:36: XAUTH: pam authentication being
called to authenticate user <<CLIENT 2>></div>
<div>Jun 14 16:13:36: XAUTH: User <<CLIENT
2>>: Authentication Successful</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: XAUTH: xauth_inR1(STF_OK)</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: transition from state STATE_XAUTH_R1 to
state STATE_MAIN_R3</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA
established</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
INTERNAL_ADDRESS_EXPIRY received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
APPLICATION_VERSION received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
MODECFG_BANNER received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
MODECFG_DOMAIN received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_SPLIT_DNS received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_SPLIT_INC received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_SPLIT_EXCLUDE received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_DO_PFS received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_SAVE_PW received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_FW_TYPE received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_BACKUP_SERVER received.</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: Unsupported modecfg long attribute
CISCO_UNKNOWN_SEEN_ON_IPHONE received.</div>
<div>Jun 14 16:13:36: | We are sending
'<<DOMAIN>>' as domain</div>
<div>Jun 14 16:13:36: | We are not sending a banner</div>
<div>Jun 14 16:13:36: | We are sending our subnet as
CISCO_SPLIT_INC</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: modecfg_inR0(STF_OK)</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: transition from state STATE_MODE_CFG_R0
to state STATE_MODE_CFG_R1</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: STATE_MODE_CFG_R1: ModeCfg Set sent,
expecting Ack</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #3: the peer proposed: 10.4.0.0/16:0/0 ->
10.4.254.130/32:0/0</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: responding to Quick Mode proposal
{msgid:5a4c8ec3}</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: us:
10.4.0.0/16===10.4.254.10<10.4.254.10>[<<LIBRESWAN
PUBLIC IP>>,MS+XS+S=C]</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: them: <<PUBLIC NAT
IP>>[10.32.32.76,+MC+XC+S=C]===10.4.254.130/32</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: transition from state STATE_QUICK_R0 to
state STATE_QUICK_R1</div>
<div>Jun 14 16:13:36: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: STATE_QUICK_R1: sent QR1, inbound IPsec
SA installed, expecting QI2 tunnel mode
{ESP/NAT=>0x046b9b3f <0x6b137349
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC
NAT IP>>:29518 DPD=active username=<<CLIENT
2>>}</div>
<div>Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: transition from state STATE_QUICK_R1 to
state STATE_QUICK_R2</div>
<div>Jun 14 16:13:37: "xauth-psk"[3] <<PUBLIC NAT
IP>> #4: STATE_QUICK_R2: IPsec SA established
tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<<PUBLIC
NAT IP>>:29518 DPD=active username=<<CLIENT
2>>}</div>
<br>
</div>
<br>
<p><br>
</p>
</div>
</div>
</div>
</blockquote>
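<br>
Added example (not part of either message and not libreswan code): a small parser for pluto log lines in the format quoted above that groups established tunnels by public address and reports whether any two share a NAT-T port, lease address, peer ID or SPI pair, which helps tell a server-side mix-up from a NAT router problem. The address 203.0.113.7, the user names and the function names are assumptions made for the example.<br>

```python
import re
from collections import defaultdict

# Constructed sample in the format of the pluto log quoted in this thread;
# 203.0.113.7 and the user names are placeholders.
SAMPLE_LOG = """\
Jun 14 16:13:10: "xauth-psk"[1] 203.0.113.7 #1: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.55'
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.7 #1: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.129/32:0/0
Jun 14 16:13:11: "xauth-psk"[2] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x08ae73c0 <0xd8db7c34 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:37467 DPD=active username=client1}
Jun 14 16:13:29: "xauth-psk"[2] 203.0.113.7 #3: Main mode peer ID is ID_IPV4_ADDR: '10.32.32.76'
Jun 14 16:13:36: "xauth-psk"[3] 203.0.113.7 #3: the peer proposed: 10.4.0.0/16:0/0 -> 10.4.254.130/32:0/0
Jun 14 16:13:37: "xauth-psk"[3] 203.0.113.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x046b9b3f <0x6b137349 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:29518 DPD=active username=client2}
"""

PREFIX = re.compile(r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)')
PEER_ID = re.compile(r"Main mode peer ID is \w+: '([^']+)'")
LEASE = re.compile(r"the peer proposed: \S+ -> (\S+?)/32")
SA = re.compile(r"IPsec SA established .*ESP/NAT=>(0x[0-9a-f]+) <(0x[0-9a-f]+) "
                r".*NATD=(\S+):(\d+) .*username=([^}\s]+)")


def parse_tunnels(log_text):
    """Return {(conn, instance): record} for instances with an established IPsec SA."""
    id_by_state = {}           # ISAKMP state number -> Main Mode peer ID
    inst = defaultdict(dict)   # (conn, instance) -> tunnel record
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        rec = inst[(m["conn"], int(m["inst"]))]
        msg = m["msg"]
        if (p := PEER_ID.search(msg)):
            # Logged before pluto switches instance, so key it by state number.
            id_by_state[m["state"]] = p[1]
        elif (l := LEASE.search(msg)):
            rec.update(lease=l[1], peer_id=id_by_state.get(m["state"]))
        elif (s := SA.search(msg)):
            rec.update(public_ip=m["peer"], spis=(s[1], s[2]),
                       nat_port=int(s[4]), user=s[5])
    return {k: v for k, v in inst.items() if "spis" in v}


def shared_nat_report(tunnels):
    """For each public address with 2+ tunnels, list fields that two tunnels share."""
    by_ip = defaultdict(list)
    for rec in tunnels.values():
        by_ip[rec["public_ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        if len(recs) < 2:
            continue
        clashes = [f for f in ("nat_port", "lease", "peer_id", "spis")
                   if len({r.get(f) for r in recs}) < len(recs)]
        report[ip] = {"users": sorted(r["user"] for r in recs), "clashes": clashes}
    return report
```

An empty `clashes` list means the log shows a separate port, lease, peer ID and SPI pair for every client behind that address.<br>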
<br>
</body>
</html>