<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 11pt; font-family: Tahoma,Arial,Helvetica,sans-serif'>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-family: 'andale mono', monospace;">Dear friends/ Team</span><br /><span style="font-family: 'andale mono', monospace;">I have two sites which I am trying to connect using a site-to-site VPN. Initially I had a lot of challenges because at the HO, the Linux machine had a Public IP directly configured, while at the Site Office the Linux machine was behind an ISP router. Anyhow the tunnel gets established now, but machines on both sides cannot reach each other.</span><br /><br /><span style="font-family: 'andale mono', monospace;">However, when I reboot the Site Office machine and it comes up, tunnel also gets established and both sides can reach each other for roughly less than a minute and then it stops.</span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-family: 'andale mono', monospace;">FYI, the machine at HO is running Libreswan 4.3 and the one at Site Office is running Libreswan 4.4</span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-family: 'andale mono', monospace;">What is changing when the machine comes up after a reboot...?</span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><strong><span style="font-family: 'andale mono', monospace;">The HO Configuration </span></strong></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">
<pre class="notranslate"><code class="notranslate">conn PLUTOSUBNET
also=EUROPA-PLUTO
leftsubnet=10.10.128.0/24
leftsourceip=10.10.128.100
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
auto=start
conn EUROPA-PLUTO
type=tunnel
left=W.X.Y.Z
right=A.B.C.D
authby=secret
ikev2=insist
pfs=no
ike=aes256-sha2_512+sha2_256-dh21
esp=aes256-sha2_512+sha1+sha2_256;dh21
dpddelay=5
dpdtimeout=120
dpdaction=restart
encapsulation=yes
</code><br /><br /><br /><strong><span style="font-family: 'andale mono', monospace; font-size: 11pt;">The Site Office configuration</span></strong><br /><br /></pre>
<pre class="notranslate"><code class="notranslate">conn PLSUBNET
also=PLUTO-EUROPA
leftsubnet=10.10.128.0/24
leftsourceip=10.10.128.100
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
auto=start
conn PLUTO-EUROPA
type=tunnel
left=%defaultroute
leftid=W.X.Y.Z
right=A.B.C.D
authby=secret
ikev2=insist
pfs=no
ike=aes256-sha2_512+sha2_256-dh21
esp=aes256-sha2_512+sha1+sha2_256;dh21
dpddelay=5
dpdtimeout=120
dpdaction=restart
encapsulation=yes
</code><br /><br /><br /></pre>
<pre class="notranslate"><strong><span style="font-family: 'andale mono', monospace; font-size: 11pt;">The Logs from the HO machine</span></strong><code class="notranslate">
980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_521[first-match]
636046: "PLUTOSUBNET" #9: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
"PLUTOSUBNET" #9: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
"PLUTOSUBNET" #9: IKEv2 mode peer ID is ID_IPV4_ADDR: 'W.X.Y.Z'
"PLUTOSUBNET" #9: authenticated using authby=secret
"PLUTOSUBNET": local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals):
"PLUTOSUBNET": 1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED
"PLUTOSUBNET" #10: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=cff38461 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
"PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]
"PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
"PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiation
"PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification
</code></pre>
<pre class="notranslate"><br /><br /><br />Any help please.<br /><br /><br />Thanks, BA<br /><br /><br /><br /><br /></pre>
</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
</body></html>