<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 11pt; font-family: Tahoma,Arial,Helvetica,sans-serif'>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-family: 'courier new', courier, monospace;">Hi Paul</span><br /><span style="font-family: 'courier new', courier, monospace;">I changed the <strong>HO's statement to auto=add</strong> while keeping <strong>auto=start at the Site Office</strong>. Also removed encapsulation statement at both ends, However there is no change in status, both machines are unable to reach each other. The tunnel is getting established as always, attaching the logs from both sides FYI.</span><br /><br />
<p><span style="font-family: 'courier new', courier, monospace;"><strong>At Site Office</strong></span></p>
<p><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">643271: "PLSUBNET" #1: initiating IKEv2 connection</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">643284: "PLSUBNET": local IKE proposals (IKE SA initiator selecting KE): </span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">643290: "PLSUBNET": 1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_521</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">645097: "PLSUBNET" #1: sent IKE_SA_INIT request</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">685003: "PLSUBNET": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals): </span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">685026: "PLSUBNET": 1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">685066: "PLSUBNET" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">760199: "PLSUBNET" #1: authenticated using authby=secret and peer ID_IPV4_ADDR 'A.B.C.D'</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">797979: "PLSUBNET" #2: negotiated connection [10.10.128.0-10.10.128.255:0-65535 0] -> [192.168.1.0-192.168.1.255:0-65535 0]</span><br /><span style="font-size: 9pt; font-family: 'courier new', courier, monospace;">798003: "PLSUBNET" #2: IPsec SA established tunnel mode {ESPinUDP=>0xf326adb4 <0x3227b8ff xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=A.B.C.D:4500 DPD=active}</span></p>
<p><br /><span style="font-family: 'courier new', courier, monospace;"><strong>At HO</strong></span></p>
<p><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">657566: "PLUTOSUBNET": local IKE proposals (IKE SA responder matching remote proposals): </span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">657597: "PLUTOSUBNET": 1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_521</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">657625: "PLUTOSUBNET" #8: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=ECP_521[first-match]</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">659422: "PLUTOSUBNET" #8: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">705240: "PLUTOSUBNET" #8: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">705270: "PLUTOSUBNET" #8: IKEv2 mode peer ID is ID_IPV4_ADDR: 'W.X.Y.Z'</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">705323: "PLUTOSUBNET" #8: authenticated using authby=secret</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">705429: "PLUTOSUBNET": local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals): </span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">705438: "PLUTOSUBNET": 1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">705445: "PLUTOSUBNET" #9: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=3227b8ff chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">741491: "PLUTOSUBNET" #9: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.128.255:0-65535 0]</span><br /><span style="font-family: 'courier new', courier, monospace; font-size: 9pt;">741513: "PLUTOSUBNET" #9: IPsec SA established tunnel mode {ESPinUDP=>0x3227b8ff <0xf326adb4 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}</span></p>
</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-family: 'courier new', courier, monospace;">Thanks, Regards<br /></span></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="font-family: 'courier new', courier, monospace;">BA</span><br /><br /><br /><br /><br />On 2023-01-30 06:29, Paul Wouters wrote:
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">On Sun, 29 Jan 2023, <a href="mailto:ud@blueaquan.com">ud@blueaquan.com</a> wrote:<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">I have two sites which I am trying to connect using a site-to-site VPN. Initially I had a lot of<br />challenges because at the HO, the Linux machine had a Public IP directly configured, while at the<br />Site Office the Linux machine was behind an ISP router. Anyhow the tunnel gets established now, but<br />machines on both sides cannot reach each other.</blockquote>
<br />On the HO use auto=add and not auto=ondemand or auto=start<br />On the Site Office, use auto=start<br /><br />That should hopefully prevent two connections racing each other<br />and one of them failing impacting the other.<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">The HO Configuration<br /><br />conn PLUTOSUBNET<br /> also=EUROPA-PLUTO<br /> leftsubnet=10.10.128.0/24<br /> leftsourceip=10.10.128.100<br /> rightsubnet=192.168.1.0/24<br /> rightsourceip=192.168.1.1<br /> auto=start</blockquote>
<br />you cannot use auto=start because you cannot initiate to a machine<br />behind NAT. The other end should initiate to here.<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"> encapsulation=yes</blockquote>
<br />It's better not to specify this and let the auto-detection handle this.<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">The Site Office configuration<br /><br />conn PLSUBNET<br /> also=PLUTO-EUROPA<br /> leftsubnet=10.10.128.0/24<br /> leftsourceip=10.10.128.100<br /> rightsubnet=192.168.1.0/24<br /> rightsourceip=192.168.1.1<br /> auto=start<br />conn PLUTO-EUROPA<br /> type=tunnel<br /> left=%defaultroute<br /> leftid=W.X.Y.Z<br /> right=A.B.C.D<br /> authby=secret<br /> ikev2=insist<br /> pfs=no<br /> ike=aes256-sha2_512+sha2_256-dh21<br /> esp=aes256-sha2_512+sha1+sha2_256;dh21<br /> dpddelay=5<br /> dpdtimeout=120<br /> dpdaction=restart<br /> encapsulation=yes</blockquote>
<br />Same here, remove the encapsulation=yes here too.<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">The Logs from the HO machine</blockquote>
<br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">980030: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 16 seconds for response<br />984155: "PLUTOSUBNET" #8: STATE_PARENT_I1: retransmission; will wait 32 seconds for response<br />634277: "PLUTOSUBNET" #9: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen f</blockquote>
<br />Looks like state 8 and 9 are fighting here.<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">"PLUTOSUBNET" #10: negotiated connection [192.168.1.0-192.168.1.255:0-65535 0] -> [10.10.128.0-10.10.<br />128.255:0-65535 0]<br />"PLUTOSUBNET" #10: IPsec SA established tunnel mode {ESPinUDP=>0xcff38461 <0x51123a6c xfrm=AES_CBC_25<br />6-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}<br />"PLUTOSUBNET" #8: suppressing retransmit because IKE SA was superseded #9 try=4; drop this negotiatio<br />n<br />"PLUTOSUBNET" #8: deleting state (STATE_PARENT_I1) aged 64.012686s and NOT sending notification</blockquote>
<br />9 won and 8 was deleted. This _should_ be fine. But perhaps the other<br />end did something different.<br /><br />Paul</blockquote>
</div>
</body></html>