Hi list:<div>Please help. SA established, but can't route to destination.</div><div><br></div><div>Here are two machines:</div><div><br></div><div>A:</div><div>eth0 192.168.100.201 (local subnet)</div><div>eth1 192.168.111.201</div>
<div><br></div><div>default route to 192.168.111.1</div><div>connects to the Internet through 192.168.111.1</div><div><br></div><div>UDP ports 50, 4500 are mapped to A.</div><div><br></div><div>B:</div><div>Gateway, connects to the Internet with PPPoE</div>
<div>eth1 192.168.60.1 local subnet 192.168.60.0</div><div><br></div><div>1. my config file:</div><div><div>conn cylan</div><div> type = tunnel</div><div> left = %defaultroute</div><div> right = RIGHTSIDE_DOMAINNAME</div>
<div> leftsubnet = 192.168.100.0/255.255.255.0</div><div> rightsubnet = 192.168.60.0/255.255.255.0</div><div> auto = start</div>
<div> keyexchange = ike</div><div> authby = secret</div><div> auth = esp</div><div> pfs = yes</div><div> esp = 3DES-SHA1</div><div> ike = 3DES-SHA-MODP1024</div><div> aggrmode = yes</div>
<div> leftid = @bb</div><div> rightid = @aa</div><div><br></div><div><br></div><div>2. part of .config (Networking options section)</div><div><div><br></div><div>#</div><div># Networking options</div><div>#</div>
<div>CONFIG_PACKET=y</div><div># CONFIG_PACKET_MMAP is not set</div><div>CONFIG_UNIX=y</div><div># CONFIG_NET_KEY is not set</div><div>CONFIG_INET=y</div><div>CONFIG_IP_MULTICAST=y</div><div>CONFIG_IP_ADVANCED_ROUTER=y</div>
<div>CONFIG_ASK_IP_FIB_HASH=y</div><div># CONFIG_IP_FIB_TRIE is not set</div><div>CONFIG_IP_FIB_HASH=y</div><div>CONFIG_IP_MULTIPLE_TABLES=y</div><div># CONFIG_IP_ROUTE_MULTIPATH is not set</div><div># CONFIG_IP_ROUTE_VERBOSE is not set</div>
<div>CONFIG_IP_PNP=y</div><div>CONFIG_IP_PNP_DHCP=y</div><div># CONFIG_IP_PNP_BOOTP is not set</div><div># CONFIG_IP_PNP_RARP is not set</div><div>CONFIG_NET_IPIP=y</div><div>CONFIG_NET_IPGRE=y</div><div>CONFIG_NET_IPGRE_BROADCAST=y</div>
<div># CONFIG_IP_MROUTE is not set</div><div># CONFIG_ARPD is not set</div><div># CONFIG_SYN_COOKIES is not set</div><div>CONFIG_IPSEC_NAT_TRAVERSAL=y</div><div># CONFIG_INET_AH is not set</div><div># CONFIG_INET_ESP is not set</div>
<div># CONFIG_INET_IPCOMP is not set</div><div># CONFIG_INET_XFRM_TUNNEL is not set</div><div>CONFIG_INET_TUNNEL=y</div><div># CONFIG_INET_XFRM_MODE_TRANSPORT is not set</div><div># CONFIG_INET_XFRM_MODE_TUNNEL is not set</div>
<div># CONFIG_INET_XFRM_MODE_BEET is not set</div><div>CONFIG_INET_DIAG=y</div><div>CONFIG_INET_TCP_DIAG=y</div><div># CONFIG_TCP_CONG_ADVANCED is not set</div><div>CONFIG_TCP_CONG_CUBIC=y</div><div>CONFIG_DEFAULT_TCP_CONG="cubic"</div>
<div># CONFIG_TCP_MD5SIG is not set</div><div># CONFIG_IP_VS is not set</div><div># CONFIG_IPV6 is not set</div><div># CONFIG_INET6_XFRM_TUNNEL is not set</div><div># CONFIG_INET6_TUNNEL is not set</div><div># CONFIG_NETWORK_SECMARK is not set</div>
<div>CONFIG_NETFILTER=y</div><div># CONFIG_NETFILTER_DEBUG is not set</div><div>CONFIG_BRIDGE_NETFILTER=y</div><div><br></div><div><br></div></div><div>2. ifconfig</div><div><div><br></div><div>suibian linux-2.6.22 # ifconfig </div>
<div>eth1 Link encap:Ethernet HWaddr 00:0F:EA:25:51:37 </div><div> inet addr:192.168.100.201 Bcast:192.168.100.255 Mask:255.255.255.0</div><div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div>
<div> RX packets:20432 errors:2 dropped:2 overruns:1 frame:0</div><div> TX packets:21702 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:1000 </div><div> RX bytes:8654345 (8.2 Mb) TX bytes:4594130 (4.3 Mb)</div>
<div> Interrupt:21 Base address:0x8000 </div><div><br></div><div>eth3 Link encap:Ethernet HWaddr 00:21:27:95:00:54 </div><div> inet addr:192.168.111.201 Bcast:192.168.111.255 Mask:255.255.255.0</div>
<div> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1</div><div> RX packets:2970 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:253 errors:0 dropped:0 overruns:0 carrier:0</div><div>
collisions:0 txqueuelen:1000 </div><div> RX bytes:251151 (245.2 Kb) TX bytes:25370 (24.7 Kb)</div><div> Interrupt:21 Base address:0x6000 </div><div><br></div><div>ipsec0 Link encap:Ethernet HWaddr 00:21:27:95:00:54 </div>
<div> inet addr:192.168.111.201 Mask:255.255.255.0</div><div> UP RUNNING NOARP MTU:16260 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:0 errors:147 dropped:0 overruns:0 carrier:0</div>
<div> collisions:0 txqueuelen:10 </div><div> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)</div><div><br></div><div>lo Link encap:Local Loopback </div><div> inet addr:127.0.0.1 Mask:255.0.0.0</div>
<div> UP LOOPBACK RUNNING MTU:16436 Metric:1</div><div> RX packets:56 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:56 errors:0 dropped:0 overruns:0 carrier:0</div><div> collisions:0 txqueuelen:0 </div>
<div> RX bytes:4340 (4.2 Kb) TX bytes:4340 (4.2 Kb)</div><div><br></div><div><br></div><div>3. netstat -rn</div><div><div>suibian linux-2.6.22 # netstat -rn</div><div>Kernel IP routing table</div><div>Destination Gateway Genmask Flags MSS Window irtt Iface</div>
<div>192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1</div><div>192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0</div><div>192.168.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3</div>
<div>192.168.111.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0</div><div>127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo</div><div>0.0.0.0 192.168.111.1 0.0.0.0 UG 0 0 0 eth3</div>
<div>suibian linux-2.6.22 # </div></div></div><div><br></div><div>4. IPsec tunnel established:</div><div>output from `ipsec whack --status`:<br></div><div><br></div><div><div>000 "cylan": 192.168.100.0/24===192.168.111.201[@bb,+S=C]...202.105.158.145<RIGHTSIDE_DOMAINNAME>[@aa,+S=C]===192.168.60.0/24; erouted; eroute owner: #2</div>
<div>000 "cylan": myip=unset; hisip=unset;</div><div>000 "cylan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "cylan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth3; </div>
<div>000 "cylan": newest ISAKMP SA: #1; newest IPsec SA: #2; </div><div>000 "cylan": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict</div><div>000 "cylan": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2, </div>
<div>000 "cylan": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024</div><div>000 "cylan": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict</div><div>000 "cylan": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160</div>
<div>000 "cylan": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<Phase1></div><div>000 </div><div>000 #2: "cylan":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27814s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate</div>
<div>000 #2: "cylan" used 101s ago; esp.dc7e6e91@202.105.158.145 esp.1ab13ad4@192.168.111.201 tun.1001@202.105.158.145 tun.1002@192.168.111.201 ref=3 refhim=1</div>
<div>000 #1: "cylan":4500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2304s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div>000 </div><div><br></div><div>
5. eroute exists</div><div><div>suibian linux-2.6.22 # ipsec eroute</div><div>8 192.168.100.0/24 -> 192.168.60.0/24 => tun0x1001@202.105.158.145</div>
<div>suibian linux-2.6.22 # </div><div><br></div><div><br></div><div>6. ping from local subnet to remote subnet shows error message in debug log file:</div><div><br></div><div>ping -I 192.168.100.201 192.168.60.1</div><div>
packet is dropped:<br></div><div><br></div><div><div><br></div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_neigh_setup:</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_hard_header: skb->dev=ipsec0 dev=ipsec0.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_hard_header: Revectored 0p00000000->0pef1a1aa4 len=84 type=2048 dev=ipsec0->eth3 dev_addr=00:21:27:95:00:54 ip=c0a864c9->c0a83c01</div><div>Feb 9 15:58:21 suibian kernel: </div>
<div>Feb 9 15:58:21 suibian kernel: </div><div>Feb 9 15:58:21 suibian kernel: ipsec_tunnel_start_xmit: STARTING<6>klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 00:21:27:95:00:54:00:21:27:95:00:54:08:00 </div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286 saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 2,28</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_findroute: 192.168.100.201:0->192.168.60.1:0 1</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: * See if we match exactly as a host destination</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ** try to match a leaf, t=0pedf71d80</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE packet saddr=c0a864c9, er=0pedf71d80, daddr=c0a83c01, er_dst=ca699e91, proto=1 sport=0 dport=0</div>
<div>Feb 9 15:58:21 suibian kernel: ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=129 of SA:tun.1001@202.105.158.145 requested.</div><div>Feb 9 15:58:21 suibian kernel: ipsec_sa_get: ipsec_sa e7d71000 SA:tun.1001@202.105.158.145, ref:1 reference count (2++) incremented by ipsec_sa_getbyid:552.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1001@202.105.158.145</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1001@202.105.158.145</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: calling room for <ESP_3DES_HMAC_SHA1>, SA:esp.dc7e6e91@202.105.158.145</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: Required head,tailroom: 16,24</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: existing head,tailroom: 2,28 before applying xforms with head,tailroom: 36,24 .</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:36 tottr:24 mtudiff:60 ippkttotlen:84</div><div>Feb 9 15:58:21 suibian kernel: klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 65 to 1435</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: head,tailroom: 16,28 after hard_header stripped.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286 saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_init2: head,tailroom: 68,104 after allocation</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:6286 saddr:192.168.100.201 daddr:192.168.60.1 type:code=8:0</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: calling output for <IPIP>, SA:tun.1001@202.105.158.145</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: pushing 20 bytes, putting 0, proto 4.</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: head,tailroom: 48,104 before xform.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: after <IPIP>, SA:tun.1001@202.105.158.145:</div><div>Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:30113 frag_off:0 ttl:64 proto:4 chk:27524 saddr:192.168.111.201 daddr:202.105.158.145</div>
<div>Feb 9 15:58:21 suibian kernel: ipsec_sa_put: ipsec_sa e7d71000 SA:tun.1001@202.105.158.145, ref:1 reference count (3--) decremented by ipsec_xmit_cont:1096.</div><div>
Feb 9 15:58:21 suibian kernel: ipsec_sa_get: ipsec_sa e7d71800 SA:esp.dc7e6e91@202.105.158.145, ref:2 reference count (3++) incremented by ipsec_xmit_cont:1101.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: calling output for <ESP_3DES_HMAC_SHA1>, SA:esp.dc7e6e91@202.105.158.145</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: pushing 16 bytes, putting 16, proto 50.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: head,tailroom: 32,88 before xform.</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_alg_esp_encrypt: entering with encalg=3, ixt_e=f01f8300</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=3 ips_key_e=e03bce00 idat=df18d444 ilen=88 iv=df18d43c, encrypt=1</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_alg_esp_encrypt: returned ret=1</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_encap_once: after <ESP_3DES_HMAC_SHA1>, SA:esp.dc7e6e91@202.105.158.145:</div><div>Feb 9 15:58:21 suibian kernel: klips_debug: IP: ihl:20 ver:4 tos:0 tlen:136 id:30113 frag_off:0 ttl:64 proto:50 (ESP) chk:27446 saddr:192.168.111.201 daddr:202.105.158.145</div>
<div>Feb 9 15:58:21 suibian kernel: ipsec_sa_put: ipsec_sa e7d71800 SA:esp.dc7e6e91@202.105.158.145, ref:2 reference count (4--) decremented by ipsec_xmit_cont:1096.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_findroute: 192.168.111.201:0->202.105.158.145:0 50</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: * See if we match exactly as a host destination</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ** try to match a leaf, t=0pedf71d80</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: *** start searching up the tree, t=0pedf71d80</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: **** t=0pedf71d98</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: **** t=0pef1a17c0</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ***** cp2=0pe4882ea8 cp3=0pee9eec90</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:rj_match: ***** not found.</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_tunnel_start_xmit: encapsuling packet into UDP (NAT-Traversal) (2 8)</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,80</div>
<div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,80</div><div>Feb 9 15:58:21 suibian kernel: klips_debug:ipsec_xmit_send: ip_route_output failed with error code -22, dropped</div>
</div></div></div></div><div><br></div><div><br>-- <br>from Romeo<br>
</div>
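The debug log above shows KLIPS routing a packet twice: once for the inner ICMP packet (ipsec_findroute, which hits the eroute on ipsec0) and once for the IPIP/ESP-wrapped outer packet to the peer (ip_route_output, which fails with -22). The following is an added example, not part of Romeo's post: it replays both lookups by longest-prefix match over the `netstat -rn` table as posted, flags the prefix that is bound to two interfaces, and decodes the kernel error number with Python's errno module.

```python
import errno
import ipaddress

# Constructed from the `netstat -rn` output quoted in the post.
NETSTAT_RN = """\
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
192.168.111.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.111.1 0.0.0.0 UG 0 0 0 eth3
"""

def parse_routes(text):
    """Turn netstat -rn rows into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dst, gw, mask, flags, _mss, _win, _irtt, iface = line.split()
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.append((net, gw if "G" in flags else None, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gw, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return (iface, gw)

def overlapping_prefixes(routes):
    """Prefixes that appear more than once but on different interfaces."""
    first_iface, dups = {}, set()
    for net, _gw, iface in routes:
        if net in first_iface and first_iface[net] != iface:
            dups.add(str(net))
        first_iface.setdefault(net, iface)
    return sorted(dups)

def explain_xmit(routes, inner_dst, peer, err):
    """Inner lookup (pre-encapsulation), outer lookup (to the IKE peer),
    and the symbolic name of the negative errno reported by ipsec_xmit_send."""
    return {
        "inner": lookup(routes, inner_dst),
        "outer": lookup(routes, peer),
        "errno": errno.errorcode.get(-err, "unknown"),
    }
```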