[Openswan dev] Re: [Openswan Users] iproute2, 26sec

Paul Wouters paul at xelerance.com
Thu Oct 7 01:22:53 CEST 2004

On Wed, 6 Oct 2004, Hans Fugal wrote:

> Pardon my bluntness, but this is absolutely broken.

It's always good to first wonder neutrally, before reaching a

> I have a pretty simple setup.
> falcon:
>  - eth0:
>  - eth1:
> gwythaint:
>  - eth0:
>  - eth0, after NAT:
> On falcon,
> default via dev ppp0
> I set up ipsec.conf like so:
> conn falcon-wencor
>  left=falcon.fugal.net
>  leftsrsasigkey=%cert
>  leftcert=falcon-cert.pem
>  right=%defaultroute
>  rightrsasigkey=%cert
>  rightcert=gwythaint-cert.pem
>  leftsubnet=
>  rightsubnet=
> This works fine, but routing isn't configured properly. _updown tries
> to set up a bogus route (from falcon's perspective):
> ... _updown: doroute `ip route add via dev eth0
> ' failed (RTNETLINK answers: Network is unreachable)

It seems falcon cannot properly orient itself. Is falcon.fugal.net resolvable to via DNS or hosts file? Try specifying it by its IP address
otherwise. And try adding leftnexthop-

You are also incorrectly specifying a rightsubnet that is really not a
rightsubnet but a NATed subnet.

> The simplest correct route to create would be:
>  ip route add dev ppp0
> Notice no via, and ppp0 which is the device of the default route.  In
> addition, I would like to add "src". To do so would require
> knowing which local IP is wanted, and there's no good way of doing

You can specify src by using left/rightsrcip

> If I change {left,right}nexthop I get strange behavior that I still
> don't understand. It causes error messages like this:
> cannot respond to IPsec SA request because no connection is known for
> [C=US, O=fugal.net, CN=falcon.fugal.net,
> E=hans at fugal.net]...[C=US, ST=Utah, L=Provo,
> O=fugal.net, CN=Hans Fugal, E=hans at fugal.net]===

port 4500, so nat-traversal, but CN=Hans Fugal is using nat-t's /32
and not a rightsubnet with /24.

You need to decide what you want to do. Break through the NAT using
nat-t, or hook the left and right subnet together using an IPsec tunnel.

> I'm not just complaining; I have suggestions and even some code. My
> first suggestion is a way to specify in the config file that I don't
> want to do routing. I can set up my routes once and not have to worry
> about it.

Routing is necessary for KLIPS to capture packets. It's not some
optional luxury issue.

> As it is, even when I do manually set the routes they get
> deleted. (even though I have short-circuited doroute() in _updown,
> apparently something else deletes the routes on restart?)

Yes, routes to KLIPS devices are obviously deleted if you stop openswan
and remove the klips interfaces, just like any route to a no longer
functional interface disappears with the interface.

> My second suggestion is to not try so hard and use a simpler route
> command. I think this boils down to PLUTO_NEXT_HOP is always set now,
> even though in the code it looks like it expects it not to be set
> sometimes. So maybe some smarts to see if PLUTO_NEXT_HOP is a local
> network that we can reach directly, or maybe just leaving out any via
> clause altogether.

There is a known bug where sometimes easy network configurations cannot
be determined by pluto. It has been entered in the bug tracking database
on bugs.openswan.org a while ago but hasn't been resolved yet. An easy
workaround is to specify a correct nexthop setting, which in your case
does not work because of incorrect mixing of subnet and NAT-T.

> My third suggestion is some way in the config file to set
> PLUTO_MY_SOURCEIP per connection. /etc/sysconfig/defaultsource, apart
> from being in a distro-specific location, is pretty global.
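The thread above argues over whether _updown should emit `ip route add <subnet> via <nexthop> dev <if>` or just `ip route add <subnet> dev <if>`. The following POSIX sh snippet is an added illustration of the "check whether the nexthop is directly reachable" idea, not Openswan's own _updown code: the variable names mirror the PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP and PLUTO_INTERFACE values pluto hands to _updown, while the interface address/prefix is an assumed extra input that the real script would have to obtain itself (for example from `ip addr`). It only prints the command it would run, so it can be tried safely on any host.

```shell
#!/bin/sh
# Added example (not Openswan's _updown): decide whether a route to the
# peer's client subnet needs a "via" clause. A nexthop is only useful when
# it sits on the interface's own network; on a point-to-point link such as
# ppp0, or when pluto supplies no usable nexthop, the via clause is dropped.

# Dotted quad -> 32-bit integer (arithmetic is 64-bit in dash/bash, so no overflow).
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Prefix length -> netmask as integer. /0 is special-cased because a
# 32-bit shift is undefined in C-style arithmetic.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# on_link NEXTHOP IFADDR/PREFIX -> success if NEXTHOP is inside the interface network.
on_link() {
    nh=$(ip2int "$1")
    addr=${2%/*}
    plen=${2#*/}
    mask=$(prefix2mask "$plen")
    a=$(ip2int "$addr")
    [ $(( nh & mask )) -eq $(( a & mask )) ]
}

# build_route PEER_CLIENT NEXT_HOP INTERFACE IFADDR/PREFIX
# Prints the "ip route add" command that would be executed (assumed inputs:
# the interface address/prefix is not something pluto exports by itself).
build_route() {
    client=$1
    nexthop=$2
    iface=$3
    ifnet=$4
    if [ -n "$nexthop" ] && on_link "$nexthop" "$ifnet"; then
        echo "ip route add $client via $nexthop dev $iface"
    else
        # Point-to-point link or nexthop not directly reachable: no via clause.
        echo "ip route add $client dev $iface"
    fi
}

# Constructed sample inputs, matching the shapes seen in the thread.
build_route 10.0.0.0/24 192.168.1.1 eth0 192.168.1.2/24
build_route 10.0.0.0/24 203.0.113.1 ppp0 198.51.100.7/32
```

For the Ethernet case the helper keeps the gateway because it lies in the interface's /24; for the ppp0 case the nexthop is off-link, so the command collapses to the `ip route add <subnet> dev ppp0` form Hans describes. Whether a route to the KLIPS interface is needed at all is a separate question that Paul answers above.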
