[Openswan dev] [Patch] error: "cannot route -- route already in use for"

Paul Wouters paul at xelerance.com
Wed Oct 1 18:38:54 EDT 2008

On Thu, 25 Sep 2008, avesh agarwal wrote:

Hi Avesh,

Sorry for the late reply....

> host1 has two interfaces: eth0 (IP address: and eth0:1 (virtual 
> interface with IP address
> host2 has one interface:  eth1(with IP address
> I want to establish 2 ipsec channels between these two as follows.
> IP addresesses are as below for each
> host1<----------------->host2
> eth0(<---------------------->eth1(
> eth0:1 (<------------------->eth1(


> The connection 139-140 (which is between and gets 
> established without any problem.
> However, when the connection 149-140 (which is between and 
>  is setup, it gives following error:
> 117 "149-140" #4: STATE_QUICK_I1: initiate
> 003 "149-140" #4: cannot route -- route already in use for "139-140"
> 032 "149-140" #4: STATE_QUICK_I1: internal error
> Although, I have tried ipsec setup in transport mode, i think the same 
> problem happens in tunnel mode too.
> The patch to solve this problem is attached with this mail. The patch is 
> created for lastest release which is 2.6.16.

The patch seems to address the route in use error, but I am not yet entirely
sure this resolves the problem. One question that comes to mind is this..

If host 2 initiates both tunnels, to what it believes are two different
hosts, it will have two phase 1 and two phase 2 states.

If host 1 initiates both tunnels, it would re-use the phase 1, since it
already has a phase 1 up with host 2, but host 2 is not aware of this
and would not re-use its own phase 1.

So I am not sure yet, if allowing the phase 2 to success, which your patch
does, we have resolved the problem, or just moved it around. This will
require some testcases for our testing/pluto/ infrastructure to bring up
various combinations of these two tunnels to see if everything keeps
working as expected.


More information about the Dev mailing list