[Openswan dev] [Patch] error: "cannot route -- route already in use for"
avesh agarwal
avagarwa at redhat.com
Wed Oct 1 21:13:30 EDT 2008
Hi Paul,
Thanks for your reply.
Paul Wouters wrote:
> On Thu, 25 Sep 2008, avesh agarwal wrote:
>
> Hi Avesh,
>
> Sorry for the late reply....
>
>> host1 has two interfaces: eth0 (IP address: 10.14.0.139) and eth0:1
>> (virtual interface with IP address 10.14.0.149)
>> host2 has one interface: eth1 (with IP address 10.14.0.140)
>>
>> I want to establish 2 ipsec channels between these two as follows.
>>
>> IP addresses are as below for each
>> host1<----------------->host2
>> eth0(10.14.0.139)<---------------------->eth1(10.14.0.140)
>>
>> eth0:1 (10.14.0.149)<------------------->eth1(10.14.0.140)
>
> [...]
>
>> The connection 139-140 (which is between 10.14.0.139 and 10.14.0.140)
>> gets established without any problem.
>> However, when the connection 149-140 (which is between 10.14.0.149
>> and 10.14.0.140) is set up, it gives the following error:
>>
>> 117 "149-140" #4: STATE_QUICK_I1: initiate
>> 003 "149-140" #4: cannot route -- route already in use for "139-140"
>> 032 "149-140" #4: STATE_QUICK_I1: internal error
>>
>> Although I have tried ipsec setup in transport mode, I think the
>> same problem happens in tunnel mode too.
>>
>> The patch to solve this problem is attached with this mail. The patch
>> is created for the latest release, which is 2.6.16.
>
> The patch seems to address the route in use error, but I am not yet
> entirely sure this resolves the problem. One question that comes to
> mind is this..
>
> If host 2 initiates both tunnels, to what it believes are two different
> hosts, it will have two phase 1 and two phase 2 states.
>
> If host 1 initiates both tunnels, it would re-use the phase 1, since it
> already has a phase 1 up with host 2, but host 2 is not aware of this
> and would not re-use its own phase 1.
>
Based on the testing I have done, I noticed that host 1 was initiating
a "new phase 1" while creating the "2nd" connection. So it seems to me that
host 1 will also have two phase 1 and two phase 2.

> So I am not sure yet, if allowing the phase 2 to succeed, which your
> patch does, we have resolved the problem, or just moved it around. This will
> require some testcases for our testing/pluto/ infrastructure to bring up
> various combinations of these two tunnels to see if everything keeps
> working as expected.
> Paul
Thanks and Regards
Avesh Agarwal