[Openswan dev] Getting routes from modecfg added when talking to Cisco...
Michael H. Warfield
mhw at WittsEnd.com
Thu Feb 25 18:02:51 EST 2010
Hey all,

So, I'm trying to work with getting OpenSwan to play nice with a Cisco
3000 concentrator. We've gotten past several problems and issues
already and the connection is coming up. I did figure out that I needed
to add this to my configuration:

    remote_peer_type=cisco

That gets OpenSwan to request all the extra parameters we need including
all the routes and goodies the Cisco is feeding up. And all the proper
SA's are being created in the policy database so it should work. But...
None of the routes get added except the primary route.

What I found was that pluto is calling _updown for each route with
PLUTO_VERB=up-client.

I made this change to _updown.netkey and it then works properly...

--- _updown.netkey 2010-02-25 14:07:08.000000000 -0500
+++ _updown-cisco.netkey 2010-02-25 17:50:28.000000000 -0500
@@ -274,10 +274,12 @@
up-client)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
+ uproute
;;
down-client)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
+ downroute
;;
#
# IPv6
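
Review bot: the `uproute` added under `up-client)` and the `downroute` added under `down-client)` run unconditionally, so every connection that reaches these verbs now has a route added or removed here, not only the extra subnets handed out by the Cisco peer. Consider guarding both calls so they only act on client subnets whose route was not already installed elsewhere, and update the two "firewall commands go here" comments to say that these branches now manage routes as well.
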
Otherwise, _updown.netkey is just ignoring "up-client" and "down-client"
verbs and doing nothing.

This "fixes" it but I'm not real sure that's the "correct" fix or if the
correct fix is to make pluto do an updown with "PLUTO_VERB=route-client"
which really would make sense. But that would impact more than just
NetKey.

Thoughts?

DNS parameters are next on my list to work on...

Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!