[Openswan dev] "%pass 0 no routed template covers this pair" error

Paul Wouters paul at xelerance.com
Mon Jul 12 13:47:50 EDT 2010

We noticed on our l2tp server that sometimes we end up with a bogus %pass
route. From ipsec auto --status:

000 "l2tp-psk":<>[+S=C]:17/1701...%virtual[+S=C]:17/%any===?; unrouted; eroute owner: #0
000 "l2tp-psk":     myip=unset; hisip=unset;
000 "l2tp-psk":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "l2tp-psk":   policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0; 
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 -0-> => %pass 0    no routed template covers this pair

The last line is the issue.  The IP comes from a client, who can then
no longer reconnect until openswan is restarted.

Is there ever a valid reason for a "no routed template covers this pair"
type of %pass route? Or is it safe to delete these?

