[Openswan Users] openswan does not set up routes automatically

Irek Slonina br at linuxnews.pl
Sun Aug 8 00:21:33 CEST 2004 

Hello,
this is my first post on the list, first attempt to openswan and so on
so please do not lynch me too hard.

I have set up three connections:
gw1-gw2
gw1net-gw2
gw1-gw2net

The gw boxes are pretty the same:
gw1 - PLD Ac, kernel-2.6.4, openswan-2.1.4
gw2 - PLD Ac, kernel-2.6.7, openswan-2.1.4

I can do ping:
gw1 from gw2
gw2 from gw1
gw2net from gw1

but i can't do gw1net from gw2
(ipsec verify says that ip forwarding is on, on both of the gw's)

iptables rules are empty on both of gw's

ipsec auto --status
says that every connection have been established.

my config:

conn gw2-gw1net
	leftsubnet=192.168.0.0/24
	also=gw2-gw1
conn gw2net-gw1
	rightsubnet=10.0.0.0/24
	also=gw2-gw1
also=gw2-gw1
	conn gw2-gw1
	left=LEFTIP
	leftid=@gw1.pl
	leftrsasigkey=...
	leftnexthop=%defaultroute
	right=RIGHTIP
	rightid=@gw2.pl
	rightrsasigkey=...
	rightnexthop=%defaultroute
	auto=start

the one thing that differs the gw's are additional routes set by openswan...

on gw2:
Destination Gateway   Genmask         Flags Metric Ref Use Iface
192.168.0.0 mynexthop 255.255.255.0   UG    0      0   0   ppp0
gw1	    mynexthop 255.255.255.255 UGH   0      0   0   ppp0

and none additional on gw1

tcpdump on gw1 says that ping from gw2 -> gw1 net are arriving, but
none icmp reply's are sent to gw2:

03:17:57.991680 IP gw2 > gw1:
ESP(spi=0xbc83e13f,seq=0x15)
03:17:57.991680 IP gw2 > 192.168.0.1: icmp 64:
echo request seq 1
03:17:57.991887 arp who-has 192.168.0.1 tell 192.168.0.102
03:17:57.991986 arp reply 192.168.0.1 is-at 00:50:bf:ed:18:2a
03:17:57.992000 IP gw2 > 192.168.0.1: icmp 64:
echo request seq 1
03:17:57.992008 arp reply 192.168.0.1 is-at 00:30:4f:26:de:7d
03:17:58.987422 IP gw2 > gw1:
ESP(spi=0xbc83e13f,seq=0x16)
03:17:58.987422 IP gw2 > 192.168.0.1: icmp 64:
echo request seq 2

does the routes could make the difference? if so then where to find
what could make openswan to do not set them correctly?

i would be very happy if sb could point me in the right direction,
if there are needed some barf's or sth then just tell me

--
Irek Slonina

More information about the Users mailing list