[Openswan Users] openswan does not set up routes automatically

Ted Kaczmarek tedkaz at optonline.net
Sun Aug 8 13:30:14 CEST 2004


On Sat, 2004-08-07 at 23:21 +0200, Irek Slonina wrote:
> Hello,
> this is my first post on the list, first attempt to openswan and so on
> so please do not lynch me too hard.
> 
> I have set up three connections:
> gw1-gw2
> gw1net-gw2
> gw1-gw2net
> 
> The gw boxes are pretty much the same:
> gw1 - PLD Ac, kernel-2.6.4, openswan-2.1.4
> gw2 - PLD Ac, kernel-2.6.7, openswan-2.1.4
> 
> I can do ping:
> gw1 from gw2
> gw2 from gw1
> gw2net from gw1
> 
> but I can't do gw1net from gw2
> (ipsec verify says that ip forwarding is on, on both of the gw's)
> 
> iptables rules are empty on both of gw's
> 
> ipsec auto --status
> says that every connection has been established.
> 
> my config:
> 
> conn gw2-gw1net
> 	leftsubnet=192.168.0.0/24
> 	also=gw2-gw1
> conn gw2net-gw1
> 	rightsubnet=10.0.0.0/24
> 	also=gw2-gw1
> conn gw2-gw1
> 	left=LEFTIP
> 	leftid=@gw1.pl
> 	leftrsasigkey=...
> 	leftnexthop=%defaultroute
> 	right=RIGHTIP
> 	rightid=@gw2.pl
> 	rightrsasigkey=...
> 	rightnexthop=%defaultroute
> 	auto=start
> 
> the one thing that differs between the gw's is the additional routes set by openswan...
> 
> on gw2:
> Destination Gateway   Genmask         Flags Metric Ref Use Iface
> 192.168.0.0 mynexthop 255.255.255.0   UG    0      0   0   ppp0
> gw1	    mynexthop 255.255.255.255 UGH   0      0   0   ppp0
> 
> and none additional on gw1
> 
> tcpdump on gw1 says that pings from gw2 -> gw1net are arriving, but
> no ICMP replies are sent to gw2:
> 
> 03:17:57.991680 IP gw2 > gw1:
> ESP(spi=0xbc83e13f,seq=0x15)
> 03:17:57.991680 IP gw2 > 192.168.0.1: icmp 64:
> echo request seq 1
> 03:17:57.991887 arp who-has 192.168.0.1 tell 192.168.0.102
> 03:17:57.991986 arp reply 192.168.0.1 is-at 00:50:bf:ed:18:2a
> 03:17:57.992000 IP gw2 > 192.168.0.1: icmp 64:
> echo request seq 1
> 03:17:57.992008 arp reply 192.168.0.1 is-at 00:30:4f:26:de:7d
> 03:17:58.987422 IP gw2 > gw1:
> ESP(spi=0xbc83e13f,seq=0x16)
> 03:17:58.987422 IP gw2 > 192.168.0.1: icmp 64:
> echo request seq 2
> 
> could the routes make the difference? If so, where should I look for
> what makes openswan not set them correctly?
> 
> I would be very happy if somebody could point me in the right direction;
> if some barfs or something else are needed then just tell me.
> 
> --
> Irek Slonina
> 
> 
> 
route add -host "host ip" dev ipsec0
route add -net "network ip" dev ipsec0

Alternatively you can have the zebra daemon synced to ipsec and have it add
routes. The daemon must be started after ipsec0 is up.

As far as I know there are no capabilities for updating the rib table in
Openswan at present, but I may be wrong. I know that openswan 2.1.4
does not do so for me with Fedora Core 1 or RH9.

czesc,
Ted
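Ted's `route add` suggestion turned into a small check, as an added example that is not part of the thread and not Openswan's own tooling: it parses a `route -n` / `netstat -rn` style table and prints the `route add` lines that are still missing for the peer host and the remote subnets, so the two gateways can be compared before anything is changed. The sample table is constructed from the gw2 table in the post; the `203.0.113.*` addresses (standing in for LEFTIP and "mynexthop"), the `172.16.5.0/24` subnet and the device name passed to `missing_routes` are assumptions.

```shell
#!/bin/sh
# Report which routes toward the IPsec peer are absent from a kernel
# routing table and print the `route add` command for each missing one.

# Constructed sample: gw2's table from the post with placeholder numeric
# addresses (203.0.113.1 = "mynexthop", 203.0.113.10 = gw1), plus the
# local LAN and default route that `route -n` would normally also show.
SAMPLE_GW2='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     203.0.113.1     255.255.255.0   UG    0      0        0 ppp0
203.0.113.10    203.0.113.1     255.255.255.255 UGH   0      0        0 ppp0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0'

# has_route TABLE DEST GENMASK
# Returns 0 when TABLE has a line whose Destination and Genmask columns
# match DEST and GENMASK exactly, 1 otherwise. The header line is skipped.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" '
        NR > 1 && $1 == d && $3 == m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_routes TABLE DEV DEST/GENMASK [DEST/GENMASK ...]
# For every DEST/GENMASK pair not present in TABLE, prints the `route add`
# line Ted describes: -host for a /32 mask, -net otherwise, all via DEV.
missing_routes() {
    table=$1
    dev=$2
    shift 2
    for entry in "$@"; do
        dest=${entry%/*}
        mask=${entry#*/}
        if ! has_route "$table" "$dest" "$mask"; then
            if [ "$mask" = 255.255.255.255 ]; then
                echo "route add -host $dest dev $dev"
            else
                echo "route add -net $dest netmask $mask dev $dev"
            fi
        fi
    done
}

# Usage on the sample: the peer host and its LAN are already routed, so
# only the (assumed) extra remote subnet is reported.
missing_routes "$SAMPLE_GW2" ipsec0 \
    203.0.113.10/255.255.255.255 \
    192.168.0.0/255.255.255.0 \
    172.16.5.0/255.255.255.0
```

On a live box, replace `SAMPLE_GW2` with `$(route -n)` and pass the device the tunnel actually uses; the script only prints commands, so the output can be reviewed on both gateways before any route is added.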
