[Openswan Users] openswan does not set up routes automatically

Ted Kaczmarek tedkaz at optonline.net
Tue Aug 10 10:40:23 CEST 2004 

On Sun, 2004-08-08 at 12:30 -0400, Ted Kaczmarek wrote:
> On Sat, 2004-08-07 at 23:21 +0200, Irek Slonina wrote:
> > Hello,
> > this is my first post on the list, first attempt to openswan and so on
> > so please do not lynch me too hard.
> > 
> > I have set up three connections:
> > gw1-gw2
> > gw1net-gw2
> > gw1-gw2net
> > 
> > The gw boxes are pretty the same:
> > gw1 - PLD Ac, kernel-2.6.4, openswan-2.1.4
> > gw2 - PLD Ac, kernel-2.6.7, openswan-2.1.4
> > 
> > I can do ping:
> > gw1 from gw2
> > gw2 from gw1
> > gw2net from gw1
> > 
> > but i can't do gw1net from gw2
> > (ipsec verify says that ip forwarding is on, on both of the gw's)
> > 
> > iptables rules are empty on both of gw's
> > 
> > ipsec auto --status
> > says that every connection have been established.
> > 
> > my config:
> > 
> > conn gw2-gw1net
> > 	leftsubnet=192.168.0.0/24
> > 	also=gw2-gw1
> > conn gw2net-gw1
> > 	rightsubnet=10.0.0.0/24
> > 	also=gw2-gw1
> > also=gw2-gw1
> > 	conn gw2-gw1
> > 	left=LEFTIP
> > 	leftid=@gw1.pl
> > 	leftrsasigkey=...
> > 	leftnexthop=%defaultroute
> > 	right=RIGHTIP
> > 	rightid=@gw2.pl
> > 	rightrsasigkey=...
> > 	rightnexthop=%defaultroute
> > 	auto=start
> > 
> > the one thing that differs the gw's are additional routes set by openswan...
> > 
> > on gw2:
> > Destination Gateway   Genmask         Flags Metric Ref Use Iface
> > 192.168.0.0 mynexthop 255.255.255.0   UG    0      0   0   ppp0
> > gw1	    mynexthop 255.255.255.255 UGH   0      0   0   ppp0
> > 
> > and none additional on gw1
> > 
> > tcpdump on gw1 says that ping from gw2 -> gw1 net are arriving, but
> > none icmp reply's are sent to gw2:
> > 
> > 03:17:57.991680 IP gw2 > gw1:
> > ESP(spi=0xbc83e13f,seq=0x15)
> > 03:17:57.991680 IP gw2 > 192.168.0.1: icmp 64:
> > echo request seq 1
> > 03:17:57.991887 arp who-has 192.168.0.1 tell 192.168.0.102
> > 03:17:57.991986 arp reply 192.168.0.1 is-at 00:50:bf:ed:18:2a
> > 03:17:57.992000 IP gw2 > 192.168.0.1: icmp 64:
> > echo request seq 1
> > 03:17:57.992008 arp reply 192.168.0.1 is-at 00:30:4f:26:de:7d
> > 03:17:58.987422 IP gw2 > gw1:
> > ESP(spi=0xbc83e13f,seq=0x16)
> > 03:17:58.987422 IP gw2 > 192.168.0.1: icmp 64:
> > echo request seq 2
> > 
> > does the routes could make the difference? if so then where to find
> > what could make openswan to do not set them correctly?
> > 
> > i would be very happy if sb could point me in the right direction,
> > if there are needed some barf's or sth then just tell me
> > 
> > --
> > Irek Slonina
> > 
> > 
> > 
> route add -host "host ip" dev ipsec0
> route add -net "network ip" dev ipsec0
> 
> Alternately you can have zebra daemon synced to ipsec and have it add
> routes. Daemon must be started after ipsec0 is up.
> 
> As far as I know their are no capabilities for updating rib table in
> Openswan at present, but I may be wrong. I know that openswan 2.1.4
> does not for me with Fedora Core 1 or RH9.
> 
> czesc,
> Ted
> 
I am definetly wrong, in my case my zebra daemon's config was not
allowing the updates to the rib. Reminder to self, clean up old zebra
configs :-)

In Fedora Core 1 and Rh9 the routes get do get added via ipsec start.

Ted

More information about the Users mailing list