[Openswan Users] server fails to add route to roadwarrior

Robert W. Burgholzer rburgholzer at maptech-inc.com
Fri Mar 26 11:54:46 CET 2004


>So the client is behind a NAT gateway, at 10.20.1.x, and your server is
>141.152.55.223?  Is the client NAT'd behind the 141.152.55.223 address, or
>is it somewhere else?
>
>Can you include a dump of your ipsec.conf and routing tables?

OK, here is my situation.  Thanks for the help.

Server = 12.5.17.226
Client = 141.152.55.223 (current value, but non-static)
    Gateway = 10.22.1.1 (never changes)

Server Routing Table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
12.5.16.0       *               255.255.252.0   U     0      0        0 eth1
12.5.16.0       *               255.255.252.0   U     0      0        0 ipsec0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 eth1

Client Routing Table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.22.1.1       *               255.255.255.255 UH    0      0        0 ppp0
10.22.1.1       *               255.255.255.255 UH    0      0        0 ipsec0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     10.22.1.1       255.255.255.0   UG    0      0        0 ipsec0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.22.1.1       0.0.0.0         UG    0      0        0 ppp0

SERVERSIDE ipsec.conf
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=/etc/ipsec.d/www2.maptech-inc.com.pem
    leftid="/C=US/ST=Virginia/L=Blacksburg/O=MapTech Incorporated/OU=VPNGateway/CN=www2/Email=sysadmin at maptech-inc.com"
    leftsubnet=192.168.1.0/24

conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

conn maptech-net
    leftsubnet=192.168.1.0/24
    also=maptech-client

conn maptech-client
    right=%any
    left=12.5.17.226
    leftsubnet=192.168.1.0/24
    leftcert=/etc/ipsec.d/www2.maptech-inc.com.pem
    leftid="/C=US/ST=Virginia/L=Blacksburg/O=MapTech Incorporated/OU=VPNGateway/CN=www2/Email=sysadmin at maptech-inc.com"
    auto=add
    pfs=yes


CLIENT SIDE ipsec.conf:
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

conn maptech-net
    leftsubnet=192.168.1.0/24
    also=maptech-client

conn maptech-client
    left=12.5.17.226
    leftsubnet=192.168.1.0/24
    leftcert=/etc/ipsec.d/www2.maptech-inc.com.pem
    right=%defaultroute
    rightcert=/etc/ipsec.d/soulswimmer.maptech-inc.com.pem
    auto=add
    pfs=yes


Server Log with error:
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[1] 141.152.55.223 #1: responding to Main Mode from unknown peer 141.152.55.223
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[1] 141.152.55.223 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia, L=Richmond, O=MapTech Incorporated, OU=soulswimmer, CN=soulswimmer, E=rburgholzer at maptech-inc.com'
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #1: deleting connection "maptech-client" instance with peer 141.152.55.223 {isakmp=#0/ipsec=#0}
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #1: sent MR3, ISAKMP SA established
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: responding to Quick Mode
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client output: RTNETLINK answers: Network is unreachable
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client output: /usr/local/lib/ipsec/_updown: `ip route add 141.152.55.223/32 via 141.152.55.223 dev ipsec0' failed
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client command exited with status 2


Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/ 
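The error at the end of the log above is the kernel rejecting `ip route add 141.152.55.223/32 via 141.152.55.223 dev ipsec0` with ENETUNREACH. The kernel only accepts a `via` nexthop that is directly reachable (an on-link route, no gateway of its own) through the named device, and the server's routing table shows ipsec0 carrying only 12.5.16.0/22 while the on-link default route sits on eth1. The Python below is an added example, not part of this thread and not Openswan's own tooling: it parses the server's `route -n` table and the pluto `route-client output` lines from the post (the sample input is the post's own output, re-joined onto single lines), pulls the failed `ip route add` command out of the log, and reports whether the nexthop was on-link for that device and which on-link networks the device actually had. Function names and the reachability heuristic are this example's assumptions.

```python
import ipaddress
import re

# Constructed sample input, copied from the post above: the server's routing
# table and the three pluto lines around the failed route-client hook, with the
# mail-client line wraps removed so each log entry is one line.
SERVER_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
12.5.16.0       *               255.255.252.0   U     0      0        0 eth1
12.5.16.0       *               255.255.252.0   U     0      0        0 ipsec0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 eth1
"""

PLUTO_LOG = """\
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client output: RTNETLINK answers: Network is unreachable
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client output: /usr/local/lib/ipsec/_updown: `ip route add 141.152.55.223/32 via 141.152.55.223 dev ipsec0' failed
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client command exited with status 2
"""

# Matches the command that _updown reports as failed in the pluto log.
FAILED_ROUTE_ADD = re.compile(
    r"`ip route add (?P<dst>\S+) via (?P<via>\S+) dev (?P<dev>\S+)' failed"
)


def parse_route_table(text):
    """Parse `route -n` output into a list of (network, gateway, iface).

    gateway is None for on-link routes (shown as '*' by route -n).
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skip the banner and the column header
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        gw = None if gateway == "*" else ipaddress.IPv4Address(gateway)
        routes.append((network, gw, iface))
    return routes


def failed_route_adds(log_text):
    """Extract (dst, via, dev) from every failed `ip route add` the log reports."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_ROUTE_ADD.search(line)
        if m:
            found.append((m.group("dst"), m.group("via"), m.group("dev")))
    return found


def onlink_networks(routes, dev):
    """Networks directly reachable (no gateway) through `dev`, as strings."""
    return [str(net) for net, gw, iface in routes if iface == dev and gw is None]


def nexthop_reachable(routes, via, dev):
    """Heuristic (an assumption of this example) for the kernel's check on
    `ip route add ... via VIA dev DEV`: VIA must fall inside a route on DEV
    that has no gateway of its own.  Routes that themselves go through a
    gateway do not qualify; when no qualifying route exists the kernel
    answers ENETUNREACH, "Network is unreachable"."""
    via_addr = ipaddress.IPv4Address(via)
    return any(
        via_addr in net for net, gw, iface in routes if iface == dev and gw is None
    )


def diagnose(route_text, log_text):
    """For each failed route add in the log, report whether the nexthop was
    on-link for the device and which on-link networks the device had."""
    routes = parse_route_table(route_text)
    report = []
    for dst, via, dev in failed_route_adds(log_text):
        report.append({
            "dst": dst,
            "via": via,
            "dev": dev,
            "nexthop_onlink": nexthop_reachable(routes, via, dev),
            "onlink_networks_on_dev": onlink_networks(routes, dev),
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(SERVER_ROUTE_TABLE, PLUTO_LOG):
        print(entry)
```

Run against the post's data, the report shows the nexthop 141.152.55.223 is not on-link for ipsec0 (its only on-link network is 12.5.16.0/22), whereas the same nexthop would be on-link for eth1 because eth1 holds a gateway-less default route. Comparing the two interfaces' on-link networks in this way is the quickest check when a KLIPS _updown route hook fails with this message.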


