[Openswan Users] server fails to add route to roadwarrior
Robert W. Burgholzer
rburgholzer at maptech-inc.com
Fri Mar 26 11:54:46 CET 2004
>So the client is behind a NAT gateway, at 10.20.1.x, and your server is
>141.152.55.223? Is the client NAT'd behind the 141.152.55.223 address, or
>is it somewhere else?
>
>Can you include a dump of your ipsec.conf and routing tables?
OK, here is my situation. Thanks for the help.
Server = 12.5.17.226
Client = 141.152.55.223 (current value, but non-static)
Gateway = 10.22.1.1 (never changes)
Server Routing Table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
12.5.16.0       *               255.255.252.0   U     0      0        0 eth1
12.5.16.0       *               255.255.252.0   U     0      0        0 ipsec0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 eth1
Client Routing Table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.22.1.1       *               255.255.255.255 UH    0      0        0 ppp0
10.22.1.1       *               255.255.255.255 UH    0      0        0 ipsec0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     10.22.1.1       255.255.255.0   UG    0      0        0 ipsec0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.22.1.1       0.0.0.0         UG    0      0        0 ppp0
SERVER SIDE ipsec.conf:
version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=/etc/ipsec.d/www2.maptech-inc.com.pem
    leftid="/C=US/ST=Virginia/L=Blacksburg/O=MapTech Incorporated/OU=VPNGateway/CN=www2/Email=sysadmin@maptech-inc.com"
    leftsubnet=192.168.1.0/24
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
conn maptech-net
    leftsubnet=192.168.1.0/24
    also=maptech-client
conn maptech-client
    right=%any
    left=12.5.17.226
    leftsubnet=192.168.1.0/24
    leftcert=/etc/ipsec.d/www2.maptech-inc.com.pem
    leftid="/C=US/ST=Virginia/L=Blacksburg/O=MapTech Incorporated/OU=VPNGateway/CN=www2/Email=sysadmin@maptech-inc.com"
    auto=add
    pfs=yes
CLIENT SIDE ipsec.conf:
version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
conn maptech-net
    leftsubnet=192.168.1.0/24
    also=maptech-client
conn maptech-client
    left=12.5.17.226
    leftsubnet=192.168.1.0/24
    leftcert=/etc/ipsec.d/www2.maptech-inc.com.pem
    right=%defaultroute
    rightcert=/etc/ipsec.d/soulswimmer.maptech-inc.com.pem
    auto=add
    pfs=yes
Server Log with error:
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[1] 141.152.55.223 #1: responding to Main Mode from unknown peer 141.152.55.223
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[1] 141.152.55.223 #1: Peer ID is ID_DER_ASN1_DN: 'C=US, ST=Virginia, L=Richmond, O=MapTech Incorporated, OU=soulswimmer, CN=soulswimmer, E=rburgholzer@maptech-inc.com'
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #1: deleting connection "maptech-client" instance with peer 141.152.55.223 {isakmp=#0/ipsec=#0}
Mar 26 10:40:20 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #1: sent MR3, ISAKMP SA established
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: responding to Quick Mode
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client output: RTNETLINK answers: Network is unreachable
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client output: /usr/local/lib/ipsec/_updown: `ip route add 141.152.55.223/32 via 141.152.55.223 dev ipsec0' failed
Mar 26 10:40:21 www2 pluto[26697]: "maptech-client"[2] 141.152.55.223 #2: route-client command exited with status 2
Robert Burgholzer
Environmental Engineer
MapTech Inc.
http://www.maptech-inc.com/
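Added illustration (not part of the message above or of Openswan): the script below parses the posted server routing table and applies the rule the kernel applies to the failing `ip route add 141.152.55.223/32 via 141.152.55.223 dev ipsec0`: the `via` address must be matched by an on-link route (no intermediate gateway) out of the named device, otherwise RTNETLINK answers "Network is unreachable". The column layout and the simplified lookup (metrics and route scope ignored) are assumptions of this example.

```python
import ipaddress

# Constructed copy of the server's `netstat -rn` table from the post.
# A '*' gateway means the destination is on-link for that interface.
SERVER_ROUTES = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
12.5.16.0 * 255.255.252.0 U 0 0 0 eth1
12.5.16.0 * 255.255.252.0 U 0 0 0 ipsec0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default * 0.0.0.0 U 0 0 0 eth1
"""


def parse_routes(text):
    """Turn netstat -rn style output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the column header
        dest, gw, mask, _flags, _m, _r, _u, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def route_add_would_succeed(routes, via, dev):
    """Mimic the kernel's next-hop check for `ip route add X via <via> dev <dev>`.

    The lookup is restricted to routes out of `dev`; the most specific match
    for `via` must exist and must be on-link (no gateway of its own).
    Returns False where the kernel would answer ENETUNREACH.
    """
    gw = ipaddress.ip_address(via)
    candidates = [(net, g) for net, g, iface in routes if iface == dev and gw in net]
    if not candidates:
        return False                            # no route to <via> out of <dev>
    _net, g = max(candidates, key=lambda c: c[0].prefixlen)
    return g is None                            # must be directly reachable


def explain(routes, via, dev):
    """Human-readable verdict for the route-client command in the log."""
    ok = route_add_would_succeed(routes, via, dev)
    return f"via {via} dev {dev}: " + ("ok" if ok else "Network is unreachable")


if __name__ == "__main__":
    table = parse_routes(SERVER_ROUTES)
    print(explain(table, "141.152.55.223", "ipsec0"))   # the failing command
    print(explain(table, "141.152.55.223", "eth1"))     # same peer, on-link default route
    print(explain(table, "12.5.16.1", "ipsec0"))        # a hop inside ipsec0's subnet
```

Running it shows that the peer address is only on-link through eth1's gateway-less default route, so any next hop outside 12.5.16.0/22 cannot be installed over ipsec0.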