[Openswan Users] OpenS/WAN <-> freeS/WAN failure - routing problem?

Paul Wouters paul at xelerance.com
Thu Nov 11 12:06:50 CET 2004 

On Thu, 11 Nov 2004, Itai Tavor wrote:

> version 2.0     # conforms to second version of ipsec.conf specification
>
> config setup
>        interfaces=%defaultroute

> conn Tir-Na-Nogth-IM
>        right=%defaultroute

I am not entirely sure if this works as expected.

can you try to swap left and right in this conn, so that you have 
left=%defaultroute ?

> + egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
> # CONFIG_NETLINK_DEV is not set

This is bad, you need netlink.

> established
> Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #2: initiating Quick 
> Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #2: transition from 
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #2: sent QI2, IPsec SA 
> established {ESP=>0xa57ee5b0 <0x01106a70}

It all looks fine, I am not sure why you need to add routes.

> Checking NAT and MASQUERADEing
> Checking tun0x1002 at 203.217.34.219 from 10.0.2.0/24 to 10.0.1.0/24 
> [FAILED]
> ppp0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 10.0.1.0/24

Your NAT rules might break something though

> conn %default
>        # Allow only 1 try since we are the passive end
>        keyingtries=1
>        #
>        # Security gateway - left
>        left=210.229.239.65
>        leftsubnet=10.0.2.0/24
>        leftnexthop=154.33.4.102
>        leftupdown=/usr/local/lib/ipsec/_updown_imgfx
>        #
>        # Add but don't start connection on startup
>        auto=add
>        #
>        # RSA authentication
>        authby=rsasig
>        leftid=@edo.insentiv.co.jp
>        leftrsasigkey=[keyid AQOrd0max]

> # Connection from Tir-Na-Nog'th gateway
> conn Tir-Na-Nogth-IM
>        # Right - Tir-Na-Nog'th security gateway
>        right=0.0.0.0

This is wrong. You mean right=%any

>        rightsubnet=10.0.1.0/24
>        rightnexthop=

I would also either fill this in or leave it out entirely.

> Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: 
> up-client output: /usr/local/lib/ipsec/_updown_imgfx
> Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: 
> prepare-client output: /usr/local/lib/ipsec/_updown_imgfx
> Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: 
> route-client output: /usr/local/lib/ipsec/_updown_imgfx
> Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: 
> IPsec SA established {ESP=>0x01106a70 <0xa57ee5b0}

Looks good too.

Paul

More information about the Users mailing list