[Openswan Users]
-!- Routing Problems %defaultroute requested but not known -!-
neptuno
neptuno at ilhadamagia.trix.net
Wed Sep 15 21:58:51 CEST 2004
Please help me. I have already tried everything I can.
The problem is: IPsec SA established, but subnet HOSTS don't PING.
My scenario:
2 gateways, 2.6.4 Linux Kernel. net-to-net VPN with openswan 2.1.5
My openswan installation was 'make programs ; make install' at both sides.
(The only difference in /etc/ipsec.conf between the LEFT box and the RIGHT box is:
'ipsec0=eth0' / 'ipsec0=ppp0' and 'auto=add' / 'auto=start'.)
version 2.0

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=all
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns
        type=transport

conn vpn1
        left=200.176.142.38
        leftsubnet=192.168.201.0/24
        leftid=@brainless.rumonorte.com
        leftnexthop=200.176.142.1
        leftrsasigkey=0sAQNWR7mUjpednz0tQf98JqMZYO8so53FXJMwWpRMh1ERYVViavihzLX
        right=200.180.4.245
        rightsubnet=192.168.200.0/24
        rightid=@octopus.rumonorte.com
        rightnexthop=200.180.6.254
        rightrsasigkey=0sAQN0TnLB5v9znqtWZzmQFhB+wg/L/kImN2zSa4UJV7lxZx0wQlK2z6
        type=tunnel
        auto=add
Routing Info:
(left is a cable modem bridging) 200.176.142.38
(right is an adsl router bridging) 200.180.4.245
Traceroute from LEFT box to RIGHT box is:
traceroute to 200.180.4.245 (200.180.4.245), 30 hops max, 38 byte packets
1 10.21.0.1 115.308 ms 75.064 ms 85.628 ms
2 200.247.141.2 80.747 ms 123.416 ms 81.370 ms
3 200.176.127.198 58.309 ms 118.254 ms 147.297 ms
4 200.176.8.33 188.970 ms 58.091 ms 29.999 ms
5 200.176.8.9 98.586 ms 110.210 ms 15.132 ms
6 200.176.8.1 180.459 ms 200.176.8.5 20.621 ms 37.005 ms
7 200.176.255.10 190.918 ms 99.964 ms 48.928 ms
8 200.180.143.209 57.425 ms 133.184 ms 70.234 ms
9 201.10.225.49 52.939 ms 77.760 ms 132.133 ms
10 201.10.192.253 227.036 ms 49.337 ms 159.831 ms
11 200.215.1.29 69.196 ms 237.861 ms 324.517 ms
12 200.215.1.120 196.422 ms 46.270 ms 94.728 ms
13 200.180.4.245 45.729 ms 100.972 ms *
Traceroute from RIGHT box to LEFT box is :
traceroute to 200.176.142.38 (200.176.142.38), 30 hops max, 38 byte packets
1 200.180.6.254 626.132 ms 425.159 ms 106.152 ms
2 200.215.1.68 6.394 ms 10.818 ms 62.308 ms
3 200.215.1.1 6.404 ms 6.618 ms 6.140 ms
4 201.10.192.162 18.007 ms 259.653 ms 22.151 ms
5 201.10.225.30 18.434 ms 18.460 ms 18.705 ms
6 200.180.143.214 18.741 ms 27.535 ms 111.592 ms
7 200.176.255.12 24.868 ms 18.953 ms 18.255 ms
8 200.176.8.6 19.888 ms 26.362 ms 200.176.8.2 19.933 ms
9 200.176.8.10 20.196 ms 19.177 ms 21.195 ms
10 200.176.8.34 33.482 ms 192.378 ms 474.490 ms
11 200.247.141.5 438.036 ms 319.287 ms 499.884 ms
12 200.176.142.38 247.834 ms 149.007 ms 84.945 ms
ip route from LEFT: (VPN established)
192.168.201.0/24 dev eth1 scope link
192.168.200.0/24 via 200.176.142.1 dev ipsec0
200.176.142.0/24 dev eth0 proto kernel scope link src 200.176.142.38
200.176.142.0/24 dev ipsec0 proto kernel scope link src 200.176.142.38
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 200.176.142.1 dev eth0
default via 192.168.201.254 dev eth1
ip route from RIGHT: (VPN established)
200.180.6.254 dev ppp0 proto kernel scope link src 200.180.4.245
200.180.6.254 dev ipsec0 proto kernel scope link src 200.180.4.245
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.150
192.168.201.0/24 via 200.180.6.254 dev ipsec0
192.168.200.0/24 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default dev ppp0 scope link
LOGS: secure/messages
I cannot find any instance of 'drop' or 'error' in /etc/secure
/etc/messages : %defaultroute requested but not known
(I don't use %defaultroute in /etc/ipsec.conf)
ipsec_auto: fatal error in "packetdefault": %defaultroute requested but
not known
20:35:05 brainless kernel: klips_debug:pfkey_destroy_socket:
pfkey_remove_socket called.
20:35:05 brainless kernel: klips_debug:pfkey_destroy_socket:
sk(0pdff1f200)->(&0pdff1f244)receive_queue.{next=0pdff1f244,prev=0pdff
20:35:05 brainless kernel: klips_debug:pfkey_destroy_socket: destroyed.
20:35:05 brainless kernel: klips_debug:pfkey_list_remove_socket:
removing sock=0pd14afb00
20:35:05 brainless ipsec__plutorun: ipsec_auto: fatal error in "block":
%defaultroute requested but not known
20:35:05 brainless kernel: klips_debug:pfkey_list_remove_socket:
removing sock=0pd14afb00
20:35:05 brainless last message repeated 4 times
20:35:05 brainless ipsec__plutorun: ipsec_auto: fatal error in
"clear-or-private": %defaultroute requested but not known
20:35:05 brainless kernel: klips_debug:pfkey_list_remove_socket:
removing sock=0pd14afb00
20:35:05 brainless last message repeated 6 times
20:35:05 brainless kernel: klips_debug:pfkey_release: succeeded.
20:38:59 brainless kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
20:38:59 brainless kernel: klips_debug:rj_match: ** try to match a
leaf, t=0pddeea980
20:38:59 brainless kernel: klips_debug:rj_match: *** start searching up
the tree, t=0pddeea980
20:38:59 brainless kernel: klips_debug:rj_match: **** t=0pddeea998
20:39:00 brainless kernel: klips_debug:rj_match: **** t=0pdfc3e5c0
20:39:00 brainless kernel: klips_debug:rj_match: ***** cp2=0pdff3d698
cp3=0pc1669170
20:39:00 brainless kernel: klips_debug:rj_match: ***** not found.
ipsec look from LEFT box :
brainless.rumonorte.com Wed Sep 15 20:53:26 EDT 2004
192.168.201.0/24 -> 192.168.200.0/24 => tun0x1004 at 200.180.4.245
esp0x354cdeae at 200.180.4.245 (27)
ipsec0->eth0 mtu=16260(1443)->1500
esp0x354cdead at 200.180.4.245 ESP_3DES_HMAC_MD5: dir=out
src=200.176.142.38 iv_bits=64bits iv=0xc27422bb35d9eacf ooowin=64 seq=3
alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(456,0,0)addtime(1070,0,0)usetime(986,0,0)packets(3,0,0)
idle=983 refcount=4 ref=76 reftable=0 refentry=76
esp0x354cdeae at 200.180.4.245 ESP_3DES_HMAC_MD5: dir=out
src=200.176.142.38 iv_bits=64bits iv=0xa4d90543308c8413 ooowin=64 seq=27
alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(4032,0,0)addtime(937,0,0)usetime(866,0,0)packets(27,0,0)
idle=23 refcount=4 ref=86 reftable=0 refentry=86
esp0x4c43865a at 200.176.142.38 ESP_3DES_HMAC_MD5: dir=in
src=200.180.4.245 iv_bits=64bits iv=0xc04a14c4b1e04282 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1081,0,0) refcount=4
ref=71 reftable=0 refentry=71
esp0x4c43865b at 200.176.142.38 ESP_3DES_HMAC_MD5: dir=in
src=200.180.4.245 iv_bits=64bits iv=0x63620144bc18448d ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(941,0,0) refcount=4
ref=81 reftable=0 refentry=81
tun0x1001 at 200.176.142.38 IPIP: dir=in src=200.180.4.245
policy=192.168.200.0/24->192.168.201.0/24 flags=0x8<>
life(c,s,h)=addtime(1082,0,0) refcount=4 ref=70 reftable=0 refentry=70
tun0x1002 at 200.180.4.245 IPIP: dir=out src=200.176.142.38
life(c,s,h)=bytes(348,0,0)addtime(1071,0,0)usetime(986,0,0)packets(3,0,0)
idle=983 refcount=4 ref=75 reftable=0 refentry=75
tun0x1003 at 200.176.142.38 IPIP: dir=in src=200.180.4.245
policy=192.168.200.0/24->192.168.201.0/24 flags=0x8<>
life(c,s,h)=addtime(941,0,0) refcount=4 ref=80 reftable=0 refentry=80
tun0x1004 at 200.180.4.245 IPIP: dir=out src=200.176.142.38
life(c,s,h)=bytes(3078,0,0)addtime(938,0,0)usetime(866,0,0)packets(27,0,0)
idle=23 refcount=4 ref=85 reftable=0 refentry=85
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         200.176.142.1   0.0.0.0         UG    0   0      0    eth0
192.168.200.0   200.176.142.1   255.255.255.0   UG    0   0      0    ipsec0
200.176.142.0   0.0.0.0         255.255.255.0   U     0   0      0    eth0
200.176.142.0   0.0.0.0         255.255.255.0   U     0   0      0    ipsec0
ipsec look from RIGHT box :
192.168.200.0/24 -> 192.168.201.0/24 => tun0x1018 at 200.176.142.38
esp0x4c43865b at 200.176.142.38 (0)
ipsec0->ppp0 mtu=16260(1492)->1492
esp0x354cdead at 200.180.4.245 ESP_3DES_HMAC_MD5: dir=in
src=200.176.142.38 iv_bits=64bits iv=0xdfcb31332bb29d22 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1143,0,0) refcount=4
ref=1996 reftable=0 refentry=1996
esp0x354cdeae at 200.180.4.245 ESP_3DES_HMAC_MD5: dir=in
src=200.176.142.38 iv_bits=64bits iv=0x887a87a57f89ef60 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1011,0,0) refcount=4
ref=2006 reftable=0 refentry=2006
esp0x4c43865a at 200.176.142.38 ESP_3DES_HMAC_MD5: dir=out
src=200.180.4.245 iv_bits=64bits iv=0x483c95bf699a46a7 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1140,0,0) refcount=4
ref=2001 reftable=0 refentry=2001
esp0x4c43865b at 200.176.142.38 ESP_3DES_HMAC_MD5: dir=out
src=200.180.4.245 iv_bits=64bits iv=0xba8add73dc796124 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1000,0,0) refcount=4
ref=2011 reftable=0 refentry=2011
tun0x1015 at 200.180.4.245 IPIP: dir=in src=200.176.142.38
policy=192.168.201.0/24->192.168.200.0/24 flags=0x8<>
life(c,s,h)=addtime(1144,0,0) refcount=4 ref=1995 reftable=0 refentry=1995
tun0x1016 at 200.176.142.38 IPIP: dir=out src=200.180.4.245
life(c,s,h)=addtime(1141,0,0) refcount=4 ref=2000 reftable=0 refentry=2000
tun0x1017 at 200.180.4.245 IPIP: dir=in src=200.176.142.38
policy=192.168.201.0/24->192.168.200.0/24 flags=0x8<>
life(c,s,h)=addtime(1012,0,0) refcount=4 ref=2005 reftable=0 refentry=2005
tun0x1018 at 200.176.142.38 IPIP: dir=out src=200.180.4.245
life(c,s,h)=addtime(1001,0,0) refcount=4 ref=2010 reftable=0 refentry=2010
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0   0      0    ppp0
192.168.201.0   200.180.6.254   255.255.255.0   UG    0   0      0    ipsec0
200.180.6.254   0.0.0.0         255.255.255.255 UH    0   0      0    ipsec0
200.180.6.254   0.0.0.0         255.255.255.255 UH    0   0      0    ppp0
I'm filtering MASQUERADE for ipsec subnets at both sides and setting
rp_filter to 0.
What can I do at this point?
Best regards, Juliano.
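
Added example, not part of the original post: a small parser for the "ipsec look" SA records shown above that pairs each outbound SA on one gateway with the same SPI inbound on the peer and compares their packet counters. The function names parse_sas and compare are hypothetical, the sample text is copied from the post, and a missing packets() field is assumed to mean 0 (the unused SAs in the post list only addtime).

```python
import re

# Constructed sample: SA records copied from the "ipsec look" output in the post
# (wrapped as in the mail; the list archive renders "@" as " at ").
LEFT = """\
esp0x354cdeae at 200.180.4.245 ESP_3DES_HMAC_MD5: dir=out
src=200.176.142.38 iv_bits=64bits iv=0xa4d90543308c8413 ooowin=64 seq=27
alen=128 aklen=128 eklen=192
life(c,s,h)=bytes(4032,0,0)addtime(937,0,0)usetime(866,0,0)packets(27,0,0)
idle=23 refcount=4 ref=86 reftable=0 refentry=86
esp0x4c43865b at 200.176.142.38 ESP_3DES_HMAC_MD5: dir=in
src=200.180.4.245 iv_bits=64bits iv=0x63620144bc18448d ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(941,0,0) refcount=4
ref=81 reftable=0 refentry=81
"""
RIGHT = """\
esp0x354cdeae at 200.180.4.245 ESP_3DES_HMAC_MD5: dir=in
src=200.176.142.38 iv_bits=64bits iv=0x887a87a57f89ef60 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1011,0,0) refcount=4
ref=2006 reftable=0 refentry=2006
esp0x4c43865b at 200.176.142.38 ESP_3DES_HMAC_MD5: dir=out
src=200.180.4.245 iv_bits=64bits iv=0xba8add73dc796124 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1000,0,0) refcount=4
ref=2011 reftable=0 refentry=2011
"""

# An SA record starts with its SAID: protocol + SPI, then "@" (or " at ") + destination.
SA_START = re.compile(r"\b((?:esp|ah|tun)0x[0-9a-f]+)(?:@| at )(\d+\.\d+\.\d+\.\d+)")

def parse_sas(text):
    """Return {(said, dst): {"dir": "in"|"out", "packets": n}} for each SA record."""
    flat = " ".join(text.split())          # undo the mail's line wrapping
    starts = list(SA_START.finditer(flat))
    sas = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(flat)
        body = flat[m.end():end]
        d = re.search(r"\bdir=(in|out)\b", body)
        if not d:
            continue                       # eroute summary line, not an SA record
        p = re.search(r"packets\((\d+),", body)
        sas[m.groups()] = {"dir": d.group(1), "packets": int(p.group(1)) if p else 0}
    return sas

def compare(sender, receiver):
    """List (said, dst, sent, received) for SAs outbound on sender and inbound on receiver."""
    return [(said, dst, sa["packets"], receiver[(said, dst)]["packets"])
            for (said, dst), sa in sender.items()
            if sa["dir"] == "out" and receiver.get((said, dst), {}).get("dir") == "in"]
```

On the post's data, compare(parse_sas(LEFT), parse_sas(RIGHT)) reports 27 packets encrypted by the left gateway on esp0x354cdeae and none counted on the right gateway's inbound copy of that SA, while the reverse direction shows no packets sent at all.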