[Openswan Users] routing problem

Gunnar Weikamp gw at csw-com.de
Sat Sep 25 10:00:55 CEST 2004

Hi all.

I am currently working on an openswan connection between the office
network and my dial-up network at home.

Whatever I do pluto does not setup the routing the way it should.
After reading thousands of docs and howtos I am at the point where
I really need a little help. Perhaps you can point me to the problem.

On both sides I have a debian-stable (with some testing/unstable parts)
with debian-kernel 2.4.26. Klips is compiled and used. Openswan is at 
hydra:~# dpkg -l | grep openswan
ii  openswan       2.1.3-1        IPSEC utilities for Openswan
ii  openswan-modul 2.1.3-1        IPSEC kernel modules source for Openswan
on both ends.

Authentication works with x509 and PSK. For the sake of simplicity I
am testing with PSK only. This works on both sides:
Sep 24 11:04:20 io pluto[4137]: "roadwarrior"[1] 80.x.y.1 #3: IPsec SA established {ESP=>0x6f34a028 <0x2625bddd}
Sep 24 11:00:32 hydra pluto[3795]: "roadwarrior" #3: sent QI2, IPsec SA established {ESP=>0x2625bddd <0x6f34a028}

The problem is that pluto cannot setup routes properly.
The network is like this

[Network diagram, garbled in extraction. What survives of it: the office host has eth0 to eth3 with ipsec0 attached; eth0 faces the Internet behind a DLink 664 whose IPsec pass-through is OK for IKE (500) and ESP (50) datagrams; the home host has eth0 and eth1 with ipsec0 attached, eth0 facing the Home Network.]

When swan comes up I get these routes:
0        ->        => tun0x1003 at 80.x.y.1
0   ->  => tun0x1004 at 80.x.y.1
0        ->        => tun0x1002 at
0  ->   => tun0x1004 at
AFAIK this looks ok.

The problem is in the Office logs I get:
/usr/lib/ipsec/_updown: doroute `ip route add 80.x.y.1/32 via 80.x.y.1 dev ipsec0 ' failed (RTNETLINK answers: Network is unreachable)

tcpdump -i ipsec0 when I want to ping the other end from each side:
tcpdump: listening on ipsec0
@home & office.
traceroute shows me that on both sides packets are sent to the routers
instead of using that ipsec-route.

hydra:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan 2.1.3 (klips)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
@home & office. RSA can be ignored as it's only for IKE/authent, I think.
OE is excluded by conf and fails here, but that does not matter, I also think.

On request I could do an ipsec barf, but I did not see any hints there, so
I skip this here to avoid growing this mail...

The basic .conf files (thanks, Nate Carlson, Jean-Francois Nadeau, SwanWiki
and millions of others who wrote HowTos) are these:

version 2

config setup

conn %default

conn roadwarrior-net

conn roadwarrior

include /etc/ipsec.d/examples/no_oe.conf

version 2

config setup

conn %default

conn roadwarrior-net

conn roadwarrior

include /etc/ipsec.d/examples/no_oe.conf

I played with virtual private, left/right nexthop which do not
change anything. nat-traversal is not required, as the 80.x.y.1
gets directly mapped to the swan-IP in the private net.

iptables -L -n is empty for all chains on both sides so there are
no problems with firewalling.

The only problem is that the routing does not work, packets do
not use the tunnel.

Most probably I only have a small problem in setup/understanding
but I do not find it. Thx. for your ideas and sorry for a mail that big.

Regards & thx for reading
Gunnar.Weikamp at csw-com.de | Fon:+49/(0)711 - 4799 - 393 | IT Services
http://www.csw-com.de     | Fax:+49/(0)711 - 4799 - 595 | & Solutions
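The `_updown` line in the mail, `ip route add 80.x.y.1/32 via 80.x.y.1 dev ipsec0` answered with "Network is unreachable", is the kernel refusing a route whose gateway it cannot reach on the named device: without the `onlink` flag, `ip route add PREFIX via GW dev DEV` only succeeds when GW falls inside a connected (non-`via`) route on DEV. The script below is an added example, not from the mail or from Openswan's own `_updown`; it reimplements that precondition over a routing-table dump so the failure can be reproduced and understood offline. The two route dumps and the addresses are constructed (documentation ranges), and the helper names are mine.

```shell
#!/bin/sh
# Added example: check the kernel precondition for `ip route add PREFIX via GW dev DEV`.
# GW must lie inside a connected route (one without "via") on DEV, or the request
# fails with ENETUNREACH ("RTNETLINK answers: Network is unreachable").
# Both route dumps below are constructed samples in the format of `ip route show`.

# Constructed: ipsec0 is up but carries no connected route -> the add must fail.
ROUTES_BROKEN='default via 192.0.2.1 dev eth1
192.0.2.0/24 dev eth1 scope link
10.0.0.0/24 dev eth0 scope link'

# Constructed: ipsec0 carries the same connected prefix as eth1 -> the add succeeds.
ROUTES_OK='default via 192.0.2.1 dev eth1
192.0.2.0/24 dev eth1 scope link
192.0.2.0/24 dev ipsec0 scope link
10.0.0.0/24 dev eth0 scope link'

# ip2int ADDR: dotted quad -> unsigned integer (split in a subshell so IFS is untouched)
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_prefix ADDR PREFIX: exit 0 if ADDR is inside PREFIX ("default" and bare hosts accepted)
in_prefix() {
    _a=$(ip2int "$1")
    _p=$2
    [ "$_p" = default ] && _p=0.0.0.0/0
    case "$_p" in
        */*) _net=${_p%/*}; _len=${_p#*/} ;;
        *)   _net=$_p;      _len=32 ;;
    esac
    _n=$(ip2int "$_net")
    if [ "$_len" -eq 0 ]; then
        _mask=0
    else
        _mask=$(( (0xFFFFFFFF << (32 - _len)) & 0xFFFFFFFF ))
    fi
    [ $(( _a & _mask )) -eq $(( _n & _mask )) ]
}

# nexthop_onlink GW DEV ROUTES: exit 0 if GW is directly reachable on DEV
nexthop_onlink() {
    _gw=$1; _dev=$2
    printf '%s\n' "$3" | {
        while IFS= read -r _line; do
            [ -z "$_line" ] && continue
            case " $_line " in
                *" via "*)       continue ;;   # gatewayed route: not a connected route
                *" dev $_dev "*) ;;            # candidate connected route on DEV
                *)               continue ;;
            esac
            set -- $_line                      # first word is the prefix
            if in_prefix "$_gw" "$1"; then exit 0; fi
        done
        exit 1
    }
}

# check_route_add GW DEV ROUTES: print the verdict the kernel would give for the add
check_route_add() {
    if nexthop_onlink "$1" "$2" "$3"; then
        echo "ok: $1 is on-link via $2, 'ip route add ... via $1 dev $2' can succeed"
    else
        echo "fail: $1 not reachable via $2, expect 'RTNETLINK answers: Network is unreachable'"
    fi
}

check_route_add 192.0.2.1 ipsec0 "$ROUTES_BROKEN"
check_route_add 192.0.2.1 ipsec0 "$ROUTES_OK"
```

To apply it to a real host, replace the constructed dump with the output of `ip route show` and the gateway/device with the ones from the failing `doroute` line; if the check fails, the interface named in the command lacks a connected route covering the nexthop, which is what the log line reports.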
