[Openswan Users]
Identical installations with different 'eroute' status lines
Prashanth Ninan
prashanthninan at gmail.com
Fri Feb 18 17:27:16 CET 2005
Hi,
I have a puzzling problem. I have two identical systems running the same
Linux installation on kernel 2.4.18. Both have Openswan installed, and
the ipsec.conf files are identical except for the interfaces= line in
the config setup section.
However, on system 1 (IP address aa.bb.cc.dd) `ipsec whack --status`
reports the connection as 'prospective erouted', while on system 2 (IP
address ww.xx.yy.zz) the same command reports it as 'unrouted'. The
kernel routing tables also differ: system 1 has a route to
192.168.0.0/24 via ipsec0, while system 2 has no route to the remote
192.168.1.0/24 at all. Where and how can I change this behaviour?
Attached are the following (in this order):
/etc/ipsec.conf
ipsec whack --status [System 1]
ipsec whack --status [System 2]
route -n [System 1]
route -n [System 2]
Regards,
Prashanth Ninan
---------- (begin /etc/ipsec.conf) -----------
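version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# KLIPS binds ipsec0 to an IP alias here (eth0:0 on system 1,
	# eth1:0 on system 2); both hosts list "interface ipsec0/ethN:0" in
	# `ipsec whack --status`, so the alias is accepted.  Keep exactly ONE
	# interfaces= line per host: a second, uncommented assignment in the
	# same section silently overrides the first one.
	interfaces="ipsec0=eth0:0"
	# on system 2, the interfaces line above reads like:
	# interfaces="ipsec0=eth1:0"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none

# Add connections here.
conn %default
	keyingtries=0

conn net-to-net
	left=aa.bb.cc.dd
	leftsubnet=192.168.1.0/24
	leftnexthop=ga.te.wa.y1
	right=ww.xx.yy.zz
	# Was 192.168.0.1/24 -- a host address, not a network.  pluto masks
	# the host bits itself (the status output shows 192.168.0.0/24), but
	# spell the network out so the two ends visibly agree on the policy.
	rightsubnet=192.168.0.0/24
	# NOTE(review): `route -n` on system 2 lists its default gateway as
	# ga.te.wa.y1, not ga.te.wa.y2 -- confirm this nexthop is really the
	# on-link gateway for ww.xx.yy.zz.  KLIPS installs the tunnel route
	# via ipsec0 with the nexthop as gateway; if that add fails the
	# connection stays "unrouted".
	rightnexthop=ga.te.wa.y2
	auto=start
	authby=rsasig
	leftid=@string1
	rightid=@string2
	leftrsasigkey=0sA ...
	rightrsasigkey=0sA ...
	# No ike=/esp= proposals are pinned.  The status output shows the
	# negotiated IKE SA as 3DES_CBC_192-MD5-MODP1536 even though
	# OAKLEY_AES_CBC and OAKLEY_SHA1 are available; only ESP_3DES is
	# registered for ESP on this kernel.  Once connectivity is sorted
	# out, pin a stronger IKE proposal explicitly (e.g.
	# ike=aes128-sha1-modp1536) and check which ESP ciphers the kernel
	# actually offers before setting esp=.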
---------- (end /etc/ipsec.conf) -----------
---------- (begin output of ipsec whack --status on system1) -----------
000 interface ipsec0/eth0:0 aa.bb.cc.dd
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=128,
keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net":
192.168.1.0/24===aa.bb.cc.dd[@string1]---ga.te.wa.y1...ga.te.wa.y2---ww.xx.yy.zz[@string2]===192.168.0.0/24;
prospective erouted; eroute owner: #0
000 "net-to-net": srcip=unset; dstip=unset
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0:0;
000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "net-to-net":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2675s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
----------- (end output of ipsec whack --status on system1) -----------
---------- (begin output of ipsec whack --status on system2) -----------
000 interface ipsec0/eth1:0 ww.xx.yy.zz
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=128,
keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net":
192.168.0.0/24===ww.xx.yy.zz[@string2]---ga.te.wa.y2...ga.te.wa.y1---aa.bb.cc.dd[@string1]===192.168.1.0/24;
unrouted; eroute owner: #0
000 "net-to-net": srcip=unset; dstip=unset
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth1:0;
000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "net-to-net":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 12s; lastdpd=-1s(seq in:0 out:0)
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2799s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
----------- (end output of ipsec whack --status on system2) -----------
----------- (begin output of route -n on system1) -----------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
aa.bb.cc.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
aa.bb.cc.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.0.0 ga.te.wa.y1 255.255.255.0 UG 0 0 0 ipsec0
0.0.0.0 ga.te.wa.y1 0.0.0.0 UG 0 0 0 eth0
----------- (end output of route -n on system1) -----------
----------- (begin output of route -n on system2) -----------
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
ww.xx.yy.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
ww.xx.yy.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 ga.te.wa.y1 0.0.0.0 UG 0 0 0 eth1
----------- (end output of route -n on system2) -----------