[Openswan Users] Identical installations with different 'eroute' status lines

Prashanth Ninan prashanthninan at gmail.com
Fri Feb 18 17:27:16 CET 2005


Hi,

I have a puzzling problem. I have two otherwise identical systems running
the same Linux build on kernel 2.4.18. Both have Openswan installed, and
the ipsec.conf files are identical except for the interfaces= line in
the config setup section.

However, on system 1 (ip address: aa.bb.cc.dd), ipsec whack --status
shows 'prospective erouted', while on system 2 (ip address:
ww.xx.yy.zz), ipsec whack --status reports 'unrouted'. The routing
tables also differ: system 1 has 192.168.0.0/24 via ga.te.wa.y1 on
ipsec0, but system 2 has no route at all for 192.168.1.0/24, and its
default gateway is ga.te.wa.y1 rather than the ga.te.wa.y2 configured
as rightnexthop. On both hosts the ISAKMP SA is established but Quick
Mode is stuck in STATE_QUICK_I1 and retransmitting, so no IPsec SA
exists on either side; until one does, packets from system 2 for
192.168.1.0/24 simply follow the default route out eth1 in the clear.
Where and how can I change this behaviour?

Attached are the following (in this order):
/etc/ipsec.conf
ipsec whack --status [System 1]
ipsec whack --status [System 2]
route -n [System 1]
route -n [System 2]

Regards,
Prashanth Ninan

---------- (begin /etc/ipsec.conf) -----------

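version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Bind the KLIPS virtual device ipsec0 to the alias that carries the
        # public address (eth0:0 on system 1, eth1:0 on system 2).  Only one
        # interfaces= line may be active per host; the system-2 variant is
        # kept below as a comment so this file can be copied between hosts
        # without leaving a second, uncommented interfaces= line that
        # Openswan would not accept as-is (unindented parameter / duplicate
        # key).
        interfaces="ipsec0=eth0:0"
        # on system 2, the interfaces line above reads:
        #interfaces="ipsec0=eth1:0"
        # NOTE(review): ipsec0 is attached to an IP alias on both hosts and
        # both route tables show ipsec0 sharing the alias's /24 -- confirm
        # that KLIPS on 2.4.18 attaches cleanly to an alias device rather
        # than to the underlying eth0/eth1.
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # Keep these at none outside of troubleshooting: "all" includes the
        # "private" class, which writes secret key material to the log.
        klipsdebug=none
        plutodebug=none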

# Add connections here.

conn %default
        # Inherited by every conn below.  0 is the legacy spelling of
        # %forever: keep re-trying the negotiation without limit (both
        # status dumps show "keyingtries: 0" with Quick Mode still
        # retransmitting).
        keyingtries=0

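conn net-to-net
        # Subnet-to-subnet tunnel between the two gateways.  "left" is
        # system 1 and "right" is system 2; each host works out which side
        # it is by matching its own interface address against left=/right=.
        left=aa.bb.cc.dd
        leftsubnet=192.168.1.0/24
        leftnexthop=ga.te.wa.y1
        right=ww.xx.yy.zz
        # Network address, not a host address: 192.168.0.1/24 was being
        # normalised to 192.168.0.0/24 (see the whack --status output), so
        # write the value that is actually used.
        rightsubnet=192.168.0.0/24
        rightnexthop=ga.te.wa.y2
        # NOTE(review): the nexthop is the gateway Openswan uses for the
        # route it installs through ipsec0 (system 1 shows 192.168.0.0/24
        # via ga.te.wa.y1 on ipsec0, matching leftnexthop).  System 2's
        # kernel default route goes via ga.te.wa.y1, not ga.te.wa.y2 --
        # confirm which gateway is really in front of ww.xx.yy.zz.
        # auto=start initiates at startup.  NOTE(review): while the conn is
        # "unrouted" (system 2) its route table has no entry for
        # 192.168.1.0/24, so packets for that subnet follow the default
        # route unencrypted; auto=route (install the trap without
        # initiating) is the usual way to avoid cleartext fall-through.
        auto=start
        # Authenticate the peers by RSA signature; the IDs below select which
        # key each side presents and expects.
        authby=rsasig
        leftid=@string1
        rightid=@string2
        # Public halves only; each host's private key lives in ipsec.secrets.
        leftrsasigkey=0sA ...
        rightrsasigkey=0sA ...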

---------- (end /etc/ipsec.conf) -----------

---------- (begin output of ipsec whack --status on system1) -----------

000 interface ipsec0/eth0:0 aa.bb.cc.dd
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=128,
keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000  
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000  
000 "net-to-net":
192.168.1.0/24===aa.bb.cc.dd[@string1]---ga.te.wa.y1...ga.te.wa.y2---ww.xx.yy.zz[@string2]===192.168.0.0/24;
prospective erouted; eroute owner: #0
000 "net-to-net":     srcip=unset; dstip=unset
000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0:0;
000 "net-to-net":   newest ISAKMP SA: #1; newest IPsec SA: #0; 
000 "net-to-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000  
000 #2: "net-to-net":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2675s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000  

----------- (end output of ipsec whack --status on system1) -----------


---------- (begin output of ipsec whack --status on system2) -----------

000 interface ipsec0/eth1:0 ww.xx.yy.zz
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=128,
keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000  
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000  
000 "net-to-net":
192.168.0.0/24===ww.xx.yy.zz[@string2]---ga.te.wa.y2...ga.te.wa.y1---aa.bb.cc.dd[@string1]===192.168.1.0/24;
unrouted; eroute owner: #0
000 "net-to-net":     srcip=unset; dstip=unset
000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth1:0;
000 "net-to-net":   newest ISAKMP SA: #1; newest IPsec SA: #0; 
000 "net-to-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000  
000 #2: "net-to-net":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 12s; lastdpd=-1s(seq in:0 out:0)
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2799s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000  

----------- (end output of ipsec whack --status on system2) -----------

----------- (begin output of route -n on system1) -----------

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aa.bb.cc.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
aa.bb.cc.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     ga.te.wa.y1     255.255.255.0   UG    0      0        0 ipsec0
0.0.0.0         ga.te.wa.y1     0.0.0.0         UG    0      0        0 eth0

----------- (end output of route -n on system1) -----------

----------- (begin output of route -n on system2) -----------

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
ww.xx.yy.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
ww.xx.yy.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         ga.te.wa.y1     0.0.0.0         UG    0      0        0 eth1

----------- (end output of route -n on system2) -----------

