[Openswan Users] routing problem 2.6.x kernel

Andreas Vogt a_vogt at gaia.de
Fri Feb 18 13:00:41 CET 2005


I used to have a tunnel between two systems running 2.4.x Linux
kernels. (Linux FreeS/WAN U1.99/K2.04  -- Linux FreeS/WAN 2.05)

Now I've got a new server running SuSE 9.2, kernel 2.6.8-something special, with
openswan 2.2.0 rel 8. (Before you ask: yes, I tried a vanilla kernel 2.6.10
as well.)
I configured as much as possible the same way as I already did on 2.4.x
kernels (ipsec.secrets, ipsec.conf), disabling opportunistic encryption
(as I never used that before). As far as I understand, the native IPsec
implementation in 2.6.x kernels doesn't show me an ipsec0 interface.

So I started ipsec on both sides, getting

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.2.0/K2.6.8-24.11-default (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'curl' command for CRL fetching                            [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: resi2                          
   Does the machine have at least one non-private address?              [OK]
   Looking for TXT in reverse dns zone:  

#ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.8-24.11-default...
# ipsec setup --status
IPsec running pluto pid 7716, no SADB entries                        done

and on the 2.4.x machine I get an ipsec0 interface, routing and so on.

But I can't ping between the networks or machines; the connection doesn't work.
Starting traceroute, the trace goes out the old standard gateway path, not
directly the tunneled way.
As I don't have an interface ipsec0 and can't see any different routing
(route -n), how can I urge the packets to go the ipsec way?
Where can I find out what's going on and why the tunnel doesn't work?

Inspecting the debugging log, I get (for example) on the 2.6.x machine:

Feb 18 13:51:54 resi2 pluto[8132]: | route owner of "gaianetz.gaia.de-hetznernetz2.gaia.de" unrouted: NULL
Feb 18 13:51:54 resi2 pluto[8132]: | install_inbound_ipsec_sa() checking if we can route
Feb 18 13:51:54 resi2 pluto[8132]: | route owner of "gaianetz.gaia.de-hetznernetz2.gaia.de" unrouted: NULL; eroute owner: NULL
Feb 18 13:51:54 resi2 pluto[8132]: | could_route called for gaianetz.gaia.de-hetznernetz2.gaia.de (kind=CK_PERMANENT)
Feb 18 13:51:54 resi2 pluto[8132]: "gaianetz.gaia.de-hetznernetz2.gaia.de" #3: ERROR: netlink response for Add SA comp.acd7 at included errno 22: Invalid argument
Feb 18 13:51:54 resi2 pluto[8132]: | state transition function for STATE_QUICK_R0 had internal error

As I said - the same configuration already works between two 2.4.x machines.

What kind of information should I add to solve this problem?
Is there anybody who can help me?
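An added example, not part of the post and not Openswan's own code: with the 2.6 native stack the decision to send a packet through the tunnel is taken from the kernel's xfrm security policy database, which `ip xfrm policy` (or `setkey -DP`) lists, not from a route or an ipsec0 interface, so `route -n` shows nothing even when the tunnel is fine. The sample policy output and the subnets below are constructed; on a live box the functions take the real `ip xfrm policy` output as their third argument.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy` output for one established tunnel on
# the 2.6 native stack (sample data, not taken from the post). Addresses are
# documentation ranges; the subnets stand in for leftsubnet/rightsubnet.
SAMPLE_XFRM_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
	dir out priority 2344 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir in priority 2344 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir fwd priority 2344 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16385 mode tunnel'

# tunnel_dirs LEFTNET RIGHTNET [POLICY_TEXT]
# Prints the policy directions (out, in, fwd) that exist between the two
# subnets, in the order they appear. On a live box pass "$(ip xfrm policy)"
# as the third argument; without it the constructed sample is parsed.
tunnel_dirs() {
    awk -v l="$1" -v r="$2" '
        # selector line: "src A dst B" (the indented "tmpl src ..." lines
        # start with "tmpl", so they do not match here)
        $1 == "src" && $3 == "dst" { s = $2; d = $4; next }
        # direction line belonging to the selector above
        $1 == "dir" && ((s == l && d == r) || (s == r && d == l)) {
            out = out (out == "" ? "" : " ") $2
        }
        END { print out }' <<EOF
${3:-$SAMPLE_XFRM_POLICY}
EOF
}

# tunnel_complete LEFTNET RIGHTNET [POLICY_TEXT]
# Returns 0 when both an "out" and an "in" policy exist for the pair (the
# two entries every tunnel needs; "fwd" appears in addition on newer
# kernels), 1 otherwise. No entries at all means pluto never installed
# the eroute for this connection.
tunnel_complete() {
    dirs=$(tunnel_dirs "$1" "$2" "${3:-$SAMPLE_XFRM_POLICY}")
    case " $dirs " in
        *" out "*) ;; *) return 1 ;;
    esac
    case " $dirs " in
        *" in "*) return 0 ;; *) return 1 ;;
    esac
}
```

`ip xfrm state` is the matching view of the SAs themselves; after the failed "Add SA comp" in the log above, the comp SA would be absent there, which is what to look for first.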
