[Openswan Users] Virtual interfaces

Paul Wouters paul at xelerance.com
Tue Jul 19 16:47:10 CEST 2005


On Tue, 19 Jul 2005, Lionel Cottin wrote:

> I'm currently having issues with OpenSWAN on RHEL3 using RH IPSEC stack.

RHEL3 is the worst for linux ipsec. If possible move the VPN services to a 
separate box, eg a Fedora Core 4 machine. Or perhaps a RHEL4 machine, though
I have no experience with RHEL4.

> I run 2 servers configured as 1 HA cluster using heartbeat (active/passive).
> Openswan is configured to bind on eth0:0, which is the virtual interface managed by heartbeat.

If using the RHEL3 kernel's NETKEY backport, you cannot bind to separate interfaces
like with KLIPS. The interfaces= line is ignored.

> Both the virtual and the underlying physical interfaces are on the same subnet.
> Each "IPSEC Client" has 2 connections defined: one in tunnel and the other one
> in transport mode.

> This setup worked like a charm using RH7.3 based VPN routers and super freeswan
> 1.99 . However and since I migrated them to RHEL3/Openswan2.3.1 a few days ago,
> IPSEC is often "not" crashing but in a really bad state; I have to manually
> restart some connection very often.

So you migrated from KLIPS to NETKEY. Which is the real reason for your problem.

> From what I've seen till now, it seems that the error comes from pluto not being
> able to properly handle virtual IPs like eth0:0.
>
> When starting IPSEC connections I get error messages like:
> "XXXX": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete
> x.x.x.x/32 via x.x.x.x dev eth0:0 ' failed (Cannot find device "eth0:0")

When using NETKEY, it shouldn't do any route adding/deleting. A work around for
this bug is to set a leftnexthop= pointing to the default gateway.

> And when manually restarting the connections I get:
> # ipsec auto --down XX
> 003 "XX" #22: ERROR: netlink response for Del SA esp.xxxxxxxx@local_IP included
> errno 3: No such process
> where local_IP is the virtual IP

This is because the addition failed on the route addition. So deletion failed as well.

Could you let me know if this fixes your problem? Please do not cut away too much
content, so I can still see what you confirmed.

Paul
-- 

"With Data mining, we can search specifically for clues"

--- The AIVD (The Dutch NSA) on the necessity of ISPs' data retention
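The workaround Paul describes above, written out as an Openswan 2.x ipsec.conf fragment. This is an added example, not configuration posted by either participant in the thread; the connection names, addresses and subnets are assumptions chosen to match the setup described (a heartbeat-managed virtual IP on eth0:0, one tunnel-mode and one transport-mode conn per peer).

```ini
# Added example (not from the thread). All addresses below are assumed values.
config setup
        # Ignored by the RHEL3 NETKEY backport (only honoured with KLIPS),
        # but harmless to leave in place.
        interfaces=%defaultroute

# Tunnel-mode connection, terminated on the heartbeat-managed virtual IP.
conn peer1-tunnel
        left=192.0.2.10             # assumed virtual IP that heartbeat adds as eth0:0
        leftnexthop=192.0.2.1       # assumed default gateway; this is the workaround
        leftsubnet=10.0.1.0/24      # assumed local subnet behind the VPN router
        right=198.51.100.5          # assumed peer
        rightsubnet=10.0.2.0/24     # assumed remote subnet
        type=tunnel
        auto=add

# Transport-mode connection to the same peer (host-to-host, no subnets).
conn peer1-transport
        left=192.0.2.10
        leftnexthop=192.0.2.1       # same gateway; keep it on every conn using the alias
        right=198.51.100.5
        type=transport
        auto=add
```

After the change, bring a connection up with `ipsec auto --up peer1-tunnel` and confirm that the `_updown: doroute ... dev eth0:0` failure no longer appears in the output or in the pluto log; a later `ipsec auto --down` should then also stop reporting the "Del SA ... No such process" netlink error, since that followed from the failed route step.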

