[Openswan Users] More info - routing problem

Antony Gelberg antony at wayforth.co.uk
Thu Sep 15 22:55:42 CEST 2005


Paul Wouters wrote:
> On Thu, 15 Sep 2005, Antony Gelberg wrote:
> 
>> Sep 15 16:38:24 robert pluto[3595]: "roadwarrior"[2] 82.68.107.174 #2:
>> route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
>> 192.168.0.190/32 via 82.68.107.174 dev ipsec0 ' failed (RTNETLINK
>> answers: Network is unreachable)
> 
> 
>> conn roadwarrior
>>        left=82.69.161.254
>>        leftsubnet=192.168.168.0/24
>>        leftcert=/etc/ipsec.d/certs/robert.wayforth.co.uk_cert.pem
>>        right=%any
>>        rightcert=/etc/ipsec.d/private/robert.wayforth.co.uk_key.pem
>>        rightsubnetwithin=0.0.0.0/0
>>        auto=add
>>        pfs=yes
> 
> 
>> I won't post a barf at this stage, as I feel that this may well be
>> enough for someone to guide me, but please let me know if you need the
>> full barf.
> 
> 
> Is 82.68.107.174 your default gateway? You can try adding a leftnexthop=
> for that.
> If you have a weird default route over ppp that does something like
> 'route add 0.0.0.0/0 dev ppp0' then you might need to manually add a
> host route for your default gateway, e.g. route add -host 82.68.107.174
> dev ppp0

No, 82.68.107.174 is the public gateway to the NAT'd roadwarrior.  The 
default gateway for the office LAN is 82.69.161.254, which is "left" in 
the config file.  As this IP is also the address of the default route 
interface on the gateway, I also tried left=%defaultroute.  This was 
even worse - the SA was never established.

Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, 
but already using method 0
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500: 
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500: 
initial Main Mode message received on 82.69.161.254:500 but no 
connection has been authorized

Sorry if I'm being thick but I am at a real loss.  I have read the docs, 
I think I know how it should all work, but can't quite get there.  What 
is really frustrating is that we deployed this for a customer back in 
the freeswan days, and it worked well.

Antony
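The failing step in the log above is _updown running `ip route add 192.168.0.190/32 via 82.68.107.174 dev ipsec0`, and the kernel rejects a route whose gateway it cannot reach on the named device. The following is an added diagnostic, not code from the thread or from Openswan's own _updown: it reads `ip route show` style output (a constructed sample below, reusing the thread's addresses but with assumed interface names eth0 and eth1) and predicts whether such an `ip route add` will be refused with "Network is unreachable", i.e. whether the next hop lies on a connected network through that device. It is the check Paul's host-route suggestion addresses.

```shell
#!/bin/sh
# Constructed sample of `ip route show` output (assumed interfaces, not the poster's real table).
SAMPLE_ROUTES='default via 82.69.161.1 dev eth1
82.69.161.0/24 dev eth1 proto kernel scope link src 82.69.161.254
192.168.168.0/24 dev eth0 proto kernel scope link src 192.168.168.1'

# Print the device of the first connected route (one without "via") whose
# prefix contains the address in $1; print nothing if no such route exists.
# A "default" entry is skipped: it never makes a gateway on-link.
onlink_iface() {
    printf '%s\n' "$SAMPLE_ROUTES" | awk -v nh="$1" '
    function ip2int(s,  a) {
        split(s, a, ".")
        return a[1]*16777216 + a[2]*65536 + a[3]*256 + a[4]
    }
    # network prefix as an integer; 2^(32-plen) is exact in awk doubles
    function network(ip, plen,  step) { step = 2^(32-plen); return int(ip/step)*step }
    $1 == "default" { next }
    {
        via = 0; dev = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "via") via = 1
            if ($i == "dev") dev = $(i+1)
        }
        if (via) next
        n = split($1, p, "/"); plen = (n == 2) ? p[2] : 32
        if (network(ip2int(nh), plen) == network(ip2int(p[1]), plen)) { print dev; exit }
    }'
}

# Predict whether `ip route add DST via NEXTHOP dev DEV` will be accepted.
# Returns 0 and prints "ok" when NEXTHOP is on a connected network through DEV;
# returns 1 with a diagnosis otherwise (the kernel answers "Network is unreachable").
check_route_add() {
    dst=$1; nh=$2; dev=$3
    found=$(onlink_iface "$nh")
    if [ -z "$found" ]; then
        echo "ip route add $dst via $nh dev $dev: expect failure, $nh is not on any connected network"
        return 1
    elif [ "$found" != "$dev" ]; then
        echo "ip route add $dst via $nh dev $dev: expect failure, $nh is on-link via $found, not $dev"
        return 1
    fi
    echo "ok: $nh is on-link via $dev"
    return 0
}

# Demo: the route from the log (fails) versus a gateway on the connected /24 (succeeds).
check_route_add 192.168.0.190/32 82.68.107.174 ipsec0 || :
check_route_add 192.168.0.190/32 82.69.161.1 eth1 || :
```

To run it against a live box, replace SAMPLE_ROUTES with `$(ip route show)`; when the check reports the next hop as unreachable, that is the same condition the host-route workaround (or a matching leftnexthop=) is meant to remove.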

