[Openswan Users] More info - routing problem
Antony Gelberg
antony at wayforth.co.uk
Thu Sep 15 22:55:42 CEST 2005
Paul Wouters wrote:
> On Thu, 15 Sep 2005, Antony Gelberg wrote:
>
>> Sep 15 16:38:24 robert pluto[3595]: "roadwarrior"[2] 82.68.107.174 #2:
>> route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
>> 192.168.0.190/32 via 82.68.107.174 dev ipsec0 ' failed (RTNETLINK
>> answers: Network is unreachable)
>
>
>> conn roadwarrior
>> left=82.69.161.254
>> leftsubnet=192.168.168.0/24
>> leftcert=/etc/ipsec.d/certs/robert.wayforth.co.uk_cert.pem
>> right=%any
>> rightcert=/etc/ipsec.d/private/robert.wayforth.co.uk_key.pem
>> rightsubnetwithin=0.0.0.0/0
>> auto=add
>> pfs=yes
>
>
>> I won't post a barf at this stage, as I feel that this may well be
>> enough for someone to guide me, but please let me know if you need the
>> full barf.
>
>
> Is 82.68.107.174 your default gateway? You can try adding a leftnexthop=
> for that.
> If you have a weird default route over ppp that does something like
> 'route add 0.0.0.0/0 dev ppp0' then you might need to manually add a
> host route for your default gateway, eg route add -host 82.68.107.174
> dev ppp0
No, 82.68.107.174 is the public gateway to the NAT'd roadwarrior. The
default gateway for the office LAN is 82.69.161.254, which is "left" in
the config file. As this IP is also the address of the default route
interface on the gateway, I also tried left=%defaultroute. This was
even worse - the SA was never established.
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500:
ignoring Vendor ID payload [FRAGMENTATION]
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 0
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500:
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Sep 15 21:49:29 robert pluto[18242]: packet from 82.68.107.174:500:
initial Main Mode message received on 82.69.161.254:500 but no
connection has been authorized
Sorry if I'm being thick, but I am at a real loss. I have read the docs
and I think I know how it should all work, but can't quite get there. What
is really frustrating is that we deployed this for a customer back in
the freeswan days, and it worked well.
Antony
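The point in Paul's reply is that the `via` address _updown hands to `ip route add` must itself be on-link for the device named in `dev`, otherwise the kernel answers "Network is unreachable". As an added example that is not part of this thread, the Python below parses the doroute failure quoted above and checks a constructed `ip route show` table (the upstream hop 82.69.161.1 is hypothetical) for an on-link route covering that nexthop on that device, reporting the leftnexthop=/host-route remedy when none exists.

```python
import re
import ipaddress
# Constructed sample: the route-client failure quoted in the thread, re-joined on one line.
PLUTO_LOG = (
    'Sep 15 16:38:24 robert pluto[3595]: "roadwarrior"[2] 82.68.107.174 #2: '
    "route-client output: /usr/lib/ipsec/_updown: doroute `ip route add "
    "192.168.0.190/32 via 82.68.107.174 dev ipsec0 ' failed (RTNETLINK "
    "answers: Network is unreachable)"
)

# Constructed `ip route show` output for the office gateway. The upstream hop
# 82.69.161.1 is hypothetical; here ipsec0 carries the same on-link route as eth0.
ROUTE_TABLE = """\
82.69.161.0/24 dev eth0  proto kernel  scope link  src 82.69.161.254
82.69.161.0/24 dev ipsec0  proto kernel  scope link  src 82.69.161.254
192.168.168.0/24 dev eth1  proto kernel  scope link  src 192.168.168.1
default via 82.69.161.1 dev eth0
"""

DOROUTE_RE = re.compile(r"doroute `ip route add (?P<client>\S+) via (?P<via>\S+) dev (?P<dev>\S+)\s*' failed")

def parse_doroute_failure(line):
    """Extract client prefix, nexthop and device from a pluto doroute failure line."""
    m = DOROUTE_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "via": m["via"], "dev": m["dev"]}

def parse_routes(text):
    """Turn `ip route show` lines into (network, dev, gateway-or-None) tuples."""
    routes = []
    for f in (l.split() for l in text.splitlines() if l.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        dev = f[f.index("dev") + 1] if "dev" in f else None
        gw = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, dev, gw))
    return routes

def onlink_route_for(addr, dev, routes):
    """Most specific on-link (no 'via') route on dev covering addr, or None if unreachable."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n, d, gw in routes if d == dev and gw is None and ip in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def diagnose(log_line, route_text):
    """Say whether the failing nexthop is on-link for the device, and what to change if not."""
    fail = parse_doroute_failure(log_line)
    net = onlink_route_for(fail["via"], fail["dev"], parse_routes(route_text))
    if net is not None:
        return "nexthop %s is on-link (%s) on %s" % (fail["via"], net, fail["dev"])
    return "nexthop %s is not on-link on %s: set leftnexthop= or add a host route" % (fail["via"], fail["dev"])
```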