[Openswan Users] GRE over Openswan-2.4.6 with protoport option (problem).

Sergei LITVINENKO slitvinenko at voliacable.com
Sun Aug 6 11:40:38 EDT 2006


Hello,
My own tunnel is blocked until the extra tunnel is deleted manually... Is it
possible to work around (avoid) it?

[root at homedesk log]# ipsec eroute
0          172.31.101.4/30    -> 172.31.101.16/30   => 
tun0x100a at 195.xxx.xx.50:47
*174        172.31.101.5/32    -> 172.31.101.17/32   => %hold:47*

root# ipsec eroute --del --eraf inet --src 172.31.101.5/32 --dst 
172.31.101.17/32 --transport-proto 47
root# ipsec eroute
2          172.31.101.4/30    -> 172.31.101.16/30   => 
tun0x100a at 195.xxx.xx.xx:47

------------------------------------------------------------------------

Kernel: 2.6.17.7 (vanilla). No openswan patches are used.
openswan-2.4.6: KLIPS is used.
The GRE tunnel is started before ipsec.

conn %default
        leftrsasigkey=%none
        rightrsasigkey=%none
        type=tunnel
        # ----------------
        compress=yes
        auth=esp
        esp=3des
        # ----------------
        authby=secret
        keyexchange=ike
        disablearrivalcheck=yes
        ikelifetime=3600
        keylife=3600
        pfs=no

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn mail101016gu
        #-----------------------------
        compress=yes
        #-----------------------------
        left=195.xxx.xx.50
        leftnexthop=195.xxx.xx.49
        leftsubnet=172.31.101.16/30
        leftprotoport=47
        #-----------------------------
        right=82.xxx.xxx.136
        rightnexthop=82.xxx.xxx.129
        rightsubnet=172.31.101.4/30
        rightprotoport=47
        #-----------------------------
        auto=start

There is a GRE tunnel over ipsec:

[root at homedesk log]# ifconfig gre101016
gre101016 Link encap:UNSPEC  HWaddr 
AC-1F-65-05-05-08-38-9C-00-00-00-00-00-00-00-00
          inet addr:172.16.101.18  P-t-P:172.16.101.18  Mask:255.255.255.248
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1392  Metric:1
...

[root at homedesk log]# ip addr show gre101016
8: gre101016 at NONE: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1392 qdisc 
noqueue
    link/gre 172.31.101.5 peer 172.31.101.17
    inet 172.16.101.18/29 brd 172.16.101.23 scope global gre101016


/var/log/security:
-------------------
Aug  6 14:51:28 homedesk pluto[7297]: | pending review: connection 
"mail101016gu" checked
Aug  6 14:51:28 homedesk pluto[7297]: | next event EVENT_SHUNT_SCAN in 1 
seconds
Aug  6 14:51:29 homedesk pluto[7297]: |
Aug  6 14:51:29 homedesk pluto[7297]: | *time to handle event
Aug  6 14:51:29 homedesk pluto[7297]: | handling event EVENT_SHUNT_SCAN
Aug  6 14:51:29 homedesk pluto[7297]: | event after this is 
EVENT_PENDING_PHASE2 in 119 seconds
Aug  6 14:51:29 homedesk pluto[7297]: | inserting event 
EVENT_SHUNT_SCAN, timeout in 120 seconds
Aug  6 14:51:29 homedesk pluto[7297]: | scanning for shunt eroutes
Aug  6 14:51:29 homedesk pluto[7297]: | add orphaned shunt 
172.31.101.5/32:0 -> 172.31.101.17/32:0 => %hold:47
Aug  6 14:51:29 homedesk pluto[7297]: | next event EVENT_PENDING_PHASE2 
in 119 seconds
Aug  6 14:51:29 homedesk pluto[7297]: | add bare shunt 0x80f4e10 
172.31.101.5/32:0 -47-> 172.31.101.17/32:0 => %hold 0  %hold found-pfkey
Aug  6 14:51:29 homedesk pluto[7297]: | initiate on demand from 
172.31.101.5:0 to 172.31.101.17:0 proto=0 state: fos_start because: acquire
Aug  6 14:51:29 homedesk pluto[7297]: | find_connection: looking for 
policy for connection: 172.31.101.5:0/0 -> 172.31.101.17:0/0
Aug  6 14:51:29 homedesk pluto[7297]: | find_connection: concluding with 
empty
Aug  6 14:51:29 homedesk pluto[7297]: Can not opportunistically initiate 
for 172.31.101.5 to 172.31.101.17: no routed template covers this pair
Aug  6 14:51:29 homedesk pluto[7297]: | no explicit failure shunt for 
172.31.101.5 to 172.31.101.17; installing %pass
Aug  6 14:51:29 homedesk pluto[7297]: | no routed template covers this 
pair eroute 172.31.101.5/32:0 --0-> 172.31.101.17/32:0 => int.0 at 0.0.0.0 
(raw_eroute)
...
Aug  6 14:51:30 homedesk pluto[7297]: | finish_pfkey_msg: SADB_X_DELFLOW 
message 14 for flow int.0 at 0.0.0.0
Aug  6 14:51:30 homedesk pluto[7297]: |   02 0f 00 0b  0e 00 00 00  0e 
00 00 00  81 1c 00 00
Aug  6 14:51:30 homedesk pluto[7297]: |   03 00 15 00  00 00 00 00  02 
00 00 00  ac 1f 65 05
Aug  6 14:51:30 homedesk pluto[7297]: |   00 00 00 00  00 00 00 00  03 
00 16 00  00 00 00 00
Aug  6 14:51:30 homedesk pluto[7297]: |   02 00 00 00  ac 1f 65 11  00 
00 00 00  00 00 00 00
Aug  6 14:51:30 homedesk pluto[7297]: |   03 00 17 00  00 00 00 00  02 
00 00 00  ff ff ff ff
Aug  6 14:51:30 homedesk pluto[7297]: |   4c 6e ee bf  49 6d ee bf  03 
00 18 00  00 00 00 00
Aug  6 14:51:30 homedesk pluto[7297]: |   02 00 00 00  ff ff ff ff  31 
37 00 00  01 31 37 32
Aug  6 14:51:30 homedesk pluto[7297]: ERROR: pfkey write() of 
SADB_X_DELFLOW message 14 for flow int.0 at 0.0.0.0 failed. Errno 14: Bad 
address
...

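As an added diagnostic example (not from the post above and not part of Openswan), the script below parses `ipsec eroute` output and flags bare shunts (`%hold`, `%pass`, ...) whose source/destination fall inside an established tunnel eroute with the same transport protocol, which is exactly the situation shown in the listing. It then prints the same `ipsec eroute --del` command the post uses to clear the orphaned hold. It assumes Python 3.7 or later; the sample output is constructed from the post, with the masked peer address replaced by the documentation address 192.0.2.50 and one unrelated `%pass` entry added to show what is not flagged.

```python
"""Flag KLIPS bare shunts that shadow an established tunnel eroute.

Added example, not Openswan code.  Input is the text printed by
`ipsec eroute` (one entry per line: count src -> dst => target[:proto]).
"""
import ipaddress
import re

# One eroute line.  A leading/trailing '*' (mail client emphasis, as in the
# post) is tolerated so the listing can be pasted verbatim.
EROUTE_RE = re.compile(
    r"^\*?(?P<count>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+"
    r"(?P<target>[^\s*]+)\*?\s*$"
)

# Constructed sample: the two entries from the post (peer address replaced by
# 192.0.2.50) plus an unrelated %pass shunt that must not be reported.
SAMPLE_EROUTE = """\
0          172.31.101.4/30    -> 172.31.101.16/30   => tun0x100a@192.0.2.50:47
*174        172.31.101.5/32    -> 172.31.101.17/32   => %hold:47*
5          10.0.0.1/32        -> 10.0.0.2/32        => %pass
"""


def parse_eroute_line(line):
    """Return a dict for one eroute line, or None if the line is not one."""
    m = EROUTE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    proto = 0  # 0 means "any protocol" in the eroute listing
    # The transport protocol is a trailing ":<number>"; tunnel targets look
    # like tun0x100a@<peer>:<proto>, shunts like %hold:<proto>.
    base, sep, suffix = target.rpartition(":")
    if sep and suffix.isdigit():
        target, proto = base, int(suffix)
    return {
        "count": int(m.group("count")),
        "src": ipaddress.ip_network(m.group("src"), strict=False),
        "dst": ipaddress.ip_network(m.group("dst"), strict=False),
        "target": target,
        "proto": proto,
        "shunt": target.startswith("%"),  # %hold, %pass, %drop, %reject ...
    }


def find_blocking_shunts(lines):
    """Return (shunt, tunnel) pairs where a bare shunt lies inside a tunnel
    eroute and carries the same (or any) transport protocol."""
    entries = [e for e in (parse_eroute_line(l) for l in lines) if e]
    tunnels = [e for e in entries if not e["shunt"]]
    findings = []
    for s in entries:
        if not s["shunt"]:
            continue
        for t in tunnels:
            proto_match = t["proto"] in (0, s["proto"]) or s["proto"] == 0
            if (s["src"].subnet_of(t["src"])
                    and s["dst"].subnet_of(t["dst"]) and proto_match):
                findings.append((s, t))
    return findings


def delete_command(shunt):
    """The manual cleanup used in the post, built from the parsed entry."""
    return ("ipsec eroute --del --eraf inet --src %s --dst %s "
            "--transport-proto %d" % (shunt["src"], shunt["dst"], shunt["proto"]))


if __name__ == "__main__":
    for shunt, tunnel in find_blocking_shunts(SAMPLE_EROUTE.splitlines()):
        print("%s shunt %s -> %s (proto %d) shadows tunnel %s -> %s via %s"
              % (shunt["target"], shunt["src"], shunt["dst"], shunt["proto"],
                 tunnel["src"], tunnel["dst"], tunnel["target"]))
        print("  cleanup:", delete_command(shunt))
```

Run it against a live box with `ipsec eroute | python3 this_script.py` after replacing the sample with `sys.stdin`; the check is read-only, and the printed `--del` command is left for the operator to review before running, since deleting a `%hold` while pluto is still negotiating simply lets it be re-created on the next `EVENT_SHUNT_SCAN`.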

