[Openswan Users] [Openswan dev] book example yields - No route to host...not authenticated using

Bruce S. Skinner Bruce.Skinner at norsteadfarm.ca
Fri Dec 15 09:54:33 EST 2006


Hello Paul,

Fixed.

I was a while getting back to this and your suggestion about setting
leftnexthop was getting close to the issue.  The issue really was a
bad value for leftnexthop, but the reason it was wrong was because I
was using the same ipsec.conf on both sides and relying on default
values for routing info.  My perspective on left and right was global,
which works fine just as long as you have hard numbers, but breaks when
you use magic values like %defaultroute which assume (of necessity)
that LEFT IS LOCAL and RIGHT IS REMOTE.

regards :-)
BruceS

Paul Wouters <paul at xelerance.com> writes:

> On Sun, 26 Nov 2006, Bruce S. Skinner wrote:
>
>> >>   pluto[4529]: "sample" #1: ERROR: asynchronous network error report
>> >>   on eth0 (sport=500) for message to 10.1.1.11 port 500, complainant
>> >>   172.31.1.200: No route to host [errno 113, origin ICMP type 3 code 1
>> >>   (not authenticated)]
>> >>
>> >> Is this an authentication issue or a routing issue?
>> >
>> > A router in the middle, 172.31.1.200, cannot reach 10.1.1.11.
>>
>> It doesn't appear to be that simple, as the router in the middle is a
>> single machine with two interfaces one at 172.31.1.1 and 10.1.1.1.  It
>> routes both ways before I start openswan as indicated in the
>> traceroute/ping examples below.  It appears that routing breaks only
>> after openswan is started...
>
> that should not happen. Are you sure you are not firewalling udp port 500?
>
>> 	left=10.1.1.11
>> 	right=172.31.1.200
>> 	type=tunnel
>> 	# RSA 2048 bits   gw   Sun Nov 26 11:45:54 2006
>> 	leftrsasigkey=0sAQOLN9ThgpqFfu+hpcpy/BDCJj82oakzQ/X87KKAT1Ba+jj1DyUN4oTBd1WrNgaqMS4XOZeCZCFjDrO4LYgLTL0lBXKkz/+nmtVJadLlWesVUVNLPBZ+GQMrv8i4a257Ut6G4PAI0fInXP3T5SAEJ8k0S/ix5KVzxpGo5noZ5QKW/C04F2xVGyUqah98Q1wdQBIIE/9N8nkU5CL4GfEBTw0RVuLIVwsP0UXNvIYqhxzfXLkiotYBcoKKwOKCjr8BEIrpsGPRQDeHFGOrLlXRq11MeCCHnumJEze9J6WpqQ2vk+QbohZZae1v+/Y858FVii9H2A/8h9eieEA8Y1TadHvV
>> 	# RSA 2048 bits   gw   Sun Nov 26 11:57:40 2006
>> 	rightrsasigkey=0sAQN4diBgDiCl2HcJ74M3Ggnp9BjA2KtxKNJiAmpLNn+jjr/Y9xv5JIXS2mdrWmEwbqYm0PzRpJIOJ6raXc+s86LRf7fC3EE+HsG8Gp9T11AyLdiSwwXFnrCPLwi7VP6C2oM6d3I3X3N0uC7vlNsbTZZiqfWw9iHVlh/DmpHPgvjyf9jc0fFRhWHWE8/lZTTP7fGLr+l7ve8L6we3x1EaRuIz+nPc32l21ZnfSQci3QY5I8e8WWLgjovIAlpcnnvEyyMJEoJKRumjdnTJFZ6uXR+S3m9zgaCt5dsQyDqs3ACNlHwqPqiyYkarstbReJx9KI5jgyB+EmkNq1aDAeJJDp8P
>> 	auto=start
>
> What happens if you add leftnexthop=172.31.1.200 ?
>
>> # RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
>
> You just published your secret key. You should destroy it and create a new
> one now.
>
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

-- 

Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
 Tel: 902-538-1765
Cell: 902-670-6456
 Fax: 902-538-1794
<mailto:bruce.skinner at norsteadfarm.ca>