[Openswan Users] uproute in _updown script
Marco Berizzi
pupilla at hotmail.com
Mon Feb 20 10:16:22 CET 2006
Tuomo Soini wrote:
>It's a bug which should be fixed in 2.4.5rc5.
I did a diff between rc4 and rc5: there is only one different file
(except docs files):
diff -r openswan-2.4.5rc4/programs/_confread/_confread.in
openswan-2.4.5rc5/programs/_confread/_confread.in
15c15
< # RCSID $Id: _confread.in,v 1.81.2.1 2006/01/13 15:18:10 ken Exp $
---
># RCSID $Id: _confread.in,v 1.81.2.2 2006/02/01 16:07:41 paul Exp $
137,138c137,138
< akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
< akey = akey " dpddelay dpdtimeout dpdaction"
---
> akey = " keyexchange auth pfs pfsgroup keylife rekey rekeymargin"
> akey = akey " rekeyfuzz dpddelay dpdtimeout dpdaction"
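Review bot: this hunk only adds `pfsgroup` to the list of accepted conn keywords in `_confread.in` (moving `rekeyfuzz` onto the second line to make room); it does not touch any route add/delete or nexthop handling, so on its own it cannot be the `_updown` fix the quoted reply attributes to 2.4.5rc5. Worth checking that the rc4/rc5 comparison also covered `programs/_updown` (and whatever passes nexthop to it) before concluding the fix is absent.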
>This bug will only show up
>if you use left=%defaultroute and you don't set leftnexthop=%defaultroute.
This is my ipsec.conf section:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
    #fragicmp=no
# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftsubnet=172.22.1.0/24
    leftid=fsw-rm at XXX
conn venezia
    left=1.1.1.1
    right=2.2.2.2
    rightsourceip=172.22.1.254
    leftnexthop=1.1.1.254
    rightnexthop=2.2.2.254
    leftsubnet=172.16.0.0/23
    rightsubnet=172.22.1.0/24
    leftid=fsw-ve at XXX
    rightid=fsw-rm at XXX
    rightcert=fswcert-roma.pem
    auto=start
    pfs=yes
    compress=yes
    keyingtries=0
>Problem is that when you have left=%defaultroute, nexthop parameter is
>added to route delete command and so actual added route and deleted
>route won't match so ip route del can't find route to delete. And this
>error should be visible in your logs.
>
>Reason for this is that nexthop defaults to %direct but there was magic
>in scripts when left=%defaultroute that when routes are deleted,
>leftnexthop was set to default gw and not %direct. This magic should not
>be there on 2.4.5rc5.
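The add/delete mismatch Tuomo describes is easy to reproduce on paper. The script below is an added illustration, not Openswan's `_updown` script or anything from this thread: it models, in a deliberately simplified form, how the `ip route` command built on the way up (nexthop `%direct`, so no `via`) stops matching the one built on the way down once the nexthop has been rewritten to the default gateway. The command shape, the `eth0` device and the gateway `1.1.1.254` are constructed assumptions chosen to mirror the configuration quoted above.

```shell
#!/bin/sh
# Added illustration (not Openswan's _updown): show why a route added with
# nexthop=%direct cannot be removed by a delete built with the default
# gateway as nexthop, which is the "ip route del can't find route" symptom.

# route_cmd ACTION SUBNET NEXTHOP
# Assumed command shape: with %direct no "via" is emitted, otherwise the
# gateway is given with "via". Device name eth0 is a constructed value.
route_cmd() {
    action=$1; subnet=$2; nexthop=$3
    if [ "$nexthop" = "%direct" ]; then
        echo "ip route $action $subnet dev eth0"
    else
        echo "ip route $action $subnet via $nexthop dev eth0"
    fi
}

# routes_match ADD_NEXTHOP DEL_NEXTHOP SUBNET
# Returns 0 when the delete is the exact counterpart of the add (the kernel
# will find the route), 1 when the two disagree (the delete will fail).
routes_match() {
    add=$(route_cmd add "$3" "$1")
    del=$(route_cmd del "$3" "$2")
    [ "${add#ip route add}" = "${del#ip route del}" ]
}

# Constructed scenario from the thread: left=%defaultroute, nexthop left at
# %direct when the route is added, but rewritten to the default gateway
# (1.1.1.254, constructed) when the route is deleted.
if routes_match "%direct" "%direct" 172.22.1.0/24; then
    echo "consistent: add and del refer to the same route"
fi
if ! routes_match "%direct" "1.1.1.254" 172.22.1.0/24; then
    echo "mismatch: del carries a nexthop the added route never had"
fi
```

Running it prints both lines: the first pair of calls agrees, the second does not, which is the condition that leaves a stale route behind after `ipsec auto --down` and shows up as a failed `ip route del` in the logs.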