[Openswan Users] uproute in _updown script

Marco Berizzi pupilla at hotmail.com
Mon Feb 20 10:16:22 CET 2006 

Tuomo Soini wrote:

>It's a bug which should be fixed in 2.4.5rc5.

I did a diff between rc4 and rc5: there is only one different file
(except docs files):

diff -r openswan-2.4.5rc4/programs/_confread/_confread.in 
openswan-2.4.5rc5/programs/_confread/_confread.in
15c15
< # RCSID $Id: _confread.in,v 1.81.2.1 2006/01/13 15:18:10 ken Exp $
---
># RCSID $Id: _confread.in,v 1.81.2.2 2006/02/01 16:07:41 paul Exp $
137,138c137,138
<       akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
<         akey = akey " dpddelay dpdtimeout dpdaction"
---
>       akey = " keyexchange auth pfs pfsgroup keylife rekey rekeymargin"
>         akey = akey " rekeyfuzz dpddelay dpdtimeout dpdaction"


>This bug will only show up
>if you use left=%defaultroute and you don't set leftnexthop=%defaultroute.

This is my ipsec.conf section:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup 
actions.
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        #fragicmp=no

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=1
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftsubnet=172.22.1.0/24
        leftid=fsw-rm at XXX

conn venezia
        left=1.1.1.1
        right=2.2.2.2
        rightsourceip=172.22.1.254
        leftnexthop=1.1.1.254
        rightnexthop=2.2.2.254
        leftsubnet=172.16.0.0/23
        rightsubnet=172.22.1.0/24
        leftid=fsw-ve at XXX
        rightid=fsw-rm at XXX
        rightcert=fswcert-roma.pem
        auto=start
        pfs=yes
        compress=yes
        keyingtries=0

>Problem is that when you have left=%defaultroute, nexthop parameter is
>added to route delete command and so actual added route and deleted
>route won't match so ip route del can't find route to delete. And this
>error should be visible in your logs.
>
>Reason for this is that nexthop defaults to %direct but there was magic
>in scripts when left=%defaultroute that when routes are deleted,
>leftnexthop was set to default gw and not %direct. This magic should not
>be there on 2.4.5rc5.

More information about the Users mailing list