[Openswan Users] Missing route for an established IPSEC connection.

John Rouillard rouilj-swan at renesys.com
Thu Feb 23 15:17:28 CET 2006


  [ I sent this to Mr. Wouters directly rather than to the list.
    Entirely my fault. Resending it to the list this time. Mr. Wouters
    I am sorry for the duplicate email.]

Hello Mr. Wouters:

Thanks for your reply. I have a few questions however.

On Thu, Feb 23, 2006 at 06:11:22PM +0100, Paul Wouters wrote:
> On Wed, 22 Feb 2006, John Rouillard wrote:
> >    dee (linux Fedora Core 2) kernel rev - 2.6.10-1.771_FC2
> >      running openswan-2.1.2-14.rhfc2.at
> >    black (linux Fedora Core 3) kernel rev - 2.6.9-1.667
> >      running openswan-2.1.5-2
> 
> > 000 192.168.1.97/32:0 -17-> 192.168.8.233/32:0 => %hold 0 %acquire-netlink
> > 000 192.168.1.97/32:0 -17-> 192.168.8.233/32:0 => %hold 0 %acquire-netlink
> > 000 192.168.1.97/32:0 -17-> 192.168.8.233/32:0 => %hold 0 %acquire-netlink
> > 000 192.168.1.97/32:0 -17-> 192.168.8.233/32:0 => %hold 0 %acquire-netlink
> > 000 192.168.1.97/32:0 -17-> 192.168.8.233/32:0 => %hold 0 %acquire-netlink
> 
> This was a bug in NETKEY. 

From my googling it looks like NETKEY is just the name for the native
2.6 kernel ipsec implementation. Is this correct?  Is it indicated by
the presence of the esp4 and ah4 modules rather than the ipsec module?
If so then both systems are NETKEY kernels.

These systems had been running for months without problem until Monday
evening.  Also it's weird that I am seeing this for only one of the 4
ipsec tunnels. Do you have any details on this bug?

Would rebooting one or both endpoints clear the problem? Maybe
shifting to an earlier kernel? Black only has a 2.6.9 kernel available
but I can downgrade dee to a tested 2.6.8 or 2.6.5 kernel.

Also, just to verify: is this a symptom that is consistent with the
failure to pass traffic across the link? If these messages go away,
should the link problem go away as well?

> Either upgrade the netkey based kernel, or upgrade openswan to 2.4.x
> which has a workaround for this.

I will look into this, but I would prefer to minimize the changes
needed to these production systems, especially since they are remote
systems.

> >    connect: Resource temporarily unavailable
> 
> That usually means OE is not disabled. Are you sure the include file is
> actually present on your system?

Ok, good to know. That was a prior failure mode and I haven't seen it
since I added the file to disable OE and restarted ipsec.

Thanks for your help.

-- 
				-- rouilj

John Rouillard
System Administrator
Renesys Corporation
603-643-9300 x 111
