[Openswan Users] RTNETLINK answers: Network is unreachable (long)
Marek Antoniak
marek.antoniak at ostc-pl.com
Thu Jul 27 17:00:30 CEST 2006
Hello everyone,
I'm a total IPsec newbie and I would be glad if someone could help me
with the following problem: when I try to connect to the remote side I
get this message:
002 "net-to-net" #2: route-client output: /usr/lib/ipsec/_updown:
doroute `ip route add 192.168.200.0/24 via 10.75.0.9 dev eth1 ' failed
(RTNETLINK answers: Network is unreachable)
My configuration files (with public IP addresses changed for obvious
reasons):
/etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        klipsdebug=none
        plutodebug=none

conn net-to-net
        type=tunnel
        left=1.2.3.4                    # Local vitals
        leftsubnet=10.75.0.0/8
        leftnexthop=10.75.0.9
        right=4.3.2.1                   # Remote vitals
        rightsubnet=192.168.200.0/24
        rightnexthop=192.168.249.4
        authby=secret
        esp=3des-sha1-96
        ike=3des-sha1
        keyexchange=ike
        keylife=60m
        compress=no
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets:
4.3.2.1 1.2.3.4: PSK "my password is 100% correct"
The result from 'ipsec auto --verbose --up net-to-net':
002 "net-to-net" #1: initiating Main Mode
104 "net-to-net" #1: STATE_MAIN_I1: initiate
003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
002 "net-to-net" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "net-to-net" #1: I did not send a certificate because I do not have one.
002 "net-to-net" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "net-to-net" #1: Main mode peer ID is ID_IPV4_ADDR: '4.3.2.1'
002 "net-to-net" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
002 "net-to-net" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#1}
117 "net-to-net" #2: STATE_QUICK_I1: initiate
002 "net-to-net" #2: route-client output: /usr/lib/ipsec/_updown:
doroute `ip route add 192.168.200.0/24 via 10.75.0.9 dev eth1 ' failed
(RTNETLINK answers: Network is unreachable)
002 "net-to-net" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x3a090321 <0x220fcf14 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
I can attach 'ipsec barf' result if anyone needs it.
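
Added example (not part of the original post, and not Openswan code): the output above reports "IPsec SA established" even though the _updown route install failed, so a check that only looks for the final state would miss the missing route. The sketch below re-joins mail-wrapped pluto lines and reports every state whose doroute command failed; the function names and the sample text (a subset of the lines quoted in the post) are constructed for illustration.

```python
import re

# Constructed sample: a subset of the pluto lines quoted in the post,
# wrapped the way the mail client wrapped them.
SAMPLE = """\
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
117 "net-to-net" #2: STATE_QUICK_I1: initiate
002 "net-to-net" #2: route-client output: /usr/lib/ipsec/_updown:
doroute `ip route add 192.168.200.0/24 via 10.75.0.9 dev eth1 ' failed
(RTNETLINK answers: Network is unreachable)
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x3a090321 <0x220fcf14 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

RECORD_START = re.compile(r'^\d{3} "')
STATUS = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
DOROUTE = re.compile(r"doroute `(.*?)\s*' failed \((.*)\)")

def unwrap(text):
    """Join continuation lines onto the status line they belong to."""
    records = []
    for raw in text.splitlines():
        if RECORD_START.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def failed_routes(text):
    """Return one finding per (conn, state) whose route install failed."""
    states = {}
    for record in unwrap(text):
        m = STATUS.match(record)
        if not m:
            continue
        _code, conn, num, msg = m.groups()
        st = states.setdefault((conn, int(num)), {
            "conn": conn, "state": int(num),
            "route_cmd": None, "error": None, "sa_established": False})
        d = DOROUTE.search(msg)
        if d:
            st["route_cmd"], st["error"] = d.group(1), d.group(2)
        if "IPsec SA established" in msg:
            st["sa_established"] = True
    return [s for s in states.values() if s["route_cmd"]]

if __name__ == "__main__":
    for f in failed_routes(SAMPLE):
        print(f)
```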