[Openswan Users] RTNETLINK answers: Network is unreachable (long)

Andy Gay andy at andynet.net
Thu Jul 27 11:18:23 CEST 2006


On Thu, 2006-07-27 at 16:00 +0200, Marek Antoniak wrote: 
> Hello everyone,
> I'm a total ipsec newbie and I would be glad if someone could help me 
> with following problem: when I try to connect to remote side I get such 
> a message:
> 002 "net-to-net" #2: route-client output: /usr/lib/ipsec/_updown: 
> doroute `ip route add 192.168.200.0/24 via 10.75.0.9 dev eth1 ' failed 
> (RTNETLINK answers: Network is unreachable)
> 
> My configuration files (with public IP addresses changed for obvious 
> reason):
> /etc/ipsec.conf:
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> config setup
>     klipsdebug=none
>     plutodebug=none
> 
> conn net-to-net
>     type=tunnel
>     left=1.2.3.4 # Local vitals
>     leftsubnet=10.75.0.0/8
>     leftnexthop=10.75.0.9
Your problem is here. You can probably just remove this line. Or set it
to the address of the next hop router from 1.2.3.4 to 4.3.2.1, which is
probably your default gateway address.

>     right=4.3.2.1 # Remote vitals
>     rightsubnet=192.168.200.0/24
>     rightnexthop=192.168.249.4
Also not needed, but shouldn't cause any problem.

>     authby=secret
>     esp=3des-sha1-96
>     ike=3des-sha1
>     keyexchange=ike
>     keylife=60m
>     compress=no
>     auto=add
> 
> include /etc/ipsec.d/examples/no_oe.conf
> 
> /etc/ipsec.secrets:
> 4.3.2.1 1.2.3.4: PSK "my password is 100% correct"
> 
> 
> The result from 'ipsec auto --verbose --up net-to-net':
> 002 "net-to-net" #1: initiating Main Mode
> 104 "net-to-net" #1: STATE_MAIN_I1: initiate
> 003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
> 002 "net-to-net" #1: transition from state STATE_MAIN_I1 to state 
> STATE_MAIN_I2
> 106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 "net-to-net" #1: I did not send a certificate because I do not have one.
> 002 "net-to-net" #1: transition from state STATE_MAIN_I2 to state 
> STATE_MAIN_I3
> 108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "net-to-net" #1: Main mode peer ID is ID_IPV4_ADDR: '4.3.2.1'
> 002 "net-to-net" #1: transition from state STATE_MAIN_I3 to state 
> STATE_MAIN_I4
> 004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
> 002 "net-to-net" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP 
> {using isakmp#1}
> 117 "net-to-net" #2: STATE_QUICK_I1: initiate
> 002 "net-to-net" #2: route-client output: /usr/lib/ipsec/_updown: 
> doroute `ip route add 192.168.200.0/24 via 10.75.0.9 dev eth1 ' failed 
> (RTNETLINK answers: Network is unreachable)
> 002 "net-to-net" #2: transition from state STATE_QUICK_I1 to state 
> STATE_QUICK_I2
> 004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0x3a090321 <0x220fcf14 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> I can attach 'ipsec barf' result if anyone needs it.

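The reply above turns on one rule: the kernel only accepts `ip route add ... via GW dev IF` when GW is directly reachable on IF, so `leftnexthop` must be a router on the same network as `left`. The following check is an added example, not part of the original thread or of Openswan; the interface prefixes and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the conn from the post, trimmed to the relevant keys.
# The public addresses are the poster's placeholders.
IPSEC_CONF = """\
conn net-to-net
    left=1.2.3.4 # Local vitals
    leftsubnet=10.75.0.0/8
    leftnexthop=10.75.0.9
    right=4.3.2.1 # Remote vitals
    rightsubnet=192.168.200.0/24
"""

# Assumption: eth1 carries the public address with a /29 prefix and eth0 is
# the LAN side. The post does not show the interface addressing.
INTERFACES = {"eth1": "1.2.3.4/29", "eth0": "10.75.0.1/8"}


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("config "):
            current = None                    # not a conn section
        elif line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_nexthop(conn, interfaces, side="left"):
    """Return a list of problems with <side>nexthop; empty means none found."""
    local, nexthop = conn.get(side), conn.get(side + "nexthop")
    if not local or not nexthop or local.startswith("%") or nexthop.startswith("%"):
        return []  # unset, or a %keyword value that pluto resolves itself
    hop = ipaddress.ip_address(nexthop)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.ip == ipaddress.ip_address(local):
            if hop in iface.network:
                return []
            return [f"{side}nexthop={hop} is not on {name}'s network "
                    f"{iface.network}; a route via {hop} dev {name} is rejected"]
    return [f"{side}={local} is not configured on any listed interface"]
```
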


