[Openswan Users] Re: route problem

Paul Wouters paul at xelerance.com
Sat Mar 25 18:44:30 CET 2006

On Sat, 25 Mar 2006, utkarsh shah wrote:

> Cc: users at openswan.org, dev at openswan.org

Please stop CC:ing all your messages to both lists. If you think there is a bug please
use dev@, if you think it is a configuration issue, please use users@.

> I have reported it as a bug, but if I am wrong please guide me.
> I am using Linux Openswan U2.4.4/K2.4.5rc4 (klips), and the ip route version is: ip utility, iproute2-ss020116
> I have changed _updown and added IPROUTETABLE="vpnroute" so routes are added in it.

Why do you need that?

> I tried to make a manual key connection. It successfully got established. When I disconnected, routes were there as you can see from the following lines

Manual keying is strongly discouraged. Not only because people tend to
re-use their keying material indefinitely, and thus compromise their
security, but also because there is no Perfect Forward Protection if a
key is stolen. And also because IKE offers a bunch of extras, some of
them necessary such as when needing to break through a NAT device.

> [root at manage /root]# ipsec manual --down test_manual-1

I am not entirely sure if manual connections are supposed to have their custom
scripts called.

> One more thing: once I created multiple connections between two Openswan servers
> they had two rules and one route, as the destinations were the same. But when I disconnected, one route was deleted, so my second connection says it is connected but still packets were not transferred. I checked ip routes & rules and I found such a thing. (Its reproducibility is random but more frequent.)

You cannot really have the same destination in two ipsec connections, unless they
are slightly different (eg vs in which case the longest
prefix one should be used.

You should not be using manual keying of 1des.

Building and integrating Virtual Private Networks with Openswan:
