[Openswan Users] Re: route problem

Paul Wouters paul at xelerance.com
Sat Mar 25 18:44:30 CET 2006


On Sat, 25 Mar 2006, utkarsh shah wrote:

> Cc: users at openswan.org, dev at openswan.org

Please stop CC:ing all your messages to both lists. If you think there is a bug please
use dev@, if you think it is a configuration issue, please use users at .

> I have reported it as a bug but if I am wrong please guide me
>
> I am using Linux Openswan U2.4.4/K2.4.5rc4 (klips) version. and ip route version is : ip utility, iproute2-ss020116
>
> I have changed _updown and added IPROUTETABLE="vpnroute" so routes are added in it

Why do you need that?

> I tried to make a manual key connection. It successfully got established. When I disconnected, routes were there as you can see from the following lines

Manual keying is strongly discouraged. Not only because people tend to
re-use their keying material indefinitely, and thus compromising their
security, but also because there is no Perfect Forward Protection if a
key is stolen. And also because IKE offers a bunch of extras, some of
them necessary such as when needing to break through a NAT device.

> [root at manage /root]# ipsec manual --down test_manual-1

I am not entirely sure if manual connections are supposed to have their custom
scripts called.

> One more thing: once I created multiple connections between two openswan servers
> they had two rules and one route as the destinations were the same. But when I disconnected, one route was deleted so my second connection says it is connected but still packets were not transferred. I checked ip routes & rules and I found such a thing. ( its reproducibility is random but more frequent )

You cannot really have the same destination in two ipsec connections, unless they
are slightly different (eg 10.0.0.0/8 vs 10.0.0.0/24) in which case the longest
prefix one should be used.

You should not be using manual keying of 1des.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
