[Openswan Users] Re: route problem
paul at xelerance.com
Sat Mar 25 18:44:30 CET 2006
On Sat, 25 Mar 2006, utkarsh shah wrote:
> Cc: users at openswan.org, dev at openswan.org
Please stop CC:ing all your messages to both lists. If you think there is a bug please
use dev@, if you think it is a configuration issue, please use users@.
> i have reported it as bug but if i am wrong please guide me
> i am using Linux Openswan U2.4.4/K2.4.5rc4 (klips) version. and ip route version is : ip utility, iproute2-ss020116
> i have changed _updown and added IPROUTETABLE="vpnroute" so routes are added in it
Why do you need that?
> I tried to make a manual key connection. It successfully got established. When I disconnected, routes were there as you can see from the following lines
Manual keying is strongly discouraged. Not only because people tend to
re-use their keying material indefinitely, and thus compromising their
security, but also because there is no Perfect Forward Protection if a
key is stolen. And also because IKE offers a bunch of extras, some of
them necessary such as when needing to break through a NAT device.
> [root at manage /root]# ipsec manual --down test_manual-1
I am not entirely sure if manual connections are supposed to have their custom
> One more thing: once I created multiple connections between two openswan servers
> they had two rules and one route as the destinations were the same. But when I disconnected, one route was deleted, so my second connection says it is connected but still packets were not transferred. I checked ip routes & rules and I found such a thing. (Its reproducibility is random but more frequent.)
You cannot really have the same destination in two ipsec connections, unless they
are slightly different (eg 10.0.0.0/8 vs 10.0.0.0/24) in which case the longest
prefix one should be used.
You should not be using manual keying of 1des.
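To make the two situations in the reply concrete, here is an added Python model (not Openswan or _updown code; the connection names and subnets are constructed). It assumes each connection installs one route for its remote subnet, the way the poster's modified _updown does, and that tearing a connection down deletes that route.

```python
import ipaddress


class RouteTable:
    """Toy model of a kernel routing table keyed by destination prefix."""

    def __init__(self):
        self.routes = {}  # ip_network -> name of the connection that added it

    def conn_up(self, conn, subnet):
        """Like 'ip route add': a second identical destination is rejected."""
        net = ipaddress.ip_network(subnet)
        if net in self.routes:
            return False  # the kernel would answer 'File exists'
        self.routes[net] = conn
        return True

    def conn_down(self, conn, subnet):
        """Like 'ip route del': the route goes away whoever still needs it."""
        self.routes.pop(ipaddress.ip_network(subnet), None)

    def lookup(self, dst):
        """Longest-prefix match; returns (network, owner) or None."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return best, self.routes[best]


def shared_destination_scenario():
    """Two connections to the identical subnet (the poster's setup)."""
    table = RouteTable()
    table.conn_up("conn-a", "10.0.0.0/24")
    table.conn_up("conn-b", "10.0.0.0/24")  # rejected: same destination
    table.conn_down("conn-a", "10.0.0.0/24")
    return table.lookup("10.0.0.5")  # None: conn-b is 'up' but has no route


def nested_prefix_scenario():
    """Overlapping but different prefixes: the longest one is used."""
    table = RouteTable()
    table.conn_up("conn-a", "10.0.0.0/8")
    table.conn_up("conn-b", "10.0.0.0/24")
    before = table.lookup("10.0.0.5")[1]  # conn-b, the /24 wins
    table.conn_down("conn-b", "10.0.0.0/24")
    after = table.lookup("10.0.0.5")[1]  # conn-a, traffic falls back to the /8
    return before, after
```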