[Openswan Users] Routing issue

Rick Romero rick at havokmon.com
Wed May 3 10:05:58 CEST 2006


I posted this to debian-openswan, but it seems kinda dead there now :/


Hi!

I've successfully - sorta - set up openswan on Debian 3.1 to a Cisco IOS
something or other...

I've upgraded the kernel to 2.6.8-3, and installed openswan following
some (pretty good) documentation I found here:

http://book.itzero.com/read/cisco/0510/Cisco.Press.Network.Administrators.Survival.Guide.Sep.2005.eBook-DDU_html/1587052113/ch10lev1sec2.html

But I'm having a problem with routing.

My config is as follows:
conn cisco100
        type=tunnel
        left=1.1.2.70
        #leftnexthop=1.1.2.78
        #leftnexthop=2.2.234.140
        leftsubnet=1.1.2.65/32
        right=3.3.234.140
        rightid=4.4.1.10
        rightsubnet=5.5.240.100/32
        authby=secret
        auto=add
        #auto=start
        esp=aes256-sha1-1024
        ike=aes256-sha1-1024
        pfs=no
        keylife=3600


It's not quite as straightforward as the examples, but I got the link
up, just not the route.  If I leave leftnexthop empty, the route does
not come up, and I see:

May  2 11:28:02 localhost pluto[9139]: "cisco100" #2: route-client
output: /usr/lib/ipsec/_updown: doroute `ip route add 5.5.240.100/32 via
2.2.234.140 dev eth0 ' failed (RTNETLINK answers: Network is
unreachable)

If I put my real default gateway as 'leftnexthop', the route DOES come
up, but packets seem to follow the standard route, not the eroute.  I'm
pinging 5.5.240.100 from 1.1.2.65, so it should be matching the eroute,
yet 99% of the time it follows the 'standard' route.

Once I tried adding this manually:
ip route add 5.5.240.0/24 via 1.1.2.78 src 1.1.2.70
(based on another site I can't find atm)
and was able to ping 5.5.240.100 from 1.1.2.65, but after bringing down
the tunnel, the 'old' default route was used again.

I have a 2nd 'tunnel' config for 5.5.240.91, which I set up after
5.5.240.100 worked.  That also routed properly once with that manually
added route left in place, but never again since I brought the vpn
down :(

ipsec look just gives me:
vpn:/etc# ipsec look
vpn Tue May  2 12:35:21 CDT 2006
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
grep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         1.1.2.78        0.0.0.0         UG        0 0          0 eth0
1.1.2.64        0.0.0.0         255.255.255.240 U         0 0          0 eth0

I grabbed the 'eroute' perl script so I can see my eroute, and that
seems fine:
vpn:/etc# eroute
 in 1.1.2.65/32     -> 5.5.240.100/32 => tun928 at 3.3.234.140
out 1.1.2.65/32     -> 5.5.240.100/32 => tun945 at 3.3.234.140
fwd 1.1.2.65/32     -> 5.5.240.100/32 => tun938 at 3.3.234.140


Any insights would be appreciated - I can see the light at the end of
the tunnel, but I just can't get to it :P

Is it maybe because I only have 1 interface, and my 'client' is another
IP on the same subnet?  The company I'm connecting to is huge, and I
_must_ have sanctioned IPs for the vpn peer and the client.  Fortunately
I do have enough IPs that I could split the subnet for that box so the
packets actually traverse from one interface to another.  Would that do
it?


Rick
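As an added example (not code from the post, and not part of Openswan), here is a small Python script that parses the routing table and the eroute listing quoted above and reproduces the two checks the post is circling around: whether a candidate leftnexthop is directly reachable through a connected route (the condition behind the RTNETLINK "Network is unreachable" failure from `_updown`), and whether a given source/destination pair actually falls inside an eroute selector. The two tables are constructed from the values in the post; the function names `nexthop_diagnosis`, `eroute_for` and `same_link` are chosen here and are not Openswan tooling.

```python
import ipaddress
import re

# Constructed sample input: the kernel routing table as printed by `ipsec look`
# in the post, with the wrapped 'Iface' column rejoined onto each row.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         1.1.2.78        0.0.0.0         UG        0 0          0 eth0
1.1.2.64        0.0.0.0         255.255.255.240 U         0 0          0 eth0
"""

# Constructed sample input: the KLIPS eroute table from the post.
EROUTES = """\
 in 1.1.2.65/32     -> 5.5.240.100/32 => tun928 at 3.3.234.140
out 1.1.2.65/32     -> 5.5.240.100/32 => tun945 at 3.3.234.140
fwd 1.1.2.65/32     -> 5.5.240.100/32 => tun938 at 3.3.234.140
"""

EROUTE_RE = re.compile(
    r"^\s*(in|out|fwd)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s+at\s+(\S+)")


def parse_route_table(text):
    """Parse `route -n` style output (Destination Gateway Genmask Flags ... Iface)."""
    routes = []
    for line in text.splitlines()[1:]:            # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        routes.append({"net": net, "gw": fields[1],
                       "flags": fields[3], "iface": fields[-1]})
    return routes


def connected_route(routes, addr):
    """Longest-prefix *connected* route (no 'G' flag) that covers addr, or None.

    A gateway route ('G') does not count: the kernel only accepts
    `ip route add X via GW dev IF` when GW itself is directly reachable,
    which is what the 'Network is unreachable' answer in the post means.
    """
    a = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if "G" in r["flags"] or a not in r["net"]:
            continue
        if best is None or r["net"].prefixlen > best["net"].prefixlen:
            best = r
    return best


def nexthop_diagnosis(routes, nexthop):
    """Predict whether `ip route add ... via <nexthop>` would be accepted."""
    r = connected_route(routes, nexthop)
    if r is None:
        return "unreachable"
    return f"on-link via {r['net']} dev {r['iface']}"


def parse_eroutes(text):
    """Parse lines of the form 'out SRC -> DST => tunNNN at PEER'."""
    entries = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            direction, src, dst, tun, peer = m.groups()
            entries.append({"dir": direction,
                            "src": ipaddress.ip_network(src),
                            "dst": ipaddress.ip_network(dst),
                            "tun": tun, "peer": peer})
    return entries


def eroute_for(eroutes, direction, src, dst):
    """Return the eroute entry whose selector covers src->dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in eroutes:
        if e["dir"] == direction and s in e["src"] and d in e["dst"]:
            return e
    return None


def same_link(routes, a, b):
    """True if a and b fall inside the same connected network."""
    ra, rb = connected_route(routes, a), connected_route(routes, b)
    return ra is not None and rb is not None and ra["net"] == rb["net"]


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE)
    eroutes = parse_eroutes(EROUTES)
    # The two leftnexthop candidates commented out in the posted conn.
    for nh in ("2.2.234.140", "1.1.2.78"):
        print(f"leftnexthop={nh}: {nexthop_diagnosis(routes, nh)}")
    e = eroute_for(eroutes, "out", "1.1.2.65", "5.5.240.100")
    print("1.1.2.65 -> 5.5.240.100 selects", e["tun"] if e else "no eroute")
    e = eroute_for(eroutes, "out", "1.1.2.70", "5.5.240.100")
    print("1.1.2.70 -> 5.5.240.100 selects", e["tun"] if e else "no eroute")
    print("client and left on one link:", same_link(routes, "1.1.2.65", "1.1.2.70"))
```

Run against the posted tables it reports that 2.2.234.140 has no connected route (so the `_updown` route add fails exactly as logged) while 1.1.2.78 is on-link, and that only traffic sourced from 1.1.2.65 matches the /32 eroute selector; packets the gateway sends from its own 1.1.2.70 address fall through to the ordinary default route. The `same_link` check only reports whether the client and the gateway share one connected network, which is the situation the post asks about; it does not by itself decide whether splitting the subnet is required.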
