[Openswan Users] Routing issue

Rick Romero rick at havokmon.com
Wed May 3 10:05:58 CEST 2006

I posted this to debian-openswan, but it seems kinda dead there now :/


I've successfully - sorta - set up openswan on Debian 3.1 to a Cisco IOS
something or other...

I've upgraded the kernel to 2.6.8-3, and installed openswan following
some (pretty good) documentation I found here:


But I'm having a problem with routing.

My config is as follows:
conn cisco100

It's not quite as straightforward as the examples, but I got the link
up, just not the route.  If I leave leftnexthop empty, the route does
not come up, and I see:

May  2 11:28:02 localhost pluto[9139]: "cisco100" #2: route-client
output: /usr/lib/ipsec/_updown: doroute `ip route add via dev eth0 ' failed (RTNETLINK answers: Network is

If I put my real default gateway as 'leftnexthop', the route DOES come
up, but packets seem to follow the standard route, not the eroute.  I'm
pinging from, so it should be matching the eroute,
yet 99% of the time it follows the 'standard' route.

Once I tried adding this manually:
ip route add via src
(based on another site I can't find atm)
and was able to ping from, but after bringing down
the tunnel, the 'old' default route was used again.

I have a 2nd 'tunnel' config for, which I set up after worked.  That also routed properly once with that manually
added route left in place, but never again since I brought the vpn
down :(

ipsec look just gives me:
vpn:/etc# ipsec look
vpn Tue May  2 12:35:21 CDT 2006
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
grep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface         UG        0 0          0
eth0 U         0 0          0

I grabbed the 'eroute' perl script so I can see my eroute, and that
seems fine:
vpn:/etc# eroute
 in     -> => tun928 at
out     -> => tun945 at
fwd     -> => tun938 at

Any insights would be appreciated - I can see the light at the end of
the tunnel, but I just can't get to it :P

Is it maybe because I only have 1 interface, and my 'client' is another
IP on the same subnet?  The company I'm connecting to is huge, and I
_must_ have sanctioned IPs for the vpn peer and the client.  Fortunately
I do have enough IPs that I could split the subnet for that box so the
packets actually traverse from one interface to another.  Would that do
