[Openswan Users] Routing issue

Rick Romero rick at havokmon.com
Wed May 3 10:56:23 CEST 2006


On Wed, 2006-05-03 at 16:29 +0200, Paul Wouters wrote:
> On Wed, 3 May 2006, Rick Romero wrote:
> 
> > I've successfully - sorta - setup openswan on Debian 3.1 to a Cisco IOS
> > something or other...
> >
> > I've upgraded the kernel to 2.6.8-3, and installed openswan following
> > some (pretty good) documentation I found here:
> 
> that kernel is too old to use netkey, which you are using.

I was hoping the -3 in Debian fixed the NETKEY issues :(

Hmm looks like there's a newer kernel though - I must have done
something wrong last I looked (I'm new to Debian).  I'll upgrade the
kernel now.

> > May  2 11:28:02 localhost pluto[9139]: "cisco100" #2: route-client
> > output: /usr/lib/ipsec/_updown: doroute `ip route add 5.5.240.100/32 via
> > 2.2.234.140 dev eth0 ' failed (RTNETLINK answers: Network is
> > unreachable)
> 
> It should not do any routing since you are using netkey. what version of
> openswan is this?

2.2.0 :(

Bah.  I was trying to stick with what Debian packages are available.
I did a barf, it's at www.havokmon.com/stuff/vpn.txt if that helps any.

> > Is it maybe because I only have 1 interface, and my 'client' is another
> > IP on the same subnet?
> 
> Yes, with netkey, you are now probably seeing icmp redirects. disable
> all send/receive redirects in /proc. openswan 2.4.5 warns you about
> this when using 'ipsec verify'

ROFL.  Oh, I screwed up.  When I added a route to my client through the
vpn, I put the default gateway in there instead :/.
Oh, wait, the redirect changed the route on my client - now I don't feel
so dumb.  I did turn off redirects though :/ - did I do that right?
(Yes, eth0 is my interface)
vpn:/proc# echo 0 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
vpn:/proc# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
vpn:/proc# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

I'll add that to sysctl.conf too.

It seems to be working now that the tunnel is up, now I understand why
it worked once, but not again.  I'll at least upgrade the kernel
anyways.  Will that also allow the vpn to come up if the tunnel is down
and I try to ping through it?  The other side is pretty adamant about
bringing the tunnel down when there's no traffic, and having traffic
initiate the tunnel.

Rick

> Paul
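Added example, not from this thread or from Openswan: a small POSIX sh helper that computes the effective ICMP redirect state for an interface the way the kernel documents it (Documentation/networking/ip-sysctl.txt), then disables the knobs under both conf/all and conf/<if> and prints the matching sysctl.conf lines. The point it shows is that writing 0 only under conf/eth0, as in the session above, leaves send_redirects (and, with forwarding off, accept_redirects) still effective while conf/all says 1. The prefix argument is an assumption: pass an empty string for the live system or a scratch directory for a dry run.

```shell
#!/bin/sh
# $1 = path prefix (assumed: "" for the real /proc, a scratch dir for dry runs)
# $2 = interface name, e.g. eth0

# read one knob; a missing file counts as 0
knob() { cat "$1/proc/sys/net/ipv4/conf/$2/$3" 2>/dev/null || echo 0; }

# send_redirects is effective if EITHER conf/all or conf/<if> is 1
send_redirects_state() {
  if [ "$(knob "$1" all send_redirects)" = 1 ] || \
     [ "$(knob "$1" "$2" send_redirects)" = 1 ]; then
    echo enabled
  else
    echo disabled
  fi
}

# accept_redirects: with forwarding off on the interface, either knob set
# means redirects are accepted; with forwarding on, both must be set
accept_redirects_state() {
  a=$(knob "$1" all accept_redirects)
  i=$(knob "$1" "$2" accept_redirects)
  if [ "$(knob "$1" "$2" forwarding)" = 1 ]; then
    { [ "$a" = 1 ] && [ "$i" = 1 ]; } && echo enabled || echo disabled
  else
    { [ "$a" = 1 ] || [ "$i" = 1 ]; } && echo enabled || echo disabled
  fi
}

# write 0 to conf/all and conf/<if> for both knobs and print the
# sysctl.conf lines that make the change survive a reboot
disable_redirects() {
  for d in all "$2"; do
    for k in send_redirects accept_redirects; do
      echo 0 > "$1/proc/sys/net/ipv4/conf/$d/$k"
      echo "net.ipv4.conf.$d.$k = 0"
    done
  done
}
```

Run it as root with an empty prefix to apply on the live box; the printed lines can be appended to /etc/sysctl.conf.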
