[Openswan Users] netlink XFRM_MSG_NEWPOLICY response for flow

Paul Wouters paul at xelerance.com
Tue Nov 14 12:09:27 EST 2006


On Tue, 14 Nov 2006, Marco Berizzi wrote:

> > Can you do another ipsec setup restart after your tunnel is up to
> > see if it happens again? If so, it looks like your kernel does not
> > get cleared upon stopping. So if it happens, can you do ipsec
> > setup stop and then an ip xfrm state list and ip xfrm policy list
> > to confirm that?

I was hoping you would do this after you brought the tunnels up:

ipsec setup stop
ip xfrm state list
ip xfrm policy list

> Nov  6 21:33:46 Pleiadi pluto[1070]: "genova" #9: initiating Main Mode
> Nov  6 21:33:49 Pleiadi pluto[1070]: "sico" #7: ERROR: asynchronous
> network error report on eth0 (sport=500) for message to sico port 500,
> complainant pleiadi: No route to host [errno 113, origin ICMP type 3
> code 1 (not authenticated)]
> Nov  6 21:33:49 Pleiadi pluto[1070]: "firenze" #8: ERROR: asynchronous
> network error report on eth0 (sport=500) for message to firenze port
> 500, complainant pleiadi: No route to host [errno 113, origin ICMP type
> 3 code 1 (not authenticated)]
> Nov  6 21:33:49 Pleiadi pluto[1070]: "genova" #9: ERROR: asynchronous
> network error report on eth0 (sport=500) for message to genova port 500,
> complainant pleiadi: No route to host [errno 113, origin ICMP type 3
> code 1 (not authenticated)]

It seems you cannot initiate.

> Nov  6 21:33:51 Pleiadi pluto[1070]: packet from sico:500: ignoring
> unknown Vendor ID payload [4f456e4d43757f784f704063]
> Nov  6 21:33:51 Pleiadi pluto[1070]: packet from sico:500: received
> Vendor ID payload [Dead Peer Detection]
> Nov  6 21:33:51 Pleiadi pluto[1070]: "sico" #10: responding to Main Mode

but you can respond.

What happens if you add a leftnexthop=yourgatewayip?
We have a fix around for that in 2.4.7 (released today if all goes well).

Paul
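As an added example (not part of Paul's message and not Openswan's own tooling): the check Paul asks for above is to confirm, after `ipsec setup stop`, that the kernel holds no leftover SAs or policies. The POSIX shell script below counts entries in captured `ip xfrm state` and `ip xfrm policy` output and reports whether the kernel state is clean. The sample output, addresses and SPIs are constructed placeholders in the format `ip xfrm` prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example: count leftover IPsec SAs/policies in captured `ip xfrm` output.
# Stale entries after `ipsec setup stop` mean the kernel was not cleared and
# the next `ipsec setup start` will be installing on top of old state.

# Constructed sample resembling `ip xfrm state` output: two SAs left behind.
# Every SA begins with an unindented "src ... dst ..." line; detail lines are indented.
SAMPLE_STATE='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0x12345678 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0x87654321 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec'

# Constructed sample resembling `ip xfrm policy` output: out/in/fwd policies for one tunnel.
# The "tmpl src ..." lines are indented, so they are not counted as separate entries.
SAMPLE_POLICY='src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 2344
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 2344
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir fwd priority 2344
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel'

# Print the number of top-level entries (SAs or policies) in one capture.
# `grep -c` exits 1 when the count is 0, so `|| true` keeps a clean run from aborting.
count_xfrm_entries() {
    printf '%s\n' "$1" | grep -c '^src ' || true
}

# check_xfrm_clean STATE_OUTPUT POLICY_OUTPUT
# Prints a one-line summary; returns 0 only when both captures are empty.
check_xfrm_clean() {
    state_out=$1
    policy_out=$2
    n_sa=$(count_xfrm_entries "$state_out")
    n_pol=$(count_xfrm_entries "$policy_out")
    echo "leftover SAs: $n_sa, leftover policies: $n_pol"
    [ "$n_sa" -eq 0 ] && [ "$n_pol" -eq 0 ]
}

# Run against the constructed captures. On a live host, after `ipsec setup stop`, use:
#   check_xfrm_clean "$(ip xfrm state)" "$(ip xfrm policy)"
check_xfrm_clean "$SAMPLE_STATE" "$SAMPLE_POLICY" \
    || echo "kernel still holds IPsec state; stop did not clear it"
```

On the constructed input this reports two SAs and three policies and flags the kernel as not cleared, which is exactly the symptom the thread is trying to confirm; an empty `ip xfrm state` and `ip xfrm policy` after stop gives a clean result.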


