[Openswan Users] wrong eroutes with auto=route in version 2.4.7

Paul Wouters paul at xelerance.com
Fri Nov 24 15:04:20 EST 2006


On Fri, 24 Nov 2006, Matthias Haas wrote:

> I am currently facing a problem with subnet-subnet connection, that are
> create with auto=route at the responders side. Remote side is a dynamic
> IP.
> The subnet-subnet connection is created with two 24bit subnets. In case
> there is no valid sa, as the remote site is down there is already a eroute
> installed for these two networks in trap state. So far everything is ok.
> But as soon as a connection should be established from the responders
> network to the remote net an there is no valid connection established a
> new eroute arises that has two singlehost subnets installed that reflect
> the sender and recipient of this connection. Then this connection is set
> to hold state as there is a packet that should be sent out.
> The problem that comes up to this is that there will never be a sa even if
> the remote side connects that can handle this eroute. Therefore
> connections that apply to this invalid eroute will never be able to
> communicate despite there is a valid sa then, that fullfills the need of
> the complete two subnets.
> As soon as I apply auto=add to these connections at the reponders site
> everything works fine.
>
> Is this a bug or a feature?

You should use auto=start or auto=add. Why are you using auto=route ?

Paul

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list