[Openswan Users] Net2Net Problem with eroutes
Paul Wouters
paul at xelerance.com
Wed Dec 12 10:05:46 EST 2007
On Wed, 12 Dec 2007, Shyam Prasad wrote:
> my ipsec eroute in GW1:
> 0 192.168.1.0/24 -> 192.168.10.0/24 => tun0x1005@172.16.15.140:1
>
> now keeping the ping going in LAN1, I terminate the
> connection at GW2 using "ipsec whack --terminate
> --name admin"
>
> in my GW1 the ipsec eroute is modified to
> 0 192.168.1.2/32 -> 192.168.10.2/32 => %pass
> 10 192.168.1.2/32 -> 192.168.10.2/32 => %hold:1
>
> now when I initiate the tunnel again the tunnel is
> established and an eroute is added as follows
> 0 192.168.1.0/24 -> 192.168.10.0/24 => tun0x1005@172.16.15.140:1
> 0 192.168.1.2/32 -> 192.168.10.2/32 => %pass
> 10 192.168.1.2/32 -> 192.168.10.2/32 => %hold:1
>
> still the ping packets are going through the %hold
> route and I'm not able to ping LAN2
Why do you have two eroutes to the same source/destinations?
> ipsec.conf file in GW1 and GW2
> conn admin
> leftid=@adminho
> left=172.16.15.44
> leftsubnet=192.168.1.0/24
> leftprotoport=1/0
What did you mean to do here? Only allow ICMP?
I think your manual whack'ing might have resulted in
multiple eroutes. Try running things just via the
config file and using ipsec auto --replace/--up
Paul
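The shadowing Paul points at (a /32 %pass or %hold shunt sitting inside the /24 tunnel eroute) can be checked mechanically. Added example, not code from the thread or from Openswan: a small Python parser for `ipsec eroute` output that flags every %shunt eroute whose selectors fall inside a tunnel eroute's selectors, run here over a constructed listing modelled on the GW1 output quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the GW1 listing quoted in the thread
# (the archive's " at " inside the tunnel target is "@" in real output).
SAMPLE_EROUTES = """\
0   192.168.1.0/24  -> 192.168.10.0/24  => tun0x1005@172.16.15.140:1
0   192.168.1.2/32  -> 192.168.10.2/32  => %pass
10  192.168.1.2/32  -> 192.168.10.2/32  => %hold:1
"""
# <pkt count> <src>/<len> -> <dst>/<len> => <target>[:<proto>]   (IPv4 only)
EROUTE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+"
    r"(?P<target>[^\s:]+)(?::(?P<proto>\d+))?\s*$"
)

@dataclass
class Eroute:
    count: int                  # packets that have matched this eroute
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str                 # "tun0x...@peer" or a %shunt such as %hold
    proto: Optional[str]        # trailing ":<proto>", e.g. "1" for ICMP

def parse_eroutes(text: str) -> List[Eroute]:
    """Parse `ipsec eroute` output; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            routes.append(Eroute(int(m["count"]), ipaddress.ip_network(m["src"]),
                                 ipaddress.ip_network(m["dst"]), m["target"], m["proto"]))
    return routes

def shadowed_tunnels(routes: List[Eroute]) -> List[Tuple[Eroute, Eroute]]:
    """(shunt, tunnel) pairs where a %shunt lies inside a tunnel eroute's
    selectors: KLIPS takes the most specific eroute, so that traffic hits
    the shunt and never enters the tunnel (the symptom in the thread)."""
    shunts = [r for r in routes if r.target.startswith("%")]
    tunnels = [r for r in routes if not r.target.startswith("%")]
    hits = []
    for s in shunts:
        for t in tunnels:
            # a shunt without ":<proto>" covers every protocol of the tunnel
            same_proto = s.proto is None or t.proto is None or s.proto == t.proto
            if same_proto and s.src.subnet_of(t.src) and s.dst.subnet_of(t.dst):
                hits.append((s, t))
    return hits
```

Run against the listing of a gateway that shows the symptom, an empty result means the tunnel eroute is the most specific match and the problem lies elsewhere.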