[Openswan Users] Net2Net Problem with eroutes

Shyam Prasad shyam at rocsys.com
Thu Dec 13 01:13:47 EST 2007


Thanks for your reply, Paul.
Yes, I want to allow only ICMP traffic. The eroutes got
added automatically after I stopped ipsec on GW2. All
this time the ping from LAN1 to reach LAN2 via
GW1 was up; this is causing the eroutes to be added. If no
ping is there, then the eroutes are not getting added.

This is exactly what I did:
[LAN1]-------[GW1]--------[GW2]-------[LAN2]

GW1 & GW2 ipsec.conf:
conn admin
    leftid=@adminho
    left=172.16.15.44
    leftsubnet=192.168.1.0/24
    leftprotoport=1/0
    rightid=@adminbo
    right=172.16.15.140
    rightsubnet=192.168.10.0/24
    rightprotoport=1/0
    keyingtries=100
    auto=start
    authby=secret
    pfs=no

I followed these steps:
In GW1:
service ipsec start
...IPSEC established
ipsec eroute in GW1:
4 192.168.1.0/24 -> 192.168.10.0/24 => tun0x1001@172.16.15.140:1

Now, keeping the ping up from LAN1, in GW2 I run
"service ipsec stop".

After a while the eroutes were added automatically; all
this time the ping from LAN1 was still up.
1  192.168.1.0/24 -> 192.168.10.0/24  => %trap:1
0  192.168.1.2/32 -> 192.168.10.2/32  => %pass
29 192.168.1.2/32 -> 192.168.10.2/32  => %hold:1


When I start ipsec again in GW2 using "service
ipsec start", in GW1 the eroute is added as
0   192.168.1.0/24 -> 192.168.10.0/24  => tun0x1003@172.16.15.140:1
0   192.168.1.2/32 -> 192.168.10.2/32  => %pass
101 192.168.1.2/32 -> 192.168.10.2/32  => %hold:1

Still the ping packets are going only through the %hold
policy; I did not add these eroutes manually.

Regards,
Shyam.
--- Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 12 Dec 2007, Shyam Prasad wrote:
> 
> > my ipsec eroute in GW1:
> > 0  192.168.1.0/24  -> 192.168.10.0/24  => tun0x1005@172.16.15.140:1
> >
> > now keeping the ping going in LAN1, I terminate the
> > connection at GW2 using "ipsec whack --terminate
> > --name admin"
> >
> > in my GW1 the ipsec eroute is modified to
> > 0   192.168.1.2/32  -> 192.168.10.2/32  => %pass
> > 10  192.168.1.2/32 -> 192.168.10.2/32  => %hold:1
> >
> > now when I initiate the tunnel again the tunnel is
> > established and an eroute is added as follows
> > 0  192.168.1.0/24 -> 192.168.10.0/24 => tun0x1005@172.16.15.140:1
> > 0  192.168.1.2/32 -> 192.168.10.2/32    => %pass
> > 10 192.168.1.2/32 -> 192.168.10.2/32    => %hold:1
> >
> > still the ping packets are going through the %hold
> > route and I'm not able to ping LAN2
> 
> Why do you have two eroutes to the same
> source/destinations?
> 
> > ipsec.conf file in GW1 and GW2
> > conn admin
> >     leftid=@adminho
> >     left=172.16.15.44
> >     leftsubnet=192.168.1.0/24
> >     leftprotoport=1/0
> 
> What did you mean to do here? Only allow ICMP?
> 
> I think your manual whack'ing might have resulted in
> multiple eroutes. Try running things just via the
> config file and using ipsec auto --replace/--up
> 
> Paul
> 
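The eroute listings in this thread show the symptom to watch for: narrower /32 %hold and %pass entries sitting inside a tunnel eroute's selectors, with the packet counter climbing on %hold and staying at 0 on the tunnel. The following is an added example, not code from the thread or from Openswan, that parses `ipsec eroute` output in the format shown above and flags such nested non-tunnel entries (a %pass entry is worth flagging even without traffic, since it would let matching packets through in the clear); the sample text is the second listing from the mail with the archive's " at " obfuscation restored to "@".

```python
import ipaddress
import re

# Sample "ipsec eroute" output, copied from the listing in the mail above.
SAMPLE_EROUTES = """\
0   192.168.1.0/24 -> 192.168.10.0/24  => tun0x1003@172.16.15.140:1
0   192.168.1.2/32 -> 192.168.10.2/32  => %pass
101 192.168.1.2/32 -> 192.168.10.2/32  => %hold:1
"""

# One eroute line: <count> <src> -> <dst> => <target>
# target is tun0xNNNN@peer:N for a tunnel, or %pass/%hold/%trap/%drop (optionally :N).
_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")


def parse_eroutes(text):
    """Parse an 'ipsec eroute' listing into dicts with parsed src/dst networks."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank or unrecognised line
        count, src, dst, target = m.groups()
        entries.append({
            "count": int(count),
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "target": target,
            "tunnel": target.startswith("tun0x"),
        })
    return entries


def find_shadowed(entries):
    """Return (narrow, tunnel) pairs where a non-tunnel eroute lies inside a
    tunnel eroute's selectors and either carries traffic (its counter is
    non-zero, as the 101 hits on %hold in the mail) or is a %pass entry,
    which would pass matching packets unencrypted regardless of the tunnel."""
    tunnels = [e for e in entries if e["tunnel"]]
    shadowed = []
    for e in entries:
        if e["tunnel"]:
            continue
        suspicious = e["count"] > 0 or e["target"].startswith("%pass")
        for t in tunnels:
            if suspicious and e["src"].subnet_of(t["src"]) and e["dst"].subnet_of(t["dst"]):
                shadowed.append((e, t))
    return shadowed
```

Run `find_shadowed(parse_eroutes(open("eroute.txt").read()))` on a saved listing; an empty result means every nested entry is idle and non-%pass.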
