[Openswan Users] Routing problem

Ludovic ludovic.mailinglist at gmail.com
Thu Feb 8 12:13:18 EST 2007


I haven't tried failureshunt=passthrough, but it seems to work
now. I have modified the updown script and deleted the route in the
"route-host" part of the script.

route-host:*|route-client:*)
    # connection to me or my client subnet being routed
    /sbin/route del -net 192.168.7.0 netmask 255.255.255.0 dev ipsec0
    /sbin/route add -net 192.168.7.0 netmask 255.255.255.0 dev ipsec0
    uproute
    /sbin/route del -net 192.168.7.0 netmask 255.255.255.0 dev ipsec0
    ;;

I have just deleted and added the route again at the beginning, since it
can't add the route to the client if the 192.168.7.0 route is not added.

I have to do more tests to be sure it works well. I will test the
failureshunt=passthrough option if you want. And what did you mean by
"stock updown script"?

2007/2/8, Paul Wouters <paul at xelerance.com>:
> On Thu, 8 Feb 2007, Ludovic wrote:
>
> Did you try adding failureshunt=passthrough and using the stock updown script?
>
> Paul
>
> > Date: Thu, 8 Feb 2007 12:00:22 +0100
> > From: Ludovic <ludovic.mailinglist at gmail.com>
> > Cc: Tuomo Soini <tis at foobar.fi>, users at openswan.org
> > To: Paul Wouters <paul at xelerance.com>
> > Subject: Re: [Openswan Users] Routing problem
> >
> > Sorry to send a mail again, but I always have a problem.
> >
> > I'm currently trying to modify the updown script in order to delete the
> > wrong route to 192.168.7.0/24, but it doesn't work.
> >
> > If I delete the route, it can't add the route through ipsec to the peer
> > subnet (in this case 192.168.2.0/24) since 192.168.7.1 is not
> > reachable via ipsec0.
> >
> > I have just added:
> >
> > /sbin/route del -net 192.168.7.0 netmask 255.255.255.0 dev ipsec0
> >
> > Since it does not work, I think it is more complicated. Can you help
> > me to modify the updown script? What should I add to the script?
> > Perhaps the delete command should depend on the PLUTO_VERB value? I
> > think it should, but I'm not sure, and I have difficulty understanding
> > what the script is doing.
> >
> > Thanks a lot for your help.
> >
> > 2007/2/7, Ludovic <ludovic.mailinglist at gmail.com>:
> > > "Activated" effectively means that the tunnel is added in the
> > > configuration file and the VPN is up (or tries to be up).
> > >
> > > To answer your question about unencrypted packets, I want to reach
> > > the 192.168.5.0/24 subnet with encrypted packets. My problem is that I
> > > can't connect to the graphical interface of my router in front of my
> > > ipsec gateway since packets are encrypted. I just want packets to
> > > destination 192.168.7.0/24 not to be encrypted since they don't have
> > > to go through the tunnel. I want them to go through the eth2 device and
> > > not ipsec0.
> > >
> > > > > I just have a new problem. The VPN is loaded, traffic goes through
> > > > > the VPN and I can't access the router interface. Traffic to
> > > > > 192.168.7.1 goes through the ipsec0 interface.
> > > > >
> > > > > Here is routing table:
> > > > >
> > > > > 192.168.7.0   0.0.0.0         255.255.255.0 eth2
> > > > > 192.168.7.0   0.0.0.0         255.255.255.0 ipsec0
> > > >
> > > > This route into ipsec0 is bogus. I am hunting down this bug myself too.
> > > > Is this on a system with busybox, and its version of the "ip" command?
> > >
> > > No, I don't use busybox (it is used for the ipcop install but not for
> > > the system itself) and I use iproute2 version 2.4.7-now-ss010824.
> > > Should I upgrade iproute2 to a new version? I hope I don't have to do
> > > that.
> > >
> > > > I'm running into this myself on openwrt. What is a workaround for me
> > > > is to do:
> > > >
> > > >         route del 192.168.7.0 dev ipsec0
> > > >         route add 192.168.7.1 dev eth2
> > > >
> > > > I think this is a bug in the _updown script.
> > >
> > > Effectively, I have already tried the "route del 192.168.7.0 dev
> > > ipsec0" and it works. I have also tried a "route add 192.168.7.1 dev
> > > eth2" without running "route del 192.168.7.0 dev ipsec0" and it works.
> > >
> > > So, if I am right, I can always delete the route 192.168.7.0 dev
> > > ipsec0? This route is not needed by ipsec to load the tunnel? If I can,
> > > I just have to add a command to delete the route in my C program
> > > which runs ipsec.
> > >
> > > Thanks a lot for your help.
> > >
> >
>
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
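
Added example (not part of the original thread and not Openswan code): a check for the condition discussed above, where a directly attached subnet such as 192.168.7.0/24 is routed through both a physical interface and ipsec0. The function names are hypothetical and the sample routing table is constructed, modelled on the two rows quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan. Function names are
# hypothetical. Reads `route -n` style rows on stdin and reports every
# destination/netmask that is routed through both a physical interface and
# an ipsecN interface (the duplicate route discussed in the thread).

find_shadowed_routes() {
    awk '
        # Ignore header lines and anything whose first field is not an IPv4 address.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        {
            key = $1 "/" $3                 # destination/genmask
            if ($NF ~ /^ipsec[0-9]+$/) tun[key] = $NF
            else                       phys[key] = $NF
        }
        END {
            for (k in tun)
                if (k in phys) print k, phys[k], tun[k]
        }
    ' | sort
}

# Returns 1 and prints one warning per duplicate; returns 0 on a clean table.
check_routes() {
    dupes=$(find_shadowed_routes)
    [ -z "$dupes" ] && return 0
    printf '%s\n' "$dupes" | while read -r net phys tun; do
        echo "WARNING: $net is routed via both $phys and $tun"
    done
    return 1
}

# Constructed sample table (assumption: full `route -n` column layout).
sample_table() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.2.0     192.168.7.1     255.255.255.0   UG    0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.7.1     0.0.0.0         UG    0      0        0 eth2
EOF
}

sample_table | check_routes || true
# On a live gateway: route -n | check_routes
```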

