[Openswan Users] Requesting help, no route to host

Robert gmane8756 at yahoo.com
Wed Jun 18 10:47:43 EDT 2008


Hello World,

This is my first attempt at using either IPsec or Openswan.

As I see my problem, the default route is not being found.  A message in 
/var/log/secure states “No route to host”, although pinging gets 
through.

Now for details of what I am trying to do.  A computer named “eng” 
hopefully will be able to connect to a Netgear fvs124g router.  In 
between these two end points are a ZyWall router and the Internet.
     
<eng>  <ZyWall 5 UTM Router>  <Internet> <Netgear fvs124g router>

eng is running Fedora 8.  Yum lists openswan as openswan.x86_64 2.4.9-2.fc8 
installed.

Very limited influence and access are available on the ZyWall.  Its 
management is outsourced.

The Netgear fvs124g is under my control.  If it becomes a problem, there 
is a Fedora box behind it that could be an endpoint.  The Netgear 
could also be replaced.

It is interesting that the Netgear router can be pinged from eng.  

Some details, including /var/log/secure and /var/log/messages, are below.

Any help in the form of thought or suggestions would be appreciated.

Have a good day,
Robert 

 ----------------------------------------------- 
[root at eng ~]# ipsec --version

Linux Openswan U2.4.9/K(no kernel code presently loaded)
See `ipsec --copyright' for copyright information.

 -------------------------------------- 
[root at eng ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.25.4-10.fc8 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)     [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Sometimes the “Two or more interfaces found, ...” check fails and sometimes 
it passes.  There is only a single NIC, integrated in the motherboard.
 ----------------------------------- 
/etc/ipsec.d/wlw.conf

conn wlw-office-annex
	auto=start
	#
	left=192.168.50.174
	leftcert=eng.pem
	leftid="xxxxxxxxxx"
	#
	rightid = "yyyyyyyyyyyyyyyy"
	right = xxxxxxxx.dyndns.org
	rightnexthop = 192.168.50.254

 ------------------------------------------------ 
tail -f /var/log/messages

kernel: NET: Registered protocol family 15
ipsec_setup: NETKEY on eth0 192.168.50.174/255.255.255.0 broadcast 192.168.50.255
ipsec_setup: ...Openswan IPsec started
ipsec__plutorun: 027 bad left --id: unknown OID in ID_DER_ASN1_DN (ignored)
ipsec__plutorun: ...could not add conn "wlw-office-annex"
ipsec__plutorun: 104 "wlw-office-annex" #1: STATE_MAIN_I1: initiate
ipsec__plutorun: ...could not start conn "wlw-office-annex"

 ------------------------------------------------ 
tail -f /var/log/secure

ipsec__plutorun: Starting Pluto subsystem...
pluto[24031]: Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
pluto[24031]: Setting NAT-Traversal port-4500 floating to on
pluto[24031]:    port floating activation criteria nat_t=1/port_fload=1
pluto[24031]:   including NAT-Traversal patch (Version 0.6c)
pluto[24031]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[24031]: starting up 1 cryptographic helpers
pluto[24031]: started helper pid=24034 (fd:6)
pluto[24031]: Using NETKEY IPsec interface code on 2.6.25.4-10.fc8
pluto[24031]: Changing to directory '/etc/ipsec.d/cacerts'
pluto[24031]:   loaded CA cert file 'ca.pem' (1350 bytes)
pluto[24031]: Changing to directory '/etc/ipsec.d/aacerts'
pluto[24031]: Changing to directory '/etc/ipsec.d/ocspcerts'
pluto[24031]: Changing to directory '/etc/ipsec.d/crls'
pluto[24031]:   Warning: empty directory
pluto[24031]: bad left --id: unknown OID in ID_DER_ASN1_DN (ignored)
pluto[24031]:   loaded host cert file '/etc/ipsec.d/certs/eng.pem' (3934 bytes)
pluto[24031]: added connection description "wlw-office-annex"
pluto[24031]: listening for IKE messages
pluto[24031]: adding interface eth0/eth0 192.168.50.174:500
pluto[24031]: adding interface eth0/eth0 192.168.50.174:4500
pluto[24031]: adding interface lo/lo 127.0.0.1:500
pluto[24031]: adding interface lo/lo 127.0.0.1:4500
pluto[24031]: adding interface lo/lo ::1:500
pluto[24031]: loading secrets from "/etc/ipsec.secrets"
pluto[24031]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
pluto[24031]: "wlw-office-annex" #1: initiating Main Mode
pluto[24031]: "wlw-office-annex" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 76.211.66.174 port 500, complainant 192.168.50.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
 ========================================= 
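An added example, not part of the original post and not Openswan code: a small Python parser for the pluto "asynchronous network error report" lines of the kind quoted above. It decodes the errno and the ICMP type/code fields (type 3 is Destination Unreachable; code 1 is host unreachable), and, by first collecting the addresses pluto announces in its "adding interface" lines, flags whether the complainant is the local host itself. When it is, the ICMP error was generated by the local kernel (typically because the next hop could not be resolved) rather than by a router on the path, which is a different thing to investigate than an error reported by a remote gateway. The log lines, connection names and addresses in SAMPLE_LOG are constructed for this example; the errno names are the Linux values pluto reports.

```python
"""Decode pluto 'asynchronous network error report' log lines.

Added example; the sample log below is constructed, modelled on the
message format pluto uses, and does not come from any real system.
"""
import re

# Constructed sample log (documentation addresses, invented pid/conn names).
SAMPLE_LOG = """
pluto[4242]: adding interface eth0/eth0 192.0.2.10:500
pluto[4242]: adding interface eth0/eth0 192.0.2.10:4500
pluto[4242]: adding interface lo/lo 127.0.0.1:500
pluto[4242]: listening for IKE messages
pluto[4242]: "site-a" #1: initiating Main Mode
pluto[4242]: "site-a" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 198.51.100.7 port 500, complainant 192.0.2.10: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
pluto[4242]: "site-b" #2: initiating Main Mode
pluto[4242]: "site-b" #2: ERROR: asynchronous network error report on eth0 (sport=500) for message to 203.0.113.9 port 500, complainant 203.0.113.1: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Addresses pluto binds for IKE; used to tell a local kernel-generated
# ICMP error from one sent by a router on the path.
IFACE_RE = re.compile(r"adding interface \S+ (?P<addr>[0-9a-f.:]+):(?P<port>\d+)")

# The error-report line as pluto formats it.
ERROR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): ERROR: asynchronous network error report '
    r"on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) for message to "
    r"(?P<peer>\S+) port (?P<dport>\d+), complainant (?P<complainant>\S+): "
    r"(?P<text>[^\[]+?) \[errno (?P<errno>\d+), origin (?P<origin>\w+)"
    r"(?: type (?P<type>\d+) code (?P<code>\d+))? \((?P<auth>[^)]*)\)\]"
)

# Linux errno values as pluto prints them.
ERRNO_NAMES = {101: "ENETUNREACH", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

# ICMP type 3 (Destination Unreachable) codes, RFC 792 / RFC 1812.
ICMP_UNREACHABLE = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_error_report(line):
    """Return a dict of the fields in one error-report line, or None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    rep = m.groupdict()
    for key in ("sa", "sport", "dport", "errno", "type", "code"):
        if rep[key] is not None:
            rep[key] = int(rep[key])
    rep["errno_name"] = ERRNO_NAMES.get(rep["errno"], "errno %d" % rep["errno"])
    if rep["origin"] == "ICMP" and rep["type"] == 3:
        rep["icmp_meaning"] = ICMP_UNREACHABLE.get(rep["code"], "code %d" % rep["code"])
    else:
        rep["icmp_meaning"] = None
    return rep


def analyse(lines):
    """Walk a pluto log: learn local IKE addresses, then classify each error."""
    local_addrs = set()
    findings = []
    for line in lines:
        m = IFACE_RE.search(line)
        if m:
            local_addrs.add(m.group("addr"))
            continue
        rep = parse_error_report(line)
        if rep is None:
            continue
        # A complainant equal to one of our own addresses means the kernel
        # itself raised the ICMP error (e.g. next hop not resolvable); any
        # other complainant is a router on the path reporting back to us.
        rep["complainant_is_local"] = rep["complainant"] in local_addrs
        findings.append(rep)
    return findings


def summarize(rep):
    """One-line human summary of a parsed error report."""
    source = "local kernel" if rep["complainant_is_local"] else "remote %s" % rep["complainant"]
    return '%s: IKE to %s:%d failed, %s (%s), ICMP type %s code %s = %s, reported by %s' % (
        rep["conn"], rep["peer"], rep["dport"], rep["text"], rep["errno_name"],
        rep["type"], rep["code"], rep["icmp_meaning"], source)


if __name__ == "__main__":
    for rep in analyse(SAMPLE_LOG.strip().splitlines()):
        print(summarize(rep))
```

Run against a real log with `analyse(open("/var/log/secure").read().splitlines())`; the interface lines must precede the error lines in the input, as they do in a pluto startup sequence, for the local/remote distinction to be made.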