[Openswan Users] Routing Problem?

Peter McGill petermcgill at goco.net
Thu Jun 26 13:09:43 EDT 2008 

Bert,

> How does it know how to use the VPN connection for the
> remote subnet?  Is there supposed to be a network device
> for VPN (like ipsec0)? I'm clearly missing something, but
> cannot figure it out.
The traffic which is from leftsubnet to rightsubnet enters the
tunnel automatically, you cannot route it manually.
In your case traffic from 209.98.199.133 to 192.4.223.0/32.
You only have ipsec0 when using the klips kernel modules, you're
using the netkey kernel modules so your ipsec uses the internet
interface, eth0 in your case.

According to your logs the tunnel is not completed:
> Jun 26 11:11:32 ruglyweb1 pluto[9542]: "mgi" #4: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #3 {using isakmp#1
> msgid:dc18ab8c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Jun 26 11:11:32 ruglyweb1 pluto[9542]: "mgi" #1: ignoring 
> informational
> payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Jun 26 11:11:32 ruglyweb1 pluto[9542]: "mgi" #1: received and ignored
> informational message
> Jun 26 11:12:42 ruglyweb1 pluto[9542]: "mgi" #4: max number of
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
> our first Quick Mode message: perhaps peer likes no proposal
Key error being NO_PROPOSAL_CHOSEN.

I suspect this is due to the following error in your ipsec.conf:
>         ike=3des-md5
>         esp=3des-md5
While these lines look ok, they are indented with spaces, and should
properly be indented with a single tab.

Thank you for the complete barf, makes it easier to diagnose.
If this doesn't fix your problem, try sending your ping test results
and the new log output to see if the error has changed.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Bert Olsson
> Sent: June 26, 2008 12:28 PM
> To: users at openswan.org
> Subject: [Openswan Users] Routing Problem?
> 
> I am trying to establish a VPN connection using openswan
> from an RHEL5 box.  The VPN connection seems to come up
> just fine, but when I look at ping packets going to the
> remote subnet, the packets are going over the default
> interface (i.e., they are not ESP packets over VPN).
> 
> How does it know how to use the VPN connection for the
> remote subnet?  Is there supposed to be a network device
> for VPN (like ipsec0)? I'm clearly missing something, but
> cannot figure it out.
> 
> Thanks for any help.
> 
> Bert Olsson
> 
> ipsec --barf output:

More information about the Users mailing list