[Openswan Users] Openswan-2.6.22: while loading 'test': bad addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Evan Doiron
edoiron at cbnco.com
Fri Aug 21 15:21:17 EDT 2009
Evan Doiron wrote:
> Paul Wouters wrote:
>
>> On Mon, 17 Aug 2009, Evan Doiron wrote:
>>
>>> switch soekris
>>> 192.168.2.0/24 ===== 172.20.22.66 ------- 172.20.22.60 -------
>>> 172.20.22.64 ==== 192.168.1.0/24
>>>
>>> conn test
>>> # Left
>>> left=172.20.22.66
>>> leftsubnet=192.168.2.0/24
>>> leftid="/O=Test Test SC/OU=test/CN=net5501"
>>> leftca=%same
>>> # Right
>>> right=172.20.22.64
>>> rightsubnet=192.168.1.0/24
>>> rightnexthop=%direct
>>> rightid="/O=Test Test SC/OU=test/CN=aqs8322"
>>> rightcert=auto-cert.pem
>>> auto=start
>>>
>> try: rightnextop=172.20.22.66
>>> STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Aug 17 13:51:39 aqs8322 pluto[732]: "test" #2: STATE_QUICK_I2: sent QI2,
>>> IPsec SA established tunnel mode {ESP=>0x170dc92f <0x445beb06
>>> xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>>>
>> the tunnel came up
>>
>> So I think you need to check firewall rules, forwarding, etc.
>>
>> Paul
>>
Hi Paul,
I am running the openswan instances on two soekrises with no firewalls
running, and forwarding enabled.
I am upgrading from OpenSwan 2.4.x to 2.6.22; has the support for %direct gone? Perhaps I am mistaken, but basically what I'm expecting is that a route should come up to the peer's client when the tunnel has been established.
Initial configuration (attempted using %direct, and also specifying rightnexthop=172.20.22.66 and leftnexthop=172.20.22.64):
192.168.2.0/24 == 172.20.22.66 <==> 172.20.22.64 == 192.168.1.0/24
New configuration (added a router to see if it would make a difference):
Client Subnet OpenSwan ROUTER OpenSwan Client Subnet
192.168.2.0/24 == 192.168.4.2 <=> | 192.168.4.1 at eth0 & 192.168.5.1 at eth1 | <=> 192.168.5.2 == 192.168.1.0/24
New configuration (on the right machine):
conn test
    # Left
    left=192.168.4.2
    leftsubnet=192.168.2.0/24
    leftid="/O=Test Test SC/OU=test/CN=net5501"
    leftca=%same
    # Right
    right=192.168.5.2
    rightsubnet=192.168.1.0/24
    rightnexthop=192.168.5.1
    rightid="/O=Test Test SC/OU=test/CN=aqs8322"
    rightcert=auto-cert.pem
    auto=start
The tunnel is only able to be established if I set a default route to the "ROUTER", which from my understanding openswan should bring up a route to nexthop, should it not? If I set the default routes explicitly, the tunnel is established and I can ping from client to client. Is there something I am missing if I wish the routes to come up? Thanks,
-Evan
--
Evan Doiron
Software Developer
Canadian Bank Note Company Limited
edoiron at cbnco.com
Office (613)722-3422 ext. 2406
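As an added example (not from this thread, and not Openswan's own code), the following Python checker parses an ipsec.conf-style conn block and flags the two things the thread turns on: a nexthop value that pluto 2.6.22 rejects as a "bad addr" (the `%direct` keyword shown in the subject line) and any nexthop, peer or subnet value that is not a proper address literal. It also applies the workaround Paul suggested for directly connected peers, replacing a `%direct` nexthop with the other side's address. The function names, the constructed sample conn (copied from the first configuration in the thread) and the choice to treat only `%defaultroute` as an accepted keyword are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the initial conn from the thread, with the
# rightnexthop=%direct value that pluto 2.6.22 logged as a bad addr.
SAMPLE_CONF = """\
conn test
    # Left
    left=172.20.22.66
    leftsubnet=192.168.2.0/24
    leftid="/O=Test Test SC/OU=test/CN=net5501"
    leftca=%same
    # Right
    right=172.20.22.64
    rightsubnet=192.168.1.0/24
    rightnexthop=%direct
    rightid="/O=Test Test SC/OU=test/CN=aqs8322"
    rightcert=auto-cert.pem
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.

    Parameter lines must be indented under their 'conn' header, as ipsec.conf
    requires; comments and blank lines are skipped; values are kept verbatim."""
    conns = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():
            # Non-indented line: a new section header (conn X, config setup, ...)
            m = re.match(r"^conn\s+(\S+)$", stripped)
            current = m.group(1) if m else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_conn(params):
    """Return a list of problem strings for one conn; an empty list means it passed."""
    problems = []
    for side in ("left", "right"):
        host = params.get(side)
        if host is None:
            problems.append(f"{side}: missing")
        elif not host.startswith("%") and not _is_ip(host):
            problems.append(f"{side}={host}: not an IP literal")
        sub = params.get(side + "subnet")
        if sub is not None:
            try:
                ipaddress.ip_network(sub, strict=True)
            except ValueError:
                problems.append(f"{side}subnet={sub}: not a valid CIDR")
        nh = params.get(side + "nexthop")
        if nh is None or nh == "%defaultroute":
            continue
        if nh == "%direct":
            problems.append(f"{side}nexthop=%direct: rejected as a bad addr by "
                            "pluto 2.6.22; use the gateway's IP or %defaultroute")
        elif not _is_ip(nh):
            problems.append(f"{side}nexthop={nh}: not an IP literal")
    # Overlapping client subnets would make the tunnel's routing ambiguous.
    try:
        ln = ipaddress.ip_network(params["leftsubnet"], strict=False)
        rn = ipaddress.ip_network(params["rightsubnet"], strict=False)
        if ln.overlaps(rn):
            problems.append(f"leftsubnet {ln} overlaps rightsubnet {rn}")
    except (KeyError, ValueError):
        pass
    return problems


def apply_direct_fix(params):
    """Return a copy where each side's %direct nexthop becomes the peer's own
    address, i.e. the explicit value suggested in the thread for peers that
    sit on the same link (assumption: no intermediate router on that side)."""
    fixed = dict(params)
    peer_of = {"left": "right", "right": "left"}
    for side, peer in peer_of.items():
        if fixed.get(side + "nexthop") == "%direct" and _is_ip(fixed.get(peer, "")):
            fixed[side + "nexthop"] = fixed[peer]
    return fixed


if __name__ == "__main__":
    conn = parse_conns(SAMPLE_CONF)["test"]
    for p in check_conn(conn):
        print("problem:", p)
    print("after fix:", check_conn(apply_direct_fix(conn)) or "ok")
```

The fix only covers the first topology in the thread, where the two Openswan hosts share a link; with a router in between (the second topology), the nexthop has to be that router's address on the local side, which is exactly what the corrected conn with rightnexthop=192.168.5.1 expresses.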