[Openswan Users] initiate on demand different between 2.6.24 and 2.6.25+

[Salih Goenuellue]

Hi,

Tuomo Soini wrote:

> I'm quite sure latest git version should work. According my testing
> it's fixed on latest git version.
> 


with auto=route ?

If the connection is initiated from the local network, I am only seeing 
this:

pluto[27069]: | *received kernel message 
 

pluto[27069]: | netlink_get: XFRM_MSG_ACQUIRE message 
 

pluto[27069]: | add bare shunt 0x8d11770 192.168.211.10/32:51500 -6-> 
192.168.215.10/32:22 => %hold 0    %acquire-netlink 

pluto[27069]: | find_connection: looking for policy for connection: 
192.168.211.10:6/51500 -> 192.168.215.10:6/22 
           pluto[27069]: | find_connection: conn "net-net" has 
compatible peers: 192.168.211.0/24 -> 192.168.215.0/24 [pri: 12632072] 

pluto[27069]: | find_connection: comparing best "net-net" 
[pri:12632072]{0x8d0f760} (child none) to "net-net" 
[pri:12632072]{0x8d0f760} (child none)
pluto[27069]: | find_connection: concluding with "net-net" 
[pri:12632072]{0x8d0f760} kind=CK_PERMANENT 
                    pluto[27069]: | delete bare shunt 0x8d11770 
192.168.211.10/32:51500 -6-> 192.168.215.10/32:22 => %hold 0 
%acquire-netlink
pluto[27069]: | * processed 0 messages from cryptographic helpers 
 

pluto[27069]: | next event EVENT_PENDING_DDNS in 47 seconds 
 

pluto[27069]: | next event EVENT_PENDING_DDNS in 47 seconds


ipsec auto --status says:

000 "net-net": 
192.168.211.0/24===192.168.210.2<192.168.210.2>[+S=C]...192.168.214.2<192.168.214.2>[+S=C]===192.168.215.0/24; 
prospective erouted; eroute owner: #0


ip -s xfrm state is empty


and ip -s xfrm pol is giving this:


src 192.168.211.0/24 dst 192.168.215.0/24 uid 0
         dir out action allow index 1329 priority 2344 ptype main share 
any flag  (0x00000000)
         lifetime config:
           limit: soft (INF)(bytes), hard (INF)(bytes)
           limit: soft (INF)(packets), hard (INF)(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2010-04-29 10:48:48 use 2010-04-29 10:49:46
         tmpl src 0.0.0.0 dst 0.0.0.0
                 proto esp spi 0x00000000(0) reqid 0(0x00000000) mode 
transport
                 level required share any
                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff




ipsec --version

Linux Openswan U2.6.master-201017.git-g48c709ae-dirty/K2.6.32-3-686 (netkey)


If a node behind the peer starts the connection then it works though, 
auto=start starts the tunnel ok too.

Thanks,

    -salih


-- 
salih goenuellue
security engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich
t +41 44 455 74 00
f +41 44 455 74 01
sag at open.ch

http://www.open.ch