[Openswan Users] Error sending data out tunnel: No route to host

Hernan Freschi hjf at hjf.com.ar
Mon Jan 25 09:37:23 EST 2010


Hello, I've been using openswan + l2tpns for a while now. Recently the
server was rootkited so I had to make a clean install. I copied the
configuration files and all, and after that I've been getting the errors
at the end of this message.

Sometimes it fixes itself after several minutes, sometimes it won't. I
try killing l2tpns but it refuses to die, unless I do it with signal 9.
Restarting it solves the problem (during this time I can't even access
the l2tpns CLI).

I've also noticed that restarting openswan fixes the problem too. Now I'm
starting to suspect that openswan is to blame.
Here's Debian's auth.log while the server is failing:

Jan 25 11:25:34 acceso pluto[10976]: packet from 10.5.1.74:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 25 11:25:34 acceso pluto[10976]: packet from 10.5.1.74:500: ignoring Vendor ID payload [FRAGMENTATION]
Jan 25 11:25:34 acceso pluto[10976]: packet from 10.5.1.74:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 25 11:25:34 acceso pluto[10976]: packet from 10.5.1.74:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: responding to Main Mode from unknown peer 10.5.1.74
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: Main mode peer ID is ID_IPV4_ADDR: '10.5.1.74'
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: I did not send a certificate because I do not have one.
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2117: responding to Quick Mode {msgid:35e9f288}
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2117: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2117: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2117: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2117: STATE_QUICK_R2: IPsec SA established {ESP=>0xc47b9ec2 <0x8913fef3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[132] 10.5.1.246 #2106: received Delete SA(0x07024e97) payload: deleting IPSEC State #2107
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[132] 10.5.1.246 #2106: received and ignored informational message
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[132] 10.5.1.246 #2106: received Delete SA payload: deleting ISAKMP State #2106
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[132] 10.5.1.246: deleting connection "zpreshared" instance with peer 10.5.1.246 {isakmp=#0/ipsec=#0}
Jan 25 11:25:34 acceso pluto[10976]: packet from 10.5.1.246:500: received and ignored informational message
Jan 25 11:25:37 acceso pluto[10976]: "zpreshared"[51] 10.5.1.186 #2108: received Delete SA(0xe1abd805) payload: deleting IPSEC State #2109
Jan 25 11:25:37 acceso pluto[10976]: "zpreshared"[51] 10.5.1.186 #2108: received and ignored informational message
Jan 25 11:25:37 acceso pluto[10976]: "zpreshared"[51] 10.5.1.186 #2108: received Delete SA payload: deleting ISAKMP State #2108
Jan 25 11:25:37 acceso pluto[10976]: packet from 10.5.1.186:500: received and ignored informational message


Any suggestions? Here's the l2tpns logfile at the moment it's failing:

2010-01-19 17:13:15 00/00 Sending v5 heartbeat #91343, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3388)
2010-01-19 17:13:15 00/00 Sending v5 heartbeat #91344, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3388)
2010-01-19 17:13:16 00/00 Sending v5 heartbeat #91345, change #594 with 0 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3389)
2010-01-19 17:13:16 03/03 Kill session 3 (xxxxxxxxx): Expired
2010-01-19 17:13:16 00/00 Reached multi_read_count (10); processed 10 udp, 10 tun and 0 cluster packets
2010-01-19 18:06:56 00/00 Sending v5 heartbeat #91346, change #595 with 1 changes (18 x-sess, 18 x-tunnels, 18 highsess, 18 hightun, size 3323)
2010-01-19 18:06:56 06/00 Sending HELLO message
2010-01-19 18:06:56 07/00 Sending HELLO message
2010-01-19 18:06:56 08/00 Sending HELLO message
2010-01-19 18:06:56 09/00 Sending HELLO message
2010-01-19 18:06:56 10/00 Sending HELLO message
2010-01-19 18:06:56 11/00 Sending HELLO message
2010-01-19 18:06:56 12/00 Sending HELLO message
2010-01-19 18:06:56 13/00 Sending HELLO message
2010-01-19 18:06:56 14/00 Sending HELLO message
2010-01-19 18:06:56 15/00 Sending HELLO message
2010-01-19 18:06:56 16/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0bcfe6, len=20, dest=10.5.2.26)
2010-01-19 18:06:56 16/00 Sending HELLO message
2010-01-19 18:06:56 17/00 Sending HELLO message
2010-01-19 18:06:56 18/00 Sending HELLO message
2010-01-19 18:06:56 01/00 Sending HELLO message
2010-01-19 18:06:56 02/00 Sending HELLO message
2010-01-19 18:06:56 03/00 Kill tunnel 3: Expired
2010-01-19 18:06:56 04/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0ba43e, len=20, dest=10.5.1.26)
2010-01-19 18:06:56 04/00 Sending HELLO message
2010-01-19 18:06:56 05/00 Sending HELLO message
2010-01-19 18:06:56 10/04 Shutting down session 4: No response to LCP ECHO requests.
2010-01-19 18:06:56 10/04 Allocated radius 112
2010-01-19 18:06:56 05/05 Shutting down session 5: No response to LCP ECHO requests.
2010-01-19 18:06:56 05/05 Allocated radius 113
2010-01-19 18:06:56 06/06 Shutting down session 6: No response to LCP ECHO requests.
2010-01-19 18:06:56 06/06 Allocated radius 114
2010-01-19 18:06:56 07/07 Shutting down session 7: No response to LCP ECHO requests.
2010-01-19 18:06:56 07/07 Allocated radius 115
2010-01-19 18:06:56 04/08 Shutting down session 8: No response to LCP ECHO requests.
2010-01-19 18:06:56 04/08 Allocated radius 116
2010-01-19 18:06:56 11/09 Shutting down session 9: No response to LCP ECHO requests.

ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth3"
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #       plutodebug="all"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


conn zpreshared
        authby=secret
        pfs=no
        left=10.1.1.10
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        auto=add
        keyingtries=3


conn cliente-internet
        leftsubnet=0.0.0.0/0
        also=cliente

conn cliente
        left=10.5.255.254
        leftcert=server.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=1
        compress=yes


conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore




Thanks,
Hernan
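An added example, not part of Hernan's post nor of the Openswan or l2tpns projects: a small script that parses the two log formats quoted above (pluto's per-peer state lines and l2tpns's "Error sending data out tunnel" lines) and, for every failed L2TP send, reports what pluto last said about the IPsec SA for that destination. The sample lines are constructed from the excerpts in the post; matching is by peer address only, since the two excerpts are from different days. It assumes the line formats are exactly those shown and says nothing about the root cause.

```python
"""Correlate pluto (Openswan) SA events with l2tpns send errors by peer address."""
import re
from collections import OrderedDict

# Constructed sample lines modelled on the excerpts in the post, one log entry per line.
PLUTO_LOG = """\
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2116: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[136] 10.5.1.74 #2117: STATE_QUICK_R2: IPsec SA established {ESP=>0xc47b9ec2 <0x8913fef3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[132] 10.5.1.246 #2106: received Delete SA(0x07024e97) payload: deleting IPSEC State #2107
Jan 25 11:25:34 acceso pluto[10976]: "zpreshared"[132] 10.5.1.246 #2106: received Delete SA payload: deleting ISAKMP State #2106
Jan 25 11:25:37 acceso pluto[10976]: "zpreshared"[51] 10.5.1.186 #2108: received Delete SA(0xe1abd805) payload: deleting IPSEC State #2109
"""

L2TPNS_LOG = """\
2010-01-19 18:06:56 15/00 Sending HELLO message
2010-01-19 18:06:56 16/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0bcfe6, len=20, dest=10.5.2.26)
2010-01-19 18:06:56 03/00 Kill tunnel 3: Expired
2010-01-19 18:06:56 04/00 Error sending data out tunnel: No route to host (udpfd=9, buf=0xa0ba43e, len=20, dest=10.5.1.26)
"""

# pluto: ... "conn"[instance] PEER #STATE: message
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) '
    r'#(?P<state>\d+): (?P<msg>.*)$'
)
# l2tpns: DATE TIME TUN/SESS Error sending data out tunnel: ERR (k=v, k=v, ...)
L2TPNS_ERR_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tun>\d+)/(?P<sess>\d+) '
    r'Error sending data out tunnel: (?P<err>.+?) \((?P<kv>[^)]*)\)$'
)


def ipsec_sa_by_peer(pluto_text):
    """Return {peer_ip: 'up' | 'down'}, the last IPsec (phase 2) SA event seen per peer.

    'up' comes from an "IPsec SA established" line, 'down' from "deleting IPSEC State".
    ISAKMP (phase 1) lines are ignored on purpose: the L2TP/UDP packets ride the phase 2 SA.
    """
    sa = OrderedDict()
    for line in pluto_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        msg = m.group('msg')
        if 'IPsec SA established' in msg:
            sa[m.group('peer')] = 'up'
        elif 'deleting IPSEC State' in msg:
            sa[m.group('peer')] = 'down'
    return sa


def tunnel_send_errors(l2tpns_text):
    """Parse l2tpns 'Error sending data out tunnel' lines into dicts (ts, tunnel, error, dest, len)."""
    errors = []
    for line in l2tpns_text.splitlines():
        m = L2TPNS_ERR_RE.match(line)
        if not m:
            continue
        # "udpfd=9, buf=0xa0bcfe6, len=20, dest=10.5.2.26" -> {'udpfd': '9', ...}
        kv = dict(item.strip().split('=', 1) for item in m.group('kv').split(','))
        errors.append({
            'ts': m.group('ts'),
            'tunnel': int(m.group('tun')),
            'error': m.group('err'),
            'dest': kv.get('dest'),
            'len': int(kv['len']) if 'len' in kv else None,
        })
    return errors


def correlate(pluto_text, l2tpns_text):
    """For each failed L2TP send, attach pluto's last word on that destination's IPsec SA.

    sa_state is 'up', 'down', or 'no SA seen' when pluto never mentioned that address.
    """
    sa = ipsec_sa_by_peer(pluto_text)
    return [{**err, 'sa_state': sa.get(err['dest'], 'no SA seen')}
            for err in tunnel_send_errors(l2tpns_text)]


if __name__ == '__main__':
    for r in correlate(PLUTO_LOG, L2TPNS_LOG):
        print(f"{r['ts']} tunnel {r['tunnel']:>2} -> {r['dest']}: {r['error']}; "
              f"pluto IPsec SA: {r['sa_state']}")
```

Run it against real files by replacing the two constructed strings with the contents of auth.log and the l2tpns log; a destination reported as 'down' or 'no SA seen' at the time of the error is the first thing to check with `ipsec auto --status` on the box.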