[Openswan Users] OpenSWAN doesn't add route

linux linux at tuxalafenetre.net
Fri Jun 4 09:35:09 EDT 2010


Hi list, 

I created an IPsec tunnel between a Sonicwall Appliance 3060 and a Linux
CentOS distro. The IPsec tunnel is up, but I can't see IP routes.

ipsec auto --status

000 "sonicwall": 192.168.1.57/32===192.168.1.2<192.168.1.2>[+S=C]---192.168.1.1...93.94.161.194<93.94.161.194>[+S=C]===172.18.1.192/32; erouted; eroute owner: #4
000 "sonicwall":     myip=unset; hisip=unset;
000 "sonicwall":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "sonicwall":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "sonicwall":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "sonicwall":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "sonicwall":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "sonicwall":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "sonicwall":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "sonicwall":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "sonicwall":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #1: "sonicwall":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "sonicwall":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2304s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #4: "sonicwall" esp.2bb33347@93.94.161.194 esp.499366bc@192.168.1.2 tun.0@93.94.161.194 tun.0@192.168.1.2 ref=0 refhim=4294901761
000 #3: "sonicwall":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2313s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

ip route list

192.168.246.0/24 dev vmnet1  proto kernel  scope link  src 192.168.246.1
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
172.16.172.0/24 dev vmnet8  proto kernel  scope link  src 172.16.172.1
169.254.0.0/16 dev eth1  scope link
default via 192.168.1.1 dev eth1

Here is my sonicwall.conf file:

conn sonicwall
        type=tunnel
        auto=start
        auth=esp
        pfs=yes
        authby=secret
        keyingtries=1
        left=192.168.1.2
        leftnexthop=%defaultroute
        leftsubnet=192.168.1.57/32
        leftid=192.168.1.2
        right=93.94.161.194
        rightsubnet=172.18.1.192/32
        rightid=93.94.161.194
        aggrmode=no
        esp=aes128-sha1
        ike=aes128-sha1
        keylife=1h
        ikelifetime=1h
        # must be indented like the other keywords so it belongs to this conn section
        keyexchange=ike


Thanks a lot

Kevin
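As an added diagnostic (not part of the post and not Openswan's own tooling), the Python below parses the conn line of the `ipsec auto --status` dump and the `ip route list` output quoted above, extracts the tunnel selectors, and reports whether the conn is erouted and which kernel route the remote subnet currently falls under. The sample strings are constructed from the post's output; the regex assumes the status line format exactly as printed there.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the post's output, unwrapped.
STATUS = ('000 "sonicwall": 192.168.1.57/32===192.168.1.2<192.168.1.2>[+S=C]'
          '---192.168.1.1...93.94.161.194<93.94.161.194>[+S=C]===172.18.1.192/32;'
          ' erouted; eroute owner: #4\n')
ROUTES = ('192.168.246.0/24 dev vmnet1  proto kernel  scope link  src 192.168.246.1\n'
          '192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2\n'
          '169.254.0.0/16 dev eth1  scope link\n'
          'default via 192.168.1.1 dev eth1\n')

# First status line of a conn, as printed on the post:
#   000 "name": LSUB===LEFT<ID>[flags]---NEXTHOP...RIGHT<ID>[flags]===RSUB; STATE; ...
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)":\s+(?P<lsub>[\d.]+/\d+)===(?P<left>[\d.]+)<[^>]*>(?:\[[^\]]*\])?'
    r'---(?P<nexthop>[\d.]+)\.\.\.(?P<right>[\d.]+)<[^>]*>(?:\[[^\]]*\])?'
    r'===(?P<rsub>[\d.]+/\d+);\s*(?P<state>[^;]+);', re.M)

def parse_status(text):
    """Map conn name -> selectors; erouted=True when Openswan reports the eroute installed."""
    conns = {}
    for m in CONN_RE.finditer(text):
        d = m.groupdict()
        d["erouted"] = d["state"].strip() == "erouted"
        conns[d["name"]] = d
    return conns

def parse_routes(text):
    """List of (network, rest-of-line) from 'ip route list'; 'default' becomes 0.0.0.0/0."""
    routes = []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst, strict=False), " ".join(parts[1:])))
    return routes

def route_for(routes, subnet):
    """Longest-prefix route covering subnet, i.e. the one the kernel would pick."""
    net = ipaddress.ip_network(subnet)
    hits = [r for r in routes if net.subnet_of(r[0])]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def diagnose(status_text, route_text, conn):
    """Report whether the tunnel is erouted and which route its remote subnet hits."""
    sel = parse_status(status_text)[conn]
    route = route_for(parse_routes(route_text), sel["rsub"])
    return {"erouted": sel["erouted"], "remote_subnet": sel["rsub"],
            "route": route[0].with_prefixlen if route else None,
            "via_default_only": route is not None and route[0].prefixlen == 0}
```

For the post's data this reports the conn as erouted while 172.18.1.192/32 is covered only by the default route, which is exactly the mismatch Kevin is asking about.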
