[Openswan Users] "cannot install eroute" after remote IP change

Paul Wouters paul at xelerance.com
Wed Feb 9 22:23:51 EST 2011


On Tue, 8 Feb 2011, Michael Smith wrote:

> I'm using Openswan 2.6.31, Linux 2.6.35.10, and NETKEY. One of my remote
> sites is behind NAT and the public IP changes every couple of hours (!).

Obviously not a scenario recommended for running ipsec on.....

> There are several IPsec SAs for the peer. After one or two IP changes,
> one or more of the IPsec SAs keeps failing to negotiate with a message
> like the following:
>
> Feb  7 16:45:42 vpngw pluto[10130]: "bldg-site111-laptops"[2] 5.6.7.8
> #25879: cannot install eroute -- it is in use for
> "bldg-site111-laptops"[1] 5.6.7.8 #0

Your connection should not be instantiating if this is a static tunnel.

Are you running scripts to bring up the tunnel?

> conn bldg-site111-laptops
>     rightsubnet=192.168.111.0/24
>     also=bldg-site-common
>     also=bldg-common-laptops
>     auto=add
>
> conn bldg-site111-support
>     rightsubnet=192.168.111.0/24
>     also=bldg-site-common
>     also=bldg-common-support
>     auto=add
>
> conn bldg-site112-laptops
>     rightsubnet=192.168.112.0/24
>     also=bldg-site-common
>     also=bldg-common-laptops
>     auto=add
>
> conn bldg-site112-support
>     rightsubnet=192.168.112.0/24
>     also=bldg-site-common
>     also=bldg-common-support
>     auto=add
>
> conn bldg-site49_32-phones
>     rightsubnet=192.168.49.32/29
>     also=bldg-site-common
>     also=bldg-common-phones
>     auto=add
>
> <some other tunnels not shown>
>
> conn bldg-site-common
>     right=%any
>     rightid=@remote-vpngw
>     rekey=no

I guess the right=%any causes the instantiation. But it should replace
instead of add the connections. You did not specify uniqueids=false
in config setup, right?

> conn bldg-common-laptops
>     leftsubnet=10.1.2.0/24
>     left=44.44.44.44
>     leftid=@vpngw.cbnco.com
>     leftcert=/etc/x509cert.der
>
> conn bldg-common-support
>     leftsubnet=10.1.1.0/24
>     left=44.44.44.44
>     leftid=@vpngw.cbnco.com
>     leftcert=/etc/x509cert.der

Your different conns have the same ID. This might be confusing things.
I would try to specify unique leftids (on both sides!) for each tunnel.

Paul
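As an added example (not from this list post or the Openswan project), a small checker that resolves `also=` includes in an ipsec.conf fragment shaped like the one above and reports the two things Paul points at: conns that end up with right=%any (and so get instantiated per peer) and conns that share one leftid. The sample config, conn names and addresses are constructed.

```python
import re
# Constructed sample in the thread's layout (placeholder names, not the poster's config).
SAMPLE_CONF = """\
conn site111-laptops
    rightsubnet=192.168.111.0/24
    also=site-common
    also=common-laptops
conn site111-support
    rightsubnet=192.168.111.0/24
    also=site-common
    also=common-support
conn site-common
    right=%any
conn common-laptops
    leftid=@vpngw.example
conn common-support
    leftid=@vpngw.example
"""

def parse_conns(text):
    """Map each `conn NAME` section to {key: [values]}; only also= is expected to repeat."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            cur.setdefault(k, []).append(v)
    return conns

def resolve(conns, name, out=None):
    """Flatten also= recursively; the including section's own keys take precedence."""
    out = {} if out is None else out
    for k, vals in conns[name].items():
        if k != "also":
            out.setdefault(k, vals[0])  # keep the value set closer to the top
    for inc in conns[name].get("also", []):
        resolve(conns, inc, out)
    return out

def audit(text):
    """(tunnels with right=%any, {leftid: tunnels sharing it}); tunnel = section no also= pulls in."""
    conns = parse_conns(text)
    included = {i for c in conns.values() for i in c.get("also", [])}
    flat = {n: resolve(conns, n) for n in conns if n not in included}
    instantiated = sorted(n for n, c in flat.items() if c.get("right") == "%any")
    ids = {c["leftid"] for c in flat.values() if "leftid" in c}
    groups = {i: sorted(n for n, c in flat.items() if c.get("leftid") == i) for i in ids}
    return instantiated, {i: ns for i, ns in groups.items() if len(ns) > 1}
```

Running `audit(SAMPLE_CONF)` on the sample flags both tunnels as instantiated and reports that they share `@vpngw.example`, which is the configuration shape Paul suggests changing.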
