[Openswan Users] "cannot install eroute" after remote IP change
GregScott at Infrasupport.com
Fri Feb 18 04:53:04 EST 2011
For what it's worth, I had some customers behind DHCP NAT gateways doing
VPNs. I settled on OpenVPN for those instead of IPSEC and it's worked
out very well. The challenge is, I can't access the NATed box unless
the OpenVPN tunnel is alive, but it's the same challenge with IPSEC.
And only the remote site can initiate a connection, so this adds some
complexity to troubleshooting outages - but no different than IPSEC.
The advantage is, you don't care about the remote site public IP Address
because the remote site connects based on an identity and not an IP
Address. The other advantage is, you can test it from anywhere. You
can put it together in a test lab, test everything, then deploy it and
it will run the same at the production site as in your test lab. And
all it needs is UDP port 1194 going out, so it's firewall friendly.
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Wednesday, February 09, 2011 9:24 PM
To: Michael Smith
Subject: Re: [Openswan Users] "cannot install eroute" after remote IP
On Tue, 8 Feb 2011, Michael Smith wrote:
> I'm using Openswan 2.6.31, Linux 184.108.40.206, and NETKEY. One of my
> sites is behind NAT and the public IP changes every couple of hours
Obviously not a scenario recommended for running ipsec on.....
> There are several IPsec SAs for the peer. After one or two IP changes,
> one or more of the IPsec SAs keeps failing to negotiate with a message
> like the following:
> Feb 7 16:45:42 vpngw pluto: "bldg-site111-laptops" 220.127.116.11
> #25879: cannot install eroute -- it is in use for
> "bldg-site111-laptops" 18.104.22.168 #0
Your connection should not be instantiating if this is a static tunnel.
Are you running scripts to bring up the tunnel?
> conn bldg-site111-laptops
> conn bldg-site111-support
> conn bldg-site112-laptops
> conn bldg-site112-support
> conn bldg-site49_32-phones
> <some other tunnels not shown>
> conn bldg-site-common
I guess the right=%any causes the instantiation. But it should replace
instead of add the connections. You did not specify uniqueids=false
in config setup right?
> conn bldg-common-laptops
> conn bldg-common-support
Your different conns have the same ID. This might be confusing things.
I would try to specify unique leftids (on both sides!) for each tunnel.
Users at openswan.org
Building and Integrating Virtual Private Networks with Openswan:
More information about the Users