[Openswan Users] "cannot install eroute" after remote IP change
msmith at cbnco.com
Tue Mar 1 21:25:42 EST 2011
On Tue, 1 Mar 2011, Paul Wouters wrote:
> On Mon, 28 Feb 2011, Michael Smith wrote:
> > I'm still having this "cannot install eroute" problem with Openswan
> > 2.6.33.
> Did you also upgrade xl2tpd to 1.2.8? There was a "reconnect workaround" for
> bad (apple) clients added.
This is a plain subnet-to-subnet tunnel with NETKEY and no L2TP.
> > Feb 27 15:14:51 vpngw pluto: "bldg-othersite-phones" 22.214.171.124
> > #649: cannot install route -- it is in use for "bldg-othersite-phones"
> > 126.96.36.199 #473
> So instance number 6 cannot install the ipsec policies because the exact
> same policies are already installed - by instance number 5. Both
> instances of the same machine, or two different clients behind the same
> NAT router. In the latter case you need SAref tracking, which requires
> mast0 which requires the SAref kernel patches.
There is only one gateway at the other end. Its IP address changes every
few hours, but what's odd is in this case instance  and  both had
the same (new) IP.
I dug through the git history of could_route() in pluto/kernel.c. In
Openswan 2.4.x, the block around the check that leads to "cannot install
route" used to be surrounded by #ifdef KLIPS. The #ifdef was removed as
part of a merge of the CVS tree into Git:

Author: Michael Richardson <mcr at herring.sandelman.ca>
Date: Wed Nov 2 14:01:00 2005 -0500

    openswan HEAD as of 20051102

I've #ifdef'd out the "return FALSE" for now and replaced it with a log
message and a "return route_easy" in the NETKEY case. I'll see what
explodes with the check removed.