[Openswan Users] "cannot install eroute" after remote IP change

Michael Smith msmith at cbnco.com
Tue Mar 1 21:25:42 EST 2011

On Tue, 1 Mar 2011, Paul Wouters wrote:

> On Mon, 28 Feb 2011, Michael Smith wrote:
> > I'm still having this "cannot install eroute" problem with Openswan
> > 2.6.33.
> did you also upgrade xl2tpd to 1.2.8? There was a "reconnect workaround" for
> bad (apple) clients added.

Hi Paul,

This is a plain subnet-to-subnet tunnel with NETKEY and no L2TP.

> > Feb 27 15:14:51 vpngw pluto[26638]: "bldg-othersite-phones"[6]
> > #649: cannot install route -- it is in use for "bldg-othersite-phones"[5]
> > #473
> So instance number 6 cannot install the ipsec policies because the exact 
> same policies are already installed - by instance number 5. Both 
> instances of the same machine, or two different clients behind the same 
> NAT router. In the latter case you need SAref tracking, which requires 
> mast0 which requires the SAref kernel patches.

There is only one gateway at the other end. Its IP address changes every 
few hours, but what's odd is in this case instance [5] and [6] both had 
the same (new) IP.

I dug through the git history of could_route() in pluto/kernel.c. In 
Openswan 2.4.x, the block around the check that leads to "cannot install 
route" used to be surrounded by #ifdef KLIPS. The #ifdef was removed as 
part of a merge of the CVS tree into Git:

commit 7836dfce24a7d46a5a6a153dad47e2aabf6362d6
Author: Michael Richardson <mcr at herring.sandelman.ca>
Date:   Wed Nov 2 14:01:00 2005 -0500

        openswan HEAD as of 20051102

I've #ifdef'd out the "return FALSE" for now and replaced it with a log 
message and a "return route_easy" in the NETKEY case. I'll see what 
explodes with the check removed.
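As an added example (not code from the thread or from the Openswan project), the following Python script shows how a defender could spot this condition in pluto logs: it matches the "cannot install route -- it is in use for" message, pulls out the connection name, the conflicting instance numbers and state numbers, and groups the hits per connection so repeated collisions on one tunnel stand out. The log format is assumed from the single line quoted in the mail; the other sample lines are constructed here for illustration.

```python
import re
from collections import defaultdict

# Pattern for the pluto "cannot install route" message as quoted in the mail.
# Group names are this script's own; the message text is the one from the log.
ROUTE_CONFLICT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] #(?P<state>\d+): '
    r'cannot install route -- it is in use for '
    r'"(?P<other_conn>[^"]+)"\[(?P<other_inst>\d+)\] #(?P<other_state>\d+)\s*$'
)

# Constructed sample input: line 1 is the log line from the mail (re-joined onto
# one line); lines 2 and 3 are made up here to show a non-matching line and a
# second conflict on a hypothetical connection name.
SAMPLE_LOG = [
    'Feb 27 15:14:51 vpngw pluto[26638]: "bldg-othersite-phones"[6] #649: '
    'cannot install route -- it is in use for "bldg-othersite-phones"[5] #473',
    'Feb 27 15:14:52 vpngw pluto[26638]: "bldg-othersite-phones"[6] #649: '
    'STATE_QUICK_R2: IPsec SA established tunnel mode',
    'Feb 27 16:02:10 vpngw pluto[26638]: "example-tunnel"[3] #702: '
    'cannot install route -- it is in use for "example-tunnel"[2] #688',
]


def parse_route_conflicts(lines):
    """Return one dict per 'cannot install route' line; other lines are ignored."""
    hits = []
    for line in lines:
        m = ROUTE_CONFLICT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("pid", "inst", "state", "other_inst", "other_state"):
            d[key] = int(d[key])
        hits.append(d)
    return hits


def summarize(hits):
    """Group conflicts by connection name: hit count plus (new, old) instance pairs."""
    summary = defaultdict(lambda: {"count": 0, "pairs": []})
    for h in hits:
        entry = summary[h["conn"]]
        entry["count"] += 1
        entry["pairs"].append((h["inst"], h["other_inst"]))
    return dict(summary)


if __name__ == "__main__":
    for conn, info in summarize(parse_route_conflicts(SAMPLE_LOG)).items():
        pairs = ", ".join(f"[{new}] blocked by [{old}]" for new, old in info["pairs"])
        print(f"{conn}: {info['count']} route conflict(s): {pairs}")
```

Feeding real pluto output through `parse_route_conflicts` (for example, lines from `journalctl` or the syslog file) gives a quick inventory of which connections are hitting the duplicate-eroute check and which stale instance is holding the route, which is the first thing to check before touching could_route().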