[Openswan Users] "cannot install eroute" occurs for Mac OSX users behind same NAT (v2.6.33)

Thu May 19 11:09:00 EDT 2011

> I'm using OpenSwan v.2.6.33 and xl2tpd v1.2.8 on Ubuntu 10.10 with 2.6.35-28-generic kernel. Both OpenSwan and Xl2tpd were built from source. Xelerence only links the latest release (v1.2.8).
>
> The previous package I was using was from Ubuntu package manager 1.2.6+dfsg-1 which (I think) was upgraded when I did the `make install` after making the 1.2.8 source. I also tried a complete removal of the Ubuntu package and make install from 1.2.8 source but it didn't create any of the required folders or made an appropriate link in /etc/init.d/ from which to stop/start/restart things for testing. If you think that this could be my issue, I'd really appreciate a little help getting the 1.2.8 source to hook into Ubuntu cleanly other than my previous method of upgrading an existing package from source.
>
> Other than that I'm using pretty much exactly the same configs you are (w dpd). The only difference is that I have a passthrough connection in addition to the l2tp-psk-nat/noNat connections, and options.xl2tpd has "noipx" in it. Niether of which will probably be the solution I'm looking for.
>
> It's good to know that you have a working platform for this problem, though. I have high hopes that this issue can be resolved!

Xelerance maintains a PPA for xl2tpd from which you should be able to 
install xl2tpd 1.2.8:

https://launchpad.net/~xelerance/+archive/xl2tpd/

I never upgraded my system simply because I had a working package 
already (and why mess with success?).

It's seems possible that this is a result of a difference between 2.6.32 
and 2.6.35. Just for yucks, can you share your config files (scrubbed of 
any IP addresses you don't want to share)?

Just for reference, here's a relevant snippet from my logs corresponding 
to the point where you get the "cannot install eroute" message. Based on 
this, maybe check the "virtual_private" list to make sure it includes 
the client NAT IPs and excludes the server-side NAT ranges?

May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: 
Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: 
the peer proposed: LEFT_PUBLIC_IP/32:17/1701 -> RIGHT_PUBLIC_IP/32:17/0
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: 
peer proposal was reject in a virtual connection policy because:
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-NAT"[3] RIGHT_PUBLIC_IP #3: 
   a private network virtual IP was required, but the proposed IP did 
not match our list (virtual_private=)
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-noNAT"[2] RIGHT_PUBLIC_IP 
#4: responding to Quick Mode proposal {msgid:e294a4cd}
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-noNAT"[2] RIGHT_PUBLIC_IP 
#4:     us: LEFT_PUBLIC_IP<LEFT_PUBLIC_IP>[+S=C]:17/1701
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-noNAT"[2] RIGHT_PUBLIC_IP 
#4:   them: RIGHT_PUBLIC_IP[192.168.30.37,+S=C]:17/64318
May 18 14:50:12 isc pluto[28838]: "L2TP-PSK-noNAT"[2] RIGHT_PUBLIC_IP 
#4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1

-- 
Brian Mastenbrook
brian at mastenbrook.net
http://brian.mastenbrook.net/