[Openswan Users] Openswan not updating the routing table

Paul Wouters paul at nohats.ca
Wed Mar 7 23:07:40 EST 2012

On Wed, 7 Mar 2012, nemus at grayhatlabs.com wrote:

> I am trying to get openswan to connect to a pfsense box.
> The pfsense box connects and says everything is good.
> I can ping 172.x.x.1 from pfsense its self.

> so I don't know how to do the route so everything will work.

You should never need to do manual routing, unless your client machines
need to send packets to a machine that is not their default gateway. On
the ipsec gateway itself you should never need to do any manual routing.

> also I read some where on linux forums that netkey does not do tunnel mode
> is this true?

That is not true. NETKEY works fine.

> conn net-to-net
>        type=tunnel
>        authby = secret
>        left = x.x.x.236
>        leftsubnet = 172.x.x.0/24
>        right= x.x.x.50
>        rightsubnet= 10.x.x.0/24
>        esp = 3des-md5
>        keyexchange = ike
>        pfs = no

> 000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 27753s; newest IPSEC; eroute owner; isakmp#1; idle;
> import:admin initiate
> 000 #2: "net-to-net" esp.4f845fa at x.x.x.50 esp.bc46ab15 at x.x.x.x
> tun.0 at x.x.x.x tun.0 at z.x.x.236 ref=0 refhim=4294901761
> 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2312s; newest ISAKMP; lastdpd=1s(seq in:0 out:0);
> idle; import:admin initiate

Seems up. What does "ipsec verify" say ?

Check firewall/nat/forwarding


More information about the Users mailing list