[Openswan Users] Openswan not updating the routing table

Paul Wouters paul at nohats.ca
Thu Mar 8 14:08:59 EST 2012

On Thu, 8 Mar 2012, nemus at grayhatlabs.com wrote:

> I am not seeing the routes being update in the routing tables not sure why.

Because netkey does not use routing to grab packets for

> no for some reason I cannot connect to the 172.x.x.1 ip from the pfsense box.

again check NAT/firewalling on BOTH ends points.

> How does NETKEYS handle routing?

netkey does not use/need routing for encryption/decryption.

> "net-to-net":
> 172.x.x.0/24===x.x.1x.236<x.x.x.236>[+S=C]...x.x.x.50<x.x.x.50>[+S=C]===10.x.x.0/24;
> erouted; eroute owner: #2
> I see this in ipsec auo --status
> but I am not sure how the kernel knows about it and why doesn't show up in
> the routing table?

You need to see "IPsec SA Established". You can also check "ip xfrm state"

> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                             	[OK]
> Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
> Checking for IPsec support in kernel                        	[OK]
> SAref kernel support                                       	[N/A]
> NETKEY:  Testing XFRM related proc values                  	[OK]
> 	[OK]
> 	[OK]
> Checking that pluto is running                              	[OK]
> Pluto listening for IKE on udp 500                         	[OK]
> Pluto listening for NAT-T on udp 4500                      	[OK]
> Two or more interfaces found, checking IP forwarding        	[OK]
> Checking NAT and MASQUERADEing                              	[OK]
> Checking for 'ip' command                                   	[OK]
> Checking /bin/sh is not /bin/dash                           	[OK]
> Checking for 'iptables' command                             	[OK]
> Opportunistic Encryption Support                            	[DISABLED]

Ok, that looks good.

> iptables -L
> Chain INPUT (policy DROP)

Try resetting all firewall rules to accept to determine if the firewall is
blocking it.

> Chain FORWARD (policy DROP)
> target     prot opt source               destination

This might be your problem.


More information about the Users mailing list