[Openswan Users] Openswan not updating the routing table
Paul Wouters
paul at nohats.ca
Thu Mar 8 14:08:59 EST 2012
On Thu, 8 Mar 2012, nemus at grayhatlabs.com wrote:
> I am not seeing the routes being updated in the routing tables, not sure why.
Because netkey does not use routing to grab packets for
encryption/decryption.
> No, for some reason I cannot connect to the 172.x.x.1 IP from the pfSense box.
Again, check NAT/firewalling on BOTH end points.
> How does NETKEY handle routing?
netkey does not use/need routing for encryption/decryption.
> "net-to-net":
> 172.x.x.0/24===x.x.1x.236<x.x.x.236>[+S=C]...x.x.x.50<x.x.x.50>[+S=C]===10.x.x.0/24;
> erouted; eroute owner: #2
> I see this in ipsec auto --status
>
> but I am not sure how the kernel knows about it and why doesn't it show up in
> the routing table?
You need to see "IPsec SA Established". You can also check "ip xfrm state".
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing XFRM related proc values [OK]
> [OK]
> [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
Ok, that looks good.
> iptables -L
> Chain INPUT (policy DROP)
Try resetting all firewall rules to accept to determine if the firewall is
blocking it.
> Chain FORWARD (policy DROP)
> target prot opt source destination
This might be your problem.
Paul
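To see in practice what Paul describes (with netkey, XFRM policies rather than the routing table decide which packets get encrypted), here is an added example, not from the thread or from Openswan, that parses `ip xfrm policy` output and checks whether a policy's selectors cover a given packet. The sample output and its addresses are constructed.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ip xfrm policy` output for a net-to-net tunnel
# (documentation addresses, not the poster's real ones).
SAMPLE_XFRM_POLICY = """\
src 172.16.1.0/24 dst 10.0.1.0/24
	dir out priority 2344 ptype main
	tmpl src 192.0.2.236 dst 198.51.100.50
		proto esp reqid 16385 mode tunnel
src 10.0.1.0/24 dst 172.16.1.0/24
	dir fwd priority 2344 ptype main
	tmpl src 198.51.100.50 dst 192.0.2.236
		proto esp reqid 16385 mode tunnel
src 10.0.1.0/24 dst 172.16.1.0/24
	dir in priority 2344 ptype main
	tmpl src 198.51.100.50 dst 192.0.2.236
		proto esp reqid 16385 mode tunnel
"""

# Selector lines start at column 0; "tmpl src ..." lines are indented, so they do not match.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIR_RE = re.compile(r"^\s*dir (in|out|fwd)\b")

def parse_xfrm_policies(text):
    """Return a list of (src_net, dst_net, direction) tuples from `ip xfrm policy` output."""
    policies, current = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = (ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            policies.append((current[0], current[1], m.group(1)))
            current = None
    return policies

def matching_policy(policies, src_ip, dst_ip, direction):
    """Return (src_net, dst_net, dir) of the first policy covering src_ip -> dst_ip, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, pdir in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (str(src_net), str(dst_net), pdir)
    return None

if __name__ == "__main__":
    # On a live box, read the kernel's real policies; fall back to the constructed sample.
    try:
        text = subprocess.check_output(["ip", "-4", "xfrm", "policy"], text=True)
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_XFRM_POLICY
    pols = parse_xfrm_policies(text)
    print(matching_policy(pols, "172.16.1.10", "10.0.1.20", "out"))
```

If a packet matches an `out` policy here but still does not reach the far side, the SA or the firewall (as Paul suggests), not the routing table, is where to look next.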