[Openswan Users] Cannot install eroute -- it is in use for
Bob Miller
bob at computerisms.ca
Mon Oct 6 17:47:06 EDT 2014
https://lists.openswan.org/pipermail/users/2014-July/023037.html
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
On Sun, 2014-10-05 at 16:10 +0200, Dominic Wiersma wrote:
> Hi all,
>
>
>
> I am having issues when I want to connect two of my Windows 7 clients
> which are behind the same public IP (NAT) to an OpenSwan VPN server.
>
> Only one may connect, successfully, the others who follow cannot
> connect.
>
> The logging displays the following: cannot install eroute -- it is in
> use for "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #2
>
>
>
> Below is my config and logging.
>
> So the problem is very clear, but the root-cause is not, at least not
> to me.
>
> I have searched the internet for days and days, and I noticed that
> more people have the same issue, however, I never found a solution or
> some clear documentation for what is causing this.
>
> I have pasted the relevant config files (i.m.o.) but if someone needs
> more info I will be more than happy to supply this info.
>
> Which parameters are responsible for allowing multiple VPN connections
> from the same IP?
>
> I am really hoping someone can help me with this one.
>
>
>
> ipsec.conf:
>
> config setup
>     dumpdir=/var/run/pluto/
>     #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?
>     nat_traversal=yes
>     #whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec
>     virtual_private=%v4:10.0.0.0/8
>     #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
>     protostack=netkey
>     #decide which protocol stack is going to be used.
>     force_keepalive=yes
>     keep_alive=60
>     # Send a keep-alive packet every 60 seconds.
>
> conn L2TP-PSK-noNAT
>     authby=secret
>     #shared secret. Use rsasig for certificates.
>     pfs=no
>     #Disable pfs
>     auto=add
>     #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.
>     keyingtries=3
>     #Only negotiate a conn. 3 times.
>     ikelifetime=8h
>     keylife=1h
>     ike=aes256-sha1,aes128-sha1,3des-sha1
>     phase2alg=aes256-sha1,aes128-sha1,3des-sha1
>     # https://lists.openswan.org/pipermail/users/2014-April/022947.html
>     type=transport # also tried this in tunnel mode, doesn't change anything
>     #because we use l2tp as tunnel protocol
>     left=141.138.xxx.xxx
>     #fill in server IP above
>     leftprotoport=17/%any
>     right=%any
>     rightprotoport=17/%any
>     #dpddelay=10
>     # Dead Peer Detection (RFC 3706) keepalives delay
>     #dpdtimeout=20
>     # length of time (in seconds) we will idle without hearing either an R_U_THERE poll from our peer, or an R_U_THERE_ACK reply.
>     #dpdaction=clear
>     # When a DPD enabled peer is declared dead, what action should be taken. clear means the eroute and SA will both be cleared.
>     #aggrmode=yes
>     ikev2=propose
>
>
>
> Logging:
>
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: responding to Main Mode from unknown peer 62.45.xxx.xxx
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 3: peer behind NAT
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.105'
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #3: switched from "L2TP-PSK-noNAT" to "L2TP-PSK-noNAT"
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #3: new NAT mapping for #3, was 62.45.xxx.xxx:3, now 62.45.xxx.xxx:1071
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #3: the peer proposed: 141.138.xxx.xxx/32:17/0 -> 192.168.0.105/32:17/0
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #3: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #4: responding to Quick Mode proposal {msgid:01000000}
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #4: us: 141.xxx.xxx.37<141.xxx.xxx.37>:17/%any
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #4: them: 62.45.xxx.xxx[192.168.0.105]:17/1701
> Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 62.45.xxx.xxx #4: cannot install eroute -- it is in use for "L2TP-PSK-noNAT"[2] 62.45.xxx.xxx #2
>
>
>
> Thanks in advance!
>
>
>
> Best regards,
>
>
>
> Dominic
>
>
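Added example, not part of the original thread and not Openswan code: a small Python triage script that reads pluto log lines in the format quoted above and, for each "cannot install eroute" message, reports which connection instance failed, which instance already holds the eroute, and the private address each one presented behind the shared public IP. The sample lines and addresses are constructed, and `eroute_conflicts` is a hypothetical helper name.

```python
import re

# Constructed sample in the pluto log format quoted above (documentation addresses).
SAMPLE_LOG = """\
Oct 05 15:48:10 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 198.51.100.7 #2: them: 198.51.100.7[192.168.0.104]:17/1701
Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[2] 198.51.100.7 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.105'
Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 198.51.100.7 #4: them: 198.51.100.7[192.168.0.105]:17/1701
Oct 05 15:49:04 vpn1 pluto[13486]: "L2TP-PSK-noNAT"[3] 198.51.100.7 #4: cannot install eroute -- it is in use for "L2TP-PSK-noNAT"[2] 198.51.100.7 #2
"""

# Prefix: pluto[pid]: "conn"[instance] peer #state: message
LINE = re.compile(r'pluto\[\d+\]: "([^"]+)"\[(\d+)\] (\S+) #(\d+): (.*)$')
# Quick Mode "them:" line: public address, then the address behind the NAT in brackets.
THEM = re.compile(r'^them: \S+?\[([^\]]+)\]')
IN_USE = re.compile(r'^cannot install eroute -- it is in use for "([^"]+)"\[(\d+)\] (\S+) #(\d+)')

def eroute_conflicts(log_text):
    """Return one dict per 'cannot install eroute' line, naming both clients involved."""
    inner = {}  # (conn, instance, peer) -> client address behind the NAT
    conflicts = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, inst, peer, state, msg = m.groups()
        key = (conn, int(inst), peer)
        # "them:" is used instead of "Main mode peer ID": in the quoted log the ID line
        # is still tagged with the previous instance number ([2]) before the switch to [3].
        them = THEM.match(msg)
        if them:
            inner[key] = them.group(1)
            continue
        hit = IN_USE.match(msg)
        if hit:
            owner = (hit.group(1), int(hit.group(2)), hit.group(3))
            conflicts.append({
                "peer": peer,
                "failed": (conn, int(inst), int(state)), "failed_inner": inner.get(key),
                "owner": (owner[0], owner[1], int(hit.group(4))), "owner_inner": inner.get(owner),
                "same_public_ip": owner[2] == peer,
            })
    return conflicts

if __name__ == "__main__":
    for c in eroute_conflicts(SAMPLE_LOG):
        print(c)
```

A result with `same_public_ip` true and two different inner addresses confirms that the refused Quick Mode belongs to a second client behind the same NAT rather than to a reconnect of the first.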