First off, if I were you I wouldn't post the entire ipsec.conf like you did.
I would restrict some of the information as being private. That said, I've
got some experience using IPSec, and with your permission I would like to
forward this on to a different mailing list to get some additional support.
In the meantime, could you narrow down which connection you are having a
problem with, or are you getting the error when you initially start ipsec? I
have posted my working ipsec.conf (relevant parts) to the email below...
<snip> ipsec.conf
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig

## this is the connection between the office and the house
conn office
    left=home.ip.add.ress
    leftsubnet=192.168.3.0/24
    # this is usually the same class B, but with a .1 as a suffix
    leftnexthop=home.ip.add.ress
    leftrsasigkey=<cut for convenience>
    leftfirewall=yes
    right=office.ip.add.ress
    rightsubnet=192.168.1.0/24
    # in my case .161
    rightnexthop=office.next.hop
    rightrsasigkey=<cut for convenience>
    rightfirewall=yes
    auto=add
</snip>
Although I'm not using quite the same configuration as you, you might verify
that you are doing it the best way. Another thing to consider, if you are
trying to build a secure gateway, is to first get it working; adding
security to this is easier after the fact. I would suggest a simple
method of getting the tunnel established first. If you know the IP address
of the other boxes it is easier to start with; even though the other boxes
may be getting them via dhcp, you should be able to keep the IP long enough
for testing...
Hope this helps in some way, let me know about forwarding it on, and good
luck...
Joey
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Fredrik Asplund
Sent: Tuesday, August 20, 2002 8:56 AM
To: [EMAIL PROTECTED]
Subject: [Ltsp-discuss] IPSEC tunnel says "no eroute: dropping"
Hello!
We are trying to set up a network with an IPSEC tunnel with FreeSwan.
When we try to start the tunnel we get an error message that says that
it "can not find an eroute: dropping".
What can we do about it?
Our ipsec.conf looks like this:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug=all
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand

# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
    left=%defaultroute
    right=%opportunistic
    keylife=1h
    rekey=no
    # for initiator only OE, uncomment and uncomment this
    # after putting your key in your forward map
    #[EMAIL PROTECTED]
    # uncomment this next line to enable it
    #auto=route

# sample VPN connection
conn coop
    # Left security gateway, subnet behind it, next hop toward right.
    left=192.168.1.10
    leftsubnet=192.168.2.0/24
leftrsasigkey=0sAQN3CuNN/2M486TS45qIZZCPtk89KG3vEnnVM0R0oocJjd+bwvF9cGqL
KIfssdN90
hquz+wNfdzBjPMJKWYIUj2SusBsERy7ykfn2CF3XPPkoJx/1Ukc16ZG+9OgjNn3Hj+2akIRW
RovGbAg39
kpMTxhE6fW7o6Vr8LLOh2aDh06MscjCSQVjRtsEsW4rTVsvtPcmndleQbq5psAkSjIAcgOLx
/g9pFcs7e
8A+LGOtyQm8yKOqX8v4J3CyFUFMFdI8skffXsJX8cP95W69h2Wmwh27+N2wpbBzkhXKo//Lr
fZlfoT1Ym
FAdMEKLwzmEWPdrlUW8YFKr5lXMUAa+AJNsxRZFhYfQxi7awlyQUgNEGDKYB
    leftnexthop=192.168.1.20
    #%defaultroute
    #192.168.1.20
    # Right security gateway, subnet behind it, next hop toward left.
    right=192.168.0.10
    rightsubnet=192.168.3.0/24
rightrsasigkey=0sAQN6YrG3AVMhiKd5U0Yc4lZKF5Qrj9AikBY00m0dXHlZ4eZ5qkDnnIC
Tg8Y/5tyF
oRm01V9EKIj0d3JERT4aGh+jHcpT/OrorGGYnXPt4kCqORYnZcsU7tYufzQ3GXAby/CiOBkl
BlG1E1YiM
jK0Ili9yEj1OS2FFt88WIkSJgRJjRSxrRRrjwYb2HvANstj/UVJTD37AsElmUQGGgCz3HCYu
RettHKrQ7
hSUjEH/FM4UNe1yNHnX8KHaTNuuqcD7DDgzXmmR8pcWdtrM6HT7jeJJfSn/LK8MbVPDDAah/
bKTJz892s
D5LMbIiMFDf4JHhRUeF90a2QjTYxCrjV6XLch28OMXdNpWEbjDbmtRmd6atVL
    rightnexthop=192.168.0.20
    #%defaultroute
    #192.168.0.20
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=add
Best regards Fredrik and Maria.
Security: Restricted
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.openprojects.net
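
The advice at the top of the reply, to hold back private details before posting an ipsec.conf to a public list, can be applied mechanically. The following is an added example, not code from either message or from FreeS/WAN: it cuts key and ID values (including key lines a mailer has wrapped) and replaces non-RFC1918 addresses with stable placeholders so the topology stays readable. The function name, the placeholder format and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Parameters whose values should not be pasted into a public post.
SENSITIVE = re.compile(r"^(\s*(?:left|right)(?:rsasigkey|id)=).*$")
# A line holding only base64 text: the tail of a key that a mailer wrapped.
B64_TAIL = re.compile(r"^\s*[A-Za-z0-9+/]+={0,2}\s*$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not from the thread): documentation addresses, dummy key.
SAMPLE = """\
conn office
    left=203.0.113.5
    leftnexthop=203.0.113.1
    leftrsasigkey=0sAQNdummyDUMMY+dummy/DUMMY
DUMMYdummyDUMMY+dummy/DUMMYdummy
dummyDUMMY==
    right=198.51.100.7
    rightsubnet=192.168.1.0/24
    auto=add
"""

def redact_ipsec_conf(text):
    """Cut key/id values and pseudonymise public IPv4 addresses."""
    names = {}  # public address -> placeholder, reused on every occurrence

    def swap(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)  # looks like an address but is not one
        if any(addr in net for net in RFC1918):
            return match.group(0)  # private ranges do not identify the site
        return names.setdefault(str(addr), "<public-ip-%d>" % (len(names) + 1))

    out, in_key = [], False
    for line in text.splitlines():
        if in_key and B64_TAIL.match(line):
            continue  # wrapped remainder of a key that was just cut
        in_key = False
        hit = SENSITIVE.match(line)
        if hit:
            out.append(hit.group(1) + "<redacted>")
            in_key = True
            continue
        out.append(IPV4.sub(swap, line))
    return "\n".join(out) + "\n"
```

Calling `redact_ipsec_conf(SAMPLE)` keeps both next-hop relationships visible, because the same public address always maps to the same placeholder.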