On Tue, Apr 02, 2002 at 01:37:31PM +1000, Howard Lowndes wrote:

That's a big mystery, only the freeswan folks could explain what this stack is doing sometimes...
Didn't you forget to add left/right|nexthop on one of the sides?

JeF

> I am trying to set up an IPSec tunnel between two sites.
>
> One site puts the route into the routing table OK, but the other side
> won't.
>
> Running "ipsec auto --status" and "route -n" for the good side give the
> detail below.
>
> Note that for the good side, the line containing the word "policy" shows
> the interface as ppp0 erouted, but that the other one shows eth1 unrouted.
> The eth1 is correct, but I just cannot work out how to get the routing
> table set up.
>
> # ipsec auto --status
> 000 interface ipsec0/ppp0 144.137.43.76
> 000
> 000 "WD_WN": 192.168.43.0/24===144.137.43.76[@atelwn.atel.com.au]---172.31.22.24...
> 000 "WD_WN": ...202.129.91.245[@atelwd.atel.com.au]===192.168.42.0/24
> 000 "WD_WN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "WD_WN": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: ppp0; erouted
> 000 "WD_WN": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
> 000
> 000 #2: "WD_WN" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28043s; newest IPSEC; eroute owner
> 000 #2: "WD_WN" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> 000 #1: "WD_WN" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2601s; newest ISAKMP
>
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> 172.31.22.24    0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
> 172.31.22.24    0.0.0.0         255.255.255.255 UH    0      0   0   ipsec0
> 203.17.235.125  0.0.0.0         255.255.255.255 UH    0      0   0   ppp1
> 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0   0   eth1
> 192.168.42.0    172.31.22.24    255.255.255.0   UG    0      0   0   ipsec0
> 192.168.43.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
> 0.0.0.0         172.31.22.24    0.0.0.0         UG    0      0   0   ppp0
>
>
>
> but for the bad side the details are:
>
> # ipsec auto --status
> 000 interface ipsec0/eth1 202.129.91.245
> 000
> 000 "WD_WN" instance: 192.168.42.0/24===202.129.91.245[@atelwd.atel.com.au]---172.24.158.129...
> 000 "WD_WN" instance: ...144.137.43.76[@atelwn.atel.com.au]===192.168.43.0/24
> 000 "WD_WN" instance: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "WD_WN" instance: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
> 000 "WD_WN" instance: newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
> 000 "WD_WN": 192.168.42.0/24===202.129.91.245[@atelwd.atel.com.au]---172.24.158.129...
> 000 "WD_WN": ...%any[@atelwn.atel.com.au]===192.168.43.0/24
> 000 "WD_WN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "WD_WN": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
> 000 "WD_WN": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
> 000
> 000 #2: "WD_WN":144.137.43.76 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 16s
> 000 #1: "WD_WN":144.137.43.76 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3316s; newest ISAKMP
>
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> 202.129.91.246  0.0.0.0         255.255.255.255 UH    0      0   0   eth0
> 172.24.158.129  0.0.0.0         255.255.255.255 UH    0      0   0   eth1
> 139.130.60.65   0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
> 203.44.224.112  0.0.0.0         255.255.255.252 U     0      0   0   eth0
> 202.129.91.244  0.0.0.0         255.255.255.252 U     0      0   0   eth1
> 202.129.91.244  0.0.0.0         255.255.255.252 U     0      0   0   ipsec0
> 192.168.42.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
> 0.0.0.0         172.24.158.129  0.0.0.0         UG    0      0   0   eth1
>
>
> --
> Howard.
> LANNet Computing Associates - Your Linux people
> Contact detail at http://www.lannetlinux.com
> "I believe that forgiving them [terrorists] is God's function.
> Our job is simply to arrange the meeting."
> - General "Storm'n" Norman Schwartzkopf
>
> --
> SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug
>

--
-> Jean-Francois Dive
--> [EMAIL PROTECTED]
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
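
Added example, not part of the original thread and not FreeS/WAN's own tooling: a Python check over "ipsec auto --status" text that flags the two symptoms visible in the bad side's output above, a policy line ending in "unrouted" and an established ISAKMP SA with "newest IPsec SA: #0". The sample lines are copied from the post with the mail wrapping undone; the function names are hypothetical.

```python
import re

# Sample status text: policy and SA summary lines taken from the two outputs
# quoted in the thread, with the mail client's line wrapping undone.
GOOD = '''\
000 "WD_WN": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: ppp0; erouted
000 "WD_WN": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
'''
BAD = '''\
000 "WD_WN" instance: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
000 "WD_WN" instance: newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 "WD_WN": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
000 "WD_WN": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
'''

LINE = re.compile(r'^000 "(?P<conn>[^"]+)"(?P<inst> instance)?: +(?P<body>.*)$')
POLICY = re.compile(r'policy: (?P<policy>[^;]+); interface: (?P<iface>[^;]*); (?P<routing>.+?)\s*$')
SAS = re.compile(r'newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+); '
                 r'eroute owner: #(?P<owner>\d+)')

def parse_status(text):
    """Return {(conn, is_instance): fields} from policy and SA summary lines."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # interface lines, blank "000" lines and "#N:" state lines
        entry = conns.setdefault((m['conn'], bool(m['inst'])), {})
        for rx in (POLICY, SAS):
            hit = rx.search(m['body'])
            if hit:
                entry.update(hit.groupdict())
    return conns

def findings(text):
    """List problems: policy reported unrouted, or IKE up without an IPsec SA."""
    out = []
    for (conn, inst), e in sorted(parse_status(text).items()):
        name = conn + (' (instance)' if inst else '')
        if e.get('routing') == 'unrouted':
            out.append(f'{name}: reported unrouted on {e.get("iface")}')
        if e.get('isakmp', '0') != '0' and e.get('ipsec') == '0':
            out.append(f'{name}: ISAKMP SA #{e["isakmp"]} up, no IPsec SA')
    return out

if __name__ == '__main__':
    for label, sample in (('good side', GOOD), ('bad side', BAD)):
        print(label, findings(sample) or 'no findings')
```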
