It would appear to be associated with the way Flow Comms set up their ADSL routing for clients. It seems most peculiar to my mind. Apparently you need two IP addresses on the ADSL interface, one private (from 172.16.0.0/12) and the other public.

From what I can see I think the routing is getting a "SIOCADDRT Network is unreachable" error as a result of their peculiar routing policies. I am going to have to hack the IPSec _updown script to do some logging and find out what gives.

On Wed, 3 Apr 2002, Jean-Francois Dive wrote:

> On Tue, Apr 02, 2002 at 01:37:31PM +1000, Howard Lowndes wrote:
> That's a big mystery, only the freeswan folks could explain what this
> stack is doing sometimes...
>
> didn't you forget to add left/right|nexthop on one of the sides ?
>
> JeF
>
> > I am trying to set up an IPSec tunnel between two sites.
> >
> > One site puts the route into the routing table OK, but the other side
> > won't.
> >
> > Running "ipsec auto --status" and "route -n" for the good side give the
> > detail below.
> >
> > Note that for the good side, the line containing the word "policy" shows
> > the interface as ppp0 erouted, but that the other one shows eth1 unrouted.
> > The eth1 is correct, but I just cannot work out how to get the routing
> > table set up.
> >
> > # ipsec auto --status
> > 000 interface ipsec0/ppp0 144.137.43.76
> > 000
> > 000 "WD_WN": 192.168.43.0/24===144.137.43.76[@atelwn.atel.com.au]---172.31.22.24...
> > 000 "WD_WN": ...202.129.91.245[@atelwd.atel.com.au]===192.168.42.0/24
> > 000 "WD_WN":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "WD_WN":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: ppp0; erouted
> > 000 "WD_WN":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
> > 000
> > 000 #2: "WD_WN" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28043s; newest IPSEC; eroute owner
> > 000 #2: "WD_WN" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> > 000 #1: "WD_WN" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2601s; newest ISAKMP
> >
> >
> > # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 172.31.22.24    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 172.31.22.24    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
> > 203.17.235.125  0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
> > 10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
> > 192.168.42.0    172.31.22.24    255.255.255.0   UG    0      0        0 ipsec0
> > 192.168.43.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> > 0.0.0.0         172.31.22.24    0.0.0.0         UG    0      0        0 ppp0
> >
> >
> > but for the bad side the details are:
> >
> > # ipsec auto --status
> > 000 interface ipsec0/eth1 202.129.91.245
> > 000
> > 000 "WD_WN" instance: 192.168.42.0/24===202.129.91.245[@atelwd.atel.com.au]---172.24.158.129...
> > 000 "WD_WN" instance: ...144.137.43.76[@atelwn.atel.com.au]===192.168.43.0/24
> > 000 "WD_WN" instance:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> > 000 "WD_WN" instance:   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
> > 000 "WD_WN" instance:   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
> > 000 "WD_WN": 192.168.42.0/24===202.129.91.245[@atelwd.atel.com.au]---172.24.158.129...
> > 000 "WD_WN": ...%any[@atelwn.atel.com.au]===192.168.43.0/24
> > 000 "WD_WN":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> > 000 "WD_WN":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
> > 000 "WD_WN":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
> > 000
> > 000 #2: "WD_WN":144.137.43.76 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 16s
> > 000 #1: "WD_WN":144.137.43.76 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3316s; newest ISAKMP
> >
> >
> > # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 202.129.91.246  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
> > 172.24.158.129  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> > 139.130.60.65   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 203.44.224.112  0.0.0.0         255.255.255.252 U     0      0        0 eth0
> > 202.129.91.244  0.0.0.0         255.255.255.252 U     0      0        0 eth1
> > 202.129.91.244  0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
> > 192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> > 0.0.0.0         172.24.158.129  0.0.0.0         UG    0      0        0 eth1
> >
> >
> > --
> > Howard.
> > LANNet Computing Associates - Your Linux people
> > Contact detail at http://www.lannetlinux.com
> > "I believe that forgiving them [terrorists] is God's function.
> > Our job is simply to arrange the meeting."
> > - General "Storm'n" Norman Schwartzkopf
> >
> > --
> > SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
> > More Info: http://lists.slug.org.au/listinfo/slug
> >
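The following is an added example and not code from the thread or from FreeS/WAN. It reproduces, offline, the check the Linux kernel applies when a route with a gateway is added: the gateway must be covered by a directly connected route (one with no gateway of its own) on the device named in the request, otherwise the add fails with ENETUNREACH, which `route` prints as "SIOCADDRT: Network is unreachable". FreeS/WAN's _updown script adds the far subnet as `route add -net ... gw $PLUTO_NEXT_HOP dev ipsec0`, so the script below parses the two `route -n` tables posted above (transcribed verbatim into the constants) and asks whether that add can succeed on each side. The function names are this example's own, and whether this is the actual cause of the unrouted state on the bad side is not confirmed anywhere in the thread; the script only shows what the posted tables imply.

```python
"""Simulate the Linux next-hop check for `route add -net DEST gw GW dev IFACE`.

Added example, not from the thread or from FreeS/WAN.  Assumed kernel rule:
a gateway is accepted only if some connected (gateway-less) route on the
named device covers it; otherwise the add fails with ENETUNREACH.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest gateway iface")

# Transcribed from the `route -n` output posted for the side that routes OK.
GOOD_SIDE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.31.22.24    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.31.22.24    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
203.17.235.125  0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.42.0    172.31.22.24    255.255.255.0   UG    0      0        0 ipsec0
192.168.43.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.31.22.24    0.0.0.0         UG    0      0        0 ppp0
"""

# Transcribed from the `route -n` output posted for the side that stays unrouted.
BAD_SIDE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.129.91.246  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
172.24.158.129  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
139.130.60.65   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
203.44.224.112  0.0.0.0         255.255.255.252 U     0      0        0 eth0
202.129.91.244  0.0.0.0         255.255.255.252 U     0      0        0 eth1
202.129.91.244  0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.24.158.129  0.0.0.0         UG    0      0        0 eth1
"""


def parse_route_n(text):
    """Parse `route -n` output into Route tuples; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        gw = None if gateway == "0.0.0.0" else ipaddress.ip_address(gateway)
        routes.append(Route(network, gw, iface))
    return routes


def connected_routes(routes, iface):
    """Routes on `iface` with no gateway, i.e. prefixes reachable on the link."""
    return [r for r in routes if r.iface == iface and r.gateway is None]


def gateway_onlink(routes, gateway, iface):
    """True if some connected route on `iface` covers `gateway`."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in r.dest for r in connected_routes(routes, iface))


def check_nexthop(routes, gateway, iface):
    """Outcome of `route add -net ... gw <gateway> dev <iface>` under the rule above."""
    if gateway_onlink(routes, gateway, iface):
        return "ok"
    return "SIOCADDRT: Network is unreachable"


def missing_host_route(routes, gateway, iface):
    """Host route that would satisfy the check, or None if none is needed.
    This is a candidate fix to try, not a verified one."""
    if gateway_onlink(routes, gateway, iface):
        return None
    return f"route add -host {gateway} dev {iface}"


if __name__ == "__main__":
    good = parse_route_n(GOOD_SIDE)
    bad = parse_route_n(BAD_SIDE)
    # Nexthops are the ones shown after "---" in each side's `ipsec auto --status`.
    print("good side, ipsec0:", check_nexthop(good, "172.31.22.24", "ipsec0"))
    print("bad side,  ipsec0:", check_nexthop(bad, "172.24.158.129", "ipsec0"))
    print("bad side,  eth1:  ", check_nexthop(bad, "172.24.158.129", "eth1"))
    print("candidate fix:", missing_host_route(bad, "172.24.158.129", "ipsec0"))
```

What the tables show is that on the good side ipsec0 carries a copy of ppp0's host route to the nexthop 172.31.22.24, whereas on the bad side ipsec0 has only the 202.129.91.244/30 net route copied from eth1 and not eth1's host route to 172.24.158.129, the private gateway the Flow Comms setup relies on. Under the kernel rule the example encodes, that is exactly the difference between the add succeeding on one side and failing with "Network is unreachable" on the other; logging in _updown, as planned above, is what would confirm it on the real box.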
