On Sat, 9 Aug 2014, Gareth Williams wrote:
> conn <server FQDN>
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     aggrmode=yes
>     left=<server IP>
>     rightaddresspool=10.7.0.5-10.7.0.10
>     right=%any
>     rightnexthop=%defaultroute
Can you try leaving out rightnexthop? Older libreswan versions did not
always handle that right.
>     modecfgdns1=8.8.8.8
>     ike=3des-sha1,aes-sha1,aes
>     phase2alg=3des-sha1,aes-sha1,aes
If using aggressive mode, only specify one ike and one phase2alg.
> When I attempt to connect, I get what I believe is a good set of logs on the
> server up to:
>
> Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior
> public IP> #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
> expecting QI2
>
> at which point, it hangs.
Looks like the last packet response to that got lost.
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x39542f44
> <0x92d97947 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none
> XAUTHuser=gareth}
>
> Aug 09 22:10:31 localhost.localdomain pluto[4386]: "nm-conn1" #2: ERROR:
> asynchronous network error report on wlp8s0 (sport=500) for message to
> <server IP> port 500, complainant 192.168.0.6: No route to host [errno 113,
> origin ICMP type 3 code 1 (not authenticated)]
It tried to send it and failed?
> Which, even with my meagre skills, I can see is a routing problem.
>
> A constant ping on the LibreSwan server fails as soon as I attempt to connect
> and restarts as soon as the connection fails.
>
> If I display my roadwarrior's routing table when this is happening, I get:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         192.168.0.1     0.0.0.0         UG    1024   0        0 wlp8s0
> <Server FQDN>   0.0.0.0         255.255.255.255 UH    0      0        0 wlp8s0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp8s0
>
> The <Server FQDN> entry wasn't there before I tried to connect and disappears
> as soon as Network Manager gives up on the connection.
>
> My question is - what configuration option puts this extra line in the
> roadwarrior's routing table? And how do I get rid of it?
I don't know, but it does look like the updown script is doing that?

Paul
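For reference, here is the road-warrior conn from the original post with the two changes suggested in this reply applied (rightnexthop dropped, a single IKE and a single ESP proposal). This is an added example, not configuration from the original poster or from the libreswan project; the angle-bracket placeholders are the original's, and the choice of aes-sha1 as the single proposal is an assumption (the original log shows the peers settling on 3DES/SHA1, so 3des-sha1 would also match what the client currently offers).

```ini
# Added example: the conn above with rightnexthop removed and one
# proposal per phase, as suggested for aggressive mode.
# <server FQDN> and <server IP> are the original post's placeholders.
conn <server FQDN>
    authby=secret
    pfs=no
    auto=add
    rekey=no
    aggrmode=yes
    left=<server IP>
    right=%any
    rightaddresspool=10.7.0.5-10.7.0.10
    # rightnexthop=%defaultroute intentionally omitted: older libreswan
    # releases did not always handle it correctly for %any peers.
    modecfgdns1=8.8.8.8
    # Aggressive mode carries exactly one proposal, so list one
    # algorithm set for IKE and one for ESP (assumed: aes-sha1).
    ike=aes-sha1
    phase2alg=aes-sha1
```

After editing, `ipsec auto --replace <server FQDN>` (or an `ipsec restart`) reloads the conn so the next client attempt negotiates with the new settings. One caveat a reviewer of this config would raise: aggressive mode with a pre-shared key sends a hash derived from the PSK in the clear during phase 1, so main mode is the safer choice wherever the client supports it.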
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan