On Sat, 9 Aug 2014, Gareth Williams wrote:

conn <server FQDN>
   authby=secret
   pfs=no
   auto=add
   rekey=no
   aggrmode=yes
   left=<server IP>
   rightaddresspool=10.7.0.5-10.7.0.10
   right=%any
   rightnexthop=%defaultroute

Can you try leaving out rightnexthop. Older libreswan versions did not
always handle that right.

   modecfgdns1=8.8.8.8
   ike=3des-sha1,aes-sha1,aes
   phase2alg=3des-sha1,aes-sha1,aes

If using aggressive mode, only specify one ike and one phase2alg.

When I attempt to connect, I get what I believe is a good set of logs on the server up to:

Aug 09 22:10:28 <server FQDN> pluto[28989]: "<server FQDN>"[4] <Roadwarrior public IP> #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

at which point, it hangs.

Looks like the last packet response to that got lost.

STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x39542f44 <0x92d97947 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none XAUTHuser=gareth}
Aug 09 22:10:31 localhost.localdomain pluto[4386]: "nm-conn1" #2: ERROR: asynchronous network error report on wlp8s0 (sport=500) for message to <server IP> port 500, complainant 192.168.0.6: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

It tried to send it and failed?

Which, even with my meagre skills, I can see is a routing problem.

A constant ping on the LibreSwan server fails as soon as I attempt to connect and restarts as soon as the connection fails.

If I display my roadwarrior's routing table when this is happening, I get:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    1024   0        0 wlp8s0
<Server FQDN>   0.0.0.0         255.255.255.255 UH    0      0        0 wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp8s0

The <Server FQDN> entry wasn't there before I tried to connect and disappears as soon as Network Manager gives up on the connection.

My question is - what configuration option puts this extra line in the roadwarrior's routing table? And how do I get rid of it?

I don't know but it does look like the updown script is doing that?

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
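The routing table Gareth posted shows the symptom Paul points at: a /32 host route to the VPN server with Gateway 0.0.0.0 on wlp8s0, i.e. a route that tells the kernel the server is directly on the wireless link, so every IKE packet to it is ARPed for locally and answered with an ICMP unreachable. The script below is an added example, not code from this thread or from libreswan, that reads `route -n` output and flags exactly that kind of stray host route: a host route with no gateway whose destination does not fall inside any directly connected network in the same table. The sample table is constructed from the one in the thread, with 203.0.113.5 (a documentation address) standing in for the server, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample of `route -n` output, modelled on the table in the thread;
# 203.0.113.5 (TEST-NET-3) stands in for the VPN server address.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    1024   0        0 wlp8s0
203.0.113.5     0.0.0.0         255.255.255.255 UH    0      0        0 wlp8s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlp8s0'

# Print every /32 host route that has no gateway (Gateway 0.0.0.0, flags UH
# without G) whose destination is not inside any directly connected network
# listed in the same table. Such a route makes the kernel treat the remote
# host as on-link, which produces the "No route to host" / ICMP type 3 error
# seen in the client log. Reads `route -n` output on stdin.
find_stray_host_routes() {
    awk '
    # Bitwise AND of one octet with a contiguous mask octet (portable awk,
    # no gawk and() needed): rounds d down to a multiple of the mask step.
    function octet_and(d, m) { return d - (d % (256 - m)) }
    # True when dotted-quad ip lies inside network net/mask.
    function in_net(ip, net, mask,    a, n, m, i) {
        split(ip, a, "."); split(net, n, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++)
            if (octet_and(a[i], m[i]) != n[i]) return 0
        return 1
    }
    NR <= 2            { next }   # banner and column header
    $3 == "0.0.0.0"    { next }   # default route, whatever it is labelled
    # Host route with no gateway: candidate for the stray-route check.
    $2 == "0.0.0.0" && $3 == "255.255.255.255" { host[++nh] = $1; next }
    # Directly connected network: a legitimate place for on-link hosts.
    $2 == "0.0.0.0"                              { net[++nn] = $1; mask[nn] = $3 }
    END {
        for (h = 1; h <= nh; h++) {
            ok = 0
            for (k = 1; k <= nn; k++)
                if (in_net(host[h], net[k], mask[k])) ok = 1
            if (!ok) print host[h]
        }
    }'
}

# Stand-alone use against the live table:  route -n | find_stray_host_routes
printf '%s\n' "$SAMPLE_ROUTES" | find_stray_host_routes
```

Run against the live table while the connection attempt is in progress, it prints the server address only if the on-link host route is present; a correct host route to the server via the LAN gateway (flags UGH) is left alone, since that is what a working updown script would install to keep IKE traffic out of the tunnel.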
