| From: Mike Thomas <mike_at_bedarra.com>
[It is a little more convenient if you use a mailer that doesn't fold
long lines from the log or configuration files. Folding long lines of
prose is good.]
| I believe a bug or incompatibility exists between FS and systems with
| Virtual IP's that are on a different net than the default gateway:
|
| The scenario:
|
| eth0: 198.64.129.55 Bcast:198.64.129.63 Mask:255.255.255.192
| eth0:1 198.64.133.69 Bcast:198.64.133.255 Mask:255.255.255.252
| eth0:1 198.64.133.70 Bcast:198.64.133.255 Mask:255.255.255.252
Pluto doesn't understand multiple IP addresses on one alias. Would it
cause any problems for you to change this to use eth0:2 for
198.64.133.70?
| I am attempting to run FS on eth0:1 (I cannot use eth0 as my provider does
| not guarantee the ip will not change), ipsec.conf contains:
|
| interfaces=ipsec0=eth0:1
| leftnexthop=198.64.129.1
|
| Routing table is:
|
| linux10670-be   *             255.255.255.255 UH 0 0 0 eth1
| linux10670.dn.n *             255.255.255.255 UH 0 0 0 eth0
| 198.64.133.68   *             255.255.255.252 U  0 0 0 eth0
| 198.64.133.68   *             255.255.255.252 U  0 0 0 ipsec0
| 198.64.129.0    *             255.255.255.192 U  0 0 0 eth0
| 192.168.180.0   *             255.255.255.0   U  0 0 0 eth1
| 127.0.0.0       *             255.0.0.0       U  0 0 0 lo
| default         198.64.129.1  0.0.0.0         UG 0 0 0 eth0
| I get the following from FS when attempting this connection:
There may be important messages earlier in the log. A barf might be
helpful.
| Jun 11 12:30:32 linux10670 Pluto[20079]: "gateway" 209.226.111.157 #2: route-host output: SIOCADDRT: Network is unreachable
| Jun 11 12:30:32 linux10670 Pluto[20079]: "gateway" 209.226.111.157 #2: route-host output: /usr/local/lib/ipsec/_updown: `route add -net 209.226.111.157 netmask 255.255.255.255 dev ipsec0 gw 198.64.133.70' failed
| Jun 11 12:30:32 linux10670 Pluto[20079]: "gateway" 209.226.111.157 #2: route-host output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
This command failed:
route add -net 209.226.111.157 netmask 255.255.255.255 dev ipsec0 gw 198.64.133.70
It failed with:
SIOCADDRT: Network is unreachable
Do you think that this command should have worked?
If so, why did it not work?
If not, why did Pluto/_updown try to execute it? This is one I could
answer, but more information might help. I don't know enough about
what you are trying to do.
I noticed:
- ipsec0 is bound to eth0:1, both with address 198.64.133.69
(or maybe 198.64.133.70, but I don't think so)
- ipsec0/eth0:1 can be used for packets destined for 198.64.133.68/30
- 198.64.133.68/30 includes 198.64.133.68 - 198.64.133.71
- but: 198.64.133.70 is one of the addresses of eth0:1.
Does that make any sense when 198.64.133.70 is specified as nexthop?
| I also tried using the address of eth0:2 as the nexthop with the same
| problem. If I use the eth0 ip as left in ipsec.conf ipsec works, but the
| virtual IP's are no longer accessible. I approached the general list with
| this problem but could not get a resolution. Your time/help is greatly
| appreciated.
Hugh Redelmeier
hugh_at_mimosa.com voice: +1 416 482-8253
Preserved raw data:
| Jun 11 12:30:32 linux10670 Pluto[20079]: | executing up-host: 2>&1
| PLUTO_VERSION='1.1'
| PLUTO_VERB='up-host'
| PLUTO_CONNECTION='gateway'
| PLUTO_NEXT_HOP='198.64.133.70'
| PLUTO_INTERFACE='ipsec0'
| PLUTO_ME='198.64.133.69'
| PLUTO_MY_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway'
| PLUTO_MY_CLIENT='198.64.133.69/32'
| PLUTO_MY_CLIENT_NET='198.64.133.69'
| PLUTO_MY_CLIENT_MASK='255.255.255.255'
| PLUTO_PEER='209.226.111.157'
| PLUTO_PEER_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Client'
| PLUTO_PEER_CLIENT='209.226.111.157/32'
| PLUTO_PEER_CLIENT_NET='209.226.111.157'
| PLUTO_PEER_CLIENT_MASK='255.255.255.255'
| ipsec _updown
|
| Jun 11 12:30:32 linux10670 Pluto[20079]: executing prepare-host: 2>&1
| PLUTO_VERSION='1.1'
| PLUTO_VERB='prepare-host'
| PLUTO_CONNECTION='gateway'
| PLUTO_NEXT_HOP='198.64.133.70'
| PLUTO_INTERFACE='ipsec0'
| PLUTO_ME='198.64.133.69'
| PLUTO_MY_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway'
| PLUTO_MY_CLIENT='198.64.133.69/32'
| PLUTO_MY_CLIENT_NET='198.64.133.69'
| PLUTO_MY_CLIENT_MASK='255.255.255.255'
| PLUTO_PEER='209.226.111.157'
| PLUTO_PEER_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Client'
| PLUTO_PEER_CLIENT='209.226.111.157/32'
| PLUTO_PEER_CLIENT_NET='209.226.111.157'
| PLUTO_PEER_CLIENT_MASK='255.255.255.255'
| ipsec _updown
| Jun 11 12:30:32 linux10670 Pluto[20079]: | executing route-host: 2>&1
| PLUTO_VERSION='1.1'
| PLUTO_VERB='route-host'
| PLUTO_CONNECTION='gateway'
| PLUTO_NEXT_HOP='198.64.133.70'
| PLUTO_INTERFACE='ipsec0'
| PLUTO_ME='198.64.133.69'
| PLUTO_MY_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway'
| PLUTO_MY_CLIENT='198.64.133.69/32'
| PLUTO_MY_CLIENT_NET='198.64.133.69'
| PLUTO_MY_CLIENT_MASK='255.255.255.255'
| PLUTO_PEER='209.226.111.157'
| PLUTO_PEER_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Client'
| PLUTO_PEER_CLIENT='209.226.111.157/32'
| PLUTO_PEER_CLIENT_NET='209.226.111.157'
| PLUTO_PEER_CLIENT_MASK='255.255.255.255'
| ipsec _updown
| here is the full ipsec.conf:
|
| config setup
|         # THIS SETTING MUST BE CORRECT or almost nothing will work;
|         # %defaultroute is okay for most simple cases.
|         interfaces=ipsec0=eth0:1
|         #interfaces=%defaultroute
|         # Debug-logging controls: "none" for (almost) none, "all" for lots.
|         klipsdebug=none
|         plutodebug=all
|         # Use auto= parameters in conn descriptions to control startup
|         # actions.
|         plutoload=%search
|         plutostart=%search
|         # Close down old connection when new one using same ID shows up.
|         uniqueids=yes
|
| # defaults for subsequent connection descriptions
| # (these defaults will soon go away)
| conn %default
|         keyingtries=0
|         disablearrivalcheck=no
|         authby=rsasig
|         left=198.64.133.69
|         leftrsasigkey=%cert
|         rightrsasigkey=%cert
|         leftid="@C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway"
|         leftnexthop=198.64.133.70
|
| conn gateway
|         right=%any
|         rightid="@C=CA, ST=Ontario, O=Bedarra, CN=FS Client"
|         auto=add
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
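The reasoning in Hugh's reply (the nexthop handed to `route add ... dev IFACE gw NEXTHOP` has to be a neighbour reachable on-link through IFACE, and 198.64.133.70 is one of the host's own addresses rather than a neighbour) can be turned into a pre-flight check for the command that `_updown` runs. The following is an added example, not FreeS/WAN code and not part of the original thread. It parses the routing table and the interface addresses quoted above, embedded here as constructed sample input with the hostname entries left unresolved exactly as in the post, and reports why a given nexthop cannot be installed on a given interface. The function names, the tuple layout and the `LOCAL_ADDRESSES` set are the example's own assumptions.

```python
"""Pre-flight check for the `route add -net PEER netmask 255.255.255.255
dev IFACE gw NEXTHOP` command that FreeS/WAN's _updown script runs.

A gateway must be a directly connected neighbour on IFACE and must not be
one of this host's own addresses.  Added diagnostic example; not FreeS/WAN
code.  Sample data below is constructed from the routing table and the
interface list quoted in the post.
"""
import ipaddress

# Constructed: `route` output as quoted in the post (hostnames unresolved).
ROUTE_TABLE = """\
linux10670-be   *             255.255.255.255 UH 0 0 0 eth1
linux10670.dn.n *             255.255.255.255 UH 0 0 0 eth0
198.64.133.68   *             255.255.255.252 U  0 0 0 eth0
198.64.133.68   *             255.255.255.252 U  0 0 0 ipsec0
198.64.129.0    *             255.255.255.192 U  0 0 0 eth0
192.168.180.0   *             255.255.255.0   U  0 0 0 eth1
127.0.0.0       *             255.0.0.0       U  0 0 0 lo
default         198.64.129.1  0.0.0.0         UG 0 0 0 eth0
"""

# Constructed: addresses of eth0, eth0:1 and the second eth0:1 entry.
LOCAL_ADDRESSES = {"198.64.129.55", "198.64.133.69", "198.64.133.70"}


def parse_route_table(text):
    """Parse `route`-style lines into (network, gateway, flags, iface).

    Gateway is None for directly connected routes (shown as '*').
    Lines whose destination is an unresolved hostname are skipped.
    """
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        dest, gw, mask, flags, iface = f[0], f[1], f[2], f[3], f[7]
        if dest == "default":
            dest = "0.0.0.0"
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # hostname destination; cannot be matched numerically
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        routes.append((net, gateway, flags, iface))
    return routes


def on_link_ifaces(routes, addr):
    """Interfaces on which addr is a directly connected neighbour."""
    a = ipaddress.ip_address(addr)
    return sorted({iface for net, gw, _, iface in routes
                   if gw is None and a in net})


def check_nexthop(routes, local_addrs, iface, nexthop):
    """Return (ok, reason) for `route add ... dev iface gw nexthop`."""
    if nexthop in local_addrs:
        return False, f"{nexthop} is one of this host's own addresses, not a neighbour"
    via = on_link_ifaces(routes, nexthop)
    if not via:
        return False, f"{nexthop} is not on-link on any interface"
    if iface not in via:
        return False, f"{nexthop} is on-link via {', '.join(via)}, not {iface}"
    return True, f"{nexthop} is on-link via {iface}"


def usable_nexthops(routes, local_addrs, iface):
    """Host addresses in iface's connected subnets that are not our own."""
    cands = []
    for net, gw, _, out in routes:
        if gw is None and out == iface and net.prefixlen < 32:
            cands += [str(h) for h in net.hosts() if str(h) not in local_addrs]
    return cands


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE)
    for nh in ("198.64.133.70", "198.64.129.1"):
        print(nh, check_nexthop(routes, LOCAL_ADDRESSES, "ipsec0", nh))
    print("usable nexthops on ipsec0:",
          usable_nexthops(routes, LOCAL_ADDRESSES, "ipsec0"))
```

Run stand-alone it reports 198.64.133.70 as one of the host's own addresses rather than a neighbour, 198.64.129.1 as on-link via eth0 rather than ipsec0, and, because the /30 behind eth0:1 contains only the host's own two addresses, no candidate nexthop on ipsec0 at all. The check models on-link reachability only and does not reproduce the kernel's full route-validation rules, so a clean result here is necessary for the `route add` to succeed, not sufficient.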
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:13 CEST