
Re: [Users] Re: [Bugs] FS 1.97 and Virtual IP's

From: D. Hugh Redelmeier (hugh_at_mimosa.com)
Date: Wed Jun 12 2002 - 00:15:15 CEST


| From: Mike Thomas <mike_at_bedarra.com>

| Sorry, I mixed up the barfs. The one above with .70 was a last gasp
| attempt to get things working using 169.70. The attached barf uses a
| leftnexthop equal to the default gateway listed in the routing table
| (198.64.129.1).
|
| I have attached a barf with all parameters as they should be (apologies, it's
| already been a long week). As far as the new barf goes, I believe the
| commands that are failing should work, but my knowledge of the route
| command (routing in general) is very limited.

I'm not a routing expert either. And neither is Pluto :-)

My point was that Pluto is just trying a normal routing command.
I told you how to approach that failure.

Since you gave me a barf, I'll glance at it.

- includes X.509 patch

Interfaces, according to Pluto:

Jun 11 16:49:26 linux10670 Pluto[23369]: listening for IKE messages
Jun 11 16:49:26 linux10670 Pluto[23369]: | found lo with address 127.0.0.1
Jun 11 16:49:26 linux10670 Pluto[23369]: | found eth0 with address 198.64.129.55
Jun 11 16:49:26 linux10670 Pluto[23369]: | found eth0:2 with address 198.64.133.70
Jun 11 16:49:26 linux10670 Pluto[23369]: | found eth0:1 with address 198.64.133.69
Jun 11 16:49:26 linux10670 Pluto[23369]: | found eth1 with address 192.168.180.115
Jun 11 16:49:26 linux10670 Pluto[23369]: | found ipsec0 with address 198.64.133.69
Jun 11 16:49:26 linux10670 Pluto[23369]: | IP interface eth1 192.168.180.115 has no matching ipsec* interface -- ignored
Jun 11 16:49:26 linux10670 Pluto[23369]: adding interface ipsec0/eth0:1 198.64.133.69
Jun 11 16:49:26 linux10670 Pluto[23369]: | IP interface eth0:2 198.64.133.70 has no matching ipsec* interface -- ignored
Jun 11 16:49:26 linux10670 Pluto[23369]: | IP interface eth0 198.64.129.55 has no matching ipsec* interface -- ignored
Jun 11 16:49:26 linux10670 Pluto[23369]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
Jun 11 16:49:26 linux10670 Pluto[23369]: | could not open /proc/net/if_inet6

So the only interface Pluto is going to listen on is
ipsec0/eth0:1 198.64.133.69. I think that is what you intend.

Jun 11 16:54:05 linux10670 Pluto[23369]: "gateway" 216.209.122.80 #1: sent MR3, ISAKMP SA established
Good.

Jun 11 16:54:05 linux10670 Pluto[23369]: "gateway" 216.209.122.80 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Hmm.

Jun 11 16:54:06 linux10670 Pluto[23369]: | executing up-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-host' PLUTO_CONNECTION='gateway' PLUTO_NEXT_HOP='198.64.129.1' PLUTO_INTERFACE='ipsec0' PLUTO_ME='198.64.133.69' PLUTO_MY_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway' PLUTO_MY_CLIENT='198.64.133.69/32' PLUTO_MY_CLIENT_NET='198.64.133.69' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_PEER='216.209.122.80' PLUTO_PEER_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Client' PLUTO_PEER_CLIENT='216.209.122.80/32' PLUTO_PEER_CLIENT_NET='216.209.122.80' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Jun 11 16:54:06 linux10670 Pluto[23369]: | executing prepare-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host' PLUTO_CONNECTION='gateway' PLUTO_NEXT_HOP='198.64.129.1' PLUTO_INTERFACE='ipsec0' PLUTO_ME='198.64.133.69' PLUTO_MY_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway' PLUTO_MY_CLIENT='198.64.133.69/32' PLUTO_MY_CLIENT_NET='198.64.133.69' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_PEER='216.209.122.80' PLUTO_PEER_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Client' PLUTO_PEER_CLIENT='216.209.122.80/32' PLUTO_PEER_CLIENT_NET='216.209.122.80' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Jun 11 16:54:06 linux10670 Pluto[23369]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='gateway' PLUTO_NEXT_HOP='198.64.129.1' PLUTO_INTERFACE='ipsec0' PLUTO_ME='198.64.133.69' PLUTO_MY_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Gateway' PLUTO_MY_CLIENT='198.64.133.69/32' PLUTO_MY_CLIENT_NET='198.64.133.69' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_PEER='216.209.122.80' PLUTO_PEER_ID='C=CA, ST=Ontario, O=Bedarra, CN=FS Client' PLUTO_PEER_CLIENT='216.209.122.80/32' PLUTO_PEER_CLIENT_NET='216.209.122.80' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Jun 11 16:54:07 linux10670 Pluto[23369]: "gateway" 216.209.122.80 #2: route-host output: SIOCADDRT: Network is unreachable
Jun 11 16:54:07 linux10670 Pluto[23369]: "gateway" 216.209.122.80 #2: route-host output: /usr/local/lib/ipsec/_updown: `route add -net 216.209.122.80 netmask 255.255.255.255 dev ipsec0 gw 198.64.129.1' failed
Jun 11 16:54:07 linux10670 Pluto[23369]: "gateway" 216.209.122.80 #2: route-host output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
Jun 11 16:54:07 linux10670 Pluto[23369]: "gateway" 216.209.122.80 #2: route-host command exited with status 7

The route command that failed:
        route add -net 216.209.122.80 netmask 255.255.255.255 dev ipsec0 gw 198.64.129.1

Relevant extract from the routing table:
198.64.133.68 0.0.0.0 255.255.255.252 U 40 0 0 ipsec0

You cannot get to 216.209.122.80 through ipsec0 according to this
routing table. You can only get to 198.64.133.68-198.64.133.71.

You've got to design another structure. At this point, this isn't a
FreeS/WAN problem. But FreeS/WAN does constrain solutions.

Perhaps we could help if you told us what you want to achieve.

Is 198.64.129.1 happy to accept packets with source addresses in
198.64.133.68-198.64.133.71?

Are 198.64.133.68-198.64.133.71 routed from the wild world into your
network?

Hugh Redelmeier
hugh_at_mimosa.com voice: +1 416 482-8253
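
Added example, not part of the original message and not FreeS/WAN code: a check that reproduces the reasoning above, namely that a `gw` given to `route add ... dev X` must lie inside a directly connected network on device X, otherwise the kernel answers "Network is unreachable". Only the ipsec0 line of the sample table comes from the post; the two eth0 lines (including the /24 netmask) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in `route -n` column order
# (Destination Gateway Genmask Flags ... Iface).
# Only the ipsec0 line is taken from the post; the eth0 lines are assumed.
SAMPLE_TABLE = """\
198.64.133.68   0.0.0.0         255.255.255.252 U     40 0 0 ipsec0
198.64.129.0    0.0.0.0         255.255.255.0   U     0  0 0 eth0
0.0.0.0         198.64.129.1    0.0.0.0         UG    0  0 0 eth0
"""


def connected_networks(table_text):
    """Map each device to its directly connected networks (gateway 0.0.0.0)."""
    nets = {}
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # header or malformed line
        dest, gateway, mask, dev = fields[0], fields[1], fields[2], fields[-1]
        if gateway != "0.0.0.0":
            continue  # routed via a gateway, so not on-link
        nets.setdefault(dev, []).append(ipaddress.ip_network(f"{dest}/{mask}"))
    return nets


def gateway_on_link(table_text, dev, gateway):
    """True if `gateway` sits inside a network directly connected to `dev`."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in net for net in connected_networks(table_text).get(dev, []))


def devices_reaching(table_text, gateway):
    """Devices on which `gateway` would be accepted as a next hop."""
    gw = ipaddress.ip_address(gateway)
    return sorted(dev for dev, nets in connected_networks(table_text).items()
                  if any(gw in net for net in nets))


if __name__ == "__main__":
    # The next hop from the failing command, tested against the device it named.
    print("198.64.129.1 on-link via ipsec0:",
          gateway_on_link(SAMPLE_TABLE, "ipsec0", "198.64.129.1"))
    print("devices that can reach it:",
          devices_reaching(SAMPLE_TABLE, "198.64.129.1"))
```
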

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:14 CEST