From: Mike Goldman (whig_at_3dresearch.com)
Date: Wed Aug 21 2002 - 12:28:49 CEST
I can confirm that full connectivity is re-established by executing the
following on the right side immediately after the ipsec tunnel is created:
route del -net 0.0.0.0 netmask 128.0.0.0
route del -net 128.0.0.0 netmask 128.0.0.0
Thus my extruded subnet is now working perfectly, but I'm still curious
to know why this is necessary and where it might have been documented.
Mike Goldman wrote:
> Hrm...
>
> I laboriously upgraded both left and right sides to 1.98b (I was
> previously using the Debianized 1.95 package) and tried again.
>
> Same problem, but with a partially improved result. I now have a
> functioning tunnel! However, the routing on the right side still has
> two default routes listed as shown before, with same weird 128.0.0.0
> masks. The right side *is* reachable inbound on its ipsec0 interface,
> but not at all externally on its eth0 interface. And the right side
> still has no idea how to initiate outbound connections with anyone.
>
> I am not trying to use any sort of Opportunistic Encryption. Only an
> extruded subnet configuration is being activated.
>
> With the same extruded configuration as shown before, I perform an
> 'ipsec auto --add extruded' on both sides, and now as soon as I do an
> 'ipsec auto --up extruded' on the left side, I lose connectivity with
> the right side until I establish a new connection to the extruded
> address.
>
> Incidentally, I still confirm the many-interfaces bug at startup with
> 1.98b as documented wrt 1.95.
>
> At any rate, my current thinking is to rejigger the routes manually
> after bringing up the ipsec connection, however this seems like it
> shouldn't have to be necessary.
>
> Paul Wouters wrote:
>
>> On Fri, 16 Aug 2002 whig_at_3dresearch.com wrote:
>>
>>> default e.f.g.r 128.0.0.0 UG 0 0 0 ipsec0
>>> 128.0.0.0 e.f.g.r 128.0.0.0 UG 0 0 0 ipsec0
>>> default e.f.g.r 0.0.0.0 UG 0 0 0 eth0
>>>
>>> This causes the right side to be unable to route anywhere in particular,
>>> and it loses external connectivity completely.
>>>
>> Are you running 1.97 or earlier? I believe 1.98 fixed a problem where
>> Opportunistic Encryption routes (the 128/1 and 0/1 routes) were
>> created when OE wasn't used. Or you might still have the me-to-anyone
>> route enabled in ipsec.conf.
>>
>> Using OE and other main modes (eg extrusion) doesn't work correctly yet.
>>
>> Paul
>>
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
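Why the two half-routes break things, and why deleting them restores eth0, comes down to longest-prefix matching: 0.0.0.0/1 and 128.0.0.0/1 together cover every IPv4 address and are each one bit more specific than the 0.0.0.0/0 default via eth0, so every non-local packet is pulled onto ipsec0. The script below is an added example and is not code from the thread or from FreeS/WAN. It parses a `route -n` style table (the constructed sample reuses the three routes Mike posted, with his `e.f.g.r` gateway placeholder, plus an assumed 192.0.2.0/24 LAN route), performs the same longest-prefix lookup the kernel would, lists the OE half-routes, and emits exactly the two `route del` commands Mike ran. The interface names, the LAN prefix and the test addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeS/WAN project).
# Works on `route -n` output: Destination Gateway Genmask Flags Metric Ref Use Iface.

# Constructed sample table: the three routes from the thread plus an assumed LAN route.
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         e.f.g.r         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       e.f.g.r         128.0.0.0       UG    0      0        0 ipsec0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         e.f.g.r         0.0.0.0         UG    0      0        0 eth0'

# Print the rows that are the two OE half-default routes (0/1 and 128/1).
# Reads a routing table on stdin.
half_default_routes() {
    awk '$3 == "128.0.0.0" && ($1 == "0.0.0.0" || $1 == "default" || $1 == "128.0.0.0")'
}

# Same table with the two half-default routes removed (what the kernel
# table looks like after the two `route del` commands).
without_half_defaults() {
    awk '!($3 == "128.0.0.0" && ($1 == "0.0.0.0" || $1 == "default" || $1 == "128.0.0.0"))'
}

# Emit the `route del` commands needed for each half-default route found.
route_del_commands() {
    half_default_routes | awk '{
        dst = ($1 == "default") ? "0.0.0.0" : $1
        print "route del -net " dst " netmask " $3
    }'
}

# Longest-prefix lookup: print the interface the kernel would pick for IP $1.
# Reads a routing table on stdin; header lines are skipped by the address check.
lookup_iface() {
    awk -v ip="$1" '
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # Count leading one bits of a contiguous netmask (0.0.0.0 -> 0, 128.0.0.0 -> 1, ...).
    function prefix_len(mask,  m, n) {
        m = ip2int(mask); n = 0
        while (n < 32 && m >= 2147483648) { n++; m = (m - 2147483648) * 2 }
        return n
    }
    BEGIN { best = -1; iface = "" }
    $1 !~ /^[0-9.]+$/ && $1 != "default" { next }      # skip title/header rows
    {
        dst = ($1 == "default") ? "0.0.0.0" : $1
        len = prefix_len($3)
        div = 2 ^ (32 - len)                              # compare the top len bits only
        if (int(ip2int(ip) / div) == int(ip2int(dst) / div) && len > best) {
            best = len; iface = $8
        }
    }
    END { print iface }'
}

# Demo: with the half-routes present, both an address below and above
# 128.0.0.0 are pulled onto ipsec0; after removing them, the eth0 default wins.
printf '%s\n' "$SAMPLE_TABLE" | route_del_commands
printf 'before: 8.8.8.8 via %s\n' "$(printf '%s\n' "$SAMPLE_TABLE" | lookup_iface 8.8.8.8)"
printf 'after:  8.8.8.8 via %s\n' "$(printf '%s\n' "$SAMPLE_TABLE" | without_half_defaults | lookup_iface 8.8.8.8)"
```

Run it against a live box with `route -n | without_half_defaults | lookup_iface <addr>` once the functions are sourced; if `route -n | half_default_routes` prints anything on a gateway that is not meant to be doing Opportunistic Encryption, those are the routes to delete (or, per Paul's hint, the me-to-anyone conn to disable in ipsec.conf).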
This archive was generated by hypermail 2.1.4 : Wed Aug 21 2002 - 17:20:28 CEST