[Swan] dev lo route error

Philippe Vouters philippe.vouters at laposte.net
Fri Jan 4 19:27:43 EET 2013


In the case of the connections described at the already mentioned URL, 
here is what # ipsec addconn --verbose --autoall tells:

[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn --verbose --autoall
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from line /etc/ipsec.conf:26
Loading default conn
starter: case KH_NOTSET: empty
starter: case KH_NOTSET: empty
Loading conn roadwarrior-l2tp-updatedwin
         while loading conn 'roadwarrior-l2tp-updatedwin' also including 'roadwarrior'
starter: case KH_DEFAULTROUTE: empty
Loading conn roadwarrior-l2tp
         while loading conn 'roadwarrior-l2tp' also including 'roadwarrior'
starter: case KH_DEFAULTROUTE: empty
Loading conn macintosh-l2tp
         while loading conn 'macintosh-l2tp' also including 'roadwarrior'
starter: case KH_DEFAULTROUTE: empty
Loading conn roadwarrior
starter: case KH_DEFAULTROUTE: empty
loading all conns according to their auto= settings
   Pass #1: Loading auto=add and auto=route connections
  roadwarrior-l2tp-updatedwin
parse_src = 1, parse_gateway = 0, has_dst = 0
dst  via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.1 via  dev lo src 127.0.0.1
dst 127.255.255.255 via  dev lo src 127.0.0.1
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 192.168.1.2 via  dev eth0 src 192.168.1.2
dst 192.168.1.255 via  dev eth0 src 192.168.1.2
002 "roadwarrior-l2tp-updatedwin": deleting connection
002 added connection description "roadwarrior-l2tp-updatedwin"
  roadwarrior-l2tp
parse_src = 1, parse_gateway = 0, has_dst = 0
dst  via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.1 via  dev lo src 127.0.0.1
dst 127.255.255.255 via  dev lo src 127.0.0.1
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 192.168.1.2 via  dev eth0 src 192.168.1.2
dst 192.168.1.255 via  dev eth0 src 192.168.1.2
002 "roadwarrior-l2tp": deleting connection
002 added connection description "roadwarrior-l2tp"
  macintosh-l2tp
parse_src = 1, parse_gateway = 0, has_dst = 0
dst  via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.1 via  dev lo src 127.0.0.1
dst 127.255.255.255 via  dev lo src 127.0.0.1
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 192.168.1.2 via  dev eth0 src 192.168.1.2
dst 192.168.1.255 via  dev eth0 src 192.168.1.2
002 "macintosh-l2tp": deleting connection
002 added connection description "macintosh-l2tp"
  roadwarrior
parse_src = 1, parse_gateway = 0, has_dst = 0
dst  via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.0 via  dev lo src 127.0.0.1
dst 127.0.0.1 via  dev lo src 127.0.0.1
dst 127.255.255.255 via  dev lo src 127.0.0.1
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 192.168.1.2 via  dev eth0 src 192.168.1.2
dst 192.168.1.255 via  dev eth0 src 192.168.1.2
002 "roadwarrior": deleting connection
002 added connection description "roadwarrior"
   Pass #2: Loading auto=start connections

[philippe at victor libreswan-3.0]$

In the hope this can help you troubleshoot Libreswan and pinpoint 
the root cause of the /dev/lo problem you are seeing.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

Le 04/01/2013 18:13, Nick Howitt a écrit :
> In Oguz' Yilmaz's case he appears to have a right specified 
> (right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) rather 
> than right=%any and no leftnexthop. :(
>
> We have hit some minor odd issues - ipsec auto --status does not give 
> any info on phase2alg unless it is specified. It may also fail if it 
> is specified with the hash function e.g. aes256-sha1 but I need to 
> test further and my time for testing is very limited. But this should 
> all be for another thread......
>
> Nick
>
> On 04/01/2013 16:17, Paul Wouters wrote:
>>
>> On Fri, 4 Jan 2013, Nick Howitt wrote:
>>
>>> A few of us are trying to develop a front end for this/Openswan in 
>>> ClearOS, and one person has tried LibreSwan and he got the same
>>> thing. If you look in Oguz Yilmaz's log you will see:
>>
>> Neat! Keep us in the loop?
>>
>>> Jan  2 10:18:28 2013 pluto[18211]: \"myvpn/0x2\" #2: route-client
>>> output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace
>>> 192.168.2.0/24 via 10.46.1.5 dev lo  src 10.46.1.5\' failed (RTNETLINK
>>> answers: No such process)
>>>
>>> The tester's comment is "The only bad news is that the 
>>> /usr/libexec/ipsec/_updown.netkey appears to have been modified, 
>>> such that the
>>> local route from the gateway fails as it attempts to use the 'lo' 
>>> interface rather than the default route... still investigating why
>>> this differs between packages"
>>
>> You'll see the new code in programs/addconn/addconn.c that is
>> responsible for that.
>>
>> When no leftnexthop= is specified, we try to determine it based on the
>> routing table. In openswan it was always based on the defaultroute, eg
>> the default gateway.
>>
>> There seems to be an issue with this code in some circumstances. I
>> believe this might be because if you ask the kernel for the gateway
>> of "0.0.0.0" (right=%any) it might give you 127.0.0.1 with dev lo...
>>
>> Paul
>
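An added diagnostic, not Libreswan's own code: it parses the "dst ... via ... dev ... src" route lines that addconn printed above, picks the nexthop the way Paul says Openswan did (from the default route), and flags the "dev lo" answer seen in Oguz Yilmaz's log. Replaying Oguz's failing doroute line against Philippe's routes is done purely for illustration; the doroute line format and the IPv4-only loopback check are assumptions.

```python
import re

# Route lines copied from the addconn dump above (Philippe's host).
ADDCONN_DUMP = """\
dst  via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via  dev eth0 src
dst 192.168.1.0 via  dev eth0 src 192.168.1.2
dst 127.0.0.1 via  dev lo src 127.0.0.1
"""
# The failing _updown.netkey command quoted from Oguz Yilmaz's log.
FAILING_DOROUTE = "ip route replace 192.168.2.0/24 via 10.46.1.5 dev lo  src 10.46.1.5"

KEYS = ("dst", "via", "dev", "src")
DOROUTE_RE = re.compile(r"ip route replace (\S+) via (\S+) dev (\S+)\s+src ([0-9.]+)")


def parse_route_line(line):
    """Parse one 'dst X via Y dev Z src W' line. A keyword directly followed by
    another keyword (e.g. 'dst  via 192.168.1.1') has an empty value."""
    toks = line.split()
    if not toks or toks[0] != "dst":
        return None
    fields = dict.fromkeys(KEYS, "")
    for key, val in zip(toks, toks[1:] + [""]):
        if key in KEYS and val not in KEYS:
            fields[key] = val
    return fields

def parse_dump(text):
    return [r for r in map(parse_route_line, text.splitlines()) if r]

def default_gateway(routes):
    """Openswan-style choice from the thread: the empty-dst (default) route's via/dev."""
    for r in routes:
        if r["dst"] == "" and r["via"]:
            return r["via"], r["dev"]
    return None

def is_bogus_nexthop(via, dev):
    """The failure mode from the thread: loopback device or 127/8 gateway (IPv4 assumed)."""
    return dev == "lo" or via.startswith("127.")

def check_doroute(cmd, routes):
    """Return (ok, (via, dev)): the updown command's own nexthop when it is
    sane, else ok=False and the default-gateway fallback Openswan would use."""
    m = DOROUTE_RE.search(cmd)  # assumed format of the quoted doroute line
    via, dev = m.group(2, 3)
    ok = not is_bogus_nexthop(via, dev)
    return ok, ((via, dev) if ok else default_gateway(routes))
```

Feeding it the full `ipsec addconn --verbose` output works as-is, since non-route lines such as "Loading conn ..." are skipped by the parser.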
