[Swan] dev lo route error
Philippe Vouters
philippe.vouters at laposte.net
Fri Jan 4 19:27:43 EET 2013
In the case of the connections described at the already mentioned URL,
here is what # ipsec addconn --verbose --autoall tells:
[philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn
--verbose --autoall
opening file: /etc/ipsec.conf
debugging mode enabled
including file '/etc/ipsec.d/*.conf'(/etc/ipsec.d/*.conf) from line
/etc/ipsec.conf:26
Loading default conn
starter: case KH_NOTSET: empty
starter: case KH_NOTSET: empty
Loading conn roadwarrior-l2tp-updatedwin
while loading conn 'roadwarrior-l2tp-updatedwin' also including
'roadwarrior'
starter: case KH_DEFAULTROUTE: empty
Loading conn roadwarrior-l2tp
while loading conn 'roadwarrior-l2tp' also including 'roadwarrior'
starter: case KH_DEFAULTROUTE: empty
Loading conn macintosh-l2tp
while loading conn 'macintosh-l2tp' also including 'roadwarrior'
starter: case KH_DEFAULTROUTE: empty
Loading conn roadwarrior
starter: case KH_DEFAULTROUTE: empty
loading all conns according to their auto= settings
Pass #1: Loading auto=add and auto=route connections
roadwarrior-l2tp-updatedwin
parse_src = 1, parse_gateway = 0, has_dst = 0
dst via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via dev eth0 src
dst 192.168.1.0 via dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.1 via dev lo src 127.0.0.1
dst 127.255.255.255 via dev lo src 127.0.0.1
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 192.168.1.2 via dev eth0 src 192.168.1.2
dst 192.168.1.255 via dev eth0 src 192.168.1.2
002 "roadwarrior-l2tp-updatedwin": deleting connection
002 added connection description "roadwarrior-l2tp-updatedwin"
roadwarrior-l2tp
parse_src = 1, parse_gateway = 0, has_dst = 0
dst via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via dev eth0 src
dst 192.168.1.0 via dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.1 via dev lo src 127.0.0.1
dst 127.255.255.255 via dev lo src 127.0.0.1
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 192.168.1.2 via dev eth0 src 192.168.1.2
dst 192.168.1.255 via dev eth0 src 192.168.1.2
002 "roadwarrior-l2tp": deleting connection
002 added connection description "roadwarrior-l2tp"
macintosh-l2tp
parse_src = 1, parse_gateway = 0, has_dst = 0
dst via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via dev eth0 src
dst 192.168.1.0 via dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.1 via dev lo src 127.0.0.1
dst 127.255.255.255 via dev lo src 127.0.0.1
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 192.168.1.2 via dev eth0 src 192.168.1.2
dst 192.168.1.255 via dev eth0 src 192.168.1.2
002 "macintosh-l2tp": deleting connection
002 added connection description "macintosh-l2tp"
roadwarrior
parse_src = 1, parse_gateway = 0, has_dst = 0
dst via 192.168.1.1 dev eth0 src
dst 169.254.0.0 via dev eth0 src
dst 192.168.1.0 via dev eth0 src 192.168.1.2
set addr: 192.168.1.2
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.0 via dev lo src 127.0.0.1
dst 127.0.0.1 via dev lo src 127.0.0.1
dst 127.255.255.255 via dev lo src 127.0.0.1
dst 192.168.1.0 via dev eth0 src 192.168.1.2
dst 192.168.1.2 via dev eth0 src 192.168.1.2
dst 192.168.1.255 via dev eth0 src 192.168.1.2
002 "roadwarrior": deleting connection
002 added connection description "roadwarrior"
Pass #2: Loading auto=start connections
[philippe at victor libreswan-3.0]$
In the hope this can help you troubleshoot Libreswan and pinpoint
the root cause of the /dev/lo problem you are seeing.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
Le 04/01/2013 18:13, Nick Howitt a écrit :
> In Oguz' Yilmaz's case he appears to have a right specified
> (right=RIGHT_EXT_IP) and a leftnexthop (leftnexthop=LEFT_EXT_GW) rather
> than right=%any and no leftnexthop. :(
>
> We have hit some minor odd issues - ipsec auto --status does not give
> any info on phase2alg unless it is specified. It may also fail if it
> is specified with the hash function e.g. aes256-sha1 but I need to
> test further and my time for testing is very limited. But this should
> all be for another thread......
>
> Nick
>
> On 04/01/2013 16:17, Paul Wouters wrote:
>>
>> On Fri, 4 Jan 2013, Nick Howitt wrote:
>>
>>> A few of us are trying to develop a front end for this/Openswan in
>>> ClearOS, and one person has tried LibreSwan and he got the same
>>> thing. If you look in Oguz Yilmaz's log you will see:
>>
>> Neat! Keep us in the loop?
>>
>>> Jan 2 10:18:28 2013 pluto[18211]: \"myvpn/0x2\" #2: route-client
>>> output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace
>>> 192.168.2.0/24 via 10.46.1.5 dev lo src 10.46.1.5\' failed (RTNETLINK
>>> answers: No such process)
>>>
>>> The tester's comment is "The only bad news is that the
>>> /usr/libexec/ipsec/_updown.netkey appears to have been modified,
>>> such that the
>>> local route from the gateway fails as it attempts to use the 'lo'
>>> interface rather than the default route... still investigating why
>>> this differs between packages"
>>
>> You'll see the new code in programs/addconn/addconn.c that is
>> responsible for that.
>>
>> When no leftnexthop= is specified, we try to determine it based on the
>> routing table. In openswan it was always based on the defaultroute, eg
>> the default gateway.
>>
>> There seems to be an issue with this code in some circumstances. I
>> believe this might be because if you ask the kernel for the gateway
>> of "0.0.0.0" (right=%any) it might give you 127.0.0.1 with dev lo...
>>
>> Paul
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
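A worked model of the next-hop selection Paul describes in the quoted reply, added here as an example and not Libreswan's own addconn.c code: the routing table is constructed from the addconn --verbose dump above, with prefix lengths filled in (the dump omits them) and an assumed 0.0.0.0/32 loopback entry standing in for the kernel's local-table answer that yields "127.0.0.1 with dev lo". It shows the naive lookup for right=%any landing on lo, and a selection rule that falls back to the default route instead and refuses a loopback answer before any `ip route replace ... dev lo` is attempted.

```python
import ipaddress

# Constructed routing table modelled on the addconn --verbose dump above.
# Prefix lengths are added (the dump omits them); the 0.0.0.0/32 entry is an
# assumption standing in for the kernel's local-table answer for an
# unspecified destination (the "127.0.0.1 with dev lo" result).
ROUTES = [
    # (prefix,          gateway,       dev,    preferred src)
    ("0.0.0.0/0",      "192.168.1.1", "eth0", None),          # default route
    ("169.254.0.0/16", None,          "eth0", None),
    ("192.168.1.0/24", None,          "eth0", "192.168.1.2"),
    ("127.0.0.0/8",    None,          "lo",   "127.0.0.1"),
    ("0.0.0.0/32",     None,          "lo",   "127.0.0.1"),   # assumed local entry
]

def fib_lookup(dst, routes=ROUTES):
    """Longest-prefix match, a simplified FIB lookup.
    Returns (gateway, dev, src) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev, src)
    return None if best is None else best[1:]

def nexthop_for_peer(right, routes=ROUTES):
    """Pick (gateway, dev) to use as leftnexthop= when it is not configured.

    right=%any has no address to look up: asking the table for 0.0.0.0 gets
    a loopback answer, which is what later makes 'ip route replace ... dev lo'
    fail. So %any means "use the default route", and a loopback answer for a
    real peer is rejected rather than handed to _updown.
    """
    if right in ("%any", "0.0.0.0"):
        default = next((r for r in routes if r[0] == "0.0.0.0/0"), None)
        if default is None:
            raise ValueError("no default route to derive leftnexthop from")
        return default[1], default[2]
    found = fib_lookup(right, routes)
    if found is None:
        raise ValueError(f"no route to peer {right}")
    gw, dev, _src = found
    if dev == "lo":
        raise ValueError(f"route to {right} is via loopback; unusable as nexthop")
    # Directly connected peer: the next hop is the peer itself.
    return (gw or right), dev
```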