List: openswan-users
Subject: [Openswan Users] Re: route problem
From: Paul Wouters <paul () xelerance ! com>
Date: 2006-03-25 17:44:30
Message-ID: Pine.LNX.4.63.0603251830150.18432 () tla ! xelerance ! com
On Sat, 25 Mar 2006, utkarsh shah wrote:
> Cc: users@openswan.org, dev@openswan.org
Please stop CC:ing all your messages to both lists. If you think there is a bug please use dev@, if you think it is a configuration issue, please use users@.
> I have reported it as a bug, but if I am wrong please guide me.
>
> I am using Linux Openswan U2.4.4/K2.4.5rc4 (klips) version, and the ip route version is: ip utility, iproute2-ss020116
> I have changed _updown and added IPROUTETABLE="vpnroute" so routes are added to it.
Why do you need that?
> I tried to make a manual key connection. It was successfully established. When I disconnected, the routes were still there, as you can see from the following lines:
Manual keying is strongly discouraged. Not only because people tend to
re-use their keying material indefinitely, and thus compromising their
security, but also because there is no Perfect Forward Protection if a
key is stolen. And also because IKE offers a bunch of extras, some of
them necessary such as when needing to break through a NAT device.
> [root@manage /root]# ipsec manual --down test_manual-1
I am not entirely sure if manual connections are supposed to have their custom
scripts called.
> One more thing: once I created multiple connections between two Openswan servers, they had two rules and one route, as the destinations were the same. But when I disconnected one, the route was deleted, so my second connection says it is connected but packets were still not transferred. I checked ip routes & rules and found this. (Its reproducibility is random but more frequent.)
You cannot really have the same destination in two ipsec connections, unless they
are slightly different (e.g. 10.0.0.0/8 vs 10.0.0.0/24) in which case the longest
prefix one should be used.
You should not be using manual keying of 1des.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
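The two route behaviours Paul describes above, as an added illustration that is not code from the list, from Openswan or from its _updown script: a route table keyed by destination prefix, where two connections to the identical prefix collide (downing one strips the other's route) while 10.0.0.0/8 and 10.0.0.0/24 coexist and the longest prefix wins. The RouteTable class and the connection names are assumptions for the model, not Openswan internals.

```python
"""Model of routes keyed by destination prefix, as an _updown-style script adds them.

Added example; constructed model, not Openswan code. Assumes one route per
destination prefix per table (as a kernel route table behaves) and
longest-prefix-match lookup.
"""
import ipaddress


class RouteTable:
    """A route table holding one route per destination prefix."""

    def __init__(self):
        self.routes = {}  # ip_network -> name of the connection that added it

    def up(self, conn, dst):
        # "ip route replace" semantics: the same prefix is simply overwritten
        self.routes[ipaddress.ip_network(dst)] = conn

    def down(self, conn, dst):
        # "ip route del <dst>" removes by prefix, whoever originally added it
        self.routes.pop(ipaddress.ip_network(dst), None)

    def lookup(self, addr):
        """Return the connection owning the longest matching prefix, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, conn in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, conn)
        return best[1] if best else None


def identical_destination_collision():
    """Two conns to the same prefix: downing one leaves the other without a route."""
    t = RouteTable()
    t.up("conn-a", "10.0.0.0/8")
    t.up("conn-b", "10.0.0.0/8")   # overwrites conn-a's route, same key
    t.down("conn-a", "10.0.0.0/8")  # deletes the only route for 10/8
    return t.lookup("10.1.2.3")     # None: conn-b is "up" but unroutable


def overlapping_prefixes_longest_wins():
    """10.0.0.0/8 and 10.0.0.0/24 coexist; the /24 wins for its own addresses."""
    t = RouteTable()
    t.up("conn-a", "10.0.0.0/8")
    t.up("conn-b", "10.0.0.0/24")
    inside_24, outside_24 = t.lookup("10.0.0.7"), t.lookup("10.1.2.3")
    t.down("conn-b", "10.0.0.0/24")  # downing the /24 leaves the /8 intact
    return inside_24, outside_24, t.lookup("10.0.0.7")
```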