[strongSwan] strongswan to cisco link comes up but no route established

Bruce Ferrell bferrell at baywinds.org
Sat Sep 7 16:45:11 CEST 2013


On 09/06/2013 12:51 PM, Andre Valentin wrote:
> Hi Bruce,
>
> just don't care at the moment. I would create a manual route entry for
> the network if it does not work, just to check if everything else works.
> You can also add the routes automatically in the up/down scripts.
>
> Are you sure you didn't miss anything when you copied the line? It
> seems that the network part is missing. Perhaps you should post your
> conn entry and strongswan.conf.
>
> André
>
> Am 06.09.2013 18:53, schrieb Bruce Ferrell:
>> André
>>
>> That is present.
>>
>>
>>
>> On 09/06/2013 04:19 AM, Andre Valentin wrote:
>>> Hi Bruce,
>>>
>>> do you have advanced routing enabled in your kernel? Perhaps that's missing.
>>> .config of kernel: CONFIG_IP_ADVANCED_ROUTER=y
>>>
>>>
>>> André
>>>
>>> Am 06.09.2013 00:40, schrieb Bruce Ferrell:
>>>> I get this message when attempting a restart:
>>>>
>>>>       src 192.0.2.46 table 220' failed (RTNETLINK answers: No such process)
>>>>
>>>> Can anyone suggest what I may need to look at?
>>>>

After digging really hard, I found that while I thought the link was up, there is a PFS issue in my configuration.

Under openswan, PFS is a simple PFS=yes.  Under Strongswan, I found it's less explicitly done with the setting for esp (esp=3des-sha1-modp1024 vs esp=3des-sha1 with pfs=yes)

I'm still seeing an issue where ipsec status shows the link down and unrouted after a time at my end, but the distant end says the link is up.

More as I have it
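A minimal updown hook along the lines Andre suggests earlier in the thread, added here as an example; it is not part of the thread and not strongSwan's own _updown script. It assumes the conn entry points leftupdown at this file, uses the PLUTO_* variables charon exports to updown hooks, and the table name, subnet and interface used in the dry run are constructed values.

```sh
#!/bin/sh
# Example updown hook: install the route to the remote subnet ourselves
# instead of relying on the route charon installs in table 220.
# charon exports PLUTO_VERB, PLUTO_PEER_CLIENT (remote subnet, CIDR),
# PLUTO_INTERFACE and PLUTO_ME (local IKE address) to the hook.

# Routing table to use; "main" is the default table (assumed choice).
ROUTE_TABLE="${ROUTE_TABLE:-main}"

# Runs a command, or prints it when IPSEC_ROUTE_DRYRUN=1 so the
# route logic can be checked without touching the routing table.
run() {
    if [ "${IPSEC_ROUTE_DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# route_cmd VERB PEER_NET IFACE LOCAL_ADDR
# Adds or removes the route for a client subnet; returns 1 for verbs
# that carry no subnet (up-host/down-host) so nothing is installed.
route_cmd() {
    verb="$1"; peer_net="$2"; iface="$3"; me="$4"
    case "$verb" in
        up-client|up-client-v6)
            # "replace" is idempotent, so a re-run after a rekey is harmless.
            run ip route replace "$peer_net" dev "$iface" src "$me" table "$ROUTE_TABLE"
            ;;
        down-client|down-client-v6)
            run ip route del "$peer_net" dev "$iface" table "$ROUTE_TABLE"
            ;;
        *)
            return 1
            ;;
    esac
}

# Only act when charon invoked us; sourcing the file for a dry run
# without PLUTO_VERB set does nothing.
if [ -n "$PLUTO_VERB" ]; then
    route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$PLUTO_INTERFACE" "$PLUTO_ME" || true
fi
```

If charon's own table 220 route is not wanted alongside this one, `charon.install_routes = no` in strongswan.conf disables it.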