[strongSwan] strongswan to cisco link comes up but no route established
bferrell at baywinds.org
Sat Sep 7 16:45:11 CEST 2013
On 09/06/2013 12:51 PM, Andre Valentin wrote:
> Hi Bruce,
> just don't care at the moment. I would create a manual route entry for
> the network if it does not work, just to check if everything else works.
> You can also add the routes automatically in the up/down scripts.
> Are you sure you didn't miss anything when you copied the line? It
> seems, that the network part is missing. Perhaps you should post your
> conn entry and strongswan.conf
> On 06.09.2013 18:53, Bruce Ferrell wrote:
>> That is present.
>> On 09/06/2013 04:19 AM, Andre Valentin wrote:
>>> Hi Bruce,
>>> do you have advanced routing enabled in your kernel? Perhaps that's missing.
>>> .config of kernel: CONFIG_IP_ADVANCED_ROUTER=y
>>> On 06.09.2013 00:40, Bruce Ferrell wrote:
>>>> I get this message when attempting a restart:
>>>> src 192.0.2.46 table 220' failed (RTNETLINK answers: No such process)
>>>> Can anyone suggest what I may need to look at?
After digging really hard, I found that while I thought the link was up, there is a PFS issue in my configuration.
Under openswan, PFS is a simple PFS=yes. Under strongSwan, I found it's less explicitly done with the setting for esp (esp=3des-sha1-modp1024 vs esp=3des-sha1 with pfs=yes).
I'm still seeing an issue where ipsec status shows the link down and unrouted after a time at my end, but the distant end says the link is up.
More as I have it.
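Two points from this thread lend themselves to a small script: Andre's suggestion to install the route to the peer network from the up/down script when charon's own route installation (the `table 220` route from the error message) fails, and Bruce's observation that in strongSwan PFS is requested by appending a DH group to the esp= proposal rather than by a separate pfs=yes. The following sh script is an added example written for this post; it is not code from the thread or from the strongSwan project. It assumes the PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_INTERFACE and PLUTO_ME environment variables that charon passes to a leftupdown script, and the subnet 10.1.0.0/16 in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal leftupdown-style script that
# installs or removes the route to the peer subnet itself, plus a check
# that an esp= proposal actually asks for PFS (carries a DH group).
# Assumes the PLUTO_* variables charon exports to leftupdown scripts
# (PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_INTERFACE, PLUTO_ME).

# Build the ip(8) command for one updown event and echo it, so the
# command can be inspected or tested; run_route() actually executes it.
#   $1 verb (up-client / down-client), $2 peer net (e.g. 10.1.0.0/16),
#   $3 outer interface, $4 our own outer address (used as src).
route_cmd() {
    verb=$1; peer_net=$2; iface=$3; me=$4
    case "$verb" in
        up-client)   echo "ip route replace $peer_net dev $iface src $me" ;;
        down-client) echo "ip route del $peer_net dev $iface src $me" ;;
        *)           return 1 ;;   # other verbs (up-host, etc.) need no route
    esac
}

# Return 0 when an esp= proposal string ends in a DH group (modpNNNN or
# ecpNNN), i.e. PFS is requested for the CHILD_SA; return 1 otherwise.
# strongSwan: esp=3des-sha1-modp1024 -> PFS on; esp=3des-sha1 -> PFS off.
pfs_enabled() {
    case "$1" in
        *-modp[0-9]*|*-ecp[0-9]*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Execute the route change for the event charon is reporting.
run_route() {
    cmd=$(route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$PLUTO_INTERFACE" "$PLUTO_ME") || return 0
    # Word splitting on $cmd is intended: it is a single ip(8) command line.
    # shellcheck disable=SC2086
    $cmd
}

# Only act when invoked by charon (PLUTO_VERB set); sourcing the file
# for tests or inspection is then side-effect free.
if [ -n "${PLUTO_VERB:-}" ]; then
    run_route
fi
```

Point leftupdown= in the conn at this script (alongside, not instead of, the default _updown if you still want its firewall rules), and run `pfs_enabled` over the esp= value of each conn when porting an openswan pfs=yes configuration: a proposal without a modp/ecp suffix is the strongSwan equivalent of pfs=no.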