This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"missing nexthop" Problem in Version 3.031

Hi

The problem with " missings nexthop "gives still in the new version 3.031.  Somewhat unfortunate, I thought already it would now function.

Here the log file of IPSEC:

000 interface ipsec0/eth1 217.xxx.xxx.xxx
000
000 "Grevenmacher_1": 192.168.10.0/24===217.xxx.xxx.xxx...217.xxx.xxx.xxx---194.xxx.xxx.xxx===192.168.0.0/24
000 "Grevenmacher_1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Grevenmacher_1":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "Grevenmacher_1":   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000
000 #15: "Grevenmacher_1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 28s
000 #1: "Grevenmacher_1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1607s; newest ISAKMP

:: No VPN routing information is available ::

Mar  6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK to replace #3
Mar  6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: route-client output: SIOCADDRT: Network is unreachable
Mar  6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.0.0 netmask 255.255.255.0 dev ipsec0 gw 194.xxx.xxx.xxx' failed
Mar  6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
Mar  6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: route-client command exited with status 7
Mar  6 16:01:11 (none) Pluto[5612]: "Grevenmacher_1" #4: max number of retransmissions (2) reached STATE_QUICK_I1
Mar  6 16:01:11 (none) Pluto[5612]: "Grevenmacher_1" #4: starting keying attempt 4 of an unlimited number

Have you there a solution?  Thanks for your trouble: -)

thx

Stefan

This thread was automatically locked due to age.

Parents

0 tccoggs over 23 years ago

Well, the easiest temp fix is to edit the ipsec.conf file.

Login as root on you ASL box and do the following:

cd /
cd /var/chroot-ipsec/etc
vi ipsec.conf

Within this file, you'll see your connection properties. At one point you will see the left and right endpoints of the tunnel you are trying to create. After the left=x.x.x.x line, insert another line that reads "leftnexthop=x.x.x.x" which should be the equivlent of the DFG of the Left ASL box. Save this file.

Now, you will want to restart the ipsec dameon.

chroot /var/chroot-ipsec /usr/local/sbin/ipsec setup --restart

You should be good to go. Changes will remain through restarts, but if you add a new connection, these edits will get erased, and you will have to enter them again.

Hope this helps.
Cancel
Vote Up 0 Vote Down

Cancel
0 Polluxxx over 23 years ago in reply to tccoggs

Hi StefanS,

your logs log wired:

000 "Grevenmacher_1": 192.168.10.0/24===217.xxx.xxx.xxx...217.xxx.xxx.xxx---194.xxx.xxx.xxx===192.168.0.0/24

This line tells you:

the left subnet 192.168.10.0/24== is connected through gateway ==217.xxx.xxx.xxx.. via nextop ..217.xxx.xxx.xxx-- to gateway --194.xxx.xxx.xxx== with the right subnet --192.168.0.0/24.

Mar 6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.0.0 netmask 255.255.255.0 dev ipsec0 gw 194.xxx.xxx.xxx' failed

But in your log _updown tries to add a route the right subnet net 192.168.0.0 netmask 255.255.255.0 via nexthop
gw 194.xxx.xxx.xxx

Could you please check you ipsec.conf and post or send it to me to take a look.

Thanks Polluxxx
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Polluxxx over 23 years ago in reply to tccoggs

Hi StefanS,

your logs log wired:

000 "Grevenmacher_1": 192.168.10.0/24===217.xxx.xxx.xxx...217.xxx.xxx.xxx---194.xxx.xxx.xxx===192.168.0.0/24

This line tells you:

the left subnet 192.168.10.0/24== is connected through gateway ==217.xxx.xxx.xxx.. via nextop ..217.xxx.xxx.xxx-- to gateway --194.xxx.xxx.xxx== with the right subnet --192.168.0.0/24.

Mar 6 16:00:01 (none) Pluto[5612]: "Grevenmacher_1" #4: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 192.168.0.0 netmask 255.255.255.0 dev ipsec0 gw 194.xxx.xxx.xxx' failed

But in your log _updown tries to add a route the right subnet net 192.168.0.0 netmask 255.255.255.0 via nexthop
gw 194.xxx.xxx.xxx

Could you please check you ipsec.conf and post or send it to me to take a look.

Thanks Polluxxx
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 StefanS_01 over 23 years ago in reply to Polluxxx

Thanks for your assistance. :-)

Poluxx is here ipsec.conf.

It functioned if I " leftnexthop " enters afterwards manually.

with the version 2.xx to 3,020 of ASL I did not have problems in the
thing.

#.#.#.

#
# Default Configuration File for FreeS/WAN IPSEC
#

config setup
interfaces="ipsec0=eth1"
klipsdebug=none
plutodebug=none
dumpdir=
manualstart=
pluto=yes
plutoload=%search
plutostart=%search
plutowait=no
fragicmp=no
packetdefault=drop
hidetos=yes
uniqueids=yes
overridemtu=16260

conn %default
rekeymargin=9m
rekeyfuzz=100%
keyingtries=0

conn Grevenmacher_1
type=tunnel
keyexchange=ike
auth=esp
pfs=yes
keylife=28800
ikelifetime=3600
compress=no
left=217.6.xx.50 (external IP-Adress ASL)
right=194.154.xxx.194 (external IP-Adress remote Firewall)
auto=start
rightnexthop=217.6.xx.1 (Router to Internet "standard Gateway")
leftsubnet=192.168.10.0/255.255.255.0
rightsubnet=192.168.0.0/255.255.255.0
leftid=217.6.xx.50 (external IP-Adress ASL)
rightid=194.154.xxx.194 (external IP-Adress remote Firewall)
authby=secret

# If you want to add additional ipsec tunnels by hand,
# please add them below here

thx

Stefan
Cancel
Vote Up 0 Vote Down

Cancel
0 Polluxxx over 23 years ago in reply to StefanS_01

Hi StefanS,

oh I think we just found a bug,
I will contact Astaro and tell them to fix this.

Thx Polluxxx
Cancel
Vote Up 0 Vote Down

Cancel