This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NET2 NET IPSEC Problems

Hello all.  I have Astaro 3.202 on one end, and a Nortel VPN Router on the other end.  I have set up a PSK tunnel between those two boxes, and the logs look fine. However, I am not able to ping/telnet/traceroute between the two different networks.  Gives me a route error, telling me it is not able to set the route.  See the log:

Sep  6 14:09:04 wall Pluto[16319]: | pfkey_get: SADB_X_ADDFLOW message 317
Sep  6 14:09:04 wall Pluto[16319]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='mortentest_1' PLUTO_NEXT_HOP='213.151.148.147' PLUTO_INTERFACE='ipsec0' PLUTO_ME='194.29.200.37' PLUTO_MY_ID='194.29.200.37' PLUTO_MY_CLIENT='192.168.120.0/24' PLUTO_MY_CLIENT_NET='192.168.120.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='213.151.148.147' PLUTO_PEER_ID='213.151.148.147' PLUTO_PEER_CLIENT='172.19.0.0/16' PLUTO_PEER_CLIENT_NET='172.19.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' ipsec _updown
Sep  6 14:09:04 wall Pluto[16319]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='mortentest_1' PLUTO_NEXT_HOP='213.151.148.147' PLUTO_INTERFACE='ipsec0' PLUTO_ME='194.29.200.37' PLUTO_MY_ID='194.29.200.37' PLUTO_MY_CLIENT='192.168.120.0/24' PLUTO_MY_CLIENT_NET='192.168.120.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='213.151.148.147' PLUTO_PEER_ID='213.151.148.147' PLUTO_PEER_CLIENT='172.19.0.0/16' PLUTO_PEER_CLIENT_NET='172.19.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' ipsec _updown
Sep  6 14:09:04 wall Pluto[16319]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='mortentest_1' PLUTO_NEXT_HOP='213.151.148.147' PLUTO_INTERFACE='ipsec0' PLUTO_ME='194.29.200.37' PLUTO_MY_ID='194.29.200.37' PLUTO_MY_CLIENT='192.168.120.0/24' PLUTO_MY_CLIENT_NET='192.168.120.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='213.151.148.147' PLUTO_PEER_ID='213.151.148.147' PLUTO_PEER_CLIENT='172.19.0.0/16' PLUTO_PEER_CLIENT_NET='172.19.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' ipsec _updown
Sep  6 14:09:04 wall Pluto[16319]: "mortentest_1" #14: route-client output: SIOCADDRT: Network is unreachable
Sep  6 14:09:04 wall Pluto[16319]: "mortentest_1" #14: route-client output: /usr/local/lib/ipsec/_updown: `route add -net 172.19.0.0 netmask 255.255.0.0 dev ipsec0 gw 213.151.148.147' failed
Sep  6 14:09:04 wall Pluto[16319]: "mortentest_1" #14: route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing nexthop setting??)
Sep  6 14:09:04 wall Pluto[16319]: "mortentest_1" #14: route-client command exited with status 7
Sep  6 14:09:04 wall Pluto[16319]: | executing down-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='mortentest_1' PLUTO_NEXT_HOP='213.151.148.147' PLUTO_INTERFACE='ipsec0' PLUTO_ME='194.29.200.37' PLUTO_MY_ID='194.29.200.37' PLUTO_MY_CLIENT='192.168.120.0/24' PLUTO_MY_CLIENT_NET='192.168.120.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='213.151.148.147' PLUTO_PEER_ID='213.151.148.147' PLUTO_PEER_CLIENT='172.19.0.0/16' PLUTO_PEER_CLIENT_NET='172.19.0.0' PLUTO_PEER_CLIENT_MASK='255.255.0.0' ipsec _updown
Sep  6 14:09:04 wall Pluto[16319]: | delete eroute 192.168.120.0/24 -> 172.19.0.0/16 => tun.103e@213.151.148.147
Sep  6 14:09:04 wall Pluto[16319]: | finish_pfkey_msg: SADB_X_DELFLOW message 318 for flow tun.103e@213.151.148.147

Anyone have any idea what this is, and how to solve it?

Brgds,

Morten Pedersen

This thread was automatically locked due to age.

0 coronmang over 23 years ago

did you enable the network on the other end of the tunnel in your rules config ????
Cancel
Vote Up 0 Vote Down

Cancel
0 Morten Pedersen over 23 years ago in reply to coronmang

If I recall correctly, Yes I did enable the other network in my rules config.

I have been busy with other tasks the last months, but now I am ready to start with this problem again. This time with possibilities to do some research (I hope).

- Morten
Cancel
Vote Up 0 Vote Down

Cancel