
openswan eroute shows wrong IPs


I have about 200 tunnels defined, and I noticed something odd about a few of them. `ipsec auto --status` shows four separate leftsubnet instances for this peer:

[root@conn]# ipsec auto --status | grep 10.10.90.0
000 "connection-209.217.112.234-64.247.154.210-0/1x0": 10.10.10.0/24===209.217.112.234[@kan-ha-gw]...64.247.154.210===10.10.90.0/28; erouted; eroute owner: #95
000 "connection-209.217.112.234-64.247.154.210-0/2x0": 151.193.141.0/24===209.217.112.234[@kan-ha-gw]...64.247.154.210===10.10.90.0/28; erouted; eroute owner: #96
000 "connection-209.217.112.234-64.247.154.210-0/3x0": 10.10.13.0/24===209.217.112.234[@kan-ha-gw]...64.247.154.210===10.10.90.0/28; erouted; eroute owner: #97
000 "connection-209.217.112.234-64.247.154.210-0/4x0": 10.50.1.0/24===209.217.112.234[@kan-ha-gw]...64.247.154.210===10.10.90.0/28; erouted; eroute owner: #98

but `ipsec eroute` lists only three entries for that peer, all with the same left subnet (10.10.10.0/24) and the same tunnel SA (tun0x1063):

[root@conn]# ipsec eroute | grep 10.10.90.0
0          10.10.10.0/24      -> 10.10.90.0/28      => tun0x1063@64.247.154.210
0          10.10.10.0/24      -> 10.10.90.0/28      => tun0x1063@64.247.154.210
0          10.10.10.0/24      -> 10.10.90.0/28      => tun0x1063@64.247.154.210

I use the CentOS build of Openswan:
openswan-2.6.49.1-3.x86_64

We updated Openswan to 2.6.50; the symptoms are the same.

@washuu Can you please post your ipsec configuration?

Sure. Here is /etc/ipsec.conf:

version 2.0

config setup
    # Bind the KLIPS virtual interface ipsec0 to eth6.  The `ipsec eroute`
    # listing in this report is the KLIPS extrusion-route table.
    interfaces="ipsec0=eth6"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    # NOTE(review): virtual_private is only consulted for conns that use
    # vhost:%priv (NAT-traversed road warriors).  With nat_traversal=no
    # below it is presumably unused here -- confirm whether it is still
    # needed.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.50.1.0/24
    nat_traversal=no
    # nhelpers=0: no separate crypto helper processes are started.
    nhelpers=0

# Defaults inherited by every conn below, including the ones brought in
# by the include at the bottom.  NOTE(review): the connection file shown
# later in this report sets authby=secret, so the rsasig/%cert settings
# here are overridden for that conn.
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=2
    # NOTE(review): no unit suffix; check that a bare 10 is the intended
    # margin (seconds) before rekeying.
    rekeymargin="10"
    # Both ends run the same custom updown hook.  A per-conn file can
    # override it (the one shown later sets leftupdown="").
    leftupdown=/etc/ipsec.d/scripts/ipsec.updown
    rightupdown=/etc/ipsec.d/scripts/ipsec.updown
    leftsendcert=always
    # IKE proposals, offered in this order.  Security note: 3DES and the
    # *-md5 integrity variants are obsolete; once every peer is verified
    # to negotiate aes/aes256 with sha1 (or stronger), drop the 3des-*
    # and *-md5 entries so a downgrade to them is impossible.
    ike=3des-sha1,aes-sha1,3des-md5,aes-md5,aes256-sha1,aes256-md5

# Disable opportunistic encryption
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

# Per-peer connection definitions.  The glob matches file names of the
# form connection-<left-ip>-<right-ip>-<n>.
include /etc/ipsec.d/conn/connection-*-*-*

The per-peer connection files are pulled in by the `include` at the bottom. The file containing the connection to 10.10.90.0/28 is:


# Per-peer connection; the name matches the include glob in ipsec.conf.
conn connection-209.217.112.234-64.247.154.210-0
    right=64.247.154.210
    left=209.217.112.234
    # Pre-shared key authentication.  This overrides authby=rsasig (and
    # the %cert keys) inherited from conn %default.
    authby=secret
    # IDs redacted for this report.
    rightid="xxx"
    leftid="yyy"
    # Four left subnets: pluto instantiates one conn per subnet, which is
    # why `ipsec auto --status` lists this conn as .../1x0 through /4x0.
    leftsubnets={10.10.10.0/24,151.193.141.0/24,10.10.13.0/24,10.50.1.0/24}
    rightsubnet=10.10.90.0/28
    auto=start
    # IKE SA and IPsec SA lifetimes are both 24h.
    ikelifetime=86400s
    keylife=86400s
    # NOTE(review): the empty value overrides the %default updown script
    # for the left side only -- confirm this is intentional, since the
    # right side still runs /etc/ipsec.d/scripts/ipsec.updown.
    leftupdown=""
    # NOTE(review): each nexthop is set to the peer's own address (left's
    # nexthop is right, right's nexthop is left) -- presumably to route
    # straight to the peer; verify against the actual routing table.
    leftnexthop=64.247.154.210
    rightnexthop=209.217.112.234
    # Security note: pfs=no disables Perfect Forward Secrecy on IPsec SA
    # rekeys, so IPsec keys are derived from the IKE SA keying material
    # rather than a fresh DH exchange.  Consider pfs=yes if the peer
    # supports it.
    pfs=no