ipsec/strongswan Problem - Lug-dd

5 May 2009


      Hi,
ich habe ein Problem mit Strongswan: der Handshake an sich funktioniert, aber 
die virtuelle Route durch den Tunnel kann nicht hergestellt werden. Hat 
jemand eine Idee, was noch schiefläuft?
Strongswan: 4.2.4 (lenny), 4.2.9 (squeeze) (beide gleichermaßen betroffen)
Konrad
Tunnel-Config (Laptop):
------
conn devantv4
  left=%defaultroute
  leftsubnet=2001:6f8:125f:1001::/64
  leftsourceip=2001:6f8:125f:1001::ffff
  leftcert=devantCert.pem
  leftsendcert=yes
  right=dyn.silmor.de
  rightallowany=yes
  rightsubnet=2001:6f8:125f:1::/64
  rightsourceip=%config
  rightcert=bistromaticCert.pem
  type=tunnel
  auto=add
-------
Output von ipsec up:
----
initiating IKE_SA devantv4[1] to 217.235.121.202
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.16[500] to 217.235.121.202[500]
received packet: from 217.235.121.202[500] to 192.168.1.16[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
local host is behind NAT, sending keep alives
received cert request for "C=DE, O=home.silmor.de, CN=home.silmor.de, 
E=konrad@home.silmor.de"
received cert request for "C=AT"
sending cert request for "C=DE, O=home.silmor.de, CN=home.silmor.de, 
E=konrad@home.silmor.de"
authentication of 'C=AT' (myself) with RSA signature successful
establishing CHILD_SA devantv4
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CP SA TSi TSr 
N(MOBIKE_SUP) N(ADD_6_ADDR) ]
sending packet: from 192.168.1.16[4500] to 217.235.121.202[4500]
received packet: from 217.235.121.202[4500] to 192.168.1.16[4500]
parsed IKE_AUTH response 1 [ IDr AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
  using trusted certificate "C=DE, O=home.silmor.de, CN=home.silmor.de, 
E=konrad@home.silmor.de"
authentication of 'C=DE, O=home.silmor.de, CN=home.silmor.de, 
E=konrad@home.silmor.de' with RSA signature successful
scheduling reauthentication in 3269s
maximum IKE_SA lifetime 3449s
IKE_SA devantv4[1] established between 192.168.1.16[C=AT]...217.235.121.202
[C=DE, O=home.silmor.de, CN=home.silmor.de, E=konrad@home.silmor.de]
installing new virtual IP 2001:6f8:125f:1001::ffff
received netlink error: Numerical result out of range (34)
unable to install source route for 2001:6f8:125f:1001::ffff
--------