Introduction to FreeS/WAN



Table of Contents



Introduction
FreeS/WAN quick start guide
FreeS/WAN FAQ
Installing FreeS/WAN
Configuration
FreeS/WAN manual pages
FreeS/WAN and firewalls
Linux FreeS/WAN Troubleshooting Guide
Linux FreeS/WAN Compatibility Guide
Interoperation with other IPsec implementations
Performance of FreeS/WAN
Testing FreeS/WAN
Kernel configuration for FreeS/WAN
Other configuration possibilities
Linux FreeS/WAN background
FreeS/WAN script examples
History and politics of cryptography
The IPsec protocols
Mailing lists and newsgroups
Web links
Glossary for the Linux FreeS/WAN project
Bibliography for the Linux FreeS/WAN project
IPsec RFCs and related documents
Distribution Roadmap: What's Where in Linux FreeS/WAN

Introduction

This section gives an overview of:

This section is intended to cover only the essentials, things you should know before trying to use FreeS/WAN.

For more detailed background information, see the history and politics and IPsec protocols sections.

IPsec, Security for the Internet Protocol

FreeS/WAN is a Linux implementation of the IPsec (IP security) protocols. IPsec provides encryption and authentication services at the IP (Internet Protocol) level of the network protocol stack.

Working at this level, IPsec can protect any traffic carried over IP, unlike other encryption which generally protects only a particular higher-level protocol -- PGP for mail, SSH for remote login, SSL for web work, and so on. This approach has both considerable advantages and some limitations. For discussion, see our IPsec section.

IPsec can be used on any machine which does IP networking. Dedicated IPsec gateway machines can be installed wherever required to protect traffic. IPsec can also run on routers, on firewall machines, on various application servers, and on end-user desktop or laptop machines.

Three protocols are used

Our implementation has three main parts:

IPsec is optional for the current (version 4) Internet Protocol. FreeS/WAN adds IPsec to the Linux IPv4 network stack. Implementations of IP version 6 are required to include IPsec. Work toward integrating FreeS/WAN into the Linux IPv6 stack has started.

For more information on IPsec, see our IPsec protocols section, our collection of IPsec links or the RFCs which are the official definitions of these protocols.

Interoperating with other IPsec implementations

IPsec is designed to let different implementations work together. We provide:

The VPN Consortium fosters cooperation among implementers and interoperability among implementations. Their web site has much more information.

Applications of IPsec

Because IPsec operates at the network layer, it is remarkably flexible and can be used to secure nearly any type of Internet traffic. Two applications, however, are extremely widespread:

There is enough opportunity in these applications that vendors are flocking to them. IPsec is being built into routers, into firewall products, and into major operating systems, primarily to support these applications. See our list of implementations for details.

We support both of those applications, and various less common IPsec applications as well, but we also add one of our own:

This is an extension we are adding to the protocols. FreeS/WAN is the first prototype implementation, though we hope other IPsec implementations will adopt the technique once we demonstrate it. See project goals below for why we think this is important.

A somewhat more detailed description of each of these applications is below. Our quickstart section will show you how to build each of them.

Using secure tunnels to create a VPN

A VPN, or Virtual Private Network, lets two networks communicate securely when the only connection between them is over a third network which they do not trust.

The method is to put a security gateway machine between each of the communicating networks and the untrusted network. The gateway machines encrypt packets entering the untrusted net and decrypt packets leaving it, creating a secure tunnel through it.

If the cryptography is strong, the implementation is careful, and the administration of the gateways is competent, then one can reasonably trust the security of the tunnel. The two networks then behave like a single large private network, some of whose links are encrypted tunnels through untrusted nets.

Actual VPNs are often more complex. One organisation may have fifty branch offices, plus some suppliers and clients, with whom it needs to communicate securely. Another might have 5,000 stores, or 50,000 point-of-sale devices. The untrusted network need not be the Internet. All the same issues arise on a corporate or institutional network whenever two departments want to communicate privately with each other.

Administratively, the nice thing about many VPN setups is that large parts of them are static. You know the IP addresses of most of the machines involved. More important, you know they will not change on you. This simplifies some of the admin work. For cases where the addresses do change, see the next section.

Road Warriors

The prototypical "Road Warrior" is a traveller connecting to home base from a laptop machine. Administratively, most of the same problems arise for a telecommuter connecting from home to the office, especially if the telecommuter does not have a static IP address.

For purposes of this document:

These require somewhat different setup than VPN gateways with static addresses and with client systems behind them, but are basically not problematic.

There are some difficulties which appear for some road warrior connections:

In most situations, however, FreeS/WAN supports road warrior connections just fine.

Opportunistic encryption

One of the reasons we are working on FreeS/WAN is that it gives us the opportunity to add what we call opportunistic encryption. This means that any two FreeS/WAN gateways will be able to encrypt their traffic, even if the two gateway administrators have had no prior contact and neither system has any preset information about the other.

Both systems pick up the authentication information they need from the DNS (domain name service), the service they already use to look up IP addresses. Of course the administrators must put that information in the DNS, and must set up their gateways with opportunistic encryption enabled. Once that is done, everything is automatic. The gateways look for opportunities to encrypt, and encrypt whatever they can. Whether they also accept unencrypted communication is a policy decision the administrator can make.

This technique can give two large payoffs:

Opportunistic encryption is not (yet?) a standard part of the IPsec protocols, but an extension we are proposing and demonstrating. For details of our design, see links below.

Only one current product we know of implements a form of opportunistic encryption. Secure sendmail will automatically encrypt server-to-server mail transfers whenever possible.

The need to authenticate gateways

A complication, which applies to any type of connection -- VPN, Road Warrior or opportunistic -- is that a secure connection cannot be created magically. There must be some mechanism which enables the gateways to reliably identify each other. Without this, they cannot sensibly trust each other and cannot create a genuinely secure link.

Any link they do create without some form of authentication will be vulnerable to a man-in-the-middle attack. If Alice and Bob are the people creating the connection, a villain who can re-route or intercept the packets can pose as Alice while talking to Bob and pose as Bob while talking to Alice. Alice and Bob then both talk to the man in the middle, thinking they are talking to each other, and the villain gets everything sent on the bogus "secure" connection.

There are two ways to build links securely, both of which exclude the man-in-the-middle:

Automatic keying is much more secure, since if an enemy gets one key only messages between the previous re-keying and the next are exposed. It is therefore the usual mode of operation for most IPsec deployments, and the mode we use in our setup examples. FreeS/WAN does support manual keying for special circumstances. See this section.

For automatic keying, the two systems must authenticate each other during the negotiations. There is a choice of methods for this:

Public key techniques are much preferable, for reasons discussed later, and will be used in all our setup examples. FreeS/WAN does also support auto-keying with shared secret authentication. See this section.

The FreeS/WAN project

For complete information on the project, see our web site, freeswan.org.

In summary, we are implementing the IPsec protocols for Linux and extending them to do opportunistic encryption.

Project goals

Our overall goal in FreeS/WAN is to make the Internet more secure and more private.

Our IPsec implementation supports VPNs and Road Warriors of course. Those are important applications. Many users will want FreeS/WAN to build corporate VPNs or to provide secure remote access.

However, our goals in building it go beyond that. We are trying to help build security into the fabric of the Internet so that anyone who chooses to communicate securely can do so, as easily as they can do anything else on the net.

More detailed objectives are:

If we can get opportunistic encryption implemented and widely deployed, then it becomes impossible for even huge well-funded agencies to monitor the net.

See also our section on history and politics of cryptography, which includes our project leader's rationale for starting the project.

Project team

Two of the team are from the US and can therefore contribute no code: The rest of the team are Canadians, working in Canada. (Why Canada?) The project is funded by civil libertarians who consider our goals worthwhile. Most of the team are paid for this work.

People outside this core team have made substantial contributions. See

Additional contributions are welcome. See the FAQ for details.

Products containing FreeS/WAN

Unfortunately the export laws of some countries restrict the distribution of strong cryptography. FreeS/WAN is therefore not in the standard Linux kernel and not in all CD or web distributions.

FreeS/WAN is, however, quite widely used. Products we know of that use it are listed below. We would appreciate hearing, via the mailing lists, of any we don't know of.

Full Linux distributions

FreeS/WAN is included in various general-purpose Linux distributions, mostly from countries (shown in brackets) with more sensible laws:

For distributions which do not include FreeS/WAN and are not Red Hat (which we develop and test on), there is additional information in our compatibility section.

The server edition of Corel Linux (Canada) also had FreeS/WAN, but Corel have dropped that product line.

Office server distributions

FreeS/WAN is also included in several distributions aimed at the market for turnkey business servers:

Firewall

Several distributions intended for firewall and router applications include FreeS/WAN:

There are also several sets of scripts available for managing a firewall which is also acting as a FreeS/WAN IPsec gateway. See this list.

Firewall and VPN products

Several vendors use FreeS/WAN as the IPsec component of a turnkey firewall or VPN product.

Software-only products:

Products that include the hardware: Rebel.com, makers of the Netwinder Linux machines (ARM or Crusoe based), had a product that used FreeS/WAN. The company is in receivership so the future of the Netwinder is at best unclear. PKIX patches for FreeS/WAN developed at Rebel are listed in our web links document.

RPM sets

For some distributions which do not include FreeS/WAN, it may be possible to install using RPM (Red Hat Package Manager), rather than going through our more complex procedure.

Some caution is required on this. The RPMs are specific to a Linux distribution and an attempt to use them on another distribution is likely to cause problems.

RPMs for FreeS/WAN 1.91 and Red Hat 7.1 are available for download from Steamballoon. Check there for later versions.

As of version 1.93, the FreeS/WAN distribution incorporates some of the Steamballoon work, providing a facility for building your own RPMs. Details are in our installation document.

Information sources

This HowTo, in multiple formats

FreeS/WAN documentation up to version 1.5 was available only in HTML. Now we ship two formats:

and provide a Makefile to generate other formats if required:

The Makefile assumes the htmldoc tool is available. You can download it from Easy Software. You may need to get source code and change some of the limits in #define MAX_<whatever> statements near the end of its config.h.in file. Otherwise it core dumps when those limits are exceeded on large files such as our glossary.html.

All formats should be available at the following websites:

The distribution tarball has only the two HTML formats.

Note: If you need the latest doc version, for example to see if anyone has managed to set up interoperation between FreeS/WAN and whatever, then you should download the current snapshot. What is on the web is documentation as of the last release. Snapshots have all changes I've checked in to date.

Other documents in the distribution

Text files in the main distribution directory are README, INSTALL, CREDITS, CHANGES, BUGS and COPYING.

FreeS/WAN commands and library routines are documented in standard Unix manual pages, accessible via the man(1) command. We also provide them in HTML, accessible from this index. In the event of disagreement between this HowTo and the man pages, the man pages are more likely correct since they are written by the implementers. Please report any such inconsistency on the mailing list.

The gmp (GNU multi-precision arithmetic) and Libdes (encryption) libraries which we use each have their own documentation. You can find it in those library directories.

Background material

Throughout this documentation, I write as if the reader had at least a general familiarity with Linux, with Internet Protocol networking, and with the basic ideas of system and network security. Of course that will certainly not be true for all readers, and quite likely not even for a majority.

However, I must limit the amount of detail on these topics in the main text. If I tried to explain everything here, the result would be completely unreadable.

If one or more of those areas is unknown territory for you, there are plenty of other resources you could look at:

Linux
the Linux Documentation Project or a local Linux User Group and these links
IP networks
Rusty Russell's Networking Concepts HowTo and these links
security
Schneier's book Secrets and Lies and these links

Also, I do make an effort to provide some background material in these documents. All the basic ideas behind IPsec and FreeS/WAN are explained here. Explanations that do not fit in the main text, or that not everyone will need, are often in the glossary, which is the largest single file in this document set. All files are heavily sprinkled with links to each other and to the glossary. If some passage makes no sense to you, try the links.

For other reference material, see the bibliography and our collection of web links.

Of course, no doubt I get this (and other things) wrong sometimes. Feedback via the mailing lists is welcome.

Archives of the project mailing list

Until quite recently, there was only one FreeS/WAN mailing list, and archives of it were: The two archives use completely different search engines. You might want to try both.

More recently we have expanded to five lists, each with its own archive.

More information on mailing lists.

User-written HowTo information

Various user-written HowTo documents are available. The ones covering FreeS/WAN-to-FreeS/WAN connections are:

User-written HowTo material may be especially helpful if you need to interoperate with another IPsec implementation. We have neither the equipment nor the manpower to test such configurations. Users seem to be doing an admirable job of filling the gaps.

Check what version of FreeS/WAN user-written documents cover. The software is under active development and the current version may be significantly different from what an older document describes.

Papers on FreeS/WAN

Two design documents show current team thinking on new developments:

Both documents are works in progress and are frequently revised. For the latest version, see the design mailing list. Comments should go to that list.

There is now an Internet Draft on Opportunistic Encryption by Michael Richardson, Hugh Redelmeier and Henry Spencer. This is a first step toward getting the protocol standardised so there can be multiple implementations of it. Discussion of it takes place on the IETF IPsec Working Group mailing list.

A number of papers giving further background on FreeS/WAN, or exploring its future or its applications, are also available:

Several of these provoked interesting discussions on the mailing lists, worth searching for in the archives.

There are also several papers in languages other than English, see our web links.

License and copyright information

All code and documentation written for this project is distributed under either the GNU General Public License (GPL) or the GNU Library General Public License. For details see the COPYING file in the distribution.

Not all code in the distribution is ours, however. See the CREDITS file for details. In particular, note that the Libdes library and the version of MD5 that we use each have their own license.

Distribution sites

FreeS/WAN is available from a number of sites:

The "munitions" archive of Linux crypto software

There is also an archive of Linux crypto software called "munitions", with its own mirrors in a number of countries. It includes FreeS/WAN, though not always the latest version. Some of its sites are:

Any of those will have a list of other "munitions" mirrors. There is also a CD available.

Links to other sections

For more detailed background information, see:

To begin working with FreeS/WAN, go to:


FreeS/WAN quick start guide

This is a quick guide to and then setting up some common configurations: This should cover everything you need to set up

More complex requirements are covered elsewhere:

However, please read this quick start section first, before tackling the others.

Easy installation

There are two easy ways to install FreeS/WAN:

If your distribution does not include FreeS/WAN and no RPMs are available, see our installation from source document.

Enabling FreeS/WAN

Once you have FreeS/WAN on the system, ensure that it is enabled:

Set your boot loader to get the system booting with the new kernel. On many systems, you do this by editing lilo.conf(5) and running lilo(8). See the LILO mini-HowTo. On other systems, you might use grub(8). See the GRUB homepage.

Enable ipsec in your boot scripts. Typically, this is done with chkconfig(8). If this is unfamiliar territory, see the Power-up to Bash Prompt HowTo.

That's it. FreeS/WAN is installed.

Creating an RSA key

The next step is to generate an RSA key for your machine. These keys are used for machine-to-machine authentication in IPsec negotiations. Any system which will be the endpoint of an IPsec tunnel must have one.

RSA is a public key cryptographic technique. Keys are created as matched pairs. Each pair includes:

For FreeS/WAN, both keys for your system are in the ipsec.secrets(5) file. Maintaining security of this file is essential since it holds your private key.

To generate your key pair, give these commands as root:

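        # create the file under a restrictive umask so the private key is never readable by other users
        (umask 077; ipsec newhostkey > /etc/ipsec.secrets)
        chmod 600 /etc/ipsec.secrets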

Key generation may take some time, even on a fast system. Also, it needs a lot of random numbers so you may need to switch consoles and do something like typing a lot of text or running du / > /dev/null. These give random(4) some inputs to work with.

The RSA keys we generate are suitable only for authentication, not for encryption. IPsec uses them only for authentication. See our IPsec section for details.

Setting up opportunistic encryption

Opportunistic encryption makes some aspects of the setup and administration of IPsec easier.

For opportunistic encryption, you do not need to communicate with the administrator of a site before establishing secure communications to that site. In particular, you do not have to send them your keys or collect and authenticate theirs. All you have to do is set up your end correctly and from there on, everything is automatic.

One of the major goals of the FreeS/WAN project is to get opportunistic encryption widely enough deployed that a "FAX effect" comes into play. Neither a FAX machine nor opportunistic encryption is of much value if there are only a few installed, but both become much more useful as the installed base increases.

Widespread deployment of opportunistic encryption appears to be our best hope for making the Internet more secure. See discussion in our introduction.

Initiate-only opportunistic encryption

In this section, we treat the simplest case of opportunistic encryption:

This would apply to a standalone machine, or to a home gateway with some invisible NAT clients.

Given the above conditions, you can set up opportunistic encryption without having access to the DNS reverse map for your machine. The following sections cover situations where one or more of the above restrictions do not apply.

There are two steps:

Once this is done, your system will automatically encrypt whenever it can.

ipsec.conf(5) for initiate-only opportunism

The ipsec.conf(5) file for this setup is:

# general IPsec setup
config setup
        # Use the default interface
        interfaces=%defaultroute
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search

# defaults for subsequent connection descriptions
conn %default
        # How to authenticate gateways
        authby=rsasig
        # default is
        # load connection description into Pluto's database
        # so it can respond if another gateway initiates
        # individual connection descriptions may override this
        auto=add

# description for opportunistic connections
conn me-to-anyone
        also=our_stuff             # our system details, stored below
        right=%opportunistic       # anyone we can authenticate
        rightrsasigkey=%dns        # look up their key in DNS
        auto=route                 # set up for opportunistic
        rekey=no                   # let unused connections die

# description of our system
# included in other connection descriptions via also= lines
# must come after the lines that use it
conn our_stuff
        # all connections should use our default route
        # also controls the source address on IPsec packets
        left=%defaultroute
        # our identity for IPsec negotiations
        # must match what is in DNS and ipsec.secrets(5)
        leftid=@xy.example.com

The last line above is the only one that you need to edit for your system. All the rest is identical for any standalone machine doing opportunistic encryption.

There is no need to provide any keys in this file. Your private key is in ipsec.secrets(5) and, for opportunistic encryption, the public keys for remote gateways are all looked up in DNS.

Also note that the left and right designations here are arbitrary. You could reverse them above with no problems.

Initiate-only DNS key

You need to put your system's RSA public key in a DNS record so that systems you communicate with can find it.

Find a helpful DNS administrator

You need the co-operation of a DNS administrator somewhere for this, to place a KEY record so that you can use a name in some domain he or she controls. This need not be either the domain you get your IP address from or a domain that points to your system.

For example, a reverse lookup on the IP address for a home gateway might give 123.adsl.kalamazoo.example.net, and a forward lookup for example.dyndns.org might point to that gateway. You could use either of these names as your ID for IPsec purposes, if the admins at either example.net or dyndns.org co-operate.

If not, you can use any domain whose DNS administrator is willing to help out. You do not need an A record (address record, associating your chosen name with an address) in that domain, only a KEY record.

Generate a KEY record

You can generate a DNS KEY record containing your system's public key with the command:

     ipsec showhostkey

The result should look like this (with the key data trimmed down for clarity):

  ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
  xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/

The name here is taken from ipsec.secrets(5). If it is not what you want, edit that file to correct it, then run ipsec showhostkey again.

The name must also match what you used for leftid= in ipsec.conf(5).

Give this record to the DNS administrator, for insertion into the zone file of the domain.

Firewalling for a standalone system

Firewall rules on a standalone system doing IPsec -- opportunistic, "road warrior" remote access, or both -- can be very simple.

The first step is to allow IPsec packets (IKE on UDP port 500 plus ESP, protocol 50) in and out of your gateway. A script to set up iptables(8) rules for this is:

# edit this line to match the interface you use as default route
# ppp0 is correct for many modem, DSL or cable connections
# but perhaps not for you
world=ppp0
#
# allow IPsec
#
# IKE negotiations
iptables -A INPUT  -p udp -i $world --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o $world --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT  -p 50 -i $world -j ACCEPT
iptables -A OUTPUT -p 50 -o $world -j ACCEPT

Optionally, you could restrict this, allowing these packets only to and from a list of known gateways.

A second firewalling step -- access controls built into the IPsec protocols -- is automatically applied:

Pluto -- the FreeS/WAN keying daemon -- deals with the IKE packets. Pluto authenticates its partners during the IKE negotiation, and drops negotiation if authentication fails.

KLIPS -- the FreeS/WAN kernel component -- handles the ESP packets:

KLIPS drops outgoing packets if they are routed to IPsec, but no tunnel has been negotiated for them.
KLIPS drops incoming unencrypted packets if source and destination addresses match a tunnel; the packets should have been encrypted.
KLIPS drops incoming encrypted packets if source and destination address do not match the negotiated parameters of the tunnel that delivers them, or if packet-level authentication fails.

These errors are logged. See our troubleshooting document for details.

Optionally, you can add a third step using whatever additional firewall rules are required for your situation. These rules can recognise packets emerging from IPsec. They are marked as arriving on an interface such as ipsec0, rather than eth0, ppp0 or whatever. For example, in an iptables(8) rule set, you would use:

-i ipsec+
to specify packets arriving on any ipsec device
-o ipsec+
to specify packets leaving via any ipsec device

It is therefore straightforward to apply whatever additional filtering you like to these packets.

Testing opportunistic connections

To check that opportunistic encryption is working, point a browser to oetest.freeswan.org, a host we have set up to do opportunistic encryption for testing. A link there will tell you whether or not you have an encrypted connection.

If using a browser is inconvenient, take these steps:

You should see a tunnel to the opportunistic host.

When FreeS/WAN cannot set up an opportunistic connection, and no explicit tunnel has been configured, its default is to allow the traffic through in the clear. For the non-opportunistic host, you should see a %pass eroute (IPsec route), the FreeS/WAN mechanism that implements that default.

Accepting incoming requests for opportunistic encryption

If you need to let others initiate encrypted connections to your system -- for example, if you run services on your machine and want remote clients to be able to access them securely -- then you need to do a bit more.

There are two steps in the setup.

Both need to be a little different than in the initiate-only case.

For incoming connections, you are not the initiator so you cannot use the first message to tell the other end the identity you wish to use. You must be able to handle having the other end identify you by IP address. In many cases, that will be all the remote gateway knows.

ipsec.conf(5) to accept incoming opportunistic

Only one change is needed in the ipsec.conf(5) file. You use an IP address instead of a name as your identity. For example, with the address 1.2.3.4, the section describing your system becomes:

# description of our system
# included in other connection descriptions via also= lines
# must come after the lines that use it
conn our_stuff
        # all connections should use our default route
        # also controls the source address on IPsec packets
        left=%defaultroute
        # our identity for IPsec negotiations
        # must match what is in DNS and ipsec.secrets(5)
        leftid=1.2.3.4

You must make a matching change in ipsec.secrets(5), so that the identifier for your secret key is also "1.2.3.4".

DNS for incoming opportunistic connections

To accept incoming connections, you need to put a KEY record in the DNS reverse map for your gateway. The initiator will not always know your gateway's name. It must be possible to look up the key knowing only the IP address.

The record you need looks like this:

  ; RSA 2048 bits   gateway.example.com   Sat Apr 15 13:53:22 2000
  4.3.2.1.in-addr.arpa.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/

Generate a record with ipsec showhostkey, and then edit it to insert the IP address.

As always, IP addresses in the reverse map are written backwards. In the above example, the gateway IP address is 1.2.3.4.
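The edit described above, as an added example that is not part of the FreeS/WAN distribution: it rewrites the owner name of an ipsec showhostkey record to the reverse-map form and, before doing so, checks that the key data decodes as an RSA key (RFC 2537 layout) of the size the comment line claims. The function names are made up for illustration, the key is constructed filler rather than a real key, and the expected field values 0x4200 4 1 are simply the ones shown in the records on this page.

```python
import base64
import ipaddress

# Flags, protocol and algorithm fields as shown in the KEY records on this page.
EXPECTED_FIELDS = ("0x4200", "4", "1")


def parse_rsa_key(keydata_b64):
    """Decode KEY record key data (RFC 2537 layout) into (exponent, modulus)."""
    # validate=True rejects anything that is not base64, e.g. a key that was
    # trimmed with "..." for display.
    raw = base64.b64decode(keydata_b64, validate=True)
    if len(raw) < 3:
        raise ValueError("key data too short")
    if raw[0] != 0:                      # one-octet exponent length
        elen, offset = raw[0], 1
    else:                                # zero octet, then two-octet length
        elen, offset = int.from_bytes(raw[1:3], "big"), 3
    if elen == 0 or len(raw) <= offset + elen:
        raise ValueError("key data truncated")
    exponent = int.from_bytes(raw[offset:offset + elen], "big")
    modulus = int.from_bytes(raw[offset + elen:], "big")
    return exponent, modulus


def reverse_map_record(showhostkey_output, gateway_ip):
    """Return (record for the reverse map, modulus size in bits)."""
    declared_bits, record = None, None
    for line in showhostkey_output.splitlines():
        words = line.split()
        if words[:2] == [";", "RSA"] and len(words) > 2 and words[2].isdigit():
            declared_bits = int(words[2])          # "; RSA 2048 bits ..."
        elif len(words) >= 7 and words[1:3] == ["IN", "KEY"]:
            record = words
    if record is None:
        raise ValueError("no KEY record found")

    flags, proto, alg = record[3:6]
    if (flags, proto, alg) != EXPECTED_FIELDS:
        raise ValueError("unexpected KEY fields: %s %s %s" % (flags, proto, alg))

    keydata = "".join(record[6:])                  # key data may be split by spaces
    _exponent, modulus = parse_rsa_key(keydata)
    bits = modulus.bit_length()
    if declared_bits is not None and declared_bits != bits:
        raise ValueError("comment says %d bits, key has %d" % (declared_bits, bits))

    # 1.2.3.4 becomes 4.3.2.1.in-addr.arpa. (addresses are written backwards)
    owner = ipaddress.IPv4Address(gateway_ip).reverse_pointer + "."
    return "%s   IN   KEY   %s %s %s %s" % (owner, flags, proto, alg, keydata), bits


def constructed_sample():
    """Constructed showhostkey-style output: exponent 3, 2048-bit filler modulus."""
    modulus = bytes([0x85]) + bytes([0xA7] * 254) + bytes([0x01])
    keydata = base64.b64encode(bytes([1, 3]) + modulus).decode()
    return ("; RSA 2048 bits   gateway.example.com   Sat Apr 15 13:53:22 2000\n"
            "gateway.example.com.   IN   KEY   0x4200 4 1 %s\n" % keydata)


if __name__ == "__main__":
    line, size = reverse_map_record(constructed_sample(), "1.2.3.4")
    print("; RSA %d bits, reverse-map form" % size)
    print(line[:60] + "...")
```

A record copied from documentation with the key data trimmed fails the base64 check, which is the case worth catching before the record reaches the zone file.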

Firewalling incoming opportunistic connections

The basic firewalling for IPsec does not change when you support incoming connections as well as connections you initiate. You must still allow IKE (UDP port 500) and ESP (protocol 50) packets to and from your machine, as in the rules given above.

However, there are additional security concerns when you allow incoming opportunistic connections. This creates an additional path to your machine, so you need to check your rules to see that this does not provide a means for EvilDoers to bypass protections you have set up on other paths.

In particular, look at any rules you have that depend on interfaces, rules using -i ppp+, -o eth1 or similar expressions. You may need analogous rules for your ipsec interfaces.

An opportunistic gateway

Next we expand from a standalone system (which protects only its own traffic) to a gateway (which protects traffic for other systems).

There is one special case in which gateway configuration is quite simple -- if all the machines behind the gateway are hidden from the Internet. We describe that first, then go on to describe gateways for visible clients.

NAT for hidden clients

If your gateway uses NAT to allow machines to access the Internet without having their own routable IP addresses, then from the point of view of anyone else on the Internet:

For purposes of IPsec across the Internet, your gateway can be treated as a standalone machine. Consequently, For a more detailed discussion of NAT, see our background section.

Gateway for visible clients

Many gateways will need to support client systems which have routable addresses and are visible to the Internet. This involves:

ipsec.conf(5) for an opportunistic gateway

You need only make a few additions to the ipsec.conf(5) file:

The additions to the ipsec.conf(5) file might be:

# opportunistic connections for client systems
# our gateway will build opportunistic tunnels on behalf of any
# machine in the specified subnet
conn subnet-to-anyone
        also=gate_stuff             # our system details, stored below
        also=public_subnet          # subnet description, below
        auto=route                  # set up for opportunistic
        right=%opportunistic        # anyone we can authenticate via DNS
        rekey=no                    # let unused connections die

# description of the subnet this gateway encrypts for
# numbers used here are arbitrary, just for example
conn public_subnet
       leftsubnet=42.42.42.0/24 

There is one small thing to be careful of here. An also= line must appear in the file before the conn it references, so the first section above must appear before conn gate_stuff.

Supporting additional subnets
If required, a gateway can easily provide this service for more than one subnet. You just add a connection description and a subnet description for each. For example, leaving everything else above unchanged, you could add these sections:
# opportunistic connections for additional systems
conn second-to-anyone
        also=gate_stuff             # our system details, stored below
        also=second_subnet          # subnet description, below
        right=%opportunistic        # anyone we can authenticate via DNS
        rekey=no                    # let unused connections die

# description of a second subnet this gateway encrypts for
# numbers used here are arbitrary, just for example
conn second_subnet
       leftsubnet=101.102.103.0/24 

Again, you need a little care so that also= lines always come before the sections they reference.

The subnets used in these descriptions need not correspond to physical subnets. This is discussed in more detail in our advanced configuration document.
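The ordering rule for also= lines can be checked mechanically. The script below is an added example, not part of the FreeS/WAN distribution; it also reports also= lines whose target conn is missing altogether, and the contents of conn gate_stuff in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN distribution.
# check_also_order: read an ipsec.conf on stdin and report every also= line
# whose target conn is missing or appears earlier in the file than the line
# that uses it. Returns 0 when the ordering is correct, 1 otherwise.
check_also_order() {
    awk '
        { sub(/#.*/, ""); sub(/[ \t]+$/, "") }      # drop comments, trailing blanks
        /^config[ \t]/ { current = ""; next }         # "config setup" is not a conn
        /^conn[ \t]+/ {                               # start of a conn section
            current = $2
            if (!(current in defined_at)) defined_at[current] = NR
            next
        }
        current != "" && /^[ \t]+also[ \t]*=/ {       # also=target inside a conn
            target = $0
            sub(/^[ \t]+also[ \t]*=[ \t]*/, "", target)
            n++
            ref_from[n] = current; ref_to[n] = target; ref_line[n] = NR
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                t = ref_to[i]
                if (!(t in defined_at)) {
                    printf "line %d: conn %s: also=%s names no conn in this file\n", ref_line[i], ref_from[i], t
                    bad = 1
                } else if (defined_at[t] < ref_line[i]) {
                    printf "line %d: conn %s: also=%s is defined earlier, at line %d\n", ref_line[i], ref_from[i], t, defined_at[t]
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample: the gateway sections from the text, but with
# conn gate_stuff placed first, which breaks the ordering rule.
sample_misordered() {
cat <<'EOF'
conn gate_stuff
        left=%defaultroute
        leftid=@gateway.example.com

conn subnet-to-anyone
        also=gate_stuff             # our system details
        also=public_subnet          # subnet description, below
        auto=route
        right=%opportunistic
        rekey=no

conn public_subnet
        leftsubnet=42.42.42.0/24
EOF
}

# Demo: reports the one misordered reference in the sample.
sample_misordered | check_also_order || true
```

Run it against a real file with check_also_order < /etc/ipsec.conf; files pulled in by include lines are not followed and must be checked in the position where they are included.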

DNS entries for an opportunistic gateway

We assume you already have a KEY record in the reverse map so your gateway can accept incoming connections as described above.

For the gateway to provide an opportunistic encryption service for other systems, it must be possible for the initiator of an IPsec connection to:

This is done by adding a TXT record to the reverse map for the endpoint. The record (with key shortened) looks like this:
        ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
        IN TXT  "X-IPsec-Server(10)=1.2.3.4 AQOF8tZ2...+buFuFn/"
This record must be generated on the gateway so it can get the key from ipsec.secrets(5). The command is:
     ipsec showhostkey --txt 1.2.3.4
You must supply the gateway IP address on the command line.

One of these records is required in the reverse map for each system using this gateway for opportunistic IPsec. You insert it in the reverse map part of the zone file right after the line for that system's IP address, so part of the file might look like this:

      1.42.42.42.in-addr.arpa. IN PTR arthur.example.com 
        ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
        IN TXT  "X-IPsec-Server(10)=1.2.3.4 AQOF8tZ2...+buFuFn/"
      2.42.42.42.in-addr.arpa. IN PTR ford.example.com 
        ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
        IN TXT  "X-IPsec-Server(10)=1.2.3.4 AQOF8tZ2...+buFuFn/"
      3.42.42.42.in-addr.arpa. IN PTR trillian.example.com 
        ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
        IN TXT  "X-IPsec-Server(10)=1.2.3.4 AQOF8tZ2...+buFuFn/"
You need one TXT record per client, but the TXT records can all be identical.
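One way to audit the reverse map for this requirement, as an added example that is not part of FreeS/WAN: it lists every owner that has a PTR record but no X-IPsec-Server TXT record naming the expected gateway. The zone text is constructed from the fragment above, with ford's TXT record left out and trillian's pointing at a different gateway (1.2.3.5) on purpose.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN distribution.
# missing_oe_txt GATEWAY_IP: read reverse-map zone text on stdin and print
# every owner name that has a PTR record but no X-IPsec-Server TXT record
# naming GATEWAY_IP. Returns 0 when every client is covered, 1 otherwise.
missing_oe_txt() {
    awk -v gw="$1" '
        /^[ \t]*;/ || /^[ \t]*$/ { next }            # comment or blank line
        $1 ~ /\.in-addr\.arpa\.?$/ {                 # line that names its owner
            owner = $1
            if (!(owner in seen)) { seen[owner] = 1; order[++n] = owner }
        }
        owner == "" { next }                         # record before any owner
        {
            # the record type follows the optional owner, TTL and class fields
            for (i = 1; i <= NF && i <= 4; i++) {
                if ($i == "PTR")
                    has_ptr[owner] = 1
                if ($i == "TXT" && index($0, "X-IPsec-Server(") && index($0, "=" gw " "))
                    has_txt[owner] = 1
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                if (has_ptr[order[i]] && !has_txt[order[i]]) {
                    print order[i]
                    bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample based on the zone fragment in the text.
sample_reverse_map() {
cat <<'EOF'
1.42.42.42.in-addr.arpa. IN PTR arthur.example.com
        ; RSA 2048 bits  gateway.example.com   Sat Apr 15 13:53:22 2000
        IN TXT  "X-IPsec-Server(10)=1.2.3.4 AQOF8tZ2...+buFuFn/"
2.42.42.42.in-addr.arpa. IN PTR ford.example.com
3.42.42.42.in-addr.arpa. IN PTR trillian.example.com
        ; constructed: names a gateway other than 1.2.3.4
        IN TXT  "X-IPsec-Server(10)=1.2.3.5 AQOF8tZ2...+buFuFn/"
EOF
}

# Demo: lists the two clients that gateway 1.2.3.4 does not cover.
sample_reverse_map | missing_oe_txt 1.2.3.4 || true
```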

Firewalling for gateways

On a gateway, the IPsec-related firewall rules applied for input and output on the Internet side are exactly as shown above. A gateway exchanges exactly the same things -- UDP 500 packets and IPsec packets -- with other gateways that a standalone system does, so it can use exactly the same firewall rules as a standalone system would.

However, on a gateway there are additional things to do:

You need additional rules to handle these things. For example, adding some rules to the set shown above we get:

# edit this line to match the interface you use as default route
# ppp0 is correct for many modem, DSL or cable connections
# but perhaps not for you
world=ppp0
#
# edit these lines to describe your internal subnet and interface
localnet=42.42.42.0/24
internal=eth1
#
# allow IPsec
#
# IKE negotiations
iptables -A INPUT  -p udp -i $world --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o $world --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT  -p 50 -i $world -j ACCEPT
iptables -A OUTPUT -p 50 -o $world -j ACCEPT
#
# packet forwarding for an IPsec gateway
# simplest possible rules
# forward everything, with no attempt to filter
#
# handle packets emerging from IPsec
# ipsec+ means any of ipsec0, ipsec1, ...
iptables -A FORWARD -d $localnet -i ipsec+ -j ACCEPT
# simple rule for outbound packets
# let local net send anything
# IPsec will encrypt some of it
iptables -A FORWARD -s $localnet -i $internal -j ACCEPT 

On a production gateway, you would no doubt need tighter rules than the above. For details, see:

"Road Warrior" remote access

A common requirement is for pre-configured connections between a specific network and some set of remote machines. For example, an office network will often need to provide remote access services for:

We refer to the remote machines as "Road Warriors". For purposes of IPsec, anyone with a dynamic IP address is a road warrior.

Of course, if both the warrior and the gateway at the office are set up for opportunistic encryption, then you may not need the pre-configured connection. Here we assume that you do need it. For example:

This section has three sub-sections:

On either end, the opportunistic setup is unaffected by this. You leave it in place so both systems can continue to do opportunistic encryption with everyone but each other.

Information exchange

To set up an explicitly configured connection, you need some information about the system on the other end.

Connection descriptions use left and right to designate the two ends. We adopt the convention that, from the gateway's point of view left=local and right=remote.

The gateway administrator needs to know some things about each Road Warrior:

To get this information, in a format suitable for insertion directly into the gateway's ipsec.conf(5) file, issue this command on the Warrior machine:

        ipsec showhostkey --right
The output should look like this (with the key shortened for easy reading):
        rightid=@xy.example.com
        rightrsasigkey=0s1LgR7/oUM...

The Road Warrior needs to know:

which can be generated by running ipsec showhostkey --left on the gateway. Each Warrior must also know:

This information should be provided in a convenient format, ready for insertion in the Warrior's ipsec.conf(5) file. For example:

        left=1.2.3.4
        leftsubnet=42.42.42.0/24
        leftid=@gateway.example.com
        leftrsasigkey=0s1LgR7/oUM...

The gateway administrator typically needs to generate this only once. The same file can be given to all Warriors.

Of course it is also possible to provide different versions (in particular, access to different subnets) to different groups of Warriors. See our advanced configuration document.

Setup on the Road Warrior machine

To set up a Road Warrior machine, we start from the opportunistic initiator setup shown above.

We need to add a connection description for the pre-configured tunnel. Since we want to be right in that description, we reverse the opportunistic description so we are right there too.

Connection description for a pre-configured tunnel

We insert the new connection description before the conn our_stuff section, so that it can use an also= line referring to that section.
# description for opportunistic connections
# reversed from previous example
conn me-to-anyone
        also=our_stuff             # our system details, stored below
        left=%opportunistic        # anyone we can authenticate
        leftrsasigkey=%dns         # look up their key in DNS
        auto=route                 # set up for opportunistic
        rekey=no                   # let unused connections die

# pre-configured link to office network
# added for this example
conn us-to-office
        also=our_stuff             # our system details, stored below
        #
        # information obtained from office system admin
        # goes to the right of the = signs in these lines
        # values shown here are just for example
        # 
        left=1.2.3.4                # gateway IP address
        leftsubnet=42.42.42.0/24    # the office network
        leftid=@gateway.example.com
        # real keys are much longer than shown here
        leftrsasigkey=0s1LgR7/oUM...

# description of our system
# included in other connection descriptions via also= lines
# must come after the lines that use it
# reversed from previous example
conn our_stuff
        # all connections should use our default route
        # also controls the source address on IPsec packets
        right=%defaultroute
        # our identity for IPsec negotiations
        # must match what is in DNS and ipsec.secrets(5)
        rightid=@xy.example.com

Everything else remains as it was when we had only opportunistic connections.

We could easily add more connections as required, perhaps one each for his office, her office, the kid's school, ... The file would grow longer, but nothing already in the file would need to change.

Road Warrior support on an office gateway

Adding road warrior support so people can connect remotely to your office network is straightforward.

We start from the opportunistic gateway setup shown above.

Putting connection descriptions in separate files

You could put a complete connection description for each Warrior in your ipsec.conf(5) file, but this makes for a rather unmanageable file if you have many Warriors.

Instead, we suggest you give each warrior its own file, choosing some directory and naming convention that suits your system and style.

For this example, we use the directory /etc/ipsec.road and use filenames based on IPsec ID, so the Warrior using ID xy.example.com gets a file named xy.conf.

Using such files, you need add only one line to ipsec.conf(5). With our naming convention, the line is:

      include /etc/ipsec.road/*.conf

FreeS/WAN will then read all those files and behave as if they were part of the ipsec.conf(5) file.

This needs to come before the conn gate_stuff section, so that the Warriors' connection descriptions can use also=gate_stuff. A convenient place for the line is right after the conn %default section.

Each of the Road Warrior files then contains a connection description for that Warrior. For example:

# connection description for Road Warrior "xy"
conn gate-xy
        # use the gateway description in ipsec.conf(5)
        also=gate_stuff
        # allow connection attempt from any address
        # attempt fails if caller cannot authenticate
        right=%any
        # authentication information
        rightid=@xy.example.com
        rightrsasigkey=0s1LgR7/oUM...

With this technique, it becomes fairly simple to administer a gateway that supports many Road Warriors. For example:

To add a new user, simply add a suitable file.

To disable an account -- for example if a key is compromised -- first remove the file, then take any existing connection down with:

        ipsec auto --down connection
and delete it from Pluto's internal database with:
        ipsec auto --delete connection

If you have many users, it would be worthwhile to write scripts to automate such tasks.
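A script for the disable step might look like the following. It is an added example, not part of the FreeS/WAN distribution; the IPSEC variable, the .disabled suffix and the choice to rename the file instead of deleting it are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the FreeS/WAN distribution.
# Disable one Road Warrior using the steps given in the text: take the
# Warrior's file out of the include path, then --down and --delete its conns.
ROAD_DIR=${ROAD_DIR:-/etc/ipsec.road}   # directory used in the text
IPSEC=${IPSEC:-ipsec}                   # IPSEC="echo ipsec" prints the commands instead

# disable_warrior NAME   (NAME is the file name without .conf, for example xy)
disable_warrior() {
    name=$1
    # Accept only plain names, so NAME cannot leave $ROAD_DIR or look like an option.
    case $name in
        ''|.*|-*|*[!A-Za-z0-9_.-]*)
            echo "disable_warrior: bad name: $name" >&2
            return 2 ;;
    esac
    file=$ROAD_DIR/$name.conf
    if [ ! -f "$file" ]; then
        echo "disable_warrior: $file not found" >&2
        return 1
    fi

    # Read the conn names first; they are needed after the file is gone.
    conns=$(awk '/^conn[ \t]+/ { print $2 }' "$file")

    # Step 1: rename the file so that include /etc/ipsec.road/*.conf no longer
    # matches it. It is renamed rather than deleted, to keep a record.
    mv -- "$file" "$file.disabled" || return 1

    # Step 2: take down any live connection, then delete it from Pluto.
    rc=0
    for c in $conns; do
        $IPSEC auto --down "$c" || true      # harmless failure if it is not up
        $IPSEC auto --delete "$c" || rc=1
    done
    return $rc
}

# Run as: sh disable-warrior.sh xy
[ $# -eq 0 ] || disable_warrior "$1"
```

The file is taken out of the include path before the connection is torn down, matching the order given above, so a restart in between cannot load the disabled description again.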

Network-to-network VPN

Often it is useful to have explicitly configured IPsec tunnels between different offices of an organisation, or between organisations that have joint projects.

Of course, if both offices are set up for opportunistic encryption and the security policies in place allow you to use that, explicitly configured tunnels become unnecessary. However, this will not always be the case.

Gateway setup for net-to-net

Adding a network-to-network tunnel does not require any change to the opportunistic or Road Warrior parts of your ipsec.conf(5). You can keep those parts exactly as shown above.

Of course, a network-to-network tunnel requires its own connection description, so you have to add that. There are two ways to do this.

identical connection description on the two ends
        needs to specify more detail so the machine can figure out which end it is on
slightly different descriptions on the two ends
        needs less detail, but you need to manage two descriptions
Choose whichever is more convenient to administer in your environment.

A connection description that works on either end

Here is a network-to-network tunnel description from our examples file:
# sample tunnel
# The network here looks like:
#   leftsubnet====left----leftnexthop......rightnexthop----right====rightsubnet
# If left and right are on the same Ethernet, omit leftnexthop and rightnexthop.
conn sample
        # left security gateway (public-network address)
        left=10.0.0.1
        # next hop to reach right
        leftnexthop=10.44.55.66
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g., subnet behind it, and next hop to reach left
        right=10.12.12.1
        rightnexthop=10.88.77.66
        rightsubnet=192.168.0.0/24
        auto=start
If you give an explicit IP address for left (and left and right are not directly connected), then you must specify leftnexthop (the router which left sends packets to in order to get them delivered to right). Similarly, you may need to specify rightnexthop (vice versa).

The *nexthop parameters are needed because of an unfortunate interaction between FreeS/WAN and the kernel routing code. They will be eliminated in a future release, but perhaps not soon. We know they should go, but getting them out is not a simple problem.

This description can be generated on either machine and simply inserted in the ipsec.conf(5) file on the other. No change is required or desired.

Using slightly different descriptions

Provided both machines do IPsec over the interface that is their default route to the Internet (a common case, but by no means the only one) you can simplify the description somewhat.

When using left=%defaultroute, you do not need to specify leftnexthop. left does not need to know rightnexthop either, so on left the connection description can be:

conn sample
        # left security gateway (public-network address)
        left=%defaultroute
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g., subnet behind it
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        auto=start
On right it is:
conn sample
        # left security gateway (public-network address)
        left=10.0.0.1
        # subnet behind left (omit if there is no subnet)
        leftsubnet=172.16.0.0/24
        # right s.g., subnet behind it
        right=%defaultroute
        rightsubnet=192.168.0.0/24
        auto=start

What next?

At this point, we have covered setup for opportunistic encryption and for simple cases of Road warrior and VPN connections. You have several choices for what to look at next:


FreeS/WAN FAQ

This is a collection of questions and answers, mostly taken from the FreeS/WAN mailing list. See the project web site for more information. All the FreeS/WAN documentation is online there.

Contributions to the FAQ are welcome. Please send them to the project mailing list.


Index of FAQ questions


What is FreeS/WAN?

FreeS/WAN is a Linux implementation of the IPsec protocols, providing security services at the IP (Internet Protocol) level of the network.

For more detail, see our introduction document or the FreeS/WAN project web site.

How do I report a problem or seek help?

See our troubleshooting document. It may guide you to a solution. If not, see its problem reporting section.

Basically, what it says is give us the output from ipsec barf from both gateways. Without full information, we cannot diagnose a problem. However, ipsec barf produces a lot of output. If at all possible, please make barfs accessible via the web or FTP rather than sending enormous mail messages.

Use the mailing list for problem reports, rather than mailing developers directly. This gives you access to more expertise, including users who may have encountered and solved the same problems. In particular, for problems involving interoperation with another IPsec implementation, the users often know more than the developers.

Using the list may also be important in relation to various cryptography export laws. A US citizen who provides technical assistance to foreign cryptographic work might be charged under the arms export regulations. Such a charge would be easier to defend if the discussion took place on a public mailing list than if it were done in private mail.

Generic questions

This is too complicated. Isn't there an easier way?

There are a number of Linux distributions or firewall products which include FreeS/WAN. See this list. Using one of these, chosen to match your requirements and budget, may save you considerable time and effort. (If you don't know your requirements, start by reading Schneier's Secrets and Lies. That gives the best overview of security issues I have seen.)

If you want the help of a contractor, or to hire staff with FreeS/WAN expertise, you could:

For companies offering support, see the next question.

Can I get commercial support for this product?

Many of the distributions or firewall products which include FreeS/WAN (see this list) come with commercial support or have it available as an option.

Various companies specialize in commercial support of open source software. Our project leader was a founder of the first such company, Cygnus Support. It has since been bought by Redhat. Another such firm is Linuxcare.

Can I modify FreeS/WAN to ...?

You are free to modify FreeS/WAN in any way. See the discussion of licensing in our introduction document.

Can I contribute to the project?

In general, we welcome contributions from the community. Various contributed patches, either to fix bugs or to add features, have been incorporated into our distribution. Other patches, not yet included in the distribution, are listed in our web links section.

Users have also contributed heavily to documentation, both by creating their own HowTos and by posting things on the mailing lists which I have quoted in these HTML docs.

There are, however, some caveats.

FreeS/WAN is being implemented in Canada, by Canadians, largely to ensure that it is entirely free of export restrictions. See this discussion. We cannot accept code contributions from US residents or citizens, not even one-line bug fixes. The reasons for this were recently discussed extensively on the mailing list, in a thread starting here.

Not all contributions are of interest to us. The project has a set of fairly ambitious and quite specific goals, described in our introduction. Contributions that lead toward these goals are likely to be welcomed enthusiastically. Other contributions may be seen as lower priority, or even as a distraction.

Is there detailed design documentation?

There are: The only formal design documents are a few papers in the last category above. All the other categories, however, have things to say about design as well.

Will FreeS/WAN work in my environment?

Is a ... fast enough to handle FreeS/WAN with ... connections?

A quick summary:
FreeS/WAN can run happily on limited machines.
        A 486 can handle a T1, ADSL or cable link, though the machine may be breathing hard.
Most requirements can be met
        A current (mid-2001) technology PC handling 20 Megabits per second of IPsec processing will still have some cycles available for other tasks.
There are definite limits at the high end
        A current high end CPU might handle a loaded T3 at 45 Mbit/second. However, it will not even come close to handling a fully loaded 100 Mbit/second Ethernet link, let alone 155 Mbit/second OC3.
Beyond that, the picture is not clear. Much depends on details of your network, your traffic, and other loads on both machine and net.

See our FreeS/WAN performance document for more detail.

Can FreeS/WAN talk to ...?

The IPsec protocols are designed to support interoperation. In theory, any two IPsec implementations should be able to talk to each other.

In practice, it is considerably more complex. We have a whole interop document devoted to it.

Can different FreeS/WAN versions talk to each other?

Linux FreeS/WAN can interoperate with many IPsec implementations, including earlier versions of Linux FreeS/WAN itself.

In a few cases, there are some complications. See our interoperation document for details.

Will FreeS/WAN run on my version of Linux?

We build and test on Redhat distributions, but FreeS/WAN runs just fine on several other distributions, sometimes with minor fiddles to adapt to the local environment. Details are in our compatibility document. Also, some distributions or products come with FreeS/WAN included.

FreeS/WAN is intended to run on all CPUs Linux supports. As of June 2000, we know of it being used in production on x86, ARM, Alpha and MIPS. It has also had successful tests on PPC and SPARC, though we don't know of actual use there. Details are in our compatibility document.

FreeS/WAN has been tested on multiprocessor Intel Linux and worked there. Note, however, that we do not test this often and have never tested on multiprocessor machines of other architectures.

Will FreeS/WAN work on an older kernel?

It might, but we strongly recommend using a recent 2.2 or 2.4 series kernel. Sometimes the newer versions include security fixes which can be quite important on a gateway.

The precise kernel versions supported by a particular FreeS/WAN release are given in the README file of that release.

See the following question for more on kernels.

Will FreeS/WAN run on the latest kernel version?

Sometimes yes, but quite often, no.

Kernel versions supported are given in the README file of each FreeS/WAN release. Typically, they are whatever production kernels were current at the time of our release (or shortly before; we might release for kernel n just as Linus releases n+1). Often FreeS/WAN will work on slightly later kernels as well, but of course this cannot be guaranteed.

For example, FreeS/WAN 1.91 was released for kernels 2.2.19 or 2.4.5, the current kernels at the time. It also worked on 2.4.6, 2.4.7 and 2.4.8, but 2.4.9 had changes that caused compilation errors if it was patched with FreeS/WAN 1.91.

When such changes appear, we put a fix in the FreeS/WAN snapshots, and distribute it with our next release. However, this is not a high priority for us, and it may take anything from a few days to several weeks for such a problem to find its way to the top of our kernel programmer's To-Do list. In the meanwhile, you have two choices:

We don't even try to keep up with kernel changes outside the main 2.2 and 2.4 branches, such as the 2.4.x-ac patched versions from Alan Cox or the 2.5 series of development kernels. We'd rather work on developing the FreeS/WAN code than on chasing these moving targets. We are, however, happy to get patches for problems discovered there.

See also the Choosing a kernel section of our installation document.

Will FreeS/WAN work on ... network hardware?

IPsec is designed to work over any network that IP works over, and FreeS/WAN is intended to work over any network interface hardware that Linux supports.

If you have working IP on some unusual interface -- perhaps Arcnet, Token Ring, ATM or Gigabit Ethernet -- then IPsec should "just work".

That said, practice is sometimes less tractable than theory. Our testing is done almost entirely on:

If you have some other interface, especially an uncommon one, it is entirely possible you will get bitten by a FreeS/WAN bug which our testing did not turn up. It is also possible you will be bitten by a bug in the driver that shows up only with our loads. Another FAQ section describes the commonest of this class of problem.

If IP works on your interface and FreeS/WAN doesn't, seek help on the mailing lists.

Does FreeS/WAN support ...

For a discussion of which parts of the IPsec specifications FreeS/WAN does and does not implement, see our compatibility document.

For information on some often-requested features, see below.

Does FreeS/WAN support site-to-site VPN applications?

Yes, FreeS/WAN can be used to build site-to-site Virtual Private Networks.

This application is discussed in our introduction and an example given in our FreeS/WAN configuration document.

Does FreeS/WAN support remote users connecting to a LAN?

Yes, FreeS/WAN can be used to connect remote users. In the documentation, we refer to them as "Road Warriors".

This application is discussed in our introduction and an example given in our FreeS/WAN configuration document.

Road warriors using Windows or Macintosh may need an IPsec client program for their machines.

Does FreeS/WAN support wireless networks?

Yes, it is a common practice to use IPsec over wireless networks because their built-in encryption, WEP, is insecure.

There is some discussion in our configuration document.

Does FreeS/WAN support X.509 or other PKI certificates?

FreeS/WAN, as distributed, does not currently support use of X.509 or other PKI certificates for authentication of gateways. We are concentrating on moving toward authentication via Secure DNS and opportunistic encryption; X.509 support is not (or at least not yet) on the priority list.

On the other hand, it is a priority for some users and user-contributed patches to add X.509 certificate support to FreeS/WAN have been available for some time. From mailing list reports, they seem to be quite widely used and to work well.

See the patches section of our web references document for details.

Does FreeS/WAN support user authentication (Radius, SecureID, ...)?

Not yet. So far, there is no standard way to authenticate users for IPsec, though there is a very active IETF working group looking at the problem, and several vendors have implemented various things already.

In the absence of a standard, user authentication has not been a priority for the FreeS/WAN team, and is unlikely to become one. This would be a good project for a volunteer, perhaps a staff member or contractor at some company that needs the feature. Certainly our team would co-operate with such an effort; we just don't have time to do it.

The patches section of our web links document has links to some user work on this.

Of course, there are various ways to avoid any requirement for user authentication in IPsec. Consider the situation where road warriors build IPsec tunnels to your office net and you are considering requiring user authentication during tunnel negotiation. Alternatives include:

If either of those is trustworthy, it is not clear that you need user authentication in IPsec.

Does FreeS/WAN support single DES encryption?

No, single DES is not used either at the IKE level for negotiating connections or at the IPsec level for actually building them.

Single DES is insecure. As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods. See this discussion.

If you want to interoperate with an IPsec implementation which offers only DES, see our interoperation document.

Can I ...

Can I reload connection info without restarting?

Yes, you can do this. Here are the details, in a mailing list message from Pluto programmer Hugh Redelmeier:
| How can I reload config's without restarting all of pluto and klips?  I am using
| FreeSWAN -> PGPNet in a medium sized production environment, and would like to be
| able to add new connections ( i am using include config/* ) without dropping current
| SA's.
| 
| Can this be done?
| 
| If not, are there plans to add this kind of feature?

        ipsec auto --add whatever
This will look in the usual place (/etc/ipsec.conf) for a conn named
whatever and add it.

If you added new secrets, you need to do
        ipsec auto --rereadsecrets
before Pluto needs to know those secrets.

| I have looked (perhaps not thoroughly enough tho) to see how to do this:

There may be more bits to look for, depending on what you are trying
to do.

Another useful command here is ipsec auto --replace <conn_name> which re-reads data for a named connection.

Can I use several masqueraded subnets?

Yes. This is done all the time. See the discussion in our setup document. The only restriction is that the subnets on the two ends must not overlap. See the next question.

Here is a mailing list message on the topic. The user incorrectly thinks you need a 2.4 kernel for this -- actually various people have been doing it on 2.0 and 2.2 for quite some time -- but he has it right for 2.4.

Subject: Double NAT and freeswan working :)
   Date: Sun, 11 Mar 2001
   From: Paul Wouters <paul@xtdnet.nl>

Just to share my pleasure, and make an entry for people who are searching
the net on how to do this. Here's the very simple solution to have a double
NAT'ed network working with freeswan. (Not sure if this is old news, but I'm
not on the list (too much spam) and I didn't read this in any HOWTO/FAQ/doc
on the freeswan site yet (Sandy, put it in! :)

10.0.0.0/24 --- 10.0.0.1 a.b.c.d  ---- a.b.c.e {internet} ----+
                                                              |
10.0.1.0/24 --- 10.0.1.1 f.g.h.i  ---- f.g.h.j {internet} ----+

The goal is to have the first network do a VPN to the second one, yet also
have NAT in place for connections not destined for the other side of the
NAT. Here the two Linux security gateways have one real IP number (cable
modem, dialup, whatever).

The problem with NAT is you don't want packets from 10.*.*.* to 10.*.*.*
to be NAT'ed. While with Linux 2.2, you can't, with Linux 2.4 you can.

(This has been tested and works for 2.4.2 with Freeswan snapshot2001mar8b)

relevant parts of /etc/ipsec.conf:

        left=f.g.h.i
        leftsubnet=10.0.1.0/24
        leftnexthop=f.g.h.j
        leftfirewall=yes
        leftid=@firewall.netone.nl
        leftrsasigkey=0x0........
        right=a.b.c.d
        rightsubnet=10.0.0.0/24
        rightnexthop=a.b.c.e
        rightfirewall=yes
        rightid=@firewall.nettwo.nl
        rightrsasigkey=0x0......
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add

and now the real trick. Setup the NAT correctly on both sites:

iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -d \! 10.0.0.0/8 -j MASQUERADE

This tells the NAT code to only do NAT for packets with destination other than
10.* networks. Note the backslash to mask the exclamation mark to protect it
against the shell.

Happy painting :)

Paul

Can I use subnets masqueraded to the same addresses?

No. The notion that IP addresses are unique is one of the fundamental principles of the IP protocol. Messing with it is exceedingly perilous.

Fairly often a situation comes up where a company has several branches, all using the same non-routable addresses, perhaps 192.168.0.0/24. This works fine as long as those nets are kept distinct. The IP masquerading on their firewalls ensures that packets reaching the Internet carry the firewall address, not the private address.

This can break down when IPsec enters the picture. FreeS/WAN builds a tunnel that pokes through both masquerades and delivers packets from leftsubnet to rightsubnet and vice versa. For this to work, the two subnets must be distinct.

There are several solutions to this problem.

Can I assign a road warrior an address on my net (a virtual identity)?

Often it would be convenient to be able to give a Road Warrior an IP address which appears to be on the local network. Some IPsec implementations have support for this, sometimes calling the feature "virtual identity".

At time of writing (Feb 2002) FreeS/WAN does not support this, and we have no definite plans to add it. The difficulty is that there is not yet a standard mechanism for it. There is an Internet Draft for a method of doing it using DHCP which looks promising. FreeS/WAN may support that in a future release.

In the meanwhile, you can do it yourself using the Linux iproute2(8) facilities. Details are in this paper.

Another method has also been discussed on the mailing list.

For example, you might have:

leftsubnet=a.b.c.0/25
        head office network
rightsubnet=a.b.c.240/32
        extruded to a road warrior
a.b.c.0/24
        whole network, including both the above

Can I support many road warriors with one gateway?

Yes. This is easily done, using

either RSA authentication
        standard in the FreeS/WAN distribution
or X.509 certificates
        requires patches to FreeS/WAN

In either case, each Road Warrior must have a different key or certificate.

This cannot be made to work using pre-shared key authentication; see the next question for details.

If you expect to have more than a few dozen Road Warriors connecting simultaneously, you may need a fairly powerful gateway machine. See our document on FreeS/WAN performance.

Can I have many road warriors using shared secret authentication?

No. This does not work and there is no way to fix it.

This is a designed-in limitation of the IKE key negotiation protocol, not a problem with our implementation.

When using shared secrets, the protocol requires that the responding gateway be able to determine which secret to use at a time when all it knows about the initiator is an IP address. This works fine if you know the initiator's address in advance and can use it to look up the appropriate secret. However, it fails for Road Warriors since the gateway cannot know their IP addresses in advance.

With RSA signatures (or certificates) the protocol is slightly different. The initiator provides an identifier early in the exchange and the responder can use that identifier to look up the correct key or certificate. See above.

Can I use Quality of Service routing with FreeS/WAN?

From project technical lead Henry Spencer:

> Do QoS add to FreeS/WAN?
> For example integrating DiffServ and FreeS/WAN?

With a current version of FreeS/WAN, you will have to add hidetos=no to
the config-setup section of your configuration file.  By default, the TOS
field of tunnel packets is zeroed; with hidetos=no, it is copied from the
packet inside.  (This is a modest security hole, which is why it is no
longer the default.)

DiffServ does not interact well with tunneling in general.  Ways of
improving this are being studied.

Copying the TOS information from the encapsulated packet to the outer header reveals the TOS information to an eavesdropper. It is not clear whether or how an attacker could use this information, but since we do not have to give it to him, our default is not to.

See ipsec.conf(5) for more on the hidetos= parameter.

Can I recognise dead tunnels and shut them down?

There is no general mechanism to do this in the IPsec protocols.

From time to time, there is discussion on the IETF Working Group mailing list of adding a "keep-alive" mechanism (which some say should be called "make-dead"), but it is a fairly complex problem and no consensus has been reached on whether or how it should be done.

The protocol does have optional delete-SA messages which one side can send when it closes a connection in hopes this will cause the other side to do the same. FreeS/WAN does not currently support these. In any case, they would not solve the problem since:

However, connections do have limited lifetimes and you can control how many attempts your gateway makes to rekey before giving up. For example, you can set:

conn default
        keyingtries=3
        keylife=30m

With these settings old connections will be cleaned up. Within 30 minutes of the other end dying, rekeying will be attempted. If it succeeds, the new connection replaces the old one. If it fails, no new connection is created. Either way, the old connection is taken down when its lifetime expires.

Here is a mailing list message on the topic from FreeS/WAN tech support person Claudia Schmeing:

You ask how to determine whether a tunnel is redundant:

> Can anybody explain the best way to determine this. Esp when a RW has
> disconnected? I thought 'ipsec auto --status' might be one way.

If a tunnel goes down from one end, Linux FreeS/WAN on the
other end has no way of knowing this until it attempts to rekey.
Once it tries to rekey and fails, it will 'know' that the tunnel is 
down.

Because it doesn't have a way of knowing the state until this point, 
it will also not be able to tell you the state via ipsec auto --status.

> However, comparing output from a working tunnel with that of one that
> was closed did not clearly show tunnel status.

If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
should not be able to ping the opposite side of the tunnel. You can
use this as an indicator of tunnel status.

On a related note, you may be interested to know that as of 1.7, 
redundant tunnels caused by RW disconnections are likely to be 
less of a pain. From doc/CHANGES:

    There is a new configuration parameter, uniqueids, to control a new Pluto
    option:  when a new connection is negotiated with the same ID as an old
    one, the old one is deleted immediately.  This should help eliminate
    dangling Road Warrior connections when the same Road Warrior reconnects. 
    It thus requires that IDs not be shared by hosts (a previously legal but
    probably useless capability).  NOTE WELL:  the sample ipsec.conf now has
    uniqueids=yes in its config-setup section.


Cheers,

Claudia

Can I build IPsec tunnels over a demand-dialed link?

This is possible, but not easy. FreeS/WAN technical lead Henry Spencer wrote:

> 5. If the ISDN link goes down in between and is reestablished, the SAs
> are still up but the eroute are deleted and the IPsec interface shows
> garbage (with ifconfig)
> 6. Only restarting IPsec will bring the VPN back online.

This one is awkward to solve.  If the real interface that the IPsec
interface is mounted on goes down, it takes most of the IPsec machinery
down with it, and a restart is the only good way to recover. 

The only really clean fix, right now, is to split the machines in two: 

1. A minimal machine serves as the network router, and only it is aware
that the link goes up and down. 

2. The IPsec is done on a separate gateway machine, which thinks it has
a permanent network connection, via the router.

This is clumsy but it does work.  Trying to do both functions within a
single machine is tricky.  There is a software package (diald) which will
give the illusion of a permanent connection for demand-dialed modem
connections; I don't know whether it's usable for ISDN, or whether it can
be made to cooperate properly with FreeS/WAN. 

Doing a restart each time the interface comes up *does* work, although it
is a bit painful.  I did that with PPP when I was running on a modem link;
it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
the right times.  (I'd meant to investigate diald but never found time.)

In principle you don't need to do a complete restart on reconnect, but you
do have to rebuild some things, and we have no nice clean way of doing
only the necessary parts.

In the same thread, one user commented:

Subject: Re: linux-ipsec: IPsec and Dial Up Connections
   Date: Wed, 22 Nov 2000
   From: Andy Bradford <andyb@calderasystems.com>

On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:

> Are there any ideas what might be the cause of the problem and any way
> to work around it.
> Any help is highly appreciated.

On my laptop, when using ppp there is a ip-up script in /etc/ppp that 
will be executed each time that the ppp interface is brought up.  
Likewise there is an ip-down script that is called when it is taken 
down.  You might consider customizing those to stop and start FreeS/Wan 
with each connection.  I believe that ISDN uses the same files, though 
I could be wrong---there should be something similar though.

Can I build GRE tunnels over IPsec?

This is possible in theory, but we are short on practical details. If you do this, please let us know via the mailing lists.

There is a list message with links to relevant resources.

Life's little mysteries

FreeS/WAN is a fairly complex product. (Neither the networks it runs on nor the protocols it uses are simple, so it could hardly be otherwise.) It therefore sometimes exhibits behaviour which can be somewhat confusing, or has problems which are not easy to diagnose. This section tries to explain those problems.

Setup and configuration of FreeS/WAN are covered in other documentation sections:

However, we also list some of the commonest problems here.

I cannot ping ....

This question is dealt with in the configuration section under the heading multiple tunnels.

The standard subnet-to-subnet tunnel protects traffic only between the subnets. To test it, you must use pings that go from one subnet to the other.

For example, suppose you have:

      subnet a.b.c.0/24
             |
      eth1 = a.b.c.1
         gate1
      eth0 = 1.2.3.4
             |

       ~ internet ~

             |
      eth0 = 4.3.2.1
         gate2
      eth1 = x.y.z.1
              |
       subnet x.y.z.0/24

and the connection description:

conn abc-xyz
     left=1.2.3.4
     leftsubnet=a.b.c.0/24
     right=4.3.2.1
     rightsubnet=x.y.z.0/24

You can test this connection description only by sending a ping that will actually go through the tunnel. Assuming you have machines at addresses a.b.c.2 and x.y.z.2, pings you might consider trying are:

ping from x.y.z.2 to a.b.c.2 or vice versa
        Succeeds if tunnel is working. This is the only valid test of the tunnel.
ping from gate2 to a.b.c.2 or vice versa
        Does not use tunnel. gate2 is not on protected subnet.
ping from gate1 to x.y.z.2 or vice versa
        Does not use tunnel. gate1 is not on protected subnet.
ping from gate1 to gate2 or vice versa
        Does not use tunnel. Neither gate is on a protected subnet.

Only the first of these is a useful test of this tunnel. The others do not use the tunnel. Depending on other details of your setup and routing, they:

In some cases, you may be able to get around this. For the example network above, you could use:

        ping -I a.b.c.1 x.y.z.1

Both the addresses given are within protected subnets, so this should go through the tunnel.

If required, you can build additional tunnels so that all the machines involved can talk to all the others. See multiple tunnels in the configuration document for details.

It takes forever to ...

Users fairly often report various problems involving long delays, sometimes on tunnel setup and sometimes on operations done through the tunnel, occasionally on simple things like ping or more often on more complex operations like doing NFS or Samba through the tunnel.

Almost always, these turn out to involve failure of a DNS lookup. The timeouts waiting for DNS are typically set long so that you won't time out when a query involves multiple lookups or long paths. Genuine failures therefore produce long delays before they are detected.

A mailing list message from project technical lead Henry Spencer:

> ... when i run /etc/rc.d/init.d/ipsec start, i get:
> ipsec_setup: Starting FreeS/WAN IPsec 1.5...
> and it just sits there, doesn't give back my bash prompt.

Almost certainly, the problem is that you're using DNS names in your
ipsec.conf, but DNS lookups are not working for some reason.  You will
get your prompt back... eventually.  But the DNS timeouts are long.
Doing something about this is on our list, but it is not easy.

In the meanwhile, we recommend that connection descriptions in ipsec.conf(5) use numeric IP addresses rather than names which will require a DNS lookup.

Names that do not require a lookup are fine. For example:

These are fine. The @ sign prevents any DNS lookup. However, do not attempt to give the gateway address as left=camelot.example.org . That requires a lookup.

A post from one user after solving a problem with long delays:

Subject: Final Answer to Delay!!!
   Date: Mon, 19 Feb 2001
   From: "Felippe Solutions" <felippe@solutionstecnologia.com.br>

Sorry people, but seems like the Delay problem had nothing to do with
freeswan.

The problem was DNS as some people said from the beginning, but not the way
they thought it was happening. Samba, ssh, telnet and other apps try to
reverse lookup addresses when you use IP numbers (Stupid that ahh).

I could ping very fast because I always ping with "-n" option, but I don't
know the option on the other apps to stop reverse addressing so I don't use
it.

This post is fairly typical. These problems are often tricky and frustrating to diagnose, and most turn out to be DNS-related.

One suggestion for diagnosis: test with both names and addresses if possible. For example, try all of:

If these behave differently, the problem must be DNS-related since the three commands do exactly the same thing except for DNS lookups.

I send packets to the tunnel with route(8) but they vanish

IPsec connections are designed to carry only packets travelling between pre-defined connection endpoints. As project technical lead Henry Spencer put it:

IPsec tunnels are not just virtual wires; they are virtual wires with built-in access controls. Negotiation of an IPsec tunnel includes negotiation of access rights for it, which don't include packets to/from other IP addresses. (The protocols themselves are quite inflexible about this, so there are limits to what we can do about it.)

For fairly obvious security reasons, and to comply with the IPsec RFCs, KLIPS drops any packets it receives that are not allowed on the tunnels currently defined. So if you send it packets with route(8), and suitable tunnels are not defined, the packets vanish. Whether this is reported in the logs depends on the setting of klipsdebug in your ipsec.conf(5) file.

To rescue vanishing packets, you must ensure that suitable tunnels for them exist, by editing the connection descriptions in ipsec.conf(5). For example, supposing you have a simple setup:

         leftsubnet -- leftgateway === internet === roadwarrior

If you want to give the roadwarrior access to some resource that is located behind the left gateway but is not in the currently defined left subnet, then the usual procedure is to define an additional tunnel for those packets by creating a new connection description.

In some cases, it may be easier to alter an existing connection description, enlarging the definition of leftsubnet. For example, instead of two connection descriptions with 192.168.8.0/24 and 192.168.9.0/24 as their leftsubnet parameters, you can use a single description with 192.168.8.0/23.
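The check that decides the ping results under "I cannot ping ...." and the vanishing packets described here, as an added Python example (not FreeS/WAN code). The 10.1.0.0/24, 10.2.0.0/24 and 203.0.113.7 addresses are constructed stand-ins for a.b.c.0/24, x.y.z.0/24 and a road warrior, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the page's placeholder addresses (assumptions):
# a.b.c.0/24 -> 10.1.0.0/24 and x.y.z.0/24 -> 10.2.0.0/24.
ABC_XYZ = {"name": "abc-xyz",
           "left": "1.2.3.4", "leftsubnet": "10.1.0.0/24",
           "right": "4.3.2.1", "rightsubnet": "10.2.0.0/24"}

def selectors(conn):
    """Networks protected at the left and right end of a conn.

    When leftsubnet/rightsubnet is absent, that end is the gateway
    itself, i.e. left/32 or right/32.
    """
    ends = []
    for side in ("left", "right"):
        spec = conn.get(side + "subnet") or conn[side] + "/32"
        ends.append(ipaddress.ip_network(spec))
    return tuple(ends)

def tunnel_for(src, dst, conns):
    """Name of the first conn that covers a src -> dst packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for conn in conns:
        left, right = selectors(conn)
        if (s in left and d in right) or (s in right and d in left):
            return conn["name"]
    return None  # no tunnel is defined for this packet

def widen(subnets):
    """Merge subnets into the fewest prefixes covering exactly the same
    addresses; two /24s merge only if they form one aligned /23."""
    nets = [ipaddress.ip_network(n) for n in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def ping_tests():
    """The page's four ping tests plus the `ping -I` workaround."""
    cases = [
        ("x.y.z.2 -> a.b.c.2", "10.2.0.2", "10.1.0.2"),
        ("gate2 -> a.b.c.2", "4.3.2.1", "10.1.0.2"),
        ("gate1 -> x.y.z.2", "1.2.3.4", "10.2.0.2"),
        ("gate1 -> gate2", "1.2.3.4", "4.3.2.1"),
        ("ping -I a.b.c.1 x.y.z.1", "10.1.0.1", "10.2.0.1"),
    ]
    return {label: tunnel_for(s, d, [ABC_XYZ]) for label, s, d in cases}

if __name__ == "__main__":
    for label, conn in ping_tests().items():
        print(f"{label:26} {conn or 'not covered by any tunnel'}")
    # Road warrior (constructed address) reaching a second subnet behind the gateway
    rw = {"name": "rw", "left": "1.2.3.4", "right": "203.0.113.7"}
    narrow = dict(rw, leftsubnet="192.168.8.0/24")
    wide = dict(rw, leftsubnet=widen(["192.168.8.0/24", "192.168.9.0/24"])[0])
    for conn in (narrow, wide):
        print(conn["leftsubnet"], tunnel_for("203.0.113.7", "192.168.9.5", [conn]))
```

Note that 192.168.9.0/24 and 192.168.10.0/24 are adjacent but do not form a single /23, so `widen` leaves them as two subnets and two connection descriptions are still needed.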

If you have multiple endpoints on each side, you need to ensure that there is a route for each pair of endpoints. See this example.

When a tunnel goes down, packets vanish

This is a special case of the vanishing packet problem described in the previous question. Whenever KLIPS sees packets for which it does not have a tunnel, it drops them.

When a tunnel goes away, either because negotiations with the other gateway failed or because you gave an ipsec auto --down command, the route to its other end is left pointing into KLIPS, and KLIPS will drop packets it has no tunnel for.

This is a documented design decision, not a bug. FreeS/WAN must not automatically adjust things to send packets via another route. The other route might be insecure.

Of course, re-routing may be necessary in many cases. In those cases, you have to do it manually or via scripts. We provide the ipsec auto --unroute command for these cases.

From ipsec_auto(8):

Normally, pluto establishes a route to the destination specified for a connection as part of the --up operation. However, the route and only the route can be established with the --route operation. Until and unless an actual connection is established, this discards any packets sent there, which may be preferable to having them sent elsewhere based on a more general route (e.g., a default route).
Normally, pluto's route to a destination remains in place when a --down operation is used to take the connection down (or if connection setup, or later automatic rekeying, fails). This permits establishing a new connection (perhaps using a different specification; the route is altered as necessary) without having a ``window'' in which packets might go elsewhere based on a more general route. Such a route can be removed using the --unroute operation (and is implicitly removed by --delete).

See also this mailing list message.

The firewall ate my packets!

If firewalls filter out:

then IPsec cannot work. The first thing to check if packets seem to be vanishing is the firewall rules on the two gateway machines and any other machines along the path that you have access to.

For details, see our document on firewalls.

Some advice from technical lead Henry Spencer on diagnosing such problems:

> > Packets vanishing between the hardware interface and the ipsecN interface
> > is usually the result of firewalls not being configured to let them in...
> 
> Thanks for the suggestion. If only it were that simple! My ipchains startup
> script does take care of that, but just in case I manually inserted rules 
> accepting everything from london on dublin. No difference.

The other thing to check is whether the "RX packets dropped" count on the
ipsecN interface (run "ifconfig ipsecN", for N=1 or whatever, to see the
counts) is rising.  If so, then there's some sort of configuration mismatch
between the two ends, and IPsec itself is rejecting them.  If none of the
ipsecN counts is rising, then the packets are never reaching the IPsec
machinery, and the problem is almost certainly in firewalls etc.

Dropped connections

Networks being what they are, IPsec connections can be broken for any number of reasons, ranging from hardware failures to various software problems such as the path MTU problems discussed elsewhere in the FAQ. Fortunately, various diagnostic tools exist that help you sort out many of the possible problems.

There is one situation, however, where FreeS/WAN (using default settings) may destroy a connection for no readily apparent reason. This occurs when things are misconfigured so that two tunnels from the same gateway expect the same subnet on the far end.

In this situation, the first tunnel comes up fine and works until the second is established. At that point, because of the way we track connections internally, the first tunnel ceases to exist as far as this gateway is concerned. Of course the far end does not know that, and a storm of error messages appears on both systems as it tries to use the tunnel.

If the far end gives up, goes back to square one and negotiates a new tunnel, then that wipes out the second tunnel and ...

The solution is simple. Do not build multiple conn descriptions with the same remote subnet.

This is actually intended to be a feature, rather than a bug. Consider the situation where a single remote system goes down, then comes back up and reconnects to the gateway. It is useful to have the gateway tear down the old tunnel and recover resources when the reconnection is made. It recognises that situation by checking the remote subnet for each tunnel it builds and discarding duplicates. This works fine as long as you don't configure multiple tunnels with the same remote subnet.

If this behaviour is inconvenient for you, you can disable it by setting uniqueids=no in ipsec.conf(5).
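An added example, not part of the FreeS/WAN distribution: a small Python check of ipsec.conf text for three mistakes this FAQ describes, namely left and right subnets that are not distinct, two conns with the same remote subnet, and gateway addresses given as names that need a DNS lookup. The sample configuration, its addresses and the function names are constructed for illustration; `conn %default` and `also=` are not resolved, and the duplicate check is assumed active unless uniqueids=no is set.

```python
import ipaddress

# Constructed sample configuration (documentation addresses), not from the page.
SAMPLE_CONF = """\
config setup
        uniqueids=yes

conn branch-a
        left=192.0.2.1
        leftsubnet=10.0.1.0/24
        right=198.51.100.7
        rightsubnet=192.168.0.0/24

conn branch-b
        left=192.0.2.1
        leftsubnet=10.0.1.0/24
        right=203.0.113.9
        rightsubnet=192.168.0.0/24   # same remote subnet as branch-a

conn camelot
        left=192.0.2.1
        leftsubnet=192.168.0.0/24
        right=camelot.example.org    # a name, so it needs a lookup
        rightid=@camelot.example.org
        rightsubnet=192.168.0.0/25   # lies inside leftsubnet
"""

def parse_sections(text):
    """Return {"conn name" or "config setup": {param: value}}.
    Simplification: conn %default and also= inheritance are not resolved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header starts in column 0
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

def is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint(text, local_ip):
    """Return (conn, problem) findings; local_ip says which end is this gateway."""
    sections = parse_sections(text)
    unique = sections.get("config setup", {}).get("uniqueids", "yes") != "no"
    findings, remote_seen = [], {}
    for header, p in sections.items():
        if not header.startswith("conn ") or header == "conn %default":
            continue
        name = header[5:]
        peer = "right" if p.get("left") == local_ip else "left"
        for side in ("left", "right"):
            gw = p.get(side, "")
            # %defaultroute and friends are special values, not names
            if gw and not gw.startswith("%") and not is_address(gw):
                findings.append((name, f"{side}={gw} requires a DNS lookup"))
        nets = {s: ipaddress.ip_network(p[s + "subnet"])
                for s in ("left", "right") if s + "subnet" in p}
        if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
            findings.append((name, f"leftsubnet {nets['left']} overlaps "
                                   f"rightsubnet {nets['right']}"))
        if unique and peer in nets:
            first = remote_seen.setdefault(nets[peer], name)
            if first != name:
                findings.append((name, f"remote subnet {nets[peer]} is also "
                                       f"the remote subnet of {first}"))
    return findings

if __name__ == "__main__":
    for conn, problem in lint(SAMPLE_CONF, local_ip="192.0.2.1"):
        print(f"{conn}: {problem}")
```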

TCPdump on the gateway shows strange things

Attempting to look at IPsec packets by running monitoring tools on the IPsec gateway machine can produce silly results. That machine is mangling the packets for IPsec, and possibly for firewall or NAT purposes as well. If the internals of the machine's IP stack are not what the monitoring tool expects, then the tool can misinterpret them and produce nonsense output.

See our testing document for more detail.

Traceroute does not show anything between the gateways

As far as traceroute can see, the two gateways are one hop apart; the data packet goes directly from one to the other through the tunnel. Of course the outer packets that implement the tunnel pass through whatever lies between the gateways, but those packets are built and dismantled by the gateways. Traceroute does not see them and cannot report anything about their path.

Here is a mailing list message with more detail.

Date: Mon, 14 May 2001
To: linux-ipsec@freeswan.org
From: "John S. Denker" <jsd@research.att.com>
Subject: Re: traceroute: one virtual hop

At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
>
>> > A bonus question: traceroute in subnet to subnet environment looks like:
>> > 
>> > traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
>> > 1  drama (172.20.1.1)  0.716 ms  0.942 ms  0.434 ms
>> > 2  * * *
>> > 3  andris.dmz (172.20.24.10)  73.576 ms  78.858 ms  79.434 ms
>> > 
>> > Why aren't there the other hosts which take part in the delivery during 
>    * * * ?
>
>If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a 
>'virtual wire'.  When it is tunneled, the original packet becomes an inner 
>packet, and new ESP and/or AH headers are added to create an outer packet 
>around it. You can see an example of how this is done for AH at 
>doc/ipsec.html#AH . For ESP it is similar.
>
>Think about the packet's path from the inner packet's perspective.
>It leaves the subnet, goes into the tunnel, and re-emerges in the second
>subnet. This perspective is also the only one available to the
>'traceroute' command when the IPSec tunnel is up.

Claudia got this exactly right.  Let me just expand on a couple of points:

*) GateB is exactly one (virtual) hop away from GateA.  This is how it
would be if there were a physically private wire from A to B.  The
virtually private connection should work the same, and it does.

*) While the information is in transit from GateA to GateB, the hop count
of the outer header (the "envelope") is being decremented.  The hop count
of the inner header (the "contents" of the envelope) is not decremented and
should not be decremented.  The hop count of the outer header is not
derived from and should not be derived from the hop count of the inner header.

Indeed, even if the packets did time out in transit along the tunnel, there
would be no way for traceroute to find out what happened.  Just as
information cannot leak _out_ of the tunnel to the outside, information
cannot leak _into_ the tunnel from outside, and this includes ICMP messages
from routers along the path.

There are some cases where one might wish for information about what is
happening at the IP layer (below the tunnel layer) -- but the protocol
makes no provision for this.  This raises all sorts of conceptual issues.
AFAIK nobody has ever cared enough to really figure out what _should_
happen, let alone implement it and standardize it.

*) I consider the "* * *" to be a slight bug.  One might wish for it to be
replaced by "GateB GateB GateB".  It has to do with treating host-to-subnet
traffic different from subnet-to-subnet traffic (and other gory details).
I fervently hope KLIPS2 will make this problem go away.

*) If you want to ask questions about the link from GateA to GateB at the
IP level (below the tunnel level), you have to ssh to GateA and launch a
traceroute from there.

Testing in stages

It is often useful in debugging to test things one at a time:

FreeS/WAN releases are tested for all of these, so you can be reasonably certain they can do them all. Of course, that does not mean they will on the first try, especially if you have some unusual configuration.

The rest of this section gives information on diagnosing the problem when each of the above steps fails.

Manually keyed connections don't work

Suspect one of:

One manual connection works, but second one fails

This is a fairly common problem when attempting to configure multiple manually keyed connections from a single gateway.

Each connection must be identified by a unique SPI value. For automatic connections, these values are assigned automatically. For manual connections, you must set them with spi= statements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

IPsec works, but connections using compression fail

Suspect one of:

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:

> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.

> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of the auto connection in the /etc/ipsec.conf file
      • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel
      • Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:

> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
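
Added example, not part of the original FAQ and not FreeS/WAN's own _updown code: a shell sketch that rebuilds the route command described in the route-client message above from your ipsec.conf values, compares it with the command shown in the log, and checks the nexthop (gw) value. The function names, the local address 66.92.93.170 and the routing table are constructed for illustration; the directly-connected test is a plausibility check, not the kernel's exact rule.

```shell
#!/bin/sh
# Added example, not FreeS/WAN's _updown: rebuild the route command from
# ipsec.conf values and sanity-check the gateway (nexthop) it would use.

IPSEC_DEV=ipsec0   # assumption: the IPsec interface named in the quoted log line

# a.b.c.d -> integer; the subshell body keeps the IFS change local
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# prefix length 0..32 -> dotted netmask, e.g. 27 -> 255.255.255.224
prefix_to_netmask() {
    bits=$1 mask=
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$(( 256 - (1 << (8 - bits)) )); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
}

# expected_route VERB PEER PEERSUBNET NEXTHOP
#   VERB        route-host or route-client, as named in the error message
#   PEER        the remote end's left= / right= address
#   PEERSUBNET  the remote leftsubnet= / rightsubnet= (a.b.c.d/len); unused for route-host
#   NEXTHOP     the local end's leftnexthop= / rightnexthop=, already resolved
expected_route() {
    case $1 in
        route-host)   net=$2; len=32 ;;            # host netmask is always /32
        route-client) net=${3%/*}; len=${3#*/} ;;
        *) echo "unknown verb: $1" >&2; return 2 ;;
    esac
    echo "route add -net $net netmask $(prefix_to_netmask "$len") dev $IPSEC_DEV gw $4"
}

# Pull the command out of the "`route add ...' failed" debugging line.
logged_route() {
    bq='`'; sq="'"
    cmd=${1#*"$bq"}     # drop everything up to the opening backquote
    cmd=${cmd%"$sq"*}   # drop the closing quote and " failed"
    echo "$cmd"
}

# resolve_nexthop VALUE ROUTES: %defaultroute becomes the default route's gateway
resolve_nexthop() {
    if [ "$1" = "%defaultroute" ]; then
        printf '%s\n' "$2" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
    else
        echo "$1"
    fi
}

# check_nexthop LOCAL NEXTHOP ROUTES: print a verdict on the gw value
check_nexthop() {
    if [ "$2" = "$1" ]; then
        echo "loop: nexthop is this gateway's own address"; return 0
    fi
    gwint=$(ip_to_int "$2")
    while read -r dest via genmask rest; do
        case $dest in [0-9]*) ;; *) continue ;; esac   # skip header lines
        [ "$via" = "0.0.0.0" ] || continue              # directly connected nets only
        m=$(ip_to_int "$genmask"); d=$(ip_to_int "$dest")
        if [ $((gwint & m)) -eq "$d" ]; then
            echo "ok: nexthop is on a directly connected network"; return 0
        fi
    done <<EOF
$3
EOF
    echo "unreachable: no directly connected network contains nexthop"
}

# Log line quoted in the message above, joined onto one line.
SAMPLE_LOG='output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161'"'"' failed'

# Constructed "route -n" output for the local gateway (not from the page).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.92.93.160    0.0.0.0         255.255.255.224 U     0      0        0 eth0
0.0.0.0         66.92.93.161    0.0.0.0         UG    0      0        0 eth0'

NEXTHOP=$(resolve_nexthop %defaultroute "$SAMPLE_ROUTES")
echo "expected: $(expected_route route-host 128.174.253.83 "" "$NEXTHOP")"
echo "logged:   $(logged_route "$SAMPLE_LOG")"
check_nexthop 66.92.93.170 "$NEXTHOP" "$SAMPLE_ROUTES"
```

If the expected and logged commands differ, the mismatch points at the left/right, subnet or nexthop value in ipsec.conf that needs attention.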

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
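
The two ipsec.conf rules described above (how _updown's route command gets its net, netmask and gw, and the unique-SPI requirement for manual connections) can be checked before a connection is brought up. The following is an added example, not code from FreeS/WAN or from the quoted message: the sample configuration is constructed, the function names are hypothetical, `dev ipsec0` is copied from the log line quoted above, and an unset nexthop is treated as `%direct` (the peer), following ipsec.conf(5). The parser is simplified and ignores `also=`.

```python
import ipaddress
from collections import defaultdict

# Constructed sample ipsec.conf (addresses are documentation ranges).
SAMPLE_CONF = """\
conn %default
    leftnexthop=192.0.2.254

conn office-branch
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.0.0/16
    auto=add

conn manual-a
    left=192.0.2.1
    right=198.51.100.8
    spi=0x200

conn manual-b
    left=192.0.2.1
    # mistake 1: nexthop points at the IPsec gateway itself
    leftnexthop=192.0.2.1
    right=198.51.100.9
    # mistake 2: SPI already used by manual-a
    spi=0x200
"""

SPI_MIN, SPI_MAX = 0x100, 0x999  # range as stated on this page


def parse_conns(text):
    """Return {conn name: {param: value}} with 'conn %default' folded in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def updown_route(conn, local="left", default_gw=None):
    """Rebuild the route command _updown would run, as the message describes."""
    peer = "right" if local == "left" else "left"
    subnet = conn.get(peer + "subnet")
    if subnet:                                    # route-client: the peer's subnet
        verb, net = "route-client", ipaddress.ip_network(subnet, strict=False)
    else:                                         # route-host: the peer itself, always /32
        verb, net = "route-host", ipaddress.ip_network(conn[peer] + "/32")
    nexthop = conn.get(local + "nexthop", "%direct")
    if "%defaultroute" in (conn.get(local), nexthop):
        gw = default_gw or "<next hop on default route>"
    elif nexthop == "%direct":                    # assumption: unset means the peer
        gw = conn[peer]
    else:
        gw = nexthop
    problems = []
    if gw == conn.get(local):
        problems.append("nexthop is the IPsec gateway itself (routing loop)")
    cmd = (f"route add -net {net.network_address} netmask {net.netmask} "
           f"dev ipsec0 gw {gw}")
    return verb, cmd, problems


def check_manual_spis(conns):
    """Flag manual connections whose spi= is out of range or reused."""
    seen, problems = defaultdict(list), []
    for name, params in conns.items():
        if "spi" not in params:                   # not manually keyed via spi=
            continue
        value = int(params["spi"], 16)
        if not SPI_MIN <= value <= SPI_MAX:
            problems.append(f"{name}: SPI {value:#x} outside {SPI_MIN:#x}-{SPI_MAX:#x}")
        seen[value].append(name)
    for value, names in sorted(seen.items()):
        if len(names) > 1:
            problems.append(f"SPI {value:#x} shared by {', '.join(names)}")
    return problems


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, conn in conns.items():
        verb, cmd, problems = updown_route(conn, local="left")
        print(f"{name}: {verb}: {cmd}")
        for problem in problems:
            print(f"  WARNING: {problem}")
    for problem in check_manual_spis(conns):
        print(f"WARNING: {problem}")
```

Comparing the printed command with the one in the `_updown` debugging line shows which ipsec.conf value produced a bad net, netmask or gw.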

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of the auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end, so that it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.
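
A lint for the two configuration mistakes described above (a duplicate or out-of-range SPI on manual connections, and a forgotten auto=add), as an added example that is not FreeS/WAN code. The parser is simplified, the sample file is constructed, and treating a conn with spi= as manual and a conn with neither spi= nor auto= as "not loaded" are assumptions of this example.

```python
# SPI range for manual connections, as stated in the FAQ text above.
SPI_MIN, SPI_MAX = 0x100, 0x999

# Constructed sample configuration (documentation addresses), not a real file.
SAMPLE_CONF = """\
# constructed example ipsec.conf
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn manual-east
    left=192.0.2.1
    right=198.51.100.1
    spi=0x200

conn manual-west
    left=192.0.2.1
    right=203.0.113.1
    spi=0x200

conn manual-low
    left=192.0.2.1
    right=203.0.113.9
    spi=0x42

conn auto-ok
    left=192.0.2.1
    right=198.51.100.7
    auto=add

conn auto-forgotten
    left=192.0.2.1
    right=198.51.100.8
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' values applied.

    Simplified: section headers start in column 0, parameter lines are
    indented, and blank or comment lines are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():
            # Section header such as "conn NAME" or "config setup".
            parts = stripped.split()
            current = None
            if len(parts) == 2 and parts[0] == "conn":
                current = sections.setdefault(parts[1], {})
            continue
        if current is not None and "=" in stripped:
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def check_manual_spis(conns):
    """Report manual conns whose spi= is malformed, out of range or reused."""
    problems, seen = [], {}
    for name, params in conns.items():
        if "spi" not in params:
            continue
        try:
            spi = int(params["spi"], 16)
        except ValueError:
            problems.append(f"{name}: spi={params['spi']!r} is not a hex number")
            continue
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(
                f"{name}: spi 0x{spi:x} is outside 0x{SPI_MIN:x}-0x{SPI_MAX:x}")
        if spi in seen:
            problems.append(f"{name}: spi 0x{spi:x} is also used by {seen[spi]}")
        else:
            seen[spi] = name
    return problems


def check_auto_load(conns):
    """Return conns with neither spi= nor auto=; Pluto will not know them."""
    return [name for name, params in conns.items()
            if "spi" not in params and "auto" not in params]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for problem in check_manual_spis(conns):
        print("SPI:", problem)
    for name in check_auto_load(conns):
        print(f"AUTO: {name}: no auto= line, the receiving end needs auto=add")
```

Run it against a copy of /etc/ipsec.conf on each gateway by passing the file's text to parse_conns() in place of the sample.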

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB RAM and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
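The derivation described in the route-client reply above (net and netmask from the peer side, gw from the local nexthop), as an added shell example that is not FreeS/WAN's _updown script. The function names are hypothetical, the device name ipsec0 is taken from the logged line quoted above, and the sample line is that quoted line joined onto one line.

```shell
#!/bin/sh
# Added illustration: rebuild the route command from ipsec.conf-style values
# and compare it with the command an _updown "failed" log line reports.

# cidr_to_netmask BITS -> dotted-quad netmask, e.g. 24 -> 255.255.255.0
cidr_to_netmask() {
    bits=$1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            hostbits=$((8 - bits))
            octet=$((256 - (1 << hostbits))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
}

# expected_route VERB LOCAL_NEXTHOP PEER PEER_SUBNET DEFAULT_GW [DEV]
#   VERB          route-client or route-host
#   LOCAL_NEXTHOP leftnexthop or rightnexthop, whichever is local
#   PEER          left or right, whichever is not local
#   PEER_SUBNET   leftsubnet or rightsubnet (a.b.c.d/n), whichever is not local
#   DEFAULT_GW    next hop on the default route, used for %defaultroute
expected_route() {
    verb=$1 nexthop=$2 peer=$3 peersubnet=$4 defgw=$5 dev=${6:-ipsec0}
    case $verb in
        route-client)
            # Route to a peer subnet: net and netmask come from the peer subnet.
            case $peersubnet in
                */*) ;;
                *) echo "route-client needs a peer subnet as a.b.c.d/n" >&2; return 1 ;;
            esac
            net=${peersubnet%/*}
            netmask=$(cidr_to_netmask "${peersubnet#*/}") || {
                echo "bad mask length in $peersubnet" >&2; return 1; }
            ;;
        route-host)
            # Route to a peer host or gateway: the mask is always /32.
            [ -n "$peer" ] || { echo "route-host needs the peer address" >&2; return 1; }
            net=$peer
            netmask=255.255.255.255
            ;;
        *) echo "unknown verb: $verb" >&2; return 1 ;;
    esac
    # gw is the local nexthop; %defaultroute means the default route's next hop.
    gw=$nexthop
    [ "$gw" = "%defaultroute" ] && gw=$defgw
    [ -n "$gw" ] || { echo "no next hop available for gw" >&2; return 1; }
    echo "route add -net $net netmask $netmask dev $dev gw $gw"
}

# logged_route LINE -> the command quoted between ` and ' in a "failed" line
logged_route() {
    printf '%s\n' "$1" | sed -n "s/.*\`\(route [^']*\)' failed.*/\1/p"
}

# check_logged_route LINE VERB LOCAL_NEXTHOP PEER PEER_SUBNET DEFAULT_GW [DEV]
# Returns 0 when the logged command is what the given values should produce,
# 1 when they differ, 2 when either side could not be worked out.
check_logged_route() {
    logged=$(logged_route "$1"); shift
    [ -n "$logged" ] || { echo "no route command found in log line" >&2; return 2; }
    expected=$(expected_route "$@") || return 2
    if [ "$logged" = "$expected" ]; then
        echo "matches configuration: $logged"
        return 0
    fi
    echo "logged:   $logged"
    echo "expected: $expected"
    return 1
}

# The log line quoted above, joined onto one line.
SAMPLE_LINE="output: /usr/local/lib/ipsec/_updown: \`route add -net 128.174.253.83 netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed"

# Peer address and local nexthop as they appear in that line.
check_logged_route "$SAMPLE_LINE" route-host 66.92.93.161 128.174.253.83 "" ""
```

A match means the values from ipsec.conf were turned into the route command as described, so the next thing to check is point 1: whether the two gateways can route to one another without FreeS/WAN. A difference points at the left/right, subnet or nexthop values themselves.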

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of the auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.
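
Two of the configuration errors named above, a manual connection whose SPI is duplicated or outside the stated range and an automatically keyed connection that is never loaded, can be caught by linting ipsec.conf before bringing anything up. This is an added example, not a FreeS/WAN tool: the parser is a simplified reading of the file format, the sample file is constructed, and it assumes that a conn with an spi= line is manually keyed and that auto=route and auto=start load a description just as auto=add does.

```python
import re

SPI_MIN, SPI_MAX = 0x100, 0x999   # range as stated in the text above
LOADING_AUTO = ("add", "route", "start")

# Constructed sample file for the example.
SAMPLE = """
config setup
    interfaces=%defaultroute
conn %default
    keyingtries=0
conn office-manual
    left=192.0.2.10
    right=198.51.100.20
    spi=0x200
conn branch-manual
    left=192.0.2.10
    right=203.0.113.30
    spi=0x200
conn lab-manual
    left=192.0.2.10
    right=203.0.113.40
    spi=0x50
conn roadwarrior
    left=192.0.2.10
    right=203.0.113.50
    keyexchange=ike
conn partner
    left=192.0.2.10
    right=203.0.113.60
    auto=add
"""


def parse_conns(text):
    """Return {conn name: {parameter: value}} with conn %default applied.

    Simplified: a section header starts in column one, parameters are
    indented, and %default is applied to every conn regardless of order.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                          # section header
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = sections.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: dict(defaults, **params) for name, params in sections.items()}


def lint(text):
    """Return one finding string per problem, each prefixed with the conn name."""
    findings, seen = [], {}
    for name, params in parse_conns(text).items():
        if "spi" in params:                               # manually keyed conn
            try:
                spi = int(params["spi"], 16)
            except ValueError:
                findings.append("%s: spi %r is not a hex number"
                                % (name, params["spi"]))
                continue
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append("%s: spi 0x%x is outside 0x%x to 0x%x"
                                % (name, spi, SPI_MIN, SPI_MAX))
            if spi in seen:
                findings.append("%s: spi 0x%x is also used by %s"
                                % (name, spi, seen[spi]))
            else:
                seen[spi] = name
        elif params.get("auto") not in LOADING_AUTO:
            findings.append("%s: no auto=add, so this end will not recognise "
                            "the connection when the peer asks for it" % name)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```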

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:

> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section is responsible for setting up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.


Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
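
The derivation of net, netmask and gw described in the message above can be reproduced by hand when checking a failed route command. The following is an added example, not part of the mailing-list message and not FreeS/WAN's _updown script; the function name, the default_gw argument and the sample connection are assumptions made for illustration.

```python
import ipaddress

DEFAULTROUTE = "%defaultroute"

# Constructed sample connection (documentation address ranges, not from the page).
SAMPLE_CONN = {
    "left": "192.0.2.1", "leftsubnet": "10.0.1.0/24",
    "leftnexthop": "192.0.2.254",
    "right": "198.51.100.1", "rightsubnet": "10.0.2.0/24",
    "rightnexthop": "198.51.100.254",
}


def updown_route(conn, local_side, verb, default_gw=None, dev="ipsec0"):
    """Build the `route add` line that the message above describes.

    conn        ipsec.conf parameters of one connection, as a dict
    local_side  "left" or "right": which end this machine is
    verb        "route-client" (peer subnet) or "route-host" (peer itself)
    default_gw  next hop on the default route, needed for %defaultroute
    """
    if local_side not in ("left", "right"):
        raise ValueError("local_side must be 'left' or 'right'")
    peer_side = "right" if local_side == "left" else "left"

    # net and netmask come from the peer's side of the connection.
    if verb == "route-client":
        key = peer_side + "subnet"
        if key not in conn:
            raise ValueError(f"route-client needs {key}")
        # ip_network() rejects a subnet whose host bits are not zero.
        net = ipaddress.ip_network(conn[key])
    elif verb == "route-host":
        # A host route always uses a /32 mask: a single machine.
        net = ipaddress.ip_network(conn[peer_side] + "/32")
    else:
        raise ValueError("verb must be 'route-client' or 'route-host'")

    # gw comes from the local side's nexthop.
    local = conn[local_side]
    nexthop = conn.get(local_side + "nexthop")
    if DEFAULTROUTE in (local, nexthop):
        if default_gw is None:
            raise ValueError("%defaultroute used but default_gw not given")
        gw = ipaddress.ip_address(default_gw)
    elif nexthop is None:
        # This sketch requires an explicit nexthop (assumption).
        raise ValueError(f"{local_side}nexthop is not set")
    else:
        gw = ipaddress.ip_address(nexthop)

    # Using the IPsec gateway itself as the routing gateway would loop.
    if local != DEFAULTROUTE and gw == ipaddress.ip_address(local):
        raise ValueError("nexthop is this gateway's own address")

    return (f"route add -net {net.network_address} netmask {net.netmask} "
            f"dev {dev} gw {gw}")


if __name__ == "__main__":
    print(updown_route(SAMPLE_CONN, "left", "route-client"))
    print(updown_route(SAMPLE_CONN, "right", "route-host"))
```

Comparing the returned line with the one _updown logs shows quickly whether the subnet or nexthop values in ipsec.conf are the ones you intended.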

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
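
One way to check the SPI rule above before loading manual connections, as an added example that is not part of the FreeS/WAN distribution. The parser is deliberately simplified, the sample configuration is constructed, and the script assumes that any conn with an spi= value (its own or inherited from conn %default) is manually keyed.

```python
from collections import defaultdict

SPI_MIN, SPI_MAX = 0x100, 0x999  # range as stated in the text above

# Constructed sample: alpha and beta both inherit spi from %default.
SAMPLE_CONF = """\
conn %default
    keyingtries=0
    spi=0x200

conn alpha
    left=192.0.2.1
    right=198.51.100.1

conn beta
    left=192.0.2.1
    right=203.0.113.1

conn gamma            # explicit value, but out of range
    left=192.0.2.1
    right=203.0.113.9
    spi=0x1000
"""


def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf text (simplified)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header, e.g. "conn alpha" or "config setup".
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_manual_spis(text):
    """Return a list of problems: bad, out-of-range or duplicated SPIs."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    problems, seen = [], defaultdict(list)
    for name, params in conns.items():
        merged = {**defaults, **params}  # conn values override %default
        if "spi" not in merged:
            continue  # no spi= here; spibase= is not covered by this sketch
        try:
            spi = int(merged["spi"], 16)
        except ValueError:
            problems.append(f"{name}: spi {merged['spi']!r} is not hex")
            continue
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(
                f"{name}: spi {spi:#x} is outside {SPI_MIN:#x}-{SPI_MAX:#x}")
        seen[spi].append(name)
    for spi, names in sorted(seen.items()):
        if len(names) > 1:
            problems.append(f"spi {spi:#x} shared by: {', '.join(names)}")
    return problems


if __name__ == "__main__":
    for problem in check_manual_spis(SAMPLE_CONF):
        print(problem)
```

The inherited case is the one most easily missed: a single spi= line in conn %default gives every manual connection the same value.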

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
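
The derivation described in the message above, written out as an added Python example (not the _updown script and not FreeS/WAN code): net and netmask come from the peer, gw from the local nexthop. The function names, the connected_nets argument and the documentation-range addresses are assumptions made for the example, and the directly-connected test is general Linux routing behaviour rather than something the message states.

```python
"""Rebuild the route command _updown runs from ipsec.conf values (added example)."""
import ipaddress

# Chosen so that the derivation reproduces the log line quoted on this page.
PAGE_CONN = {"right": "128.174.253.83", "leftnexthop": "66.92.93.161"}


def updown_route(conn, local, verb, default_gw=None):
    """Return (net, netmask, gw) as the message describes them.

    conn       dict of ipsec.conf parameters for one connection
    local      "left" or "right": which end this machine is
    verb       "route-client" (peer subnet) or "route-host" (peer itself)
    default_gw next hop of the system default route, used for %defaultroute
    """
    peer = "right" if local == "left" else "left"
    if verb == "route-client":
        target = ipaddress.ip_network(conn[peer + "subnet"])
    elif verb == "route-host":
        # Host netmask is always /32, a single machine.
        target = ipaddress.ip_network(conn[peer] + "/32")
    else:
        raise ValueError("unknown verb: " + verb)

    gw = conn.get(local + "nexthop")
    if gw is None and conn.get(local) == "%defaultroute":
        gw = "%defaultroute"
    if gw == "%defaultroute":
        if default_gw is None:
            raise ValueError("%defaultroute used but no default route given")
        gw = default_gw
    if gw is None:
        raise ValueError("no %snexthop set" % local)
    return str(target.network_address), str(target.netmask), gw


def route_command(net, netmask, gw, dev="ipsec0", action="add"):
    """Format the command the way the page's log line shows it."""
    return "route %s -net %s netmask %s dev %s gw %s" % (
        action, net, netmask, dev, gw)


def nexthop_problems(gw, local_addr, connected_nets):
    """Explain why this gateway value would fail or loop.

    connected_nets: networks this machine reaches without a gateway, as
    CIDR strings (a point-to-point peer counts as a /32).
    """
    gw_ip = ipaddress.ip_address(gw)
    if gw_ip == ipaddress.ip_address(local_addr):
        return ["nexthop is this machine's own address; "
                "IPsec'd packets would loop"]
    if not any(gw_ip in ipaddress.ip_network(n) for n in connected_nets):
        return ["nexthop %s is not on a directly connected network; "
                "route add fails with 'network is unreachable'" % gw]
    return []


if __name__ == "__main__":
    print(route_command(*updown_route(PAGE_CONN, "left", "route-host")))
    # Constructed local address and connected network.
    for gw in ("192.0.2.1", "198.51.100.1", "192.0.2.10"):
        print(gw, nexthop_problems(gw, "192.0.2.10", ["192.0.2.0/24"]))
```
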

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
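
A check for the SPI rule above, as an added Python example rather than a FreeS/WAN tool. It reads a constructed ipsec.conf fragment, applies conn %default to the conns that follow it, and reports any spi= value that is duplicated or outside the range given here; the reader is simplified and the function names are hypothetical.

```python
"""Check manual-keyed conns in an ipsec.conf for SPI problems (added example)."""

# Range as stated on this page for manual connections.
SPI_MIN, SPI_MAX = 0x100, 0x999

# Constructed sample configuration (documentation addresses, made-up names).
SAMPLE_CONF = """\
# sample ipsec.conf fragment, constructed for this example
config setup
    interfaces=%defaultroute

conn %default
    left=192.0.2.1

conn east-west
    right=198.51.100.1
    spi=0x200

conn east-north
    right=203.0.113.1
    spi=0x200

conn east-south
    right=203.0.113.9
    spi=0x50

conn roadwarrior
    right=%any
    auto=add
"""


def parse_conns(text):
    """Return {conn name: params}, applying 'conn %default' to later conns.

    Simplified reader: section headers start in column one, parameters are
    indented key=value lines, and 'also=' includes are not followed.
    """
    conns, defaults, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue  # blank line or comment
        if not raw[0].isspace():
            words = line.split()
            if words[0] == "conn" and len(words) == 2:
                if words[1] == "%default":
                    current = defaults
                else:
                    # Start from a copy of the defaults seen so far.
                    current = conns[words[1]] = dict(defaults)
            else:
                current = None  # e.g. 'config setup'
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_spis(conns):
    """Return a list of (conn, problem) for conns that set spi=."""
    problems, seen = [], {}
    for name, params in conns.items():
        if "spi" not in params:
            continue  # no spi= here, nothing to compare
        try:
            spi = int(params["spi"], 16)
        except ValueError:
            problems.append((name, "spi is not a hexadecimal number"))
            continue
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(
                (name, "spi %#x outside %#x-%#x" % (spi, SPI_MIN, SPI_MAX)))
        if spi in seen:
            # An spi= placed in conn %default lands here for every later conn.
            problems.append(
                (name, "spi %#x already used by %s" % (spi, seen[spi])))
        else:
            seen[spi] = name
    return problems


if __name__ == "__main__":
    for conn, problem in check_spis(parse_conns(SAMPLE_CONF)):
        print("%s: %s" % (conn, problem))
```
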

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
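
The derivation of net, netmask and gw described in the message above, as an added Python example that is not part of the original message or of FreeS/WAN's _updown script. The function name, the default_gw parameter and the sample addresses are assumptions made for illustration; the command format follows the log line quoted in the message.

```python
import ipaddress

# Device name taken from the log line quoted in the message above.
IPSEC_DEV = "ipsec0"

# Constructed sample connection (documentation addresses, not from the page).
SAMPLE_CONN = {
    "left": "192.0.2.10", "leftsubnet": "10.0.1.0/24", "leftnexthop": "192.0.2.1",
    "right": "198.51.100.20", "rightsubnet": "10.0.2.0/24", "rightnexthop": "198.51.100.1",
}


def derive_route(conn, local_side, verb, default_gw=None, dev=IPSEC_DEV):
    """Build the `route add` command for one connection, following the message.

    conn       -- dict of ipsec.conf parameters for the connection
    local_side -- "left" or "right": which end this machine is
    verb       -- "route-client" (peer subnet) or "route-host" (peer gateway)
    default_gw -- next hop on the default route, used for %defaultroute
                  (hypothetical parameter; the caller must look it up)
    Returns (command, problems); command is None when it cannot be built.
    """
    if local_side not in ("left", "right"):
        raise ValueError("local_side must be 'left' or 'right'")
    if verb not in ("route-client", "route-host"):
        raise ValueError("verb must be 'route-client' or 'route-host'")
    peer_side = "right" if local_side == "left" else "left"
    problems = []

    # net/netmask: the peer's subnet for route-client, the peer itself as /32
    # for route-host.
    net = None
    if verb == "route-client":
        key, suffix = peer_side + "subnet", ""
    else:
        key, suffix = peer_side, "/32"
    value = conn.get(key)
    if value is None:
        problems.append("%s is not set" % key)
    else:
        try:
            net = ipaddress.ip_network(value + suffix, strict=True)
        except ValueError as exc:
            problems.append("%s=%s is not a usable network: %s" % (key, value, exc))

    # gw: the LOCAL side's nexthop, or the default route's next hop when
    # %defaultroute is used for left/right or for the nexthop itself.
    nexthop_key = local_side + "nexthop"
    gw = conn.get(nexthop_key)
    if "%defaultroute" in (gw, conn.get(local_side)):
        gw = default_gw
        if gw is None:
            problems.append("%defaultroute in use but no default-route next hop supplied")
    elif gw is None:
        problems.append("%s is not set" % nexthop_key)
    if gw is not None:
        try:
            gw = str(ipaddress.ip_address(gw))
        except ValueError:
            problems.append("%s=%s is not an IP address" % (nexthop_key, gw))
            gw = None
    # nexthop must be one hop away from this machine, never this machine itself.
    if gw is not None and gw == conn.get(local_side):
        problems.append("%s equals the local address %s" % (nexthop_key, gw))

    if net is None or gw is None:
        return None, problems
    command = "route add -net %s netmask %s dev %s gw %s" % (
        net.network_address, net.netmask, dev, gw)
    return command, problems


if __name__ == "__main__":
    for side in ("left", "right"):
        for verb in ("route-client", "route-host"):
            print(side, verb, derive_route(SAMPLE_CONN, side, verb))
```

Comparing the derived command with the one shown in the `_updown` log line points to the ipsec.conf parameter that produced a bad net, netmask or gw.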

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possible problems are discussed in our interoperation document.
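
The two configuration checks described above (a unique SPI per manual connection, and auto=add so the receiving end loads an automatically keyed connection) can be run over an ipsec.conf before bringing tunnels up. This is an added Python example, not FreeS/WAN's own code; it uses a simplified reader for the file format, treats any connection carrying spi= or spibase= as manually keyed, takes the SPI range from the text above, and runs on a constructed sample file.

```python
import re

SPI_MIN, SPI_MAX = 0x100, 0x999              # range as stated in the FAQ text
LOADED_AT_STARTUP = {"add", "route", "start"}  # auto= values that load a conn

# Constructed sample, not taken from a real gateway.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn office-manual
    left=192.0.2.10
    right=198.51.100.20
    spi=0x200

conn lab-manual
    left=192.0.2.10
    right=198.51.100.30
    spi=0x200

conn old-manual
    left=192.0.2.10
    right=198.51.100.40
    spi=0x50

conn branch-auto
    left=192.0.2.10
    right=198.51.100.50
    auto=add

conn partner-auto
    left=192.0.2.10
    right=198.51.100.60
"""


def parse_conns(text):
    """Return {conn_name: {param: value}} with `conn %default` merged in.

    Simplified reader: a section starts with an unindented `conn NAME` line,
    indented `name=value` lines belong to it, comments and blanks are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():             # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = sections.setdefault(parts[1], {}) if is_conn else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def lint(text):
    """Return a list of (conn, code, message) findings."""
    findings, first_user = [], {}
    for name, params in parse_conns(text).items():
        if "spi" in params or "spibase" in params:   # manually keyed
            spi_text = params.get("spi")
            if spi_text is None:
                continue                             # spibase is not checked here
            if not re.fullmatch(r"0x[0-9a-fA-F]+", spi_text):
                findings.append((name, "spi-malformed",
                                 "spi=%s is not of the form 0xhex" % spi_text))
                continue
            spi = int(spi_text, 16)
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append((name, "spi-range",
                                 "spi=%s is outside 0x100 to 0x999" % spi_text))
            if spi in first_user:
                findings.append((name, "spi-duplicate",
                                 "spi=%s is already used by %s" % (spi_text, first_user[spi])))
            else:
                first_user[spi] = name
        elif params.get("auto", "ignore") not in LOADED_AT_STARTUP:
            findings.append((name, "auto-missing",
                             "auto= is unset or ignore; the receiving end needs auto=add"))
    return findings


if __name__ == "__main__":
    for conn, code, message in lint(SAMPLE_CONF):
        print("%-14s %-14s %s" % (conn, code, message))
```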

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
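The mapping described in the message above, from ipsec.conf parameters to the arguments of the failed route command, written out as an added Python example; it is not FreeS/WAN's _updown code. The helper names are hypothetical and the `left=` address in the sample conn is constructed; only `right=` and `leftnexthop=` echo the quoted log line.

```python
import ipaddress
import re

# The failing command from the log line quoted in the message above.
LOG_LINE = ("output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 "
            "netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed")

# Constructed conn: left= is an invented address, the rest echo the log line.
CONN = {"left": "66.92.93.162", "leftnexthop": "66.92.93.161",
        "right": "128.174.253.83"}

ROUTE_RE = re.compile(
    r"route add -net ([\d.]+) netmask ([\d.]+) dev (\S+) gw ([\d.]+)'")


def expected_route(conn, local, default_gw=None):
    """Derive net, netmask and gw the way the message describes.

    local is "left" or "right": the side this machine is.
    Each value is returned with the ipsec.conf parameter it came from.
    """
    peer = "right" if local == "left" else "left"
    subnet = conn.get(peer + "subnet")
    if subnet:
        # route-client: the peer's subnet supplies net and netmask
        net = ipaddress.ip_network(subnet, strict=False)
        verb, net_src, mask_src = "route-client", peer + "subnet", peer + "subnet"
    else:
        # route-host: the peer itself, netmask always /32
        net = ipaddress.ip_network(conn[peer] + "/32")
        verb, net_src, mask_src = "route-host", peer, "fixed /32 for a host"
    # gw is the nexthop of the LOCAL side; %defaultroute defers to the
    # next hop on the default route, passed in here as default_gw.
    gw, gw_src = conn.get(local + "nexthop"), local + "nexthop"
    if "%defaultroute" in (gw, conn.get(local)):
        gw, gw_src = default_gw, "default route next hop (%defaultroute)"
    return {"verb": verb,
            "net": (str(net.network_address), net_src),
            "netmask": (str(net.netmask), mask_src),
            "gw": (gw, gw_src)}


def explain_failure(log_line, conn, local, default_gw=None):
    """Match each argument of the logged route command to its conf source."""
    m = ROUTE_RE.search(" ".join(log_line.split()))
    if m is None:
        raise ValueError("no route command found in log line")
    logged = dict(zip(("net", "netmask", "dev", "gw"), m.groups()))
    exp = expected_route(conn, local, default_gw)
    report = {"verb": exp["verb"]}
    for field in ("net", "netmask", "gw"):
        value, source = exp[field]
        # (value seen in the log, parameter it should come from, do they agree)
        report[field] = (logged[field], source, logged[field] == value)
    return report


if __name__ == "__main__":
    for field, detail in explain_failure(LOG_LINE, CONN, "left").items():
        print(field, detail)
```

A `False` in the third position points at the ipsec.conf parameter to re-check for that argument.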

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
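A check for the SPI rule just stated, as an added Python example that is not part of FreeS/WAN: it reads ipsec.conf text, applies `conn %default` to the connections that follow it, and reports `spi=` values that are shared or outside the range given above. The sample configuration is constructed, the function names are hypothetical, and only `spi=` is examined.

```python
import re
from collections import defaultdict

SPI_MIN, SPI_MAX = 0x100, 0x999  # range as stated in the text above

# Constructed sample configuration, not taken from a real gateway.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn east-west
    left=192.0.2.1
    right=198.51.100.1
    spi=0x200

conn east-north
    left=192.0.2.1
    right=203.0.113.1
    spi=0x200

conn east-south
    left=192.0.2.1
    right=203.0.113.77
    spi=0x50

conn roadwarrior
    left=192.0.2.1
    right=%any
    auto=add
"""


def parse_conns(text):
    """Return {conn name: {parameter: value}} with conn %default applied."""
    conns, defaults, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            m = re.match(r"conn\s+(\S+)\s*$", raw)
            if m is None:
                current = None  # e.g. "config setup": not a connection
            elif m.group(1) == "%default":
                current = defaults
            else:
                # defaults seen so far are inherited by this conn
                current = conns.setdefault(m.group(1), dict(defaults))
        elif current is not None and "=" in raw:
            key, value = raw.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_spis(text):
    """List problems with spi= values among manually keyed connections."""
    problems, by_spi = [], defaultdict(list)
    for name, params in parse_conns(text).items():
        if "spi" not in params:
            continue  # no spi= here, so not covered by this check
        try:
            spi = int(params["spi"], 0)  # accepts the 0x... form
        except ValueError:
            problems.append(f"{name}: spi value {params['spi']!r} is not a number")
            continue
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(
                f"{name}: spi {hex(spi)} is outside {hex(SPI_MIN)}-{hex(SPI_MAX)}")
        by_spi[spi].append(name)
    for spi, names in sorted(by_spi.items()):
        if len(names) > 1:
            problems.append(f"{', '.join(names)}: share spi {hex(spi)}")
    return problems


if __name__ == "__main__":
    for problem in check_spis(SAMPLE_CONF):
        print(problem)
```

Note the `conn %default` case: an `spi=` placed there is inherited by every later connection, so all of them collide.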

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of the auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in the shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
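The derivation described in the message above, as an added sketch (not FreeS/WAN's _updown code and not part of the quoted message): given a connection's ipsec.conf parameters and which side is local, it rebuilds the route command you should expect to see in the log line, and flags a nexthop that points back at the IPsec gateway itself. The function name, the dict layout and the second sample's addresses are assumptions; the first sample reproduces the logged command quoted above.

```python
import ipaddress

DEFAULTROUTE = "%defaultroute"


def derive_route(conn, local, kind, default_gw=None, dev="ipsec0"):
    """Rebuild the route command from ipsec.conf values.

    conn       -- dict of connection parameters (left, rightsubnet, ...)
    local      -- "left" or "right": which side this machine is
    kind       -- "client" (route to the peer subnet) or "host" (route to the peer)
    default_gw -- next hop on the default route, needed only for %defaultroute
    dev        -- interface name; ipsec0 is taken from the quoted log line
    Returns (command, warnings).
    """
    if local not in ("left", "right"):
        raise ValueError("local must be 'left' or 'right'")
    peer = "right" if local == "left" else "left"

    # net and netmask come from the peer: its subnet for a client route,
    # its own address with a /32 mask for a host route.
    if kind == "client":
        if peer + "subnet" not in conn:
            raise ValueError(f"{peer}subnet is not set")
        net = ipaddress.ip_network(conn[peer + "subnet"], strict=False)
    elif kind == "host":
        net = ipaddress.ip_network(conn[peer] + "/32")
    else:
        raise ValueError("kind must be 'client' or 'host'")

    # gw is the *local* side's nexthop. %defaultroute on either the local
    # address or the local nexthop means "next hop on the default route".
    local_addr = conn.get(local)
    nexthop = conn.get(local + "nexthop")
    if DEFAULTROUTE in (local_addr, nexthop):
        if default_gw is None:
            raise ValueError("%defaultroute in use: supply the default route's next hop")
        gw = ipaddress.ip_address(default_gw)
    elif nexthop is not None:
        gw = ipaddress.ip_address(nexthop)
    else:
        # This sketch does not model what happens when nexthop is omitted.
        raise ValueError(f"{local}nexthop is not set")

    warnings = []
    if local_addr not in (None, DEFAULTROUTE) and gw == ipaddress.ip_address(local_addr):
        # The loop described in the nexthop Q&A: processed packets would be
        # handed straight back to the machine that just processed them.
        warnings.append(f"{local}nexthop equals {local}: packets would loop "
                        "through the IPsec gateway")

    command = (f"route add -net {net.network_address} netmask {net.netmask} "
               f"dev {dev} gw {gw}")
    return command, warnings


# Sample 1: peer and gateway addresses are those in the log line quoted above;
# the use of %defaultroute on the local side is an assumption.
LOGGED_CONN = {"left": DEFAULTROUTE, "right": "128.174.253.83"}

# Sample 2: constructed, documentation-range addresses, with a nexthop that
# wrongly names the local gateway itself.
LOOP_CONN = {
    "left": "192.0.2.1",
    "leftnexthop": "192.0.2.1",
    "right": "198.51.100.7",
    "rightsubnet": "10.20.0.0/16",
}

if __name__ == "__main__":
    print(derive_route(LOGGED_CONN, "left", "host", default_gw="66.92.93.161"))
    print(derive_route(LOOP_CONN, "left", "client"))
```

Comparing the rebuilt command with the one in your own log shows which ipsec.conf value produced the net, netmask or gw that route rejected.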

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.
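Two of the configuration errors named above, the SPI rule for manual connections and the forgotten auto=add, can be checked mechanically. The following is an added example, not a FreeS/WAN tool: the parser is a simplified reading of the ipsec.conf layout, the sample file and connection names are constructed, only `spi=` is examined (`spibase=` and `also=` are not modelled), and the SPI range is the one stated in the text.

```python
import re
from collections import defaultdict

SPI_MIN, SPI_MAX = 0x100, 0x999   # range as stated in the FAQ text above

# Constructed sample, trimmed to the parameters the checks look at.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn manual-a
    left=192.0.2.1
    right=198.51.100.7
    spi=0x200

conn manual-b
    left=192.0.2.1
    right=198.51.100.8
    spi=0x200

conn manual-c
    left=192.0.2.1
    right=198.51.100.9
    spi=0x50        # below the permitted range

conn roadwarrior
    left=192.0.2.1
    right=%any
    auto=add

conn forgotten
    left=192.0.2.1
    right=198.51.100.10
"""


def parse_conns(text):
    """Return {conn name: {parameter: value}} with conn %default merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()   # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            current = None                        # "config setup" is skipped
            if len(parts) == 2 and parts[0] == "conn":
                current = conns.setdefault(parts[1], {})
            continue
        if current is not None and "=" in line:   # indented parameter line
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **params} for name, params in conns.items()}


def lint(conns):
    """Report SPI clashes, out-of-range SPIs and conns lacking auto=."""
    findings = []
    by_spi = defaultdict(list)
    for name, params in conns.items():
        if "spi" in params:                       # manually keyed connection
            try:
                spi = int(params["spi"], 16)
            except ValueError:
                findings.append(f"{name}: spi={params['spi']} is not a hex number")
                continue
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append(f"{name}: spi={params['spi']} outside 0x100-0x999")
            by_spi[spi].append(name)
        elif "auto" not in params:                # auto-keyed but never loaded
            findings.append(f"{name}: no auto= line, not loaded at startup "
                            "(the receiving end needs auto=add)")
    for spi, names in sorted(by_spi.items()):
        if len(names) > 1:
            findings.append(f"spi={spi:#x} shared by {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conns(SAMPLE_CONF)):
        print(finding)
```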

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
      • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
      • Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
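
The derivation described in the message above, as an added example that is not part of the original post and not FreeS/WAN's own _updown code: it rebuilds the route parameters from ipsec.conf values and compares them with the logged failure. The conn values, DEFAULT_GW and all function names are assumptions made for the illustration; only the log line is taken from the text.

```python
import ipaddress
import re

# Constructed ipsec.conf values for one conn, with "left" as the local gateway.
# Only the peer address and the next hop are taken from the log line quoted
# above; the subnets are made up for the example.
CONN = {
    "left": "%defaultroute",
    "leftsubnet": "192.168.1.0/24",
    "right": "128.174.253.83",
    "rightsubnet": "10.0.2.0/24",
}
DEFAULT_GW = "66.92.93.161"  # assumed next hop on the local default route

LOG_LINE = (
    "output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 "
    "netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed"
)

ROUTE_RE = re.compile(
    r"`route add -net (?P<net>\S+)\s+netmask (?P<netmask>\S+)"
    r"\s+dev (?P<dev>\S+)\s+gw (?P<gw>[^\s']+)' failed"
)


def parse_failed_route(line):
    """Extract net, netmask, dev and gw from an _updown failure line."""
    match = ROUTE_RE.search(line)
    return match.groupdict() if match else None


def expected_route(conn, local, kind, default_gw=None, dev="ipsec0"):
    """Derive the route parameters the way the message describes.

    kind is "client" (route to the peer subnet) or "host" (route to the
    peer gateway itself, always with a /32 mask).
    """
    peer = "right" if local == "left" else "left"
    if kind == "client":
        # A missing subnet is treated as the peer host alone (peer/32).
        subnet = conn.get(peer + "subnet", conn[peer] + "/32")
        net = ipaddress.ip_network(subnet, strict=False)
    elif kind == "host":
        net = ipaddress.ip_network(conn[peer] + "/32")
    else:
        raise ValueError("kind must be 'client' or 'host'")

    # gw is the LOCAL side's nexthop; %defaultroute means "whatever the
    # default route says", which the caller has to supply here.
    gw = conn.get(local + "nexthop")
    if gw == "%defaultroute" or (gw is None and conn.get(local) == "%defaultroute"):
        gw = default_gw
    if not gw:
        raise ValueError("no next hop known for the local side")
    return {
        "net": str(net.network_address),
        "netmask": str(net.netmask),
        "dev": dev,
        "gw": gw,
    }


def explain(conn, local, line, default_gw=None):
    """Match a logged failure against both route kinds and report differences."""
    logged = parse_failed_route(line)
    if logged is None:
        raise ValueError("no failed route command in this line")
    diffs = {}
    for kind in ("client", "host"):
        want = expected_route(conn, local, kind, default_gw, dev=logged["dev"])
        diffs[kind] = [key for key in want if want[key] != logged[key]]
    kind = min(diffs, key=lambda k: len(diffs[k]))

    warnings = []
    configured_gw = expected_route(conn, local, "host", default_gw)["gw"]
    if configured_gw == conn.get(local):
        # The nexthop Q&A above: the IPsec gateway cannot be its own next hop.
        warnings.append("nexthop is the local gateway itself: packets would loop")
    return {"kind": kind, "mismatches": diffs[kind], "warnings": warnings}


if __name__ == "__main__":
    print(explain(CONN, "left", LOG_LINE, DEFAULT_GW))
```

An empty mismatch list means the failing command carries exactly the values configured in ipsec.conf, so the place to look is ordinary routing to the next hop rather than the conn description.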

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.
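
A lint for the two configuration mistakes described above (a repeated or out-of-range SPI on manual connections, and an automatically keyed connection with no auto= line), as an added example that is not FreeS/WAN code. The sample file, conn names, addresses and function names are constructed for the illustration; a conn carrying spibase is treated as manually keyed alongside spi.

```python
import re

SPI_MIN, SPI_MAX = 0x100, 0x999  # range as stated in the text above

# Constructed ipsec.conf fragment; names and addresses are made up.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn branch-a
    left=192.0.2.1
    right=198.51.100.1
    spi=0x200

conn branch-b
    left=192.0.2.1
    right=198.51.100.2
    spi=0x200

conn branch-c
    left=192.0.2.1
    right=198.51.100.3
    spi=0x50

conn roadwarrior
    left=192.0.2.1
    right=%any
    auto=add

conn partner
    left=192.0.2.1
    right=203.0.113.7
"""


def parse_conns(text):
    """Return {conn name: {parameter: value}}.

    Values from a "conn %default" section are copied into every conn
    that appears after it; other section types are ignored.
    """
    conns, defaults, current = {}, {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section header at column 0
            words = line.split()
            if words[0] != "conn" or len(words) != 2:
                current = None  # e.g. "config setup": not a conn
            elif words[1] == "%default":
                current = defaults
            else:
                current = conns.setdefault(words[1], dict(defaults))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def lint(text):
    """Return a list of (finding, conn names) tuples for the given config."""
    findings, by_spi = [], {}
    for name, params in parse_conns(text).items():
        spi = params.get("spi")
        if spi is not None:
            try:
                value = int(spi, 0)  # honours the 0x prefix
            except ValueError:
                findings.append(("spi-invalid", (name,)))
                continue
            if not SPI_MIN <= value <= SPI_MAX:
                findings.append(("spi-range", (name,)))
            by_spi.setdefault(value, []).append(name)
        elif "spibase" not in params and "auto" not in params:
            # Neither manually keyed nor given an auto= line: nothing in
            # the file loads this description for the other end to ask for.
            findings.append(("not-loaded", (name,)))
    for value, names in by_spi.items():
        if len(names) > 1:
            findings.append(("spi-duplicate", tuple(names)))
    return findings


if __name__ == "__main__":
    for finding, names in lint(SAMPLE_CONF):
        print(finding, ", ".join(names))
```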

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
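
The derivation described in the message above, as an added example (not part of the original message and not FreeS/WAN's own _updown code): it builds net, netmask and gw from a conn section, formats the route command, and flags a nexthop that is the gateway's own address or is off the directly attached network. The conn section and its RFC 5737 addresses are constructed; the ipsec0 device name follows the _updown log line quoted in this FAQ entry, and the local prefix length and default_gw are assumed inputs because ipsec.conf does not carry them.

```python
import ipaddress

# Constructed sample conn (RFC 5737 documentation addresses), not from the page.
SAMPLE_CONF = """\
conn sample
    left=192.0.2.10
    leftnexthop=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.20
    rightnexthop=198.51.100.1
    rightsubnet=10.0.2.0/24
"""


def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' section as a dict."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def route_params(conn, local, kind, default_gw=None):
    """Derive (net, netmask, gw) for the route command.

    local:      'left' or 'right', whichever end this machine is.
    kind:       'client' (route-client, peer subnet) or 'host' (route-host, peer /32).
    default_gw: next hop on the default route, used for %defaultroute (assumed input).
    """
    if local not in ("left", "right"):
        raise ValueError("local must be 'left' or 'right'")
    peer = "right" if local == "left" else "left"
    if kind == "client":
        network = ipaddress.ip_network(conn[peer + "subnet"])
    elif kind == "host":
        network = ipaddress.ip_network(conn[peer] + "/32")  # a host is always /32
    else:
        raise ValueError("kind must be 'client' or 'host'")
    gw = conn.get(local + "nexthop")  # gw is the LOCAL side's nexthop
    if "%defaultroute" in (conn.get(local), gw):
        if default_gw is None:
            raise ValueError("%defaultroute needs the default route's next hop")
        gw = default_gw
    if gw is None:
        raise ValueError(f"{local}nexthop is not set")
    return str(network.network_address), str(network.netmask), gw


def route_command(net, netmask, gw, dev="ipsec0"):
    """Format the command the way the quoted _updown log line shows it."""
    return f"route add -net {net} netmask {netmask} dev {dev} gw {gw}"


def nexthop_problems(gw, local_addr, local_prefixlen):
    """Return reasons why this gw is likely to make 'route add' fail or loop."""
    iface = ipaddress.ip_interface(f"{local_addr}/{local_prefixlen}")
    gw_ip = ipaddress.ip_address(gw)
    problems = []
    if gw_ip == iface.ip:
        problems.append("nexthop is this gateway's own address (routing loop)")
    elif gw_ip not in iface.network:
        problems.append(
            f"nexthop {gw} is not on the attached network {iface.network}; "
            "expect 'network is unreachable'"
        )
    return problems


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "sample")
    for kind in ("client", "host"):
        net, mask, gw = route_params(conn, "left", kind)
        print(f"route-{kind}: {route_command(net, mask, gw)}")
        for problem in nexthop_problems(gw, conn["left"], 24):
            print("  warning:", problem)
```
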

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message with a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7 
(i.e. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possible problems are discussed in our interoperation document.
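
Two of the configuration mistakes named above, manual connections that share an SPI (or use one outside the stated range) and automatically keyed connections with no auto= setting, can be caught before starting IPsec. The following is an added example, not part of FreeS/WAN or of the original document. The sample configuration and the function names are constructed for illustration, the parser is a simplified reading of the ipsec.conf layout (unindented section headers, indented parameter lines), and the comparison of spi/spibase values by number is a simplification.

```python
# Added example: lint an ipsec.conf for duplicate/out-of-range manual SPIs
# and for connections that Pluto would never load because auto= is missing.

# Constructed sample configuration (documentation addresses, not from the page).
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn manual-a
    left=192.0.2.1
    right=198.51.100.1
    spi=0x200

conn manual-b
    left=192.0.2.1
    right=203.0.113.7
    spi=0x200

conn manual-c
    left=192.0.2.1
    right=203.0.113.9
    spi=0x1000

conn road-in
    left=192.0.2.1
    right=%any

conn site-b
    left=192.0.2.1
    right=198.51.100.1
    auto=start
"""

SPI_MIN, SPI_MAX = 0x100, 0x999   # range as stated in the text above


def parse_conns(text):
    """Return {conn_name: {param: value}} with 'conn %default' merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header
            parts = line.split()
            current = None                        # ignore 'config setup' etc.
            if len(parts) == 2 and parts[0] == "conn":
                current = sections.setdefault(parts[1], {})
            continue
        if current is not None and "=" in line:   # indented parameter line
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}


def lint(text):
    """Return a sorted list of (conn_name, problem) findings."""
    findings, seen = [], {}
    for name, params in parse_conns(text).items():
        spi_text = params.get("spi") or params.get("spibase")
        if spi_text is not None:
            # Manually keyed connection: SPI must be in range and unique.
            try:
                spi = int(spi_text, 16)
            except ValueError:
                findings.append((name, f"unparseable SPI {spi_text!r}"))
                continue
            if not SPI_MIN <= spi <= SPI_MAX:
                findings.append((name, f"SPI {spi_text} outside 0x100-0x999"))
            if spi in seen:
                findings.append(
                    (name, f"SPI {spi_text} already used by {seen[spi]}"))
            else:
                seen[spi] = name
        elif params.get("auto", "ignore") == "ignore":
            # No manual keying and nothing tells Pluto to load the description,
            # so the receiving end will not recognise the connection.
            findings.append((name, "no auto= setting; Pluto will not load it"))
    return sorted(findings)


if __name__ == "__main__":
    for conn, problem in lint(SAMPLE_CONF):
        print(f"conn {conn}: {problem}")
```
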

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
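
The derivation described in the message above, as an added Python example (not code from _updown or from the FreeS/WAN project): it builds the route command from ipsec.conf values and flags two next-hop mistakes. All addresses are constructed documentation values; the function names, the requirement that the next hop be set explicitly, and the local prefix length argument are assumptions of this example.

```python
import ipaddress

IPSEC_DEV = "ipsec0"  # virtual device named in the logged route command


def route_params(conn, local, kind, default_gw=None):
    """Derive (net, netmask, gw) for the route-client or route-host step.

    conn       : dict of ipsec.conf parameters for one connection
    local      : "left" or "right", whichever end this machine is
    kind       : "client" (peer subnet) or "host" (peer gateway or host)
    default_gw : next hop on the default route, used for %defaultroute
    """
    if local not in ("left", "right"):
        raise ValueError("local must be 'left' or 'right'")
    peer = "right" if local == "left" else "left"

    if kind == "client":
        # net and netmask come from the subnet that is NOT local
        subnet = conn.get(peer + "subnet")
        if subnet is None:
            raise ValueError(peer + "subnet is not set; no client route to add")
        network = ipaddress.ip_network(subnet, strict=False)
    elif kind == "host":
        # a host route always has a /32 mask: a single machine
        network = ipaddress.ip_network(conn[peer] + "/32")
    else:
        raise ValueError("kind must be 'client' or 'host'")

    # gw is the LOCAL end's nexthop (assumption: it must be set explicitly)
    gw = conn.get(local + "nexthop")
    if "%defaultroute" in (conn[local], gw):
        gw = default_gw
    if not gw:
        raise ValueError("no usable next hop for the " + local + " end")
    return str(network.network_address), str(network.netmask), gw


def route_command(conn, local, kind, default_gw=None):
    """Format the parameters the way the logged command shows them."""
    net, mask, gw = route_params(conn, local, kind, default_gw)
    return f"route add -net {net} netmask {mask} dev {IPSEC_DEV} gw {gw}"


def nexthop_problems(conn, local, local_prefixlen, default_gw=None):
    """Return a list of reasons the local nexthop cannot work as a gateway."""
    if conn[local] == "%defaultroute":
        return []  # address and next hop both come from the default route
    gw = ipaddress.ip_address(route_params(conn, local, "host", default_gw)[2])
    me = ipaddress.ip_interface(f"{conn[local]}/{local_prefixlen}")
    problems = []
    if gw == me.ip:
        problems.append(f"{local}nexthop {gw} is this gateway's own address: "
                        "processed packets would loop")
    elif gw not in me.network:
        problems.append(f"{local}nexthop {gw} is not on the directly connected "
                        f"network {me.network}: route add fails with "
                        "'network is unreachable'")
    return problems


# Constructed sample connection (documentation address ranges only).
GOOD = {
    "left": "192.0.2.10", "leftsubnet": "10.1.0.0/16",
    "leftnexthop": "192.0.2.1",
    "right": "198.51.100.20", "rightsubnet": "10.2.0.0/24",
    "rightnexthop": "198.51.100.1",
}

if __name__ == "__main__":
    for kind in ("client", "host"):
        print(route_command(GOOD, "left", kind))
    for bad_hop in ("192.0.2.10", "198.51.100.20"):
        broken = dict(GOOD, leftnexthop=bad_hop)
        print(nexthop_problems(broken, "left", 24))
```
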

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
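
A check for the SPI rule just stated, as an added Python example (not part of FreeS/WAN): it reads ipsec.conf text, collects the spi= value of each conn section, and reports values outside the stated range or shared between connections. The function names and the sample configuration are constructed for this example; it looks only at spi= lines in named conn sections and ignores conn %default.

```python
from collections import defaultdict

SPI_MIN, SPI_MAX = 0x100, 0x999  # range as stated in the FAQ text above


def manual_spis(conf_text):
    """Return [(conn_name, spi_string)] for each conn section that sets spi=."""
    found, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = words[1] if is_conn else None
            continue
        if current in (None, "%default"):
            continue
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "spi":
            found.append((current, value.strip()))
    return found


def spi_problems(conf_text):
    """Return range problems in file order, then duplicated SPIs in order."""
    problems, users = [], defaultdict(list)
    for name, text in manual_spis(conf_text):
        try:
            spi = int(text, 16)                   # accepts the 0x prefix
        except ValueError:
            problems.append(f"{name}: spi={text} is not a hex number")
            continue
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(
                f"{name}: spi={text} is outside {SPI_MIN:#x}-{SPI_MAX:#x}")
        users[spi].append(name)
    for spi in sorted(users):
        if len(users[spi]) > 1:
            problems.append(
                f"spi {spi:#x} is shared by: " + ", ".join(users[spi]))
    return problems


# Constructed sample, not a real configuration.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn east-west
    type=tunnel
    spi=0x200

conn north-south
    type=tunnel
    spi=0x200        # same SPI as east-west

conn lab
    spi=0x50         # below the allowed range

conn branch
    spi=0x300

conn roadwarrior
    auto=add         # automatically keyed, no spi
"""

if __name__ == "__main__":
    for problem in spi_problems(SAMPLE_CONF):
        print(problem)
```
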

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
      • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
      • Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:

> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.

> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:

> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7
(i.e. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (i.e. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
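
The derivation described in the message above, as an added example (not FreeS/WAN's _updown script and not part of the original message): a shell function that takes values named after the ipsec.conf parameters and prints the route command to expect in the log, rejecting a missing nexthop or one that points back at the local gateway. The function names, the default-gateway argument and all sample addresses are assumptions made for illustration; dev ipsec0 follows the log line quoted above.

```shell
#!/bin/sh
# Added example: predicts the route command for route-client / route-host.
# Not FreeS/WAN's _updown; all addresses below are constructed samples.

# Prefix length (0-32) -> dotted netmask, e.g. 22 -> 255.255.252.0
prefix_to_mask() (
    bits=$1
    case $bits in ''|*[!0-9]*) echo "bad prefix length: $bits" >&2; return 2 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix length: $bits" >&2; return 2; }
    mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255; bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - bits)))); bits=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
)

# Usage: derive_route LOCAL_SIDE VERB [DEFAULT_GW]
#   LOCAL_SIDE  left | right   (which end this machine is)
#   VERB        route-client | route-host
#   DEFAULT_GW  next hop on the default route, used for %defaultroute
#               (hypothetical argument; a real system reads its routing table)
# Reads $left $leftsubnet $leftnexthop $right $rightsubnet $rightnexthop.
derive_route() (
    local_side=$1 verb=$2 default_gw=${3:-}
    case $local_side in
        left)  me=${left:-};  gw=${leftnexthop:-}
               peer=${right:-}; peer_subnet=${rightsubnet:-} ;;
        right) me=${right:-}; gw=${rightnexthop:-}
               peer=${left:-};  peer_subnet=${leftsubnet:-} ;;
        *) echo "local side must be left or right" >&2; return 2 ;;
    esac

    # gw is the LOCAL nexthop; %defaultroute means "next hop on the default route".
    if [ "$me" = "%defaultroute" ] || [ "$gw" = "%defaultroute" ]; then
        gw=$default_gw
    fi
    if [ -z "$gw" ]; then
        echo "no ${local_side}nexthop: processed packets have nowhere to go" >&2
        return 1
    fi
    if [ "$gw" = "$me" ]; then
        echo "nexthop $gw is the IPsec gateway itself: routing loop" >&2
        return 1
    fi

    # net and netmask come from the PEER side.
    case $verb in
        route-host)
            net=$peer; mask=255.255.255.255 ;;      # a host is always /32
        route-client)
            case $peer_subnet in
                */*) ;;
                *) echo "route-client needs the peer's subnet as net/bits" >&2
                   return 1 ;;
            esac
            net=${peer_subnet%/*}
            mask=$(prefix_to_mask "${peer_subnet#*/}") || return 1 ;;
        *) echo "unknown verb: $verb" >&2; return 2 ;;
    esac
    echo "route add -net $net netmask $mask dev ipsec0 gw $gw"
)

# Constructed sample connection, named after the ipsec.conf parameters.
left=192.0.2.10;     leftsubnet=10.0.1.0/24;    leftnexthop=192.0.2.1
right=198.51.100.20; rightsubnet=172.16.8.0/22; rightnexthop=198.51.100.1

derive_route left route-client     # packets for the peer's subnet
derive_route left route-host       # packets for the peer gateway itself
derive_route right route-client    # the same connection seen from the other end

# Misconfiguration: nexthop set to the local gateway's own address.
( leftnexthop=$left; derive_route left route-host ) || echo "rejected, as expected"
```

Comparing the printed command with the one in the "_updown: ... failed" log line shows which ipsec.conf value produced the bad net, netmask or gw.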

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
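The derivation of net, netmask and gw described in the reply above, as an added Python example (not part of the mailing list message and not FreeS/WAN's _updown script). The addresses, the function names and the on-link test for the gateway are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the parameters of one ipsec.conf "conn" section.
# All addresses are documentation ranges, not values from the page.
CONN = {
    "left": "192.0.2.10",
    "leftsubnet": "10.1.0.0/16",
    "leftnexthop": "192.0.2.1",
    "right": "198.51.100.20",
    "rightsubnet": "10.2.0.0/16",
    "rightnexthop": "198.51.100.1",
}


def route_args(conn, local_side, verb, default_gw=None):
    """Derive (net, netmask, gw) the way the reply above describes.

    local_side: "left" or "right", whichever end this machine is.
    verb: "route-client" (peer subnet) or "route-host" (peer itself).
    default_gw: next hop on the default route, needed only when the local
    address or nexthop is %defaultroute.
    """
    if local_side not in ("left", "right"):
        raise ValueError("local_side must be 'left' or 'right'")
    peer = "right" if local_side == "left" else "left"

    if verb == "route-client":
        # net and netmask come from the subnet that is not local
        key = peer + "subnet"
        if key not in conn:
            raise ValueError("route-client needs " + key)
        target = ipaddress.ip_network(conn[key])
    elif verb == "route-host":
        # a host route is always a /32
        target = ipaddress.ip_network(conn[peer] + "/32")
    else:
        raise ValueError("unknown verb: " + verb)

    # gw is the nexthop of the local end
    nexthop = conn.get(local_side + "nexthop")
    if "%defaultroute" in (conn.get(local_side), nexthop):
        if default_gw is None:
            raise ValueError("%defaultroute needs the default route's next hop")
        gw = default_gw
    elif nexthop is None:
        raise ValueError(local_side + "nexthop is not set")
    else:
        gw = nexthop
    ipaddress.ip_address(gw)  # reject anything that is not an IP address
    return str(target.network_address), str(target.netmask), gw


def route_command(conn, local_side, verb, default_gw=None, dev="ipsec0"):
    """Format the command in the shape of the _updown log line quoted above."""
    net, mask, gw = route_args(conn, local_side, verb, default_gw)
    return "route add -net %s netmask %s dev %s gw %s" % (net, mask, dev, gw)


def gw_on_link(gw, local_ifaces):
    """True if gw sits on a network directly attached to this machine.

    local_ifaces: addresses with prefix length, e.g. ["192.0.2.10/24"].
    Assumption of this example: a gateway that is not on an attached
    network is what makes route(8) answer "network is unreachable".
    """
    addr = ipaddress.ip_address(gw)
    return any(addr in ipaddress.ip_interface(i).network for i in local_ifaces)


def diagnose(conn, local_side, verb, local_ifaces, default_gw=None):
    """Return (command, verdict) for one planned route."""
    cmd = route_command(conn, local_side, verb, default_gw)
    gw = cmd.rsplit(" ", 1)[1]
    if gw_on_link(gw, local_ifaces):
        return cmd, "gw reachable"
    return cmd, "gw %s is not on an attached network" % gw


if __name__ == "__main__":
    ifaces = ["192.0.2.10/24"]  # constructed: the left gateway's interface
    for verb in ("route-client", "route-host"):
        print(diagnose(CONN, "left", verb, ifaces))
    # The same connection with the two nexthop values swapped by mistake.
    swapped = dict(CONN, leftnexthop=CONN["rightnexthop"],
                   rightnexthop=CONN["leftnexthop"])
    print(diagnose(swapped, "left", "route-client", ifaces))
```

Run on the left gateway's values, the swapped-nexthop case is the one flagged, which is the kind of mistake to look for in ipsec.conf before reading further into the logs.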

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).
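A check for the SPI rule above, as an added Python example (not FreeS/WAN code). The sample configuration is constructed, only spi= parameters are examined, and the parser is a simplified reading of the ipsec.conf layout.

```python
import re
from collections import defaultdict

SPI_MIN, SPI_MAX = 0x100, 0x999  # range stated in the FAQ text above

# Constructed ipsec.conf fragment; key material is deliberately left out.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn office-a
    left=192.0.2.10
    right=198.51.100.20
    spi=0x200
conn office-b
    left=192.0.2.10
    right=203.0.113.30
    spi=0x200        # same SPI as office-a
conn office-c
    left=192.0.2.10
    right=203.0.113.40
    spi=0x50         # below the allowed range
conn office-d
    left=192.0.2.10
    right=203.0.113.50
    spi=0x300
conn road
    left=192.0.2.10
    right=203.0.113.60
    auto=add         # automatically keyed, no spi= line
"""


def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf-style text.

    Simplification: a section starts with an unindented "conn NAME" line
    and its parameters are the indented "key=value" lines that follow.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            current = None  # "config setup" and unknown headers are skipped
            if len(parts) == 2 and parts[0] == "conn":
                current = conns.setdefault(parts[1], {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_spis(text):
    """Return a sorted list of problems with the spi= values in text."""
    problems = []
    seen = defaultdict(list)
    for name, params in parse_conns(text).items():
        # %default is a template, not a connection; inheritance is not modelled.
        if name == "%default" or "spi" not in params:
            continue
        value = params["spi"]
        if not re.fullmatch(r"0x[0-9a-fA-F]+", value):
            problems.append("%s: spi=%s is not 0x-prefixed hex" % (name, value))
            continue
        spi = int(value, 16)
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append("%s: spi=%s is outside 0x100-0x999" % (name, value))
        seen[spi].append(name)
    for spi, names in seen.items():
        if len(names) > 1:
            problems.append("spi=0x%x is shared by %s" % (spi, ", ".join(names)))
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_spis(SAMPLE_CONF):
        print(problem)
```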

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of the auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler.
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
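
The derivation described in the message above, as an added example (it is not part of the mailing list message and is not FreeS/WAN's _updown code). It rebuilds the route command from ipsec.conf values and flags a nexthop that would make it fail. The function names, the SAMPLE addresses, and the local_cidr and default_gw inputs are assumptions made for the illustration.

```python
import ipaddress

IPSEC_DEV = "ipsec0"  # device name as it appears in the log line quoted above


def _peer(local):
    return "right" if local == "left" else "left"


def gateway(conn, local, default_gw=None):
    """gw is the LOCAL side's nexthop; %defaultroute defers to the default route."""
    nexthop = conn.get(local + "nexthop")
    if "%defaultroute" in (conn.get(local), nexthop):
        if default_gw is None:
            raise ValueError("%defaultroute used but no default route is known")
        return default_gw
    if nexthop is None:
        # This sketch wants the value spelled out rather than guessing one.
        raise ValueError(f"{local}nexthop is not set")
    return nexthop


def route_command(conn, local, verb, default_gw=None):
    """Return the route line for 'route-client' or 'route-host'."""
    peer = _peer(local)
    if verb == "route-client":
        # net and netmask: the subnet that is NOT local
        net = ipaddress.ip_network(conn[peer + "subnet"])
    elif verb == "route-host":
        # net: the peer's own address; a host mask is always /32
        net = ipaddress.ip_network(conn[peer] + "/32")
    else:
        raise ValueError(f"unknown verb: {verb}")
    gw = gateway(conn, local, default_gw)
    return (f"route add -net {net.network_address} netmask {net.netmask} "
            f"dev {IPSEC_DEV} gw {gw}")


def diagnose(conn, local, local_cidr, default_gw=None):
    """List reasons the derived route is likely to fail.

    local_cidr is the local public interface's address and mask,
    for example "192.0.2.10/24" (supplied by the caller).
    """
    iface = ipaddress.ip_interface(local_cidr)
    gw = ipaddress.ip_address(gateway(conn, local, default_gw))
    problems = []
    if gw == iface.ip:
        problems.append("nexthop is this gateway's own address: "
                        "processed packets would loop")
    elif gw not in iface.network:
        problems.append("nexthop is not on a directly connected network: "
                        "expect 'network is unreachable' from route")
    return problems


# Values taken from the log line quoted above; which side is "left" is assumed.
PAGE_CONN = {"leftnexthop": "66.92.93.161", "right": "128.174.253.83"}

# Constructed sample connection (documentation address ranges).
SAMPLE = {
    "left": "192.0.2.10", "leftsubnet": "10.1.0.0/16",
    "leftnexthop": "192.0.2.1",
    "right": "198.51.100.20", "rightsubnet": "10.2.0.0/16",
    "rightnexthop": "198.51.100.1",
}

if __name__ == "__main__":
    print(route_command(PAGE_CONN, "left", "route-host"))
    print(route_command(SAMPLE, "left", "route-client"))
    # A common mistake: nexthop set to the peer, which is not on the local link.
    broken = dict(SAMPLE, leftnexthop="198.51.100.20")
    for problem in diagnose(broken, "left", "192.0.2.10/24"):
        print("problem:", problem)
```
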

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
      • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
      • Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of auto connection in the /etc/ipsec.conf file.
  • One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.

  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel.
  • Some possibile problems are discussed in out interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under I cannot ping... above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi- Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel, You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and its Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc complier. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).

Each manual connection must have a unique SPI value in the range 0x100 to 0x999. Two or more with the same value will fail. For details, see our HTML doc section Using manual keying in production and the man page ipsec.conf(5).

Manual connections work, but automatic keying doesn't

The most common reason for this behaviour is a firewall dropping the UDP port 500 packets used in key negotiation.

Other possibilities:

  • mis-configuration of the auto connection in the /etc/ipsec.conf file. One common configuration error is forgetting that you need auto=add to load the connection description on the receiving end so it recognises the connection when the other end asks for it.
  • error in shared secret in /etc/ipsec.secrets
  • one gateway lacks a route to the other so Pluto's UDP packets are lost
  • bugs in Pluto
  • incompatibilities between Pluto's IKE implementation and the IKE at the other end of the tunnel. Some possible problems are discussed in our interoperation document.

IPsec works, but connections using compression fail

Suspect one of:
  • (especially if small packets are OK, but large ones fail) compatibility issues with other implementations. We follow the RFCs and omit some extra material that many compression libraries add by default. Others may have the extras left in.

Small packets work, but large transfers fail

If tests with ping(1) and a small packet size succeed, but tests or transfers with larger packet sizes fail, suspect problems with packet fragmentation and perhaps path MTU discovery.

Our troubleshooting document covers these problems. Information on the underlying mechanism is in our background document.

Subnet-to-subnet works, but tests from the gateways don't

This is described under "I cannot ping..." above.

Compilation problems

gmp.h: No such file or directory

Pluto needs the GMP (GNU Multi-Precision) library for the large integer calculations it uses in public key cryptography. This error message indicates a failure to find the library. You must install it before Pluto will compile.

The GMP library is included in most Linux distributions. Typically, there are two RPMs, libgmp and libgmp-devel. You need to install both, either from your distribution CDs or from your vendor's web site.

On Debian, a mailing list message reports that the command to give is apt-get install gmp2.

For more information and the latest version, see the GMP home page.

... virtual memory exhausted

We have had several reports of this message appearing, all on SPARC Linux. Here is a mailing list message on a solution:
> ipsec_sha1.c: In function `SHA1Transform':
> ipsec_sha1.c:95: virtual memory exhausted

I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
MB swap.  Except I am compiling version 1.5 and it's Red Hat 6.2.

I can get around this by using -O instead of -O2 for the optimization
level.  So it is probably a bug in the optimizer on the sparc compiler. 
I'll try and chase this down on the sparc lists.

Interpreting error messages

route-client (or host) exited with status 7

Here is a discussion of this error from FreeS/WAN "listress" (mailing list tech support person) Claudia Schmeing. The "FAQ on the network unreachable error" which she refers to is the next question below.
> I reached the point where the two boxes (both on dial-up connections, but
> treated as static IPs by getting the IP and editing ipsec.conf after the
> connection is established) to the point where they exchange some info, but I
> get an error like "route-client command exited with status 7 \n internal
> error".
> Where can I find a description of this error?

In general, if the FAQ doesn't cover it, you can search the mailing list 
archives - I like to use
http://www.sandelman.ottawa.on.ca/linux-ipsec/
but you can see doc/mail.html for different archive formats.


Your error comes from the _updown script, which performs some
routing and firewall functions to help Linux FreeS/WAN. More info
is available at doc/firewall.html and man ipsec.conf. Its routing
is integral to the health of Linux FreeS/WAN; it also provides facility
to insert custom firewall rules to be executed when you create or destroy
a connection.

Yours is, of course, a routing error. You can be fairly sure the routing 
machinery is saying "network is unreachable". There's a FAQ on the 
"network is unreachable" error, but more information is available now; read on.

If your _updown script is recent (for example if it shipped with 
Linux FreeS/WAN 1.91), you will see another debugging line in your logs 
that looks something like this:

> output: /usr/local/lib/ipsec/_updown: `route add -net 128.174.253.83 
> netmask 255.255.255.255 dev ipsec0 gw 66.92.93.161' failed

This is, of course, the system route command that exited with status 7, 
(ie. failed). Man route for details. Seeing the command typed out yields 
more information. If your _updown script is older, you may wish to update 
it to show the command explicitly.

Three parameters fed to the route command: net, netmask and gw [gateway] 
are derived from things you've put in ipsec.conf.

Net and netmask are derived from the peer's IP and mask. In more detail:

You may see a routing error when routing to a client (ie. subnet), or 
to a host (IPSec gateway or freestanding host; a box that does IPSec for
itself). In _updown, the "route-client" section  is responsible to set up 
the route for IPSec'd (usually, read 'tunneled') packets headed to a 
peer subnet. Similarly, route-host routes IPSec'd packets to a peer host
or IPSec gateway.

When routing to a 'client', net and netmask are ipsec.conf's left- or 
rightsubnet (whichever is not local). Similarly, when routing to a 
'host' the net is left or right. Host netmask is always /32, indicating a 
single machine.

Gw is nexthop's value. Again, the value in question is left- or rightnexthop,
whichever is local. Where left/right or left-/rightnexthop has the special 
value %defaultroute (described in man ipsec.conf), gw will automagically get
the value of the next hop on the default route.

Q: "What's a nexthop and why do I need one?"

A: 'nexthop' is a routing kluge; its value is the next hop away
   from the machine that's doing IPSec, and toward your IPSec peer. 
   You need it to get the processed packets out of the local system and 
   onto the wire. While we often route other packets through the machine 
   that's now doing IPSec, and are done with it, this does not suffice here. 
   After packets are processed with IPSec, this machine needs to know where 
   they go next. Of course using the 'IPSec gateway' as their routing gateway 
   would cause an infinite loop! [To visualize this, see the packet flow 
   diagram at doc/firewall.html.] To avoid this, we route packets through 
   the next hop down their projected path.

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of Linux
   FreeS/WAN, as recommended? You need to ensure the two machines that
   will be running Linux FreeS/WAN can route to one another before trying to 
   make a secure connection.
2. Is there anything obviously wrong with the sense of your m the peer's atements in ipsec.conf(5).
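
The derivation of net, netmask and gw described in the message above, as an added example that is not part of the original message or of the project's _updown script. It rebuilds the route command from ipsec.conf values and checks the nexthop, assuming the usual cause of "network is unreachable": a gw that is not on the network directly attached to the local interface. Function names and the local address and mask arguments are hypothetical, and the mask comparison does not apply to point-to-point (dial-up) links.

```shell
#!/bin/sh
# Added example, not the project's _updown: rebuild the route command from
# ipsec.conf values and test whether the nexthop is directly reachable.

# ip_to_int A.B.C.D prints the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_cmd KIND PEER PEERSUBNET PEERMASK DEV NEXTHOP
#   KIND=client: net/netmask are the peer's subnet (left-/rightsubnet)
#   KIND=host:   net is the peer itself (left/right), netmask is always /32
#   NEXTHOP is the local left-/rightnexthop and becomes gw.
route_cmd() {
    case $1 in
        client) net=$3; mask=$4 ;;
        host)   net=$2; mask=255.255.255.255 ;;
        *)      echo "unknown kind: $1" >&2; return 2 ;;
    esac
    echo "route add -net $net netmask $mask dev $5 gw $6"
}

# nexthop_on_link LOCAL_IP LOCAL_MASK NEXTHOP succeeds when NEXTHOP lies in
# the network attached to the local interface (assumed cause of status 7
# when it does not).
nexthop_on_link() {
    a=$(ip_to_int "$1"); m=$(ip_to_int "$2"); g=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( g & m )) ]
}

# check_nexthop LOCAL_IP LOCAL_MASK NEXTHOP prints "ok" or the likely cause.
check_nexthop() {
    if nexthop_on_link "$1" "$2" "$3"; then
        echo ok
    else
        echo "nexthop $3 is not on the network of $1 mask $2"
    fi
}
# usage: route_cmd host 128.174.253.83 "" "" ipsec0 66.92.93.161
```

Run with the values from the log line quoted in the message, route_cmd reproduces that command, which makes it easy to compare what ipsec.conf implies with what _updown actually tried.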

Now that you know the background, consider:
1. Did you test routing between the gateways in the absence of L