[Swan] Problem with setting up ipsec

Paul Wouters paul at nohats.ca
Mon Oct 17 01:47:14 UTC 2016


On Sun, 16 Oct 2016, Maciej Piechotka wrote:

> I have a problem with setting up ipsec. I see ESP packets coming through
> but they are dropped during the policy check (i.e. XfrmInTmplMismatch is
> increased), so in tcpdump only the ESP packets are shown. I could not
> find any information on how to proceed from here.
>
> Matt
> PS. I disabled receiving messages from this group so please include me
> in To: or Cc: list.

Note that your barfs did not include log files. But regardless, it
shows the kernel ip xfrm state/policy showing the tunnels are up fine.

The only thing I can see wrong is:

Checking for IPsec support in kernel                    [OK]
  NETKEY: Testing XFRM related proc values
          ICMP default/send_redirects                    [NOT DISABLED]

   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

          ICMP default/accept_redirects                  [NOT DISABLED]

   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

          XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]


Please completely disable redirects and rp_filter:

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F

Paul
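
The fix Paul asks for, as an added example that is not part of the original thread and is not libreswan's own code: a POSIX sh script that writes the sysctl settings for every IPv4 interface (not just "all" and "default", since an interface that already exists keeps its own value, and the kernel applies max(all, interface) for rp_filter) and then audits the /proc/sys tree the way "ipsec verify" does. The sysctl.d file name is an assumption; both functions take an optional root directory so they can be run against a copied or constructed tree as well as the live host.

```shell
#!/bin/sh
# Added example, not libreswan code and not from the thread: emit the
# sysctl.d fragment that turns off ICMP redirects and rp_filter for every
# IPv4 interface, and audit a /proc/sys tree for anything still enabled.
# Both functions take an optional root directory (default /) so they can be
# exercised against a constructed tree as well as the live system.

# Print sysctl settings. "all" and "default" are not enough on their own:
# an interface that already exists keeps its per-interface value, and for
# rp_filter the kernel uses max(all, <iface>), so every interface is listed.
swan_sysctl_conf() {
    root="${1:-/}"
    echo '# libreswan / NETKEY: settings that "ipsec verify" checks'
    for d in "$root"/proc/sys/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        ifn=$(basename "$d")
        # sysctl(8) uses "." as the separator, so a dot inside an interface
        # name (eth0.100) has to be written as "/" in the key.
        key=$(printf '%s' "$ifn" | tr '.' '/')
        echo "net.ipv4.conf.$key.send_redirects = 0"
        echo "net.ipv4.conf.$key.accept_redirects = 0"
        echo "net.ipv4.conf.$key.rp_filter = 0"
    done
}

# Print every send_redirects / accept_redirects / rp_filter value that is
# not 0, in the style of "ipsec verify", and return 1 if any was found.
check_xfrm_procs() {
    root="${1:-/}"
    bad=0
    for f in "$root"/proc/sys/net/ipv4/conf/*/send_redirects \
             "$root"/proc/sys/net/ipv4/conf/*/accept_redirects \
             "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            printf '%-55s [NOT DISABLED] (%s)\n' "${f#"$root"}" "$v"
            bad=1
        fi
    done
    return "$bad"
}

# Live use, as root (the file name is an assumption):
#   swan_sysctl_conf > /etc/sysctl.d/50-libreswan.conf
#   sysctl --system
#   check_xfrm_procs && echo "redirects and rp_filter are off"
```

Re-run the audit after the tunnel's interfaces (ip_vti0, flannel0, ...) have come up, because an interface created after sysctl --system starts from the "default" values, and regenerate the fragment whenever a new interface appears.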
