[Swan] Problem with setting up ipsec
Maciej Piechotka
uzytkownik2 at gmail.com
Mon Oct 17 08:05:40 UTC 2016
Possibly interesting data point: I was able to set up an ipsec tunnel with
pure Fedora (userspace + kernel) but not with Fedora strongswan tools or CentOS
libreswan tools on the CoreOS kernel.
On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <uzytkownik2 at gmail.com> wrote:
> Hi Paul,
>
> Sorry, I tried it before but forgot to re-enable it after
> recreating the VM. However, it doesn't help.
>
> Matt
>
> On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <paul at nohats.ca> wrote:
> > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
> >
> >> I have a problem with setting up ipsec. I see ESP packets coming through
> >> but they are dropped during the policy check (i.e. XfrmInTmplMismatch is
> >> incremented), so in tcpdump only the ESP packets are shown. I could not
> >> find any information on how to proceed from here.
> >>
> >> Matt
> >> PS. I disabled receiving messages from this group so please include me
> >> in To: or Cc: list.
> >
> >
> > Note that your barfs did not include log files. But regardless, it
> > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
> >
> > The only thing I can see wrong is:
> >
> > Checking for IPsec support in kernel [OK]
> > NETKEY: Testing XFRM related proc values
> > ICMP default/send_redirects [NOT DISABLED]
> >
> > Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> > or cause sending of bogus ICMP redirects!
> >
> > ICMP default/accept_redirects [NOT DISABLED]
> >
> > Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
> > on or cause sending of bogus ICMP redirects!
> >
> > XFRM larval drop [OK]
> > Pluto ipsec.conf syntax [OK]
> > Hardware random device [N/A]
> > Two or more interfaces found, checking IP forwarding [OK]
> > Checking rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/flannel0/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> >
> >
> > Please completely disable redirects and rp_filter
> >
> >
> > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > Paul
>
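Paul's advice above comes down to three per-interface sysctls: rp_filter, send_redirects and accept_redirects, each of which `ipsec verify` flags when non-zero. The script below is an added example, not code from the libreswan project or from anyone in this thread. It walks /proc/sys/net/ipv4/conf/*/ the way the verify output does (so it covers all, default, eth0, eth1, flannel0 and ip_vti0 on Maciej's box), can clear the knobs, and reads the XfrmInTmplMismatch counter Maciej mentioned from /proc/net/xfrm_stat. PROC_ROOT is an assumed knob of this script, not a libreswan setting; it exists so the same functions can be run against a constructed tree instead of the live /proc.

```sh
#!/bin/sh
# Added example: check, and optionally clear, the per-interface sysctls that
# `ipsec verify` complains about (rp_filter, send_redirects, accept_redirects),
# and read the XfrmInTmplMismatch counter from /proc/net/xfrm_stat.
# PROC_ROOT is an assumed knob (not a libreswan setting): it defaults to /proc
# and can point at a constructed tree for offline testing.

PROC_ROOT="${PROC_ROOT:-/proc}"
KNOBS="rp_filter send_redirects accept_redirects"

# check_knob all/rp_filter -> prints a verify-style line; returns 0 only if the
# value is 0 (or the file is absent, e.g. no such interface).
check_knob() {
    f="$PROC_ROOT/sys/net/ipv4/conf/$1"
    if [ ! -r "$f" ]; then
        echo "$1 [N/A]"
        return 0
    fi
    v=$(cat "$f")
    if [ "$v" = "0" ]; then
        echo "$1 [DISABLED]"
        return 0
    fi
    echo "$1 [ENABLED]"
    return 1
}

# Number of knob files under conf/*/ that are still non-zero.
count_bad_knobs() {
    n=0
    for d in "$PROC_ROOT"/sys/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        for k in $KNOBS; do
            check_knob "$iface/$k" >/dev/null || n=$((n + 1))
        done
    done
    echo "$n"
}

# Write 0 to every knob on every interface, including "all" and "default"
# (needs root against the real /proc).
disable_knobs() {
    for d in "$PROC_ROOT"/sys/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        for k in $KNOBS; do
            if [ -w "$d$k" ]; then
                echo 0 > "$d$k"
            fi
        done
    done
    return 0
}

# xfrm_counter XfrmInTmplMismatch -> current value, or 0 if not available.
xfrm_counter() {
    f="$PROC_ROOT/net/xfrm_stat"
    [ -r "$f" ] || { echo 0; return 0; }
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }' "$f"
}

# Verify-style report over every interface, then the mismatch counter.
report() {
    for d in "$PROC_ROOT"/sys/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        for k in $KNOBS; do
            check_knob "$iface/$k" || true
        done
    done
    echo "knobs still set: $(count_bad_knobs)"
    echo "XfrmInTmplMismatch: $(xfrm_counter XfrmInTmplMismatch)"
    return 0
}

# Usage: ./ipsec-sysctl-check.sh          (report only)
#        sudo ./ipsec-sysctl-check.sh fix  (clear the knobs, then report)
if [ "${1:-}" = "fix" ]; then
    disable_knobs
fi
report
```

Writing zeros into /proc only lasts until reboot; the persistent form is the same keys in /etc/sysctl.d, for example net.ipv4.conf.all.rp_filter = 0 and net.ipv4.conf.all.send_redirects = 0, which is what the two FAQ links above describe. Note also that XfrmInTmplMismatch counts inbound packets whose decrypted SA did not match the template of the policy that selected them (for example tunnel versus transport mode, or selectors that differ between SA and policy), so a clean sysctl report does not by itself explain that counter; it only removes the kernel-side configuration that the verify output flagged.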