[Swan] Problem with setting up ipsec

Maciej Piechotka uzytkownik2 at gmail.com
Mon Oct 17 08:05:40 UTC 2016 

Possibly interesting data point - I was able to set up ipsec tunnel with
pure Fedora (userspace + kernel) but not Fedora strongswan tools or Centos
libreswan tools on CoreOS kernel.

On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <uzytkownik2 at gmail.com>
wrote:

> Hi Paul,
>
> Sorry - I've tried it before but I forgot to reenable it after
> recreation of VM. However it doesn't help.
>
> Matt
>
> On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <paul at nohats.ca> wrote:
> > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
> >
> >> I have problem with setting up ipsec. I see ESP packets coming through
> >> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
> >> increased) so in tcpdump only the ESP packets are shown. I could not
> >> find any information how to proceed from here.
> >>
> >> Matt
> >> PS. I disabled receiving messages from this group so please include me
> >> in To: or Cc: list.
> >
> >
> > Note that your barf's did not include log files. But regardless, it
> > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
> >
> > The only thing I can see wrong is:
> >
> > Checking for IPsec support in kernel                    [OK]
> >  NETKEY: Testing XFRM related proc values
> >          ICMP default/send_redirects                    [NOT DISABLED]
> >
> >   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> > or cause sending of bogus ICMP redirects!
> >
> >          ICMP default/accept_redirects                  [NOT DISABLED]
> >
> >   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
> > on or cause sending of bogus ICMP redirects!
> >
> >          XFRM larval drop                               [OK]
> > Pluto ipsec.conf syntax                                 [OK]
> > Hardware random device                                  [N/A]
> > Two or more interfaces found, checking IP forwarding    [OK]
> > Checking rp_filter                                      [ENABLED]
> >  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
> >  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
> >  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
> >  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
> >  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
> >  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
> >
> >
> > Please completely disable redirects and rp_filter
> >
> >
> https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> >
> https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20161017/04ee5783/attachment.html>

More information about the Swan mailing list