<div dir="ltr">Possibly interesting data point - I was able to set up an ipsec tunnel with pure Fedora (userspace + kernel) but not with the Fedora strongswan tools or the CentOS libreswan tools on the CoreOS kernel.<br></div><br><div class="gmail_quote"><div dir="ltr">On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <<a href="mailto:uzytkownik2@gmail.com">uzytkownik2@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Paul,<br class="gmail_msg">
<br class="gmail_msg">
Sorry - I've tried it before, but I forgot to re-enable it after<br class="gmail_msg">
recreating the VM. However, it doesn't help.<br class="gmail_msg">
<br class="gmail_msg">
Matt<br class="gmail_msg">
<br class="gmail_msg">
On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <<a href="mailto:paul@nohats.ca" class="gmail_msg" target="_blank">paul@nohats.ca</a>> wrote:<br class="gmail_msg">
> On Sun, 16 Oct 2016, Maciej Piechotka wrote:<br class="gmail_msg">
><br class="gmail_msg">
>> I have a problem setting up ipsec. I see ESP packets coming through,<br class="gmail_msg">
>> but they are dropped during the policy check (i.e. XfrmInTmplMismatch is<br class="gmail_msg">
>> incremented), so in tcpdump only the ESP packets are shown. I could not<br class="gmail_msg">
>> find any information on how to proceed from here.<br class="gmail_msg">
>><br class="gmail_msg">
>> Matt<br class="gmail_msg">
>> PS. I disabled receiving messages from this group so please include me<br class="gmail_msg">
>> in To: or Cc: list.<br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
> Note that your barfs did not include log files. But regardless, the output<br class="gmail_msg">
> shows the kernel ip xfrm state/policy, and the tunnels are up fine.<br class="gmail_msg">
><br class="gmail_msg">
> The only thing I can see wrong is:<br class="gmail_msg">
><br class="gmail_msg">
> Checking for IPsec support in kernel                    [OK]<br class="gmail_msg">
>  NETKEY: Testing XFRM related proc values<br class="gmail_msg">
>          ICMP default/send_redirects                    [NOT DISABLED]<br class="gmail_msg">
><br class="gmail_msg">
>   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on<br class="gmail_msg">
> or cause sending of bogus ICMP redirects!<br class="gmail_msg">
><br class="gmail_msg">
>          ICMP default/accept_redirects                  [NOT DISABLED]<br class="gmail_msg">
><br class="gmail_msg">
>   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act<br class="gmail_msg">
> on or cause sending of bogus ICMP redirects!<br class="gmail_msg">
><br class="gmail_msg">
>          XFRM larval drop                               [OK]<br class="gmail_msg">
> Pluto ipsec.conf syntax                                 [OK]<br class="gmail_msg">
> Hardware random device                                  [N/A]<br class="gmail_msg">
> Two or more interfaces found, checking IP forwarding    [OK]<br class="gmail_msg">
> Checking rp_filter                                      [ENABLED]<br class="gmail_msg">
>  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]<br class="gmail_msg">
>  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]<br class="gmail_msg">
>  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]<br class="gmail_msg">
>  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]<br class="gmail_msg">
>  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]<br class="gmail_msg">
>  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]<br class="gmail_msg">
><br class="gmail_msg">
><br class="gmail_msg">
> Please completely disable redirects and rp_filter<br class="gmail_msg">
><br class="gmail_msg">
> <a href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F" rel="noreferrer" class="gmail_msg" target="_blank">https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F</a><br class="gmail_msg">
><br class="gmail_msg">
> <a href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F" rel="noreferrer" class="gmail_msg" target="_blank">https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F</a><br class="gmail_msg">
><br class="gmail_msg">
> Paul<br class="gmail_msg">
</blockquote></div>
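<div dir="ltr">The sysctl fix Paul asks for, plus a way to watch the XfrmInTmplMismatch counter Matt describes, as an added example script. This is not code from the thread, from libreswan or from strongswan; the script name, the sysctl.d file name and the sample sysctl/xfrm_stat lines are assumptions constructed for the example, and the interface names are the ones from Paul's listing.</div>

```sh
#!/bin/sh
# Added example (not from the thread, libreswan or strongswan): helpers for the
# fix Paul recommends (disable rp_filter and ICMP redirects everywhere) and for
# watching the XfrmInTmplMismatch counter Matt saw increasing.
# File name, sysctl.d fragment name and the SAMPLE_* inputs below are assumptions.

# Print a sysctl.d fragment that zeroes rp_filter, send_redirects and
# accept_redirects for "all", "default" and every interface given as argument.
# "all" alone is not enough for rp_filter: the kernel uses the maximum of
# conf.all.rp_filter and conf.<dev>.rp_filter, so each device must be set too.
ipsec_sysctl_conf() {
  for dev in all default "$@"; do
    printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$dev"
    printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$dev"
    printf 'net.ipv4.conf.%s.accept_redirects = 0\n' "$dev"
  done
}

# Read "key = value" lines (sysctl -a output) on stdin and print the
# rp_filter / send_redirects / accept_redirects keys that are still non-zero,
# one per line. Prints nothing when the host matches the recommendation.
still_enabled() {
  awk '$1 ~ /^net\.ipv4\.conf\..*\.(rp_filter|send_redirects|accept_redirects)$/ && $3 != 0 { print $1 }'
}

# Read /proc/net/xfrm_stat on stdin and print one counter (0 if absent).
# XfrmInTmplMismatch counts inbound packets that matched an SA but did not
# satisfy the template of the inbound policy covering them: the packet is
# decrypted and then dropped at the policy check, which is why tcpdump shows
# only the ESP packets and nothing decapsulated.
xfrm_counter() {
  awk -v name="$1" '$1 == name { print $2; found = 1 } END { if (!found) print 0 }'
}

# Sample the live counter twice and print the delta; needs a kernel built
# with XFRM statistics (CONFIG_XFRM_STATISTICS) for /proc/net/xfrm_stat.
tmpl_mismatch_delta() {
  before=$(xfrm_counter XfrmInTmplMismatch < /proc/net/xfrm_stat)
  sleep "${1:-5}"
  after=$(xfrm_counter XfrmInTmplMismatch < /proc/net/xfrm_stat)
  echo $((after - before))
}

# Constructed sample inputs (not real output from Matt's host), so the helpers
# can be exercised offline.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.ip_forward = 1'

SAMPLE_XFRM_STAT='XfrmInError              0
XfrmInTmplMismatch       42
XfrmInNoPols             0'

# Usage (as root, assumed script name ipsec-sysctl.sh):
#   ./ipsec-sysctl.sh apply eth0 eth1 flannel0 ip_vti0
# writes /etc/sysctl.d/50-ipsec.conf, loads it, lists any key still enabled
# and prints the XfrmInTmplMismatch delta over five seconds.
if [ "${1:-}" = "apply" ]; then
  shift
  ipsec_sysctl_conf "$@" > /etc/sysctl.d/50-ipsec.conf
  sysctl --system > /dev/null
  sysctl -a 2>/dev/null | still_enabled
  echo "XfrmInTmplMismatch delta: $(tmpl_mismatch_delta 5)"
fi
```

<div dir="ltr">Run the offline helpers first (pipe your own <code>sysctl -a</code> into <code>still_enabled</code>) to see which keys the barf output would still flag; if the counter delta stays above zero after every key reads 0, the mismatch is in the policy templates themselves rather than in these sysctls, and the next thing to compare is <code>ip xfrm policy</code> against <code>ip xfrm state</code> on both ends.</div>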