<div dir="ltr"><div><div>Thanks for looking at things. You mentioned I would need to have a "key" entry matching the mark number in your<br>
config (5)<span class="gmail-im">. I am trying to find out how I would
define that key entry in the config. I am reading
<a href="https://libreswan.org/man/ipsec.conf.5.html">https://libreswan.org/man/ipsec.conf.5.html</a> and am not sure what I am
missing. <br></span></div><div><span class="gmail-im">I also looked at other configs that people said they had working but still didn't see what I needed to add. <br></span></div><div><span class="gmail-im"><br></span></div><div><span class="gmail-im">The information you asked about is below but I am not seeing anything that points me in a direction.</span><br></div><div><br><br></div>IP tunnel<br><br>vti201: ip/ip  remote 102.167.4.2  local 172.31.140.0  ttl inherit  key 5<br>ip_vti0: ip/ip  remote any  local any  ttl inherit  nopmtudisc key 0<br><br><br><br></div>ipsec verify<br><br>Verifying installed system and configuration files<br><br>Version check and ipsec on-path                         [OK]<br>Libreswan 3.20 (netkey) on 3.10.0-693.el7.x86_64<br>Checking for IPsec support in kernel                    [OK]<br> NETKEY: Testing XFRM related proc values<br>         ICMP default/send_redirects                    [NOT DISABLED]<br><br>  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!<br><br>         ICMP default/accept_redirects                  [NOT DISABLED]<br><br>  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!<br><br>         XFRM larval drop                               [OK]<br>Pluto ipsec.conf syntax                                 [OK]<br>Two or more interfaces found, checking IP forwarding    [OK]<br>Checking rp_filter                                      [ENABLED]<br> /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]<br> /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]<br> /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]<br> /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]<br> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]<br> /proc/sys/net/ipv4/conf/tun0/rp_filter                 [ENABLED]<br>  rp_filter is not fully aware of IPsec and 
should be disabled<br>Checking that pluto is running                          [OK]<br> Pluto listening for IKE on udp 500                     [OK]<br> Pluto listening for IKE/NAT-T on udp 4500              [OK]<br> Pluto ipsec.secret syntax                              [OK]<br>Checking 'ip' command                                   [OK]<br>Checking 'iptables' command                             [OK]<br>Checking 'prelink' command does not interfere with FIPS [OK]<br>Checking for obsolete ipsec.conf options                [OK]<br><br>ipsec verify: encountered <b><u>15</u></b> errors - see 'man ipsec_verify' for help<br><br><div>==========</div><div> sysctl net.ipv4 ip_forward - If I am looking at things correctly rp_forward is disabled on the vti interface<br></div><div><br></div><div>net.ipv4.cipso_cache_bucket_size = 10<br>net.ipv4.cipso_cache_enable = 1<br>net.ipv4.cipso_rbm_optfmt = 0<br>net.ipv4.cipso_rbm_strictvalid = 1<br>net.ipv4.conf.all.accept_local = 0<br>net.ipv4.conf.all.accept_redirects = 0<br>net.ipv4.conf.all.accept_source_route = 0<br>net.ipv4.conf.all.arp_accept = 0<br>net.ipv4.conf.all.arp_announce = 0<br>net.ipv4.conf.all.arp_filter = 0<br>net.ipv4.conf.all.arp_ignore = 0<br>net.ipv4.conf.all.arp_notify = 0<br>net.ipv4.conf.all.bootp_relay = 0<br>net.ipv4.conf.all.disable_policy = 0<br>net.ipv4.conf.all.disable_xfrm = 0<br>net.ipv4.conf.all.force_igmp_version = 0<br>net.ipv4.conf.all.forwarding = 1<br>net.ipv4.conf.all.log_martians = 0<br>net.ipv4.conf.all.mc_forwarding = 0<br>net.ipv4.conf.all.medium_id = 0<br>net.ipv4.conf.all.promote_secondaries = 1<br>net.ipv4.conf.all.proxy_arp = 0<br>net.ipv4.conf.all.proxy_arp_pvlan = 0<br>net.ipv4.conf.all.route_localnet = 0<br>net.ipv4.conf.all.rp_filter = 1<br>net.ipv4.conf.all.secure_redirects = 1<br>net.ipv4.conf.all.send_redirects = 1<br>net.ipv4.conf.all.shared_media = 1<br>net.ipv4.conf.all.src_valid_mark = 0<br>net.ipv4.conf.all.tag = 0<br>net.ipv4.conf.default.accept_local = 
0<br>net.ipv4.conf.default.accept_redirects = 1<br>net.ipv4.conf.default.accept_source_route = 0<br>net.ipv4.conf.default.arp_accept = 0<br>net.ipv4.conf.default.arp_announce = 0<br>net.ipv4.conf.default.arp_filter = 0<br>net.ipv4.conf.default.arp_ignore = 0<br>net.ipv4.conf.default.arp_notify = 0<br>net.ipv4.conf.default.bootp_relay = 0<br>net.ipv4.conf.default.disable_policy = 0<br>net.ipv4.conf.default.disable_xfrm = 0<br>net.ipv4.conf.default.force_igmp_version = 0<br>net.ipv4.conf.default.forwarding = 1<br>net.ipv4.conf.default.log_martians = 0<br>net.ipv4.conf.default.mc_forwarding = 0<br>net.ipv4.conf.default.medium_id = 0<br>net.ipv4.conf.default.promote_secondaries = 1<br>net.ipv4.conf.default.proxy_arp = 0<br>net.ipv4.conf.default.proxy_arp_pvlan = 0<br>net.ipv4.conf.default.route_localnet = 0<br>net.ipv4.conf.default.rp_filter = 1<br>net.ipv4.conf.default.secure_redirects = 1<br>net.ipv4.conf.default.send_redirects = 1<br>net.ipv4.conf.default.shared_media = 1<br>net.ipv4.conf.default.src_valid_mark = 0<br>net.ipv4.conf.default.tag = 0<br>net.ipv4.conf.eth0.accept_local = 0<br>net.ipv4.conf.eth0.accept_redirects = 1<br>net.ipv4.conf.eth0.accept_source_route = 0<br>net.ipv4.conf.eth0.arp_accept = 0<br>net.ipv4.conf.eth0.arp_announce = 0<br>net.ipv4.conf.eth0.arp_filter = 0<br>net.ipv4.conf.eth0.arp_ignore = 0<br>net.ipv4.conf.eth0.arp_notify = 0<br>net.ipv4.conf.eth0.bootp_relay = 0<br>net.ipv4.conf.eth0.disable_policy = 0<br>net.ipv4.conf.eth0.disable_xfrm = 0<br>net.ipv4.conf.eth0.force_igmp_version = 0<br>net.ipv4.conf.eth0.forwarding = 1<br>net.ipv4.conf.eth0.log_martians = 0<br>net.ipv4.conf.eth0.mc_forwarding = 0<br>net.ipv4.conf.eth0.medium_id = 0<br>net.ipv4.conf.eth0.promote_secondaries = 1<br>net.ipv4.conf.eth0.proxy_arp = 0<br>net.ipv4.conf.eth0.proxy_arp_pvlan = 0<br>net.ipv4.conf.eth0.route_localnet = 0<br>net.ipv4.conf.eth0.rp_filter = 1<br>net.ipv4.conf.eth0.secure_redirects = 1<br>net.ipv4.conf.eth0.send_redirects = 
1<br>net.ipv4.conf.eth0.shared_media = 1<br>net.ipv4.conf.eth0.src_valid_mark = 0<br>net.ipv4.conf.eth0.tag = 0<br>net.ipv4.conf.eth1.accept_local = 0<br>net.ipv4.conf.eth1.accept_redirects = 1<br>net.ipv4.conf.eth1.accept_source_route = 0<br>net.ipv4.conf.eth1.arp_accept = 0<br>net.ipv4.conf.eth1.arp_announce = 0<br>net.ipv4.conf.eth1.arp_filter = 0<br>net.ipv4.conf.eth1.arp_ignore = 0<br>net.ipv4.conf.eth1.arp_notify = 0<br>net.ipv4.conf.eth1.bootp_relay = 0<br>net.ipv4.conf.eth1.disable_policy = 0<br>net.ipv4.conf.eth1.disable_xfrm = 0<br>net.ipv4.conf.eth1.force_igmp_version = 0<br>net.ipv4.conf.eth1.forwarding = 1<br>net.ipv4.conf.eth1.log_martians = 0<br>net.ipv4.conf.eth1.mc_forwarding = 0<br>net.ipv4.conf.eth1.medium_id = 0<br>net.ipv4.conf.eth1.promote_secondaries = 1<br>net.ipv4.conf.eth1.proxy_arp = 0<br>net.ipv4.conf.eth1.proxy_arp_pvlan = 0<br>net.ipv4.conf.eth1.route_localnet = 0<br>net.ipv4.conf.eth1.rp_filter = 1<br>net.ipv4.conf.eth1.secure_redirects = 1<br>net.ipv4.conf.eth1.send_redirects = 1<br>net.ipv4.conf.eth1.shared_media = 1<br>net.ipv4.conf.eth1.src_valid_mark = 0<br>net.ipv4.conf.eth1.tag = 0<br>net.ipv4.conf.ip_vti0.accept_local = 0<br>net.ipv4.conf.ip_vti0.accept_redirects = 1<br>net.ipv4.conf.ip_vti0.accept_source_route = 0<br>net.ipv4.conf.ip_vti0.arp_accept = 0<br>net.ipv4.conf.ip_vti0.arp_announce = 0<br>net.ipv4.conf.ip_vti0.arp_filter = 0<br>net.ipv4.conf.ip_vti0.arp_ignore = 0<br>net.ipv4.conf.ip_vti0.arp_notify = 0<br>net.ipv4.conf.ip_vti0.bootp_relay = 0<br>net.ipv4.conf.ip_vti0.disable_policy = 0<br>net.ipv4.conf.ip_vti0.disable_xfrm = 0<br>net.ipv4.conf.ip_vti0.force_igmp_version = 0<br>net.ipv4.conf.ip_vti0.forwarding = 1<br>net.ipv4.conf.ip_vti0.log_martians = 0<br>net.ipv4.conf.ip_vti0.mc_forwarding = 0<br>net.ipv4.conf.ip_vti0.medium_id = 0<br>net.ipv4.conf.ip_vti0.promote_secondaries = 1<br>net.ipv4.conf.ip_vti0.proxy_arp = 0<br>net.ipv4.conf.ip_vti0.proxy_arp_pvlan = 0<br>net.ipv4.conf.ip_vti0.route_localnet = 
0<br>net.ipv4.conf.ip_vti0.rp_filter = 1<br>net.ipv4.conf.ip_vti0.secure_redirects = 1<br>net.ipv4.conf.ip_vti0.send_redirects = 1<br>net.ipv4.conf.ip_vti0.shared_media = 1<br>net.ipv4.conf.ip_vti0.src_valid_mark = 0<br>net.ipv4.conf.ip_vti0.tag = 0<br>net.ipv4.conf.lo.accept_local = 0<br>net.ipv4.conf.lo.accept_redirects = 1<br>net.ipv4.conf.lo.accept_source_route = 1<br>net.ipv4.conf.lo.arp_accept = 0<br>net.ipv4.conf.lo.arp_announce = 0<br>net.ipv4.conf.lo.arp_filter = 0<br>net.ipv4.conf.lo.arp_ignore = 0<br>net.ipv4.conf.lo.arp_notify = 0<br>net.ipv4.conf.lo.bootp_relay = 0<br>net.ipv4.conf.lo.disable_policy = 1<br>net.ipv4.conf.lo.disable_xfrm = 1<br>net.ipv4.conf.lo.force_igmp_version = 0<br>net.ipv4.conf.lo.forwarding = 1<br>net.ipv4.conf.lo.log_martians = 0<br>net.ipv4.conf.lo.mc_forwarding = 0<br>net.ipv4.conf.lo.medium_id = 0<br>net.ipv4.conf.lo.promote_secondaries = 0<br>net.ipv4.conf.lo.proxy_arp = 0<br>net.ipv4.conf.lo.proxy_arp_pvlan = 0<br>net.ipv4.conf.lo.route_localnet = 0<br>net.ipv4.conf.lo.rp_filter = 0<br>net.ipv4.conf.lo.secure_redirects = 1<br>net.ipv4.conf.lo.send_redirects = 1<br>net.ipv4.conf.lo.shared_media = 1<br>net.ipv4.conf.lo.src_valid_mark = 0<br>net.ipv4.conf.lo.tag = 0<br>net.ipv4.conf.tun0.accept_local = 0<br>net.ipv4.conf.tun0.accept_redirects = 1<br>net.ipv4.conf.tun0.accept_source_route = 0<br>net.ipv4.conf.tun0.arp_accept = 0<br>net.ipv4.conf.tun0.arp_announce = 0<br>net.ipv4.conf.tun0.arp_filter = 0<br>net.ipv4.conf.tun0.arp_ignore = 0<br>net.ipv4.conf.tun0.arp_notify = 0<br>net.ipv4.conf.tun0.bootp_relay = 0<br>net.ipv4.conf.tun0.disable_policy = 0<br>net.ipv4.conf.tun0.disable_xfrm = 0<br>net.ipv4.conf.tun0.force_igmp_version = 0<br>net.ipv4.conf.tun0.forwarding = 1<br>net.ipv4.conf.tun0.log_martians = 0<br>net.ipv4.conf.tun0.mc_forwarding = 0<br>net.ipv4.conf.tun0.medium_id = 0<br>net.ipv4.conf.tun0.promote_secondaries = 1<br>net.ipv4.conf.tun0.proxy_arp = 0<br>net.ipv4.conf.tun0.proxy_arp_pvlan = 
0<br>net.ipv4.conf.tun0.route_localnet = 0<br>net.ipv4.conf.tun0.rp_filter = 1<br>net.ipv4.conf.tun0.secure_redirects = 1<br>net.ipv4.conf.tun0.send_redirects = 1<br>net.ipv4.conf.tun0.shared_media = 1<br>net.ipv4.conf.tun0.src_valid_mark = 0<br>net.ipv4.conf.tun0.tag = 0<br>net.ipv4.conf.vti201.accept_local = 0<br>net.ipv4.conf.vti201.accept_redirects = 1<br>net.ipv4.conf.vti201.accept_source_route = 0<br>net.ipv4.conf.vti201.arp_accept = 0<br>net.ipv4.conf.vti201.arp_announce = 0<br>net.ipv4.conf.vti201.arp_filter = 0<br>net.ipv4.conf.vti201.arp_ignore = 0<br>net.ipv4.conf.vti201.arp_notify = 0<br>net.ipv4.conf.vti201.bootp_relay = 0<br>net.ipv4.conf.vti201.disable_policy = 1<br>net.ipv4.conf.vti201.disable_xfrm = 0<br>net.ipv4.conf.vti201.force_igmp_version = 0<br>net.ipv4.conf.vti201.forwarding = 1<br>net.ipv4.conf.vti201.log_martians = 0<br>net.ipv4.conf.vti201.mc_forwarding = 0<br>net.ipv4.conf.vti201.medium_id = 0<br>net.ipv4.conf.vti201.promote_secondaries = 1<br>net.ipv4.conf.vti201.proxy_arp = 0<br>net.ipv4.conf.vti201.proxy_arp_pvlan = 0<br>net.ipv4.conf.vti201.route_localnet = 0<br>net.ipv4.conf.vti201.rp_filter = 0<br>net.ipv4.conf.vti201.secure_redirects = 1<br>net.ipv4.conf.vti201.send_redirects = 1<br>net.ipv4.conf.vti201.shared_media = 1<br>net.ipv4.conf.vti201.src_valid_mark = 0<br>net.ipv4.conf.vti201.tag = 0<br>net.ipv4.icmp_echo_ignore_all = 0<br>net.ipv4.icmp_echo_ignore_broadcasts = 1<br>net.ipv4.icmp_errors_use_inbound_ifaddr = 0<br>net.ipv4.icmp_ignore_bogus_error_responses = 1<br>net.ipv4.icmp_msgs_burst = 50<br>net.ipv4.icmp_msgs_per_sec = 1000<br>net.ipv4.icmp_ratelimit = 1000<br>net.ipv4.icmp_ratemask = 6168<br>net.ipv4.igmp_max_memberships = 20<br>net.ipv4.igmp_max_msf = 10<br>net.ipv4.igmp_qrv = 2<br>net.ipv4.inet_peer_maxttl = 600<br>net.ipv4.inet_peer_minttl = 120<br>net.ipv4.inet_peer_threshold = 65664<br>net.ipv4.ip_default_ttl = 64<br>net.ipv4.ip_dynaddr = 0<br>net.ipv4.ip_early_demux = 1<br>net.ipv4.ip_forward = 
1<br>net.ipv4.ip_forward_use_pmtu = 0<br>net.ipv4.ip_local_port_range = 32768    60999<br>net.ipv4.ip_local_reserved_ports =<br>net.ipv4.ip_no_pmtu_disc = 0<br>net.ipv4.ip_nonlocal_bind = 0<br>net.ipv4.ipfrag_high_thresh = 4194304<br>net.ipv4.ipfrag_low_thresh = 3145728<br>net.ipv4.ipfrag_max_dist = 64<br>net.ipv4.ipfrag_secret_interval = 600<br>net.ipv4.ipfrag_time = 30<br>net.ipv4.neigh.default.anycast_delay = 100<br>net.ipv4.neigh.default.app_solicit = 0<br>net.ipv4.neigh.default.base_reachable_time_ms = 30000<br>net.ipv4.neigh.default.delay_first_probe_time = 5<br>net.ipv4.neigh.default.gc_interval = 30<br>net.ipv4.neigh.default.gc_stale_time = 60<br>net.ipv4.neigh.default.gc_thresh1 = 128<br>net.ipv4.neigh.default.gc_thresh2 = 512<br>net.ipv4.neigh.default.gc_thresh3 = 1024<br>net.ipv4.neigh.default.locktime = 100<br>net.ipv4.neigh.default.mcast_solicit = 3<br>net.ipv4.neigh.default.proxy_delay = 80<br>net.ipv4.neigh.default.proxy_qlen = 64<br>net.ipv4.neigh.default.retrans_time_ms = 1000<br>net.ipv4.neigh.default.ucast_solicit = 3<br>net.ipv4.neigh.default.unres_qlen = 31<br>net.ipv4.neigh.default.unres_qlen_bytes = 65536<br>net.ipv4.neigh.eth0.anycast_delay = 100<br>net.ipv4.neigh.eth0.app_solicit = 0<br>net.ipv4.neigh.eth0.base_reachable_time_ms = 30000<br>net.ipv4.neigh.eth0.delay_first_probe_time = 5<br>net.ipv4.neigh.eth0.gc_stale_time = 60<br>net.ipv4.neigh.eth0.locktime = 100<br>net.ipv4.neigh.eth0.mcast_solicit = 3<br>net.ipv4.neigh.eth0.proxy_delay = 80<br>net.ipv4.neigh.eth0.proxy_qlen = 64<br>net.ipv4.neigh.eth0.retrans_time_ms = 1000<br>net.ipv4.neigh.eth0.ucast_solicit = 3<br>net.ipv4.neigh.eth0.unres_qlen = 31<br>net.ipv4.neigh.eth0.unres_qlen_bytes = 65536<br>net.ipv4.neigh.eth1.anycast_delay = 100<br>net.ipv4.neigh.eth1.app_solicit = 0<br>net.ipv4.neigh.eth1.base_reachable_time_ms = 30000<br>net.ipv4.neigh.eth1.delay_first_probe_time = 5<br>net.ipv4.neigh.eth1.gc_stale_time = 60<br>net.ipv4.neigh.eth1.locktime = 
100<br>net.ipv4.neigh.eth1.mcast_solicit = 3<br>net.ipv4.neigh.eth1.proxy_delay = 80<br>net.ipv4.neigh.eth1.proxy_qlen = 64<br>net.ipv4.neigh.eth1.retrans_time_ms = 1000<br>net.ipv4.neigh.eth1.ucast_solicit = 3<br>net.ipv4.neigh.eth1.unres_qlen = 31<br>net.ipv4.neigh.eth1.unres_qlen_bytes = 65536<br>net.ipv4.neigh.ip_vti0.anycast_delay = 100<br>net.ipv4.neigh.ip_vti0.app_solicit = 0<br>net.ipv4.neigh.ip_vti0.base_reachable_time_ms = 30000<br>net.ipv4.neigh.ip_vti0.delay_first_probe_time = 5<br>net.ipv4.neigh.ip_vti0.gc_stale_time = 60<br>net.ipv4.neigh.ip_vti0.locktime = 100<br>net.ipv4.neigh.ip_vti0.mcast_solicit = 3<br>net.ipv4.neigh.ip_vti0.proxy_delay = 80<br>net.ipv4.neigh.ip_vti0.proxy_qlen = 64<br>net.ipv4.neigh.ip_vti0.retrans_time_ms = 1000<br>net.ipv4.neigh.ip_vti0.ucast_solicit = 3<br>net.ipv4.neigh.ip_vti0.unres_qlen = 31<br>net.ipv4.neigh.ip_vti0.unres_qlen_bytes = 65536<br>net.ipv4.neigh.lo.anycast_delay = 100<br>net.ipv4.neigh.lo.app_solicit = 0<br>net.ipv4.neigh.lo.base_reachable_time_ms = 30000<br>net.ipv4.neigh.lo.delay_first_probe_time = 5<br>net.ipv4.neigh.lo.gc_stale_time = 60<br>net.ipv4.neigh.lo.locktime = 100<br>net.ipv4.neigh.lo.mcast_solicit = 3<br>net.ipv4.neigh.lo.proxy_delay = 80<br>net.ipv4.neigh.lo.proxy_qlen = 64<br>net.ipv4.neigh.lo.retrans_time_ms = 1000<br>net.ipv4.neigh.lo.ucast_solicit = 3<br>net.ipv4.neigh.lo.unres_qlen = 31<br>net.ipv4.neigh.lo.unres_qlen_bytes = 65536<br>net.ipv4.neigh.tun0.anycast_delay = 100<br>net.ipv4.neigh.tun0.app_solicit = 0<br>net.ipv4.neigh.tun0.base_reachable_time_ms = 30000<br>net.ipv4.neigh.tun0.delay_first_probe_time = 5<br>net.ipv4.neigh.tun0.gc_stale_time = 60<br>net.ipv4.neigh.tun0.locktime = 100<br>net.ipv4.neigh.tun0.mcast_solicit = 3<br>net.ipv4.neigh.tun0.proxy_delay = 80<br>net.ipv4.neigh.tun0.proxy_qlen = 64<br>net.ipv4.neigh.tun0.retrans_time_ms = 1000<br>net.ipv4.neigh.tun0.ucast_solicit = 3<br>net.ipv4.neigh.tun0.unres_qlen = 31<br>net.ipv4.neigh.tun0.unres_qlen_bytes = 
65536<br>net.ipv4.neigh.vti201.anycast_delay = 100<br>net.ipv4.neigh.vti201.app_solicit = 0<br>net.ipv4.neigh.vti201.base_reachable_time_ms = 30000<br>net.ipv4.neigh.vti201.delay_first_probe_time = 5<br>net.ipv4.neigh.vti201.gc_stale_time = 60<br>net.ipv4.neigh.vti201.locktime = 100<br>net.ipv4.neigh.vti201.mcast_solicit = 3<br>net.ipv4.neigh.vti201.proxy_delay = 80<br>net.ipv4.neigh.vti201.proxy_qlen = 64<br>net.ipv4.neigh.vti201.retrans_time_ms = 1000<br>net.ipv4.neigh.vti201.ucast_solicit = 3<br>net.ipv4.neigh.vti201.unres_qlen = 31<br>net.ipv4.neigh.vti201.unres_qlen_bytes = 65536<br>net.ipv4.ping_group_range = 1   0<br>net.ipv4.route.error_burst = 5000<br>net.ipv4.route.error_cost = 1000<br>net.ipv4.route.gc_elasticity = 8<br>net.ipv4.route.gc_interval = 60<br>net.ipv4.route.gc_min_interval = 0<br>net.ipv4.route.gc_min_interval_ms = 500<br>net.ipv4.route.gc_thresh = -1<br>net.ipv4.route.gc_timeout = 300<br>net.ipv4.route.max_size = 2147483647<br>net.ipv4.route.min_adv_mss = 256<br>net.ipv4.route.min_pmtu = 552<br>net.ipv4.route.mtu_expires = 600<br>net.ipv4.route.redirect_load = 20<br>net.ipv4.route.redirect_number = 9<br>net.ipv4.route.redirect_silence = 20480<br>net.ipv4.tcp_abort_on_overflow = 0<br>net.ipv4.tcp_adv_win_scale = 1<br>net.ipv4.tcp_allowed_congestion_control = cubic reno<br>net.ipv4.tcp_app_win = 31<br>net.ipv4.tcp_autocorking = 1<br>net.ipv4.tcp_available_congestion_control = cubic reno<br>net.ipv4.tcp_base_mss = 512<br>net.ipv4.tcp_challenge_ack_limit = 1000<br>net.ipv4.tcp_congestion_control = cubic<br>net.ipv4.tcp_dsack = 1<br>net.ipv4.tcp_early_retrans = 3<br>net.ipv4.tcp_ecn = 2<br>net.ipv4.tcp_fack = 1<br>net.ipv4.tcp_fastopen = 0<br>net.ipv4.tcp_fastopen_key = 00000000-00000000-00000000-00000000<br>net.ipv4.tcp_fin_timeout = 60<br>net.ipv4.tcp_frto = 2<br>net.ipv4.tcp_invalid_ratelimit = 500<br>net.ipv4.tcp_keepalive_intvl = 75<br>net.ipv4.tcp_keepalive_probes = 9<br>net.ipv4.tcp_keepalive_time = 7200<br>net.ipv4.tcp_limit_output_bytes 
= 262144<br>net.ipv4.tcp_low_latency = 0<br>net.ipv4.tcp_max_orphans = 4096<br>net.ipv4.tcp_max_ssthresh = 0<br>net.ipv4.tcp_max_syn_backlog = 128<br>net.ipv4.tcp_max_tw_buckets = 4096<br>net.ipv4.tcp_mem = 22155        29543   44310<br>net.ipv4.tcp_min_tso_segs = 2<br>net.ipv4.tcp_moderate_rcvbuf = 1<br>net.ipv4.tcp_mtu_probing = 0<br>net.ipv4.tcp_no_metrics_save = 0<br>net.ipv4.tcp_notsent_lowat = -1<br>net.ipv4.tcp_orphan_retries = 0<br>net.ipv4.tcp_reordering = 3<br>net.ipv4.tcp_retrans_collapse = 1<br>net.ipv4.tcp_retries1 = 3<br>net.ipv4.tcp_retries2 = 15<br>net.ipv4.tcp_rfc1337 = 0<br>net.ipv4.tcp_rmem = 4096        87380   6291456<br>net.ipv4.tcp_sack = 1<br>net.ipv4.tcp_slow_start_after_idle = 1<br>net.ipv4.tcp_stdurg = 0<br>net.ipv4.tcp_syn_retries = 6<br>net.ipv4.tcp_synack_retries = 5<br>net.ipv4.tcp_syncookies = 1<br>net.ipv4.tcp_thin_dupack = 0<br>net.ipv4.tcp_thin_linear_timeouts = 0<br>net.ipv4.tcp_timestamps = 1<br>net.ipv4.tcp_tso_win_divisor = 3<br>net.ipv4.tcp_tw_recycle = 0<br>net.ipv4.tcp_tw_reuse = 0<br>net.ipv4.tcp_window_scaling = 1<br>net.ipv4.tcp_wmem = 4096        16384   4194304<br>net.ipv4.tcp_workaround_signed_windows = 0<br>net.ipv4.udp_mem = 22815        30420   45630<br>net.ipv4.udp_rmem_min = 4096<br>net.ipv4.udp_wmem_min = 4096<br>net.ipv4.xfrm4_gc_thresh = 32768<br>======</div><div><br></div><div>cat /proc/sys/net/ipv4/ip_forward<br></div><div>1<br></div><div><br></div><div>I also disabled rp_filter via sysctl.conf for everything temporarily and still nothing.</div><div><br></div><div> ping 192.168.10.1<br>PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.<br>From 192.168.10.2 icmp_seq=1 Destination Host Unreachable<br>From 192.168.10.2 icmp_seq=2 Destination Host Unreachable</div><div><br></div><div>Route table shows<br></div><div>192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 vti201<br>192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 vti201</div><div><br></div><div>vti201: 
flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8981<br>        inet 192.168.10.2  netmask 255.255.255.0  destination 192.168.10.2<br>        tunnel   txqueuelen 1  (IPIP Tunnel)<br>        RX packets 0  bytes 0 (0.0 B)<br>        RX errors 0  dropped 0  overruns 0  frame 0<br>        TX packets 0  bytes 0 (0.0 B)<br>        TX errors 19  dropped 0 overruns 0  carrier 19  collisions 0<br></div><div><br></div><div>Thank you.<br></div><br><div class="gmail_extra"><div class="gmail_quote">On Wed, Nov 1, 2017 at 4:05 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>On Tue, 31 Oct 2017, Paul Tran wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
VTI interfaces and ST interface on the srx set to IPs on the <a href="http://192.168.10.0/24" target="_blank">192.168.10.0/24</a> network<br>
<br>
I have users sitting on <a href="http://10.8.0.0/24" target="_blank">10.8.0.0/24</a> that I am trying to have use this tunnel that are connected off of the CENTOS box.<br>
</blockquote>
<br>
</span><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Ifconfig<br>
vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8981<br>
        inet 192.168.10.2  netmask 255.255.255.0  destination 192.168.10.1<br>
        tunnel   txqueuelen 1  (IPIP Tunnel)<br>
        RX packets 0  bytes 0 (0.0 B)<br>
        RX errors 0  dropped 0  overruns 0  frame 0<br>
        TX packets 0  bytes 0 (0.0 B)<br>
        TX errors 0  dropped 0 overruns 0  carrier 0  colliconn SRX<br>
</blockquote>
<br></span>
Can you also show: ip tun<br>
<br>
It would need to have a "key" entry matching the mark number in your<br>
config (5)<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
IPSECON.CONF config<br>
  authby=secret<br>
  #aggressive=no<br>
  #type=tunnel<br>
  left=172.31.140.0<br>
   leftid=34.204.126.142<br>
  right=102.167.4.2<br>
  auto=start<br>
  mark=5/0xfffffff<br>
  keyingtries=%forever<br>
  rightsubnet=<a href="http://0.0.0.0/24" target="_blank">0.0.0.0/24</a><br>
  leftsubnet=<a href="http://10.8.0.0/24" target="_blank">10.8.0.0/24</a><br>
  ike=aes-sha1;modp1536<br>
  phase2=esp<br>
  phase2alg=aes256-sha1;modp1536<br>
  vti-interface=vti201<br>
  vti-routing=yes<br>
  leftvti=<a href="http://192.168.10.2/24" target="_blank">192.168.10.2/24</a><br>
</blockquote>
<br></span>
This looks fine.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
ip -s xfrm policy<br>
<br>
src <a href="http://10.8.0.0/24" target="_blank">10.8.0.0/24</a> dst <a href="http://0.0.0.0/24" target="_blank">0.0.0.0/24</a> uid 0<br>
        dir out action allow index 625 priority 2344 ptype main share any flag  (0x00000000)<br>
        lifetime config:<br>
          limit: soft (INF)(bytes), hard (INF)(bytes)<br>
          limit: soft (INF)(packets), hard (INF)(packets)<br>
          expire add: soft 0(sec), hard 0(sec)<br>
          expire use: soft 0(sec), hard 0(sec)<br>
        lifetime current:<br>
          0(bytes), 0(packets)<br>
          add 2017-10-31 12:22:43 use -<br>
        mark 5/0xfffffff<br>
</blockquote>
<br></span>
Looks okay too.<br>
<br>
So I'm not sure what is going on. It might not be mark related? Check<br>
"ipsec verify" for errors, eg rp_filter settings or ip_forwarding<br>
settings?<span class="gmail-m_-548206923301591707HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div></div>
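The checks the thread walks through by hand (does the VTI tunnel's `key` equal the conn's `mark`, and are the rp_filter / redirect sysctls that `ipsec verify` flags actually cleared) can be scripted. The following is an added example for this thread, not code from libreswan or from either poster. Its inputs are constructed copies of the fragments quoted above (the conn name `srx` is assumed, since the thread never shows the `conn` line), and the function names are the example's own. It also applies the kernel rule that the effective rp_filter for an interface is max(conf.all, conf.IFACE), which is why a per-interface 0 alone does not disable it.

```python
"""Cross-check a libreswan VTI conn against `ip tunnel show` and sysctl output.

Added example for this thread; not libreswan code. The three inputs are
constructed copies of what the thread quotes (conn name 'srx' assumed).
"""
import re

# Constructed: the ipsec.conf fragment from the thread, conn name assumed.
IPSEC_CONF = """\
conn srx
  authby=secret
  left=172.31.140.0
  leftid=34.204.126.142
  right=102.167.4.2
  auto=start
  mark=5/0xfffffff
  vti-interface=vti201
  vti-routing=yes
  leftvti=192.168.10.2/24
"""

# Constructed: `ip tunnel show` output as quoted in the reply.
IP_TUNNEL = """\
vti201: ip/ip  remote 102.167.4.2  local 172.31.140.0  ttl inherit  key 5
ip_vti0: ip/ip  remote any  local any  ttl inherit  nopmtudisc key 0
"""

# Constructed: the subset of `sysctl net.ipv4` that ipsec verify complained about.
SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.vti201.rp_filter = 0
net.ipv4.conf.vti201.forwarding = 1
net.ipv4.ip_forward = 1
"""


def parse_conns(conf):
    """Map each 'conn NAME' section of ipsec.conf to its key=value settings."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_ip_tunnel(text):
    """Map each interface in `ip tunnel show` output to its key (None if unkeyed)."""
    tunnels = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        match = re.search(r"\bkey (\d+)\b", rest)
        tunnels[name.strip()] = int(match.group(1)) if match else None
    return tunnels


def parse_sysctl(text):
    """Map sysctl keys to their (string) values."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def mark_value(mark):
    """libreswan mark=VALUE[/MASK]; VALUE may be decimal or 0x-prefixed hex."""
    return int(mark.split("/", 1)[0], 0)


def effective_rp_filter(sysctl, iface):
    """The kernel uses max(conf.all.rp_filter, conf.IFACE.rp_filter)."""
    per_all = int(sysctl.get("net.ipv4.conf.all.rp_filter", "0"))
    per_if = int(sysctl.get(f"net.ipv4.conf.{iface}.rp_filter", "0"))
    return max(per_all, per_if)


def check_vti_conn(conn, tunnels, sysctl):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    iface = conn.get("vti-interface")
    if iface is None:
        return ["conn sets no vti-interface="]
    if "mark" not in conn:
        findings.append(f"vti-interface={iface} without a mark= line")
    elif iface not in tunnels:
        findings.append(f"{iface} not present in `ip tunnel` output")
    elif tunnels[iface] != mark_value(conn["mark"]):
        findings.append(f"{iface} key {tunnels[iface]} does not match mark "
                        f"{mark_value(conn['mark'])}")
    if effective_rp_filter(sysctl, iface) != 0:
        findings.append(f"effective rp_filter on {iface} is not 0 "
                        "(max of conf.all and per-interface value applies)")
    for knob in ("send_redirects", "accept_redirects"):
        if sysctl.get(f"net.ipv4.conf.all.{knob}") == "1":
            findings.append(f"net.ipv4.conf.all.{knob} is enabled")
    if sysctl.get("net.ipv4.ip_forward") != "1":
        findings.append("net.ipv4.ip_forward is not 1")
    return findings


if __name__ == "__main__":
    tunnels, sysctl = parse_ip_tunnel(IP_TUNNEL), parse_sysctl(SYSCTL)
    for name, conn in parse_conns(IPSEC_CONF).items():
        for finding in check_vti_conn(conn, tunnels, sysctl):
            print(f"{name}: {finding}")
```

On the inputs quoted in the thread the key/mark pair comes out consistent (key 5, mark 5), and the two findings it prints are the ones `ipsec verify` also raised: `conf.all.rp_filter=1` still applies to vti201 despite the per-interface 0, and `conf.all.send_redirects=1`. On a live host, replace the three constants with the output of `ip tunnel show`, `sysctl net.ipv4` and the real ipsec.conf.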