<div dir="ltr">RP_filter is disabled but the ipsec verify shows the same message about disabling it still (rp_filter is not fully aware of IPsec and should be disabled).<br><br>cat /proc/sys/net/ipv4/conf/default/rp_filter<br>0<br>Checking rp_filter [ENABLED]<br> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]<br> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]<br> rp_filter is not fully aware of IPsec and should be disabled<br><div><br>I see XfrmInStateMismatch incrementing when I try to send a ping from the SRX to the Centos box via the tunnel as well as RX errors. Also the XFRM shows 3 policies for the 10.0.0.0 to 192.168.0.0 but no policy for the interface address. Should one exist so that I can ping the interface on the other side which is 192.168.10.1? I did realize previously that I had the default route with a /24 on my 0.0.0.0 so I substituted that with 192.18.50.0 which is a subnet across the tunnel since <a href="http://0.0.0.0/0">0.0.0.0/0</a> drops my connection so now all of this reflects the new changes. My pings now from the Centos do show TX packets but I dont see them on the srx side.</div><div><br></div><div>vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8981<br> inet 192.168.10.2 netmask 255.255.255.0 destination 192.168.10.2<br> tunnel txqueuelen 1 (IPIP Tunnel)<br> RX packets 0 bytes 0 (0.0 B)<br> RX errors 4 dropped 4 overruns 0 frame 0<br> TX packets 21 bytes 3654 (3.5 KiB)<br> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0<br><br></div><div><br></div><div><pre><span class="gmail-l"></span></pre><div><br>cat /proc/net/xfrm_stat</div><div><br></div><div>XfrmInError 0<br>XfrmInBufferError 0<br>XfrmInHdrError 0<br>XfrmInNoStates 0<br>XfrmInStateProtoError 0<br>XfrmInStateModeError 0<br>XfrmInStateSeqError 0<br>XfrmInStateExpired 0<br>XfrmInStateMismatch 19<br><br></div><br><div>But there are XFRM policies in place for <br></div><div>use -<br> src <a href="http://10.0.0.0/8">10.0.0.0/8</a> dst <a href="http://192.168.0.0/16">192.168.0.0/16</a> uid 0<br> dir out action allow index 177 priority 2864 ptype main share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2017-11-01 17:54:27 use 2017-11-01 17:54:57<br> mark 5/0xfffffff<br> tmpl src 172.31.140.0 dst 102.167.4.2<br> proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>src <a href="http://192.168.0.0/16">192.168.0.0/16</a> dst <a href="http://10.0.0.0/8">10.0.0.0/8</a> uid 0<br> dir fwd action allow index 194 priority 2864 ptype main share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2017-11-01 17:54:27 use -<br> mark 5/0xfffffff<br> tmpl src 102.167.4.2 dst 172.31.140.0<br> proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>src <a href="http://192.168.0.0/16">192.168.0.0/16</a> dst <a href="http://10.0.0.0/8">10.0.0.0/8</a> uid 0<br> dir in action allow index 184 priority 2864 ptype main share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2017-11-01 17:54:27 use -<br> mark 5/0xfffffff<br> tmpl src 102.167.4.2 dst 172.31.140.0<br> proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br></div><div><br></div><div>Any suggestions on what else I might look at?</div><div><br></div><div>Thanks.<br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 1, 2017 at 10:10 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, 1 Nov 2017, Paul Tran wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks for looking at things. You mentioned I would need to have a "key" entry matching the mark number in your<br>
config (5). I am trying to find out how I would define that key entry in the config I am reading the<br>
<a href="https://libreswan.org/man/ipsec.conf.5.html" rel="noreferrer" target="_blank">https://libreswan.org/man/ipse<wbr>c.conf.5.html</a> and not sure what I am missing.<br>
I also looked at other configs that people said they had working but still didn't see what I needed to add.<br>
<br>
The information you asked about is below but I am not seeing anything that points me in a direction.<br>
<br>
<br>
IP tunnel<br>
<br>
vti201: ip/ip remote 102.167.4.2 local 172.31.140.0 ttl inherit key 5<br>
</blockquote>
<br></span>
At the end of the line you see "key 5" which matches your mark=5. So<br>
everything you route into this device will gain that mark value of 5,<br>
and then it would match the ip xfrm policy rule and get encrypted.<br>
(provided the source/dest also falls within that policy)<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Pluto ipsec.conf syntax <wbr> [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking rp_filter <wbr> [ENABLED]<br>
/proc/sys/net/ipv4/conf/all/r<wbr>p_filter [ENABLED]<br>
/proc/sys/net/ipv4/conf/defau<wbr>lt/rp_filter [ENABLED]<br>
/proc/sys/net/ipv4/conf/eth0/<wbr>rp_filter [ENABLED]<br>
/proc/sys/net/ipv4/conf/eth1/<wbr>rp_filter [ENABLED]<br>
/proc/sys/net/ipv4/conf/ip_vt<wbr>i0/rp_filter [ENABLED]<br>
/proc/sys/net/ipv4/conf/tun0/<wbr>rp_filter [ENABLED]<br>
rp_filter is not fully aware of IPsec and should be disabled<br>
</blockquote>
<br></span>
I would try disabling rp_filter because it might be causing your packets<br>
to be dropped.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I also disabled rf_filter via sysctl.conf for everything temporarily and still nothing.<br>
<br>
ping 192.168.10.1<br>
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.<br>
From 192.168.10.2 icmp_seq=1 Destination Host Unreachable<br>
From 192.168.10.2 icmp_seq=2 Destination Host Unreachable<br>
<br>
Route table shows<br>
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 vti201<br>
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 vti201<br>
<br>
vti201: flags=209<UP,POINTOPOINT,RUNNI<wbr>NG,NOARP> mtu 8981<br>
inet 192.168.10.2 netmask 255.255.255.0 destination 192.168.10.2<br>
tunnel txqueuelen 1 (IPIP Tunnel)<br>
RX packets 0 bytes 0 (0.0 B)<br>
RX errors 0 dropped 0 overruns 0 frame 0<br>
TX packets 0 bytes 0 (0.0 B)<br>
TX errors 19 dropped 0 overruns 0 carrier 19 collisions 0<br>
</blockquote>
<br></span>
It shows TX errors, so it seemed to have gotten dropped. Check out:<br>
<br>
cat /proc/net/xfrm_stat<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>