topic Re: problem with FreeS/WAN IPsec in Operating System - Linux

problem with FreeS/WAN IPsec

'chris' — Sun, 25 Jan 2004 11:49:33 GMT

hi

I try to setup FreeS/WAN IPsec
on linux SuSE 8.2,
and if I do restart I get this message :

# /etc/init.d/ipsec restart
ipsec_setup: Stopping FreeS/WAN IPsec... done
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: ipsec ipsec_3des ipsec_md5 ipsec_sha1
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
ipsec_setup: done

I don't understand, what's wrong with:
/proc/sys/net/ipv4/conf/eth0/rp_filter = `1'
and where can I change it.

in ipsec.conf I can't find this path.

kind regards
chris

Re: problem with FreeS/WAN IPsec

Steven E. Protter — Sun, 25 Jan 2004 15:30:57 GMT

Sounds like you already have this but I NEVER assume:

http://www.freeswan.org/

maybe search your error message on the site.

Or post it hereso i can do the work.

SEP

Re: problem with FreeS/WAN IPsec

Bob_176 — Sun, 25 Jan 2004 23:57:16 GMT

This is a kernel setting, you can change (as root) by:
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

There might be a /etc/sysctl.conf file to set selected items at startup. Then enter
net.ipv4.conf.eth0.rp_filter = 0
for permanent effect.

I have no experience with FreeS/WAN, so I don't
know what the side-effects are.
-Bob Arendt

Re: problem with FreeS/WAN IPsec

Manuel Wolfshant — Mon, 26 Jan 2004 03:19:38 GMT

rp_filter is a kernel setting which makes additional verifications on received packets.
It's location is ... /proc/sys/net/ipv4/conf/eth0/rp_filter
It is NOT a freeswan parameter, therefore of course you cannot find it in freeswan.

If you use a new version of freeswan (which you should anyway) it will modify the value to 0 itself, so you will not need to bother with it. On the other hand, do NOT and I repeat do NOT attempt to use freeswan before reading AND understanding the documentation provided at http://www.freeswan.org. You will not gain any time skiping this mandatory step. It will bite you later.

Re: problem with FreeS/WAN IPsec

Sergejs Svitnevs — Mon, 26 Jan 2004 06:26:52 GMT

The rp_filter subsystem related to IP spoofing protection must be turned off on both gateways for IPSEC to work properly.
Use the commands:
# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Also to automatically set these values after reboot you can put those commands in your firewall script file(/etc/rc.d/init.d/firewall).

Regards,
Sergejs

Re: problem with FreeS/WAN IPsec

U.SivaKumar_2 — Mon, 26 Jan 2004 23:47:30 GMT

Hi,

If rp_filter parameter is enabled , it will check the origin of packets based on network topology of the configured network interfaces and will discard the packets which are spoofed and source routed.

But it VPN scenario , enabling this parameter will cause valid VPN traffic to be discarded because of Source IP - Interface verification .

Therefore put this line in /etc/sysctl.conf file.

net.ipv4.conf.default.rp_filter = 0

and give this command.

#sysctl -p

This will make these changes permanent even after system is rebooted.

regards,

U.SivaKumar.

Re: problem with FreeS/WAN IPsec

'chris' — Thu, 19 Feb 2004 20:21:12 GMT

now it works

and thank you ALL for your answers

greetings
chris