HPE Community
Operating System - Linux
1828342 Members
3389 Online
109976 Solutions
New Discussion

problem with FreeS/WAN IPsec

 
SOLVED
Go to solution
'chris'
Super Advisor

‎01-25-2004 03:49 AM

‎01-25-2004 03:49 AM

problem with FreeS/WAN IPsec

hi

I try to setup FreeS/WAN IPsec
on linux SuSE 8.2,
and if I do restart I get this message :

# /etc/init.d/ipsec restart
ipsec_setup: Stopping FreeS/WAN IPsec... done
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: ipsec ipsec_3des ipsec_md5 ipsec_sha1
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
ipsec_setup: done

I don't understand, what's wrong with:
/proc/sys/net/ipv4/conf/eth0/rp_filter = `1'
and where can I change it.

in ipsec.conf I can't find this path.

kind regards
chris


0 Kudos
Reply
6 REPLIES 6
Steven E. Protter
Exalted Contributor

‎01-25-2004 07:30 AM

‎01-25-2004 07:30 AM

Re: problem with FreeS/WAN IPsec

Sounds like you already have this but I NEVER assume:

http://www.freeswan.org/

maybe search your error message on the site.

Or post it hereso i can do the work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Bob_176
Occasional Advisor

‎01-25-2004 03:57 PM

‎01-25-2004 03:57 PM

Re: problem with FreeS/WAN IPsec

This is a kernel setting, you can change (as root) by:
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

There might be a /etc/sysctl.conf file to set selected items at startup. Then enter
net.ipv4.conf.eth0.rp_filter = 0
for permanent effect.

I have no experience with FreeS/WAN, so I don't
know what the side-effects are.
-Bob Arendt
0 Kudos
Reply
Manuel Wolfshant
Trusted Contributor

‎01-25-2004 07:19 PM

‎01-25-2004 07:19 PM

Re: problem with FreeS/WAN IPsec

rp_filter is a kernel setting which makes additional verifications on received packets.
It's location is ... /proc/sys/net/ipv4/conf/eth0/rp_filter
It is NOT a freeswan parameter, therefore of course you cannot find it in freeswan.

If you use a new version of freeswan (which you should anyway) it will modify the value to 0 itself, so you will not need to bother with it. On the other hand, do NOT and I repeat do NOT attempt to use freeswan before reading AND understanding the documentation provided at http://www.freeswan.org. You will not gain any time skiping this mandatory step. It will bite you later.
0 Kudos
Reply
Sergejs Svitnevs
Honored Contributor

‎01-25-2004 10:26 PM

‎01-25-2004 10:26 PM

Solution

Re: problem with FreeS/WAN IPsec

The rp_filter subsystem related to IP spoofing protection must be turned off on both gateways for IPSEC to work properly.
Use the commands:
# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter


Also to automatically set these values after reboot you can put those commands in your firewall script file(/etc/rc.d/init.d/firewall).

Regards,
Sergejs
Reply
U.SivaKumar_2
Honored Contributor

‎01-26-2004 03:47 PM

‎01-26-2004 03:47 PM

Re: problem with FreeS/WAN IPsec

Hi,

If rp_filter parameter is enabled , it will check the origin of packets based on network topology of the configured network interfaces and will discard the packets which are spoofed and source routed.

But it VPN scenario , enabling this parameter will cause valid VPN traffic to be discarded because of Source IP - Interface verification .

Therefore put this line in /etc/sysctl.conf file.

net.ipv4.conf.default.rp_filter = 0

and give this command.

#sysctl -p

This will make these changes permanent even after system is rebooted.

regards,

U.SivaKumar.


Innovations are made when conventions are broken
Reply
'chris'
Super Advisor

‎02-19-2004 12:21 PM

‎02-19-2004 12:21 PM

Re: problem with FreeS/WAN IPsec

now it works

and thank you ALL for your answers

greetings
chris
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.