Operating System - Linux

problem with FreeS/WAN IPsec

SOLVED
'chris'
Super Advisor

hi

I'm trying to set up FreeS/WAN IPsec
on Linux SuSE 8.2,
and when I do a restart I get this message:

# /etc/init.d/ipsec restart
ipsec_setup: Stopping FreeS/WAN IPsec... done
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: ipsec ipsec_3des ipsec_md5 ipsec_sha1
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
ipsec_setup: done

I don't understand what's wrong with:
/proc/sys/net/ipv4/conf/eth0/rp_filter = `1'
and where I can change it.

in ipsec.conf I can't find this path.

kind regards
chris


6 REPLIES
Steven E. Protter
Exalted Contributor

Re: problem with FreeS/WAN IPsec

Sounds like you already have this but I NEVER assume:

http://www.freeswan.org/

maybe search your error message on the site.

Or post it here so I can do the work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bob_176
Occasional Advisor

Re: problem with FreeS/WAN IPsec

This is a kernel setting; you can change it (as root) by:
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

There might be a /etc/sysctl.conf file to set selected items at startup. Then enter
net.ipv4.conf.eth0.rp_filter = 0
for permanent effect.

I have no experience with FreeS/WAN, so I don't
know what the side-effects are.
-Bob Arendt
Manuel Wolfshant
Trusted Contributor

Re: problem with FreeS/WAN IPsec

rp_filter is a kernel setting which makes additional verifications on received packets.
Its location is ... /proc/sys/net/ipv4/conf/eth0/rp_filter
It is NOT a freeswan parameter, therefore of course you cannot find it in freeswan.

If you use a new version of freeswan (which you should anyway) it will modify the value to 0 itself, so you will not need to bother with it. On the other hand, do NOT and I repeat do NOT attempt to use freeswan before reading AND understanding the documentation provided at http://www.freeswan.org. You will not gain any time skipping this mandatory step. It will bite you later.
Sergejs Svitnevs
Honored Contributor
Solution

Re: problem with FreeS/WAN IPsec

The rp_filter subsystem related to IP spoofing protection must be turned off on both gateways for IPSEC to work properly.
Use the commands:
# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Also, to automatically set these values after reboot you can put those commands in your firewall script file (/etc/rc.d/init.d/firewall).

Regards,
Sergejs
U.SivaKumar_2
Honored Contributor

Re: problem with FreeS/WAN IPsec

Hi,

If the rp_filter parameter is enabled, it will check the origin of packets based on the network topology of the configured network interfaces and will discard packets which are spoofed or source routed.

But in a VPN scenario, enabling this parameter will cause valid VPN traffic to be discarded because of the source IP / interface verification.

Therefore put this line in /etc/sysctl.conf file.

net.ipv4.conf.default.rp_filter = 0

and give this command:

#sysctl -p

This will make these changes permanent even after the system is rebooted.

regards,

U.SivaKumar.


Innovations are made when conventions are broken
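The replies above from Bob, Sergejs and U.SivaKumar all come down to the same check and the same fix: find which entries under /proc/sys/net/ipv4/conf still have rp_filter set, clear them, and make the change persistent. The script below is an added example, not code from the thread or from FreeS/WAN; it audits every interface at once the way the ipsec_setup warning does for eth0, and emits the matching /etc/sysctl.conf lines. The function names and the demo directory tree are assumptions made for this example; the tree is a constructed stand-in for the real /proc path so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the thread: audit rp_filter the way the
# FreeS/WAN warning does, across every interface at once.
# The default root is the real sysctl tree; the demo below uses a
# constructed copy so the script runs without root and offline.

# Print "iface value" for each interface whose rp_filter is not 0.
rp_filter_violations() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for dir in "$root"/*/; do
        f="${dir}rp_filter"
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            printf '%s %s\n' "$(basename "$dir")" "$val"
        fi
    done
}

# Emit the /etc/sysctl.conf lines that would clear those entries
# (the same form as net.ipv4.conf.eth0.rp_filter = 0 in the thread).
rp_filter_sysctl_lines() {
    rp_filter_violations "$1" | while read -r iface _; do
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$iface"
    done
}

# Constructed stand-in for /proc/sys/net/ipv4/conf: eth0 and the
# "all"/"default" entries still have the filter on, ipsec0 and lo do not.
make_demo_tree() {
    d=$(mktemp -d)
    for i in all default eth0 ipsec0 lo; do
        mkdir -p "$d/$i"
    done
    echo 1 > "$d/all/rp_filter"
    echo 1 > "$d/default/rp_filter"
    echo 1 > "$d/eth0/rp_filter"
    echo 0 > "$d/ipsec0/rp_filter"
    echo 0 > "$d/lo/rp_filter"
    printf '%s\n' "$d"
}

# Demo run against the constructed tree; call rp_filter_violations with
# no argument (as root) to audit the live system instead.
DEMO=$(make_demo_tree)
echo "Interfaces with rp_filter enabled:"
rp_filter_violations "$DEMO"
echo "Lines for /etc/sysctl.conf:"
rp_filter_sysctl_lines "$DEMO"
rm -rf "$DEMO"
```

One detail the thread does not spell out: for rp_filter the kernel uses the higher of conf/all/rp_filter and conf/<iface>/rp_filter when validating a packet on <iface>, so clearing only the eth0 and ipsec0 entries is not enough if "all" is still 1. That is why the audit includes the "all" and "default" entries, and why a line for net.ipv4.conf.all.rp_filter belongs in sysctl.conf alongside the per-interface ones.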
'chris'
Super Advisor

Re: problem with FreeS/WAN IPsec

Now it works,

and thank you ALL for your answers.

greetings
chris