Re: [Swan] Problem with setting up ipsec
On Mon, 17 Oct 2016, Maciej Piechotka wrote:

> Possibly interesting data point - I was able to set up ipsec tunnel with
> pure Fedora (userspace + kernel) but not Fedora strongswan tools or
> Centos libreswan tools on CoreOS kernel.

I don't know what "pure fedora (userspace + kernel)" means? Perhaps you
are trying to say the userlands that work on fedora/centos do not work on
coreos kernels?

It's surely possible the CoreOS kernel is missing some kind of required
feature for IPsec to work...

Paul

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
Re: [Swan] Problem with setting up ipsec
Possibly interesting data point - I was able to set up ipsec tunnel with
pure Fedora (userspace + kernel) but not Fedora strongswan tools or Centos
libreswan tools on CoreOS kernel.

On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka wrote:
> Hi Paul,
>
> Sorry - I've tried it before but I forgot to reenable it after
> recreation of VM. However it doesn't help.
>
> Matt
Re: [Swan] Problem with setting up ipsec
Hi Paul,

Sorry - I've tried it before but I forgot to reenable it after
recreation of VM. However it doesn't help.

Matt

On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters wrote:
> On Sun, 16 Oct 2016, Maciej Piechotka wrote:
>
>> I have a problem with setting up ipsec. I see ESP packets coming through
>> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
>> increased) so in tcpdump only the ESP packets are shown. I could not
>> find any information on how to proceed from here.
>>
>> Matt
>> PS. I disabled receiving messages from this group so please include me
>> in To: or Cc: list.
>
> Note that your barfs did not include log files. But regardless, it
> shows the kernel ip xfrm state/policy showing the tunnels are up fine.
>
> The only thing I can see wrong is:
>
> Checking for IPsec support in kernel                         [OK]
> NETKEY: Testing XFRM related proc values
>   ICMP default/send_redirects                                [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
>   or cause sending of bogus ICMP redirects!
>
>   ICMP default/accept_redirects                              [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
>   on or cause sending of bogus ICMP redirects!
>
>   XFRM larval drop                                           [OK]
> Pluto ipsec.conf syntax                                      [OK]
> Hardware random device                                       [N/A]
> Two or more interfaces found, checking IP forwarding         [OK]
> Checking rp_filter                                           [ENABLED]
>  /proc/sys/net/ipv4/conf/all/rp_filter                       [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter                   [ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter                      [ENABLED]
>  /proc/sys/net/ipv4/conf/eth1/rp_filter                      [ENABLED]
>  /proc/sys/net/ipv4/conf/flannel0/rp_filter                  [ENABLED]
>  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter                   [ENABLED]
>
> Please completely disable redirects and rp_filter
>
> https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
>
> https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
>
> Paul
Re: [Swan] Problem with setting up ipsec
On Sun, 16 Oct 2016, Maciej Piechotka wrote:

> I have a problem with setting up ipsec. I see ESP packets coming through
> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
> increased) so in tcpdump only the ESP packets are shown. I could not
> find any information on how to proceed from here.
>
> Matt
> PS. I disabled receiving messages from this group so please include me
> in To: or Cc: list.

Note that your barfs did not include log files. But regardless, it
shows the kernel ip xfrm state/policy showing the tunnels are up fine.

The only thing I can see wrong is:

Checking for IPsec support in kernel                         [OK]
NETKEY: Testing XFRM related proc values
  ICMP default/send_redirects                                [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
  or cause sending of bogus ICMP redirects!

  ICMP default/accept_redirects                              [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
  on or cause sending of bogus ICMP redirects!

  XFRM larval drop                                           [OK]
Pluto ipsec.conf syntax                                      [OK]
Hardware random device                                       [N/A]
Two or more interfaces found, checking IP forwarding         [OK]
Checking rp_filter                                           [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                       [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                      [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                      [ENABLED]
 /proc/sys/net/ipv4/conf/flannel0/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter                   [ENABLED]

Please completely disable redirects and rp_filter

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F

Paul