Re: [Swan] Problem with setting up ipsec

2016-10-17 Thread Paul Wouters

On Mon, 17 Oct 2016, Maciej Piechotka wrote:


Possibly interesting data point - I was able to set up ipsec tunnel with pure
Fedora (userspace + kernel) but not Fedora strongswan tools or Centos libreswan
tools on CoreOS kernel.


I don't know what "pure fedora (userspace + kernel)" means?

Perhaps you are trying to say the userlands that work on fedora/centos
do not work on coreos kernels?

It's surely possible the CoreOS kernel is missing some kind of required
feature for IPsec to work...

Paul

On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka  wrote:
  Hi Paul,

  Sorry - I've tried it before but I forgot to reenable it after
  recreation of VM. However it doesn't help.

  Matt

  On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters  wrote:
  > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
  >
  >> I have problem with setting up ipsec. I see ESP packets coming through
  >> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
  >> increased) so in tcpdump only the ESP packets are shown. I could not
  >> find any information how to proceed from here.
  >>
  >> Matt
  >> PS. I disabled receiving messages from this group so please include me
  >> in To: or Cc: list.
  >
  >
  > Note that your barfs did not include log files. But regardless, it
  > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
  >
  > The only thing I can see wrong is:
  >
  > Checking for IPsec support in kernel                    [OK]
  >  NETKEY: Testing XFRM related proc values
  >          ICMP default/send_redirects                    [NOT DISABLED]
  >
  >   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
  > or cause sending of bogus ICMP redirects!
  >
  >          ICMP default/accept_redirects                  [NOT DISABLED]
  >
  >   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
  > on or cause sending of bogus ICMP redirects!
  >
  >          XFRM larval drop                               [OK]
  > Pluto ipsec.conf syntax                                 [OK]
  > Hardware random device                                  [N/A]
  > Two or more interfaces found, checking IP forwarding    [OK]
  > Checking rp_filter                                      [ENABLED]
  >  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  >  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
  >  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
  >  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
  >  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
  >  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
  >
  >
  > Please completely disable redirects and rp_filter
  >
  > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
  >
  > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
  >
  > Paul




___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] Problem with setting up ipsec

2016-10-17 Thread Maciej Piechotka
Possibly interesting data point - I was able to set up ipsec tunnel with
pure Fedora (userspace + kernel) but not Fedora strongswan tools or Centos
libreswan tools on CoreOS kernel.

On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka 
wrote:

> Hi Paul,
>
> Sorry - I've tried it before but I forgot to reenable it after
> recreation of VM. However it doesn't help.
>
> Matt
>
> On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters  wrote:
> > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
> >
> >> I have problem with setting up ipsec. I see ESP packets coming through
> >> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
> >> increased) so in tcpdump only the ESP packets are shown. I could not
> >> find any information how to proceed from here.
> >>
> >> Matt
> >> PS. I disabled receiving messages from this group so please include me
> >> in To: or Cc: list.
> >
> >
> > Note that your barfs did not include log files. But regardless, it
> > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
> >
> > The only thing I can see wrong is:
> >
> > Checking for IPsec support in kernel                    [OK]
> >  NETKEY: Testing XFRM related proc values
> >          ICMP default/send_redirects                    [NOT DISABLED]
> >
> >   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> > or cause sending of bogus ICMP redirects!
> >
> >          ICMP default/accept_redirects                  [NOT DISABLED]
> >
> >   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
> > on or cause sending of bogus ICMP redirects!
> >
> >          XFRM larval drop                               [OK]
> > Pluto ipsec.conf syntax                                 [OK]
> > Hardware random device                                  [N/A]
> > Two or more interfaces found, checking IP forwarding    [OK]
> > Checking rp_filter                                      [ENABLED]
> >  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
> >  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
> >  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
> >  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
> >  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
> >  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
> >
> >
> > Please completely disable redirects and rp_filter
> >
> > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > Paul
>


Re: [Swan] Problem with setting up ipsec

2016-10-16 Thread Maciej Piechotka
Hi Paul,

Sorry - I've tried it before but I forgot to reenable it after
recreation of VM. However it doesn't help.

Matt

On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters  wrote:
> On Sun, 16 Oct 2016, Maciej Piechotka wrote:
>
>> I have problem with setting up ipsec. I see ESP packets coming through
>> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
>> increased) so in tcpdump only the ESP packets are shown. I could not
>> find any information how to proceed from here.
>>
>> Matt
>> PS. I disabled receiving messages from this group so please include me
>> in To: or Cc: list.
>
>
> Note that your barfs did not include log files. But regardless, it
> shows the kernel ip xfrm state/policy showing the tunnels are up fine.
>
> The only thing I can see wrong is:
>
> Checking for IPsec support in kernel                    [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects                    [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> or cause sending of bogus ICMP redirects!
>
>          ICMP default/accept_redirects                  [NOT DISABLED]
>
>   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
> on or cause sending of bogus ICMP redirects!
>
>          XFRM larval drop                               [OK]
> Pluto ipsec.conf syntax                                 [OK]
> Hardware random device                                  [N/A]
> Two or more interfaces found, checking IP forwarding    [OK]
> Checking rp_filter                                      [ENABLED]
>  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
>  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
>  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
>  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
>
>
> Please completely disable redirects and rp_filter
>
> https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
>
> https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
>
> Paul


Re: [Swan] Problem with setting up ipsec

2016-10-16 Thread Paul Wouters

On Sun, 16 Oct 2016, Maciej Piechotka wrote:


I have problem with setting up ipsec. I see ESP packets coming through
but they are dropped during policy check (i.e. XfrmInTmplMismatch is
increased) so in tcpdump only the ESP packets are shown. I could not
find any information how to proceed from here.

Matt
PS. I disabled receiving messages from this group so please include me
in To: or Cc: list.


Note that your barfs did not include log files. But regardless, it
shows the kernel ip xfrm state/policy showing the tunnels are up fine.

The only thing I can see wrong is:

Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]


Please completely disable redirects and rp_filter

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F

Paul
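Added example (not code from the thread or from the libreswan project): a small POSIX shell script that does the two things this exchange revolves around. First, it audits and clears the /proc/sys knobs that the `ipsec verify` output above flags (rp_filter, send_redirects, accept_redirects under every /proc/sys/net/ipv4/conf/*/ directory, including the flannel0 and ip_vti0 interfaces seen there). Second, it reads the XfrmInTmplMismatch counter from /proc/net/xfrm_stat, which the original report cites; that counter increments when an ESP packet has been decrypted but the set of SAs it arrived through does not satisfy the template of the inbound policy that matched it, which is why tcpdump still shows the ESP but nothing inner ever appears. The optional root-prefix argument to the check/fix functions is a hypothetical convenience so the logic can be exercised against a scratch directory without root; the xfrm_stat excerpt embedded below is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread or the libreswan project.
# Audits/fixes the /proc/sys knobs "ipsec verify" complains about and reads
# XFRM counters from /proc/net/xfrm_stat.
#
# The optional root-prefix argument ($1) of the check/fix functions is a
# hypothetical testing aid: pass a scratch directory to exercise the logic
# without root, or "" (or nothing) on a live host to use the real /proc.

# Print "knob-path current-value" for every rp_filter / send_redirects /
# accept_redirects knob under $root/proc/sys/net/ipv4/conf/*/ that is not 0.
# Prints nothing when the host already matches the libreswan FAQ advice.
xfrm_proc_violations() {
    root="${1:-}"
    for dir in "$root"/proc/sys/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        for knob in rp_filter send_redirects accept_redirects; do
            f="$dir$knob"
            [ -r "$f" ] || continue
            v=$(cat "$f")
            [ "$v" = "0" ] || echo "${f#"$root"} $v"
        done
    done
}

# Write 0 to every violating knob. On a live host this needs root and is the
# runtime equivalent of persisting e.g. net.ipv4.conf.all.rp_filter = 0,
# net.ipv4.conf.all.send_redirects = 0, net.ipv4.conf.all.accept_redirects = 0
# (plus the "default" and per-interface entries) in /etc/sysctl.d/.
xfrm_proc_fix() {
    root="${1:-}"
    xfrm_proc_violations "$root" | while read -r path _value; do
        echo 0 > "$root$path"
    done
}

# Read one counter (e.g. XfrmInTmplMismatch) from /proc/net/xfrm_stat-format
# text on stdin. Prints the value, or 0 if the counter name is absent.
xfrm_stat_counter() {
    awk -v n="$1" '$1 == n { print $2; found = 1 } END { if (!found) print 0 }'
}

# Sample XfrmInTmplMismatch before and after a short wait on the live host.
# A rising value while ESP keeps arriving means packets are decrypted and
# then dropped at the inbound policy check, so compare the inbound policy
# template (ip xfrm policy) against the installed SAs (ip xfrm state).
xfrm_tmpl_mismatch_delta() {
    seconds="${1:-5}"
    before=$(xfrm_stat_counter XfrmInTmplMismatch < /proc/net/xfrm_stat)
    sleep "$seconds"
    after=$(xfrm_stat_counter XfrmInTmplMismatch < /proc/net/xfrm_stat)
    echo $((after - before))
}

# Constructed excerpt of /proc/net/xfrm_stat (not a real capture), used by
# the self-test below; only a few of the kernel's counters are included.
SAMPLE_XFRM_STAT='XfrmInError                     0
XfrmInNoStates                  0
XfrmInStateMismatch             0
XfrmInTmplMismatch              17
XfrmInNoPols                    0
XfrmInPolBlock                  0'

# Build a scratch proc tree with the same interfaces as the verify output
# (all, default, eth0, eth1, flannel0, ip_vti0), every knob set to 1.
make_scratch_proc() {
    root="$1"
    for ifc in all default eth0 eth1 flannel0 ip_vti0; do
        d="$root/proc/sys/net/ipv4/conf/$ifc"
        mkdir -p "$d"
        for knob in rp_filter send_redirects accept_redirects; do
            echo 1 > "$d/$knob"
        done
    done
}

# Count violations in a scratch tree before and after the fix; prints "18 0"
# (6 interface directories x 3 knobs, then none).
scratch_demo() {
    root=$(mktemp -d)
    make_scratch_proc "$root"
    before=$(xfrm_proc_violations "$root" | wc -l | tr -d ' ')
    xfrm_proc_fix "$root"
    after=$(xfrm_proc_violations "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$before $after"
}

# Nothing runs when the file is sourced or executed without an argument.
case "${1:-}" in
    --live) xfrm_proc_violations ""
            xfrm_stat_counter XfrmInTmplMismatch < /proc/net/xfrm_stat ;;
    --fix)  xfrm_proc_fix "" ;;
    --demo) scratch_demo ;;
esac
```

`sh xfrm-check.sh --live` lists every non-zero knob and the current XfrmInTmplMismatch value; `--fix` (as root) zeroes the knobs, which is what Paul asks for above; `--demo` runs the same check/fix logic against a scratch copy of the proc tree. Clearing the knobs is the prerequisite the FAQ links describe, but a mismatch counter that keeps climbing afterwards points at the inbound policy template rather than at these sysctls.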