Possibly an interesting data point: I was able to set up an ipsec tunnel with pure Fedora (userspace + kernel) but not with the Fedora strongswan tools or the CentOS libreswan tools on the CoreOS kernel.
On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <[email protected]> wrote:
> Hi Paul,
>
> Sorry - I had tried it before but I forgot to re-enable it after
> recreating the VM. However, it doesn't help.
>
> Matt
>
> On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <[email protected]> wrote:
> > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
> >
> >> I have a problem setting up ipsec. I see ESP packets coming through,
> >> but they are dropped during the policy check (i.e. XfrmInTmplMismatch is
> >> incremented), so in tcpdump only the ESP packets are shown. I could not
> >> find any information on how to proceed from here.
> >>
> >> Matt
> >> PS. I disabled receiving messages from this group, so please include me
> >> in the To: or Cc: list.
> >
> >
> > Note that your barfs did not include log files. But regardless, it
> > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
> >
> > The only thing I can see wrong is:
> >
> > Checking for IPsec support in kernel [OK]
> > NETKEY: Testing XFRM related proc values
> > ICMP default/send_redirects [NOT DISABLED]
> >
> > Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> > or cause sending of bogus ICMP redirects!
> >
> > ICMP default/accept_redirects [NOT DISABLED]
> >
> > Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
> > on or cause sending of bogus ICMP redirects!
> >
> > XFRM larval drop [OK]
> > Pluto ipsec.conf syntax [OK]
> > Hardware random device [N/A]
> > Two or more interfaces found, checking IP forwarding [OK]
> > Checking rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/flannel0/rp_filter [ENABLED]
> > /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> >
> >
> > Please completely disable redirects and rp_filter
> >
> > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
> >
> > Paul
>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
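The checks Paul's quoted reply asks for (rp_filter, send_redirects and accept_redirects set to 0 under every /proc/sys/net/ipv4/conf/*/ entry) and the XfrmInTmplMismatch counter Matt saw incrementing, as an added shell example that is not part of the thread and not libreswan's own `ipsec verify`. The functions take the sysctl tree and the xfrm stat file as parameters (defaulting to the live /proc paths) so they can be exercised against a constructed tree; the script name, function names and the sample counter values are assumptions.

```shell
#!/bin/sh
# ipsec_sysctl_check.sh (assumed name): audit or fix the per-interface sysctls
# that libreswan's `ipsec verify` flags, and watch an XFRM counter.
# Added example, not code from the thread or from libreswan.

# Keys that should read 0 in all/, default/ and every interface directory.
# Note that the effective rp_filter is the higher of all/ and <iface>/, so
# clearing only one of them is not enough.
IPSEC_SYSCTL_KEYS="rp_filter send_redirects accept_redirects"

# audit_ipsec_sysctls [BASE]
# Prints "<iface>/<key>=<value>" for every setting that is not 0.
# Returns 1 if anything was found, 0 if the tree is clean.
audit_ipsec_sysctls() {
    base=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in $IPSEC_SYSCTL_KEYS; do
            f="$dir$key"
            [ -r "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "$iface/$key=$val"
                bad=1
            fi
        done
    done
    return $bad
}

# fix_ipsec_sysctls [BASE]
# Writes 0 to every key in the tree. On a live system this needs root and
# does not survive a reboot; persist the same values via sysctl.d.
fix_ipsec_sysctls() {
    base=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        for key in $IPSEC_SYSCTL_KEYS; do
            if [ -w "$dir$key" ]; then
                echo 0 > "$dir$key"
            fi
        done
    done
    return 0
}

# xfrm_counter NAME [STATFILE]
# Prints the value of one counter from /proc/net/xfrm_stat, whose lines are
# "<name><whitespace><value>", e.g. XfrmInTmplMismatch.
xfrm_counter() {
    name=$1
    stat=${2:-/proc/net/xfrm_stat}
    awk -v n="$name" '$1 == n { print $2 }' "$stat"
}

# watch_xfrm_counter NAME [SECONDS] [STATFILE]
# Reports how much NAME grew over an interval, so a ping sent through the
# tunnel during that window can be tied to the policy-check drop.
watch_xfrm_counter() {
    before=$(xfrm_counter "$1" "$3")
    sleep "${2:-5}"
    after=$(xfrm_counter "$1" "$3")
    echo "$1 grew by $(( ${after:-0} - ${before:-0} )) in ${2:-5}s"
}

# Usage: ./ipsec_sysctl_check.sh audit | fix | watch [COUNTER] [SECONDS]
case "${1:-}" in
    audit) audit_ipsec_sysctls ;;
    fix)   fix_ipsec_sysctls && audit_ipsec_sysctls ;;
    watch) watch_xfrm_counter "${2:-XfrmInTmplMismatch}" "${3:-5}" ;;
esac
```

Run `audit` first; a non-zero exit with lines such as `eth0/rp_filter=1` reproduces the [ENABLED] / [NOT DISABLED] findings in the `ipsec verify` output above. After `fix`, run `watch` while traffic is sent through the tunnel: if XfrmInTmplMismatch still grows, the drop is not caused by these sysctls and the inbound policy template (`ip xfrm policy`) needs to be compared against the SA the packet was decrypted with.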
