On Mon, 17 Oct 2016, Maciej Piechotka wrote:

> Possibly interesting data point - I was able to set up an ipsec tunnel with pure
> Fedora (userspace + kernel) but not Fedora strongswan tools or Centos libreswan
> on CoreOS kernel.

I don't know what "pure fedora (userspace + kernel)" means?

Perhaps you are trying to say the userlands that work on fedora/centos
do not work on coreos kernels?

It's surely possible the CoreOS kernel is missing some kind of required
feature for IPsec to work...

On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <uzytkown...@gmail.com> wrote:
      Hi Paul,

      Sorry - I've tried it before but I forgot to reenable it after
      recreation of VM. However it doesn't help.


      On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <p...@nohats.ca> wrote:
      > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
      >> I have a problem with setting up ipsec. I see ESP packets coming through
      >> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
      >> increased) so in tcpdump only the ESP packets are shown. I could not
      >> find any information on how to proceed from here.
      >> Matt
      >> PS. I disabled receiving messages from this group so please include me
      >> in To: or Cc: list.
      > Note that your barfs did not include log files. But regardless, it
      > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
      > The only thing I can see wrong is:
      > Checking for IPsec support in kernel                    [OK]
      >  NETKEY: Testing XFRM related proc values
      >          ICMP default/send_redirects                    [NOT DISABLED]
      >   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
      > or cause sending of bogus ICMP redirects!
      >          ICMP default/accept_redirects                  [NOT DISABLED]
      >   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
      > on or cause sending of bogus ICMP redirects!
      >          XFRM larval drop                               [OK]
      > Pluto ipsec.conf syntax                                 [OK]
      > Hardware random device                                  [N/A]
      > Two or more interfaces found, checking IP forwarding    [OK]
      > Checking rp_filter                                      [ENABLED]
      >  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
      >  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
      >  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
      >  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
      >  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
      >  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
      > Please completely disable redirects and rp_filter
      > Paul

Swan mailing list
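
An added example, not part of the thread and not libreswan code: a shell sketch that lists every `send_redirects`, `accept_redirects` and `rp_filter` file that is not 0 (the settings the `ipsec verify` output above flags) and reads `XfrmInTmplMismatch` from `net/xfrm_stat`. The optional proc-root argument and the sample tree built by `make_sample_proc` are assumptions of this sketch so it can run offline.

```shell
#!/bin/sh
# Added example. Reads the /proc files that `ipsec verify` checks.
# The optional proc-root argument is an assumption of this sketch (default /proc).

# Print "<file> = <value>" for every redirect/rp_filter knob that is not 0.
# Returns 1 if any knob is non-zero, 0 if all are disabled.
check_ipsec_sysctls() {
    root="${1:-/proc}"; bad=0
    for knob in send_redirects accept_redirects rp_filter; do
        for f in "$root"/sys/net/ipv4/conf/*/"$knob"; do
            [ -r "$f" ] || continue
            v=$(cat "$f")
            [ "$v" = "0" ] && continue
            echo "${f#"$root"} = $v"
            bad=1
        done
    done
    return "$bad"
}

# Print one counter from net/xfrm_stat (the file needs CONFIG_XFRM_STATISTICS).
# Exits non-zero if the counter name is not present.
xfrm_counter() {
    awk -v n="$1" '$1 == n { print $2; hit = 1 } END { exit !hit }' \
        "${2:-/proc}/net/xfrm_stat"
}

# Constructed sample tree (not data from the thread) for offline runs.
# Prints the path of the temporary directory it creates.
make_sample_proc() {
    d=$(mktemp -d)
    for i in all default eth0; do
        mkdir -p "$d/sys/net/ipv4/conf/$i"
        echo 1 > "$d/sys/net/ipv4/conf/$i/rp_filter"
        echo 0 > "$d/sys/net/ipv4/conf/$i/accept_redirects"
        echo 0 > "$d/sys/net/ipv4/conf/$i/send_redirects"
    done
    echo 1 > "$d/sys/net/ipv4/conf/default/send_redirects"
    mkdir -p "$d/net"
    printf 'XfrmInError             \t0\nXfrmInTmplMismatch      \t42\n' \
        > "$d/net/xfrm_stat"
    echo "$d"
}
```

On a live host, call `check_ipsec_sysctls` with no argument, and compare `xfrm_counter XfrmInTmplMismatch` before and after sending test traffic to see whether the counter is still rising.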