On Mon, 17 Oct 2016, Maciej Piechotka wrote:

Possibly interesting data point - I was able to set up an ipsec tunnel with pure Fedora (userspace + kernel) but not Fedora strongswan tools or Centos libreswan tools on CoreOS kernel.


I don't know what "pure fedora (userspace + kernel)" means?

Perhaps you are trying to say the userlands that work on fedora/centos
do not work on coreos kernels?

It's surely possible the CoreOS kernel is missing some kind of required
feature for IPsec to work...

Paul
On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <uzytkown...@gmail.com> wrote:
      Hi Paul,

      Sorry - I've tried it before, but I forgot to re-enable it after
      recreating the VM. However, it doesn't help.

      Matt

      On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <p...@nohats.ca> wrote:
      > On Sun, 16 Oct 2016, Maciej Piechotka wrote:
      >
      >> I have a problem setting up IPsec. I see ESP packets coming through,
      >> but they are dropped during the policy check (i.e. XfrmInTmplMismatch is
      >> increased), so in tcpdump only the ESP packets are shown. I could not
      >> find any information on how to proceed from here.
      >>
      >> Matt
      >> PS. I disabled receiving messages from this group so please include me
      >> in To: or Cc: list.
      >
      >
      > Note that your barfs did not include log files. But regardless, it
      > shows the kernel ip xfrm state/policy showing the tunnels are up fine.
      >
      > The only thing I can see wrong is:
      >
      > Checking for IPsec support in kernel                    [OK]
      >  NETKEY: Testing XFRM related proc values
      >          ICMP default/send_redirects                    [NOT DISABLED]
      >
      >   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
      > or cause sending of bogus ICMP redirects!
      >
      >          ICMP default/accept_redirects                  [NOT DISABLED]
      >
      >   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
      > on or cause sending of bogus ICMP redirects!
      >
      >          XFRM larval drop                               [OK]
      > Pluto ipsec.conf syntax                                 [OK]
      > Hardware random device                                  [N/A]
      > Two or more interfaces found, checking IP forwarding    [OK]
      > Checking rp_filter                                      [ENABLED]
      >  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
      >  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
      >  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
      >  /proc/sys/net/ipv4/conf/eth1/rp_filter                 [ENABLED]
      >  /proc/sys/net/ipv4/conf/flannel0/rp_filter             [ENABLED]
      >  /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
      >
      >
      > Please completely disable redirects and rp_filter
      >
      > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
      >
      > https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
      >
      > Paul
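The checks that "ipsec verify" reports above (send_redirects, accept_redirects and rp_filter under /proc/sys/net/ipv4/conf/*, plus the XfrmInTmplMismatch counter from the first message) can be reproduced with a small POSIX sh script. The script below is an added example, not part of this thread and not libreswan's own code: every function takes a root directory so it can be exercised against a constructed copy of /proc (built by make_sample_tree, mirroring the state in the verify output) or against the real one by passing "" as the root. The generated sysctl fragment and its file name are assumptions; it writes 0 for all, default and every interface directory found, because a knob left at 1 on a per-interface entry still counts as enabled.

```shell
#!/bin/sh
# Added example: audit the XFRM-related sysctls that "ipsec verify" flags,
# read the XfrmInTmplMismatch counter, and print a sysctl.d fragment that
# disables the flagged knobs. ROOT="" means the live system.

# List every conf/*/<knob> under $1 whose value is not 0.
# Returns non-zero when at least one such knob was found.
check_xfrm_sysctls() {
    root=$1
    bad=0
    for knob in send_redirects accept_redirects rp_filter; do
        for f in "$root"/proc/sys/net/ipv4/conf/*/"$knob"; do
            [ -f "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "NOT DISABLED: ${f#"$root"} = $val"
                bad=$((bad + 1))
            fi
        done
    done
    [ "$bad" -eq 0 ]
}

# Print the XfrmInTmplMismatch counter from $1/proc/net/xfrm_stat (0 if absent).
# A rising value means ESP packets decrypt fine but fail the policy/template
# check, which is the symptom described at the start of the thread.
xfrm_tmpl_mismatch() {
    awk '$1 == "XfrmInTmplMismatch" { print $2; found = 1 }
         END { if (!found) print 0 }' "$1/proc/net/xfrm_stat"
}

# Print sysctl lines that disable the three knobs for every conf/* directory
# under $1 (all, default and each existing interface). Interface names are
# assumed not to contain dots; a dotted name would need "/" quoting in sysctl.
gen_fix_fragment() {
    root=$1
    echo "# example fragment; file name such as /etc/sysctl.d/50-ipsec.conf is an assumption"
    for d in "$root"/proc/sys/net/ipv4/conf/*/; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        for knob in send_redirects accept_redirects rp_filter; do
            echo "net.ipv4.conf.$iface.$knob = 0"
        done
    done
}

# Build a constructed fake /proc tree under $1 mirroring the verify output:
# redirects and rp_filter enabled on every interface, 12 template mismatches.
make_sample_tree() {
    root=$1
    for iface in all default eth0 eth1 flannel0 ip_vti0; do
        d="$root/proc/sys/net/ipv4/conf/$iface"
        mkdir -p "$d"
        echo 1 > "$d/send_redirects"
        echo 1 > "$d/accept_redirects"
        echo 1 > "$d/rp_filter"
    done
    mkdir -p "$root/proc/net"
    printf 'XfrmInError\t0\nXfrmInTmplMismatch\t12\nXfrmInNoPols\t0\n' \
        > "$root/proc/net/xfrm_stat"
}

# Stand-alone run against the constructed tree (constructed data, not a real host).
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "XfrmInTmplMismatch: $(xfrm_tmpl_mismatch "$demo_root")"
check_xfrm_sysctls "$demo_root" || echo "-> knobs above need disabling; suggested fragment:"
gen_fix_fragment "$demo_root"
rm -rf "$demo_root"
```

Running it against the live system is the same calls with an empty root (check_xfrm_sysctls ""); the fragment it prints only takes effect for interfaces that exist when sysctl -p runs, while interfaces created later inherit the "default" entries, which is why both all and default are included.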



_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
