On Mon, 17 Oct 2016, Maciej Piechotka wrote:
Possibly interesting data point - I was able to set up ipsec tunnel with pure
Fedora (userspace + kernel) but not Fedora strongswan tools or Centos libreswan
on CoreOS kernel.
I don't know what "pure fedora (userspace + kernel)" means?
Perhaps you are trying to say the userlands that work on fedora/centos
do not work on coreos kernels?
Its surely possible the CoreOS kernel is missing some kind of required
feature for IPsec to work...
On Sun, Oct 16, 2016 at 8:56 PM Maciej Piechotka <uzytkown...@gmail.com> wrote:
Sorry - I've tried it before but I forgot to reenable it after
recreation of VM. However it doesn't help.
On Sun, Oct 16, 2016 at 6:47 PM, Paul Wouters <p...@nohats.ca> wrote:
> On Sun, 16 Oct 2016, Maciej Piechotka wrote:
>> I have problem with setting up ipsec. I see ESP packets coming through
>> but they are dropped during policy check (i.e. XfrmInTmplMismatch is
>> increased) so in tcpdump only the ESP packets are shown. I could not
>> find any information how to proceed from here.
>> PS. I disabled receiving messages from this group so please include me
>> in To: or Cc: list.
> Note that your barf's did not include log files. But regardless, it
> shows the kernel ip xfrm state/policy showing the tunnels are up fine.
> The only thing I can see wrong is:
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [NOT DISABLED]
> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on
> or cause sending of bogus ICMP redirects!
> ICMP default/accept_redirects [NOT DISABLED]
> Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act
> on or cause sending of bogus ICMP redirects!
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Hardware random device [N/A]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/flannel0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
> Please completely disable redirects and rp_filter
Swan mailing list