Referencing the thread starting here:<br><br><b>Steve Zeng</b>
<a href="mailto:users%40openswan.org?Subject=Re:%20%5BOpenswan%20Users%5D%20ipsec%20verify%20reports%20%22IP%20forwarding%20failed%22&In-Reply-To=%3C8B5C6F575422414AA91B46C454126B6CC888EB4E%40EXCHMVS.exchange.airg%3E" title="[Openswan Users] ipsec verify reports "IP forwarding failed"">SteveZ at airg.com
</a><br>
<i>Mon May 31 17:24:47 EDT 2010<br><br></i>I ran across the same thing using openswan on:<br>FC12, upgraded to 2.6.32.26<br>perl --version<br>This is perl, v5.10.0 built for i386-linux-thread-multi<br># ipsec --version<br>
Linux Openswan U2.6.29/K2.6.32.26-175.fc12.i686 (netkey)<br><br><br>I made a simple change that seems to fix the problem: correctly report the status of /proc/sys/net/ipv4/ip_forward, then check NAT and MASQUERADE unconditionally.<br>
I tested it with both states:<br><br>echo 0 > /proc/sys/net/ipv4/ip_forward<br>echo 1 > /proc/sys/net/ipv4/ip_forward<br><br><br>/usr/libexec/ipsec/verify<br><br>sub my_tunnelchecks {<br>    # Relies on helpers defined elsewhere in verify: printfun, errchk,<br>    # run (which fills @out) and checktunnel.<br>    open(DEV, "<", "/proc/net/dev");<br>    my @ifaces = grep !/(ipsec|lo:|Inter|packets)/, &lt;DEV&gt;;<br>    close(DEV);<br>
    if (@ifaces > 1)<br>    {<br>        printfun "Two or more interfaces found, checking IP forwarding";<br>        my $data;<br>        open(FILE, "<", "/proc/sys/net/ipv4/ip_forward") or die $!;<br>
        read FILE, $data, 1;<br>        close(FILE);<br>        # ip_forward holds a single "0" or "1"; report it either way<br>        if ($data == 1)<br>        {<br>            errchk "1";<br>        }<br>        else<br>        {<br>            $reterr = 1;<br>            errchk "0";<br>
        }<br><br>        # the NAT check now runs regardless of the ip_forward result<br>        printfun "Checking NAT and MASQUERADEing";<br>        if (-e "/proc/net/ip_conntrack")<br>        {<br>            run "iptables -t nat -L -n";<br>            if (grep /(NAT|MASQ)/, @out)<br>
            {<br>                printf "\n";<br>                # ipsec_eroute exists only with KLIPS; under netkey<br>                # the open fails quietly and there is nothing to walk<br>                open(EROUTE, "<", "/proc/net/ipsec_eroute");<br>                foreach (grep /tun0x/, &lt;EROUTE&gt;)<br>                {<br>
                    my @eroute = split(' ', $_);<br>                    checktunnel $eroute[1], $eroute[3], $eroute[5];<br>                }<br>                close(EROUTE);<br>            }<br>            else<br>            {<br>
                errchk "1";<br>            }<br>        }<br>        else<br>        {<br>            errchk "", "N/A";<br>        }<br>    }<br>}<br><br><br><br>
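As an added, stand-alone example (not Steve's patch and not code from the Openswan verify script), the same two checks written in POSIX shell. The file paths and the iptables listing are passed in as parameters so the logic can be run without root; the /proc/net/dev contents, the ip_forward values and the iptables output below are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example: stand-alone version of verify's ip_forward and NAT checks.
# Return codes: 0 = OK, 1 = problem found, 2 = not applicable (the N/A case).

# Count real interfaces in a file in /proc/net/dev format. Same filter as the
# verify script: drop the two header lines, loopback and KLIPS ipsecN devices.
count_interfaces() {
    grep -v -E '(ipsec|lo:|Inter|packets)' "$1" | grep -c ':'
}

# Read net.ipv4.ip_forward from the given sysctl file; "1" means enabled.
check_ip_forward() {
    [ -r "$1" ] || { echo "IP forwarding: N/A (cannot read $1)"; return 2; }
    IFS= read -r v < "$1"
    case "$v" in
        1) echo "IP forwarding: OK"; return 0 ;;
        *) echo "IP forwarding: FAILED (ip_forward=$v)"; return 1 ;;
    esac
}

# Look for NAT/MASQUERADE targets in the output of `iptables -t nat -L -n`
# (passed in $1), unconditionally. $2 is the conntrack proc file verify tests
# for (/proc/net/ip_conntrack; newer kernels may expose /proc/net/nf_conntrack
# instead); when it is absent the check is reported as N/A, as verify does.
# Rules being present is not itself an error, but each tunnel's traffic then
# has to be checked against them (verify does that with checktunnel).
check_nat() {
    [ -e "$2" ] || { echo "NAT/MASQUERADE: N/A (no $2)"; return 2; }
    if printf '%s\n' "$1" | grep -q -E '(NAT|MASQ)'; then
        echo "NAT/MASQUERADE: rules present, check that tunnel traffic is exempted"
        return 1
    fi
    echo "NAT/MASQUERADE: OK (no NAT rules)"
    return 0
}

# --- constructed sample input; not captured from a real host ---
SAMPLE_NAT_MASQ='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0'
SAMPLE_NAT_EMPTY='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

# Write a fake /proc tree (dev with two NICs, ip_forward=0, empty
# ip_conntrack) into a temp directory and print its path.
make_sample_dir() {
    tmp=$(mktemp -d)
    cat > "$tmp/dev" <<'EOF'
Inter-|   Receive                            |  Transmit
 face |bytes    packets errs drop fifo frame|bytes    packets errs drop fifo colls
    lo:    1000      10    0    0    0     0|    1000      10    0    0    0     0
  eth0:   20000     200    0    0    0     0|   30000     300    0    0    0     0
  eth1:   40000     400    0    0    0     0|   50000     500    0    0    0     0
EOF
    echo 0 > "$tmp/ip_forward"
    : > "$tmp/ip_conntrack"
    echo "$tmp"
}

# Run the checks against the sample in both ip_forward states, as in the post.
demo() {
    d=$(make_sample_dir)
    echo "interfaces found: $(count_interfaces "$d/dev")"
    for state in 0 1; do
        echo "$state" > "$d/ip_forward"
        check_ip_forward "$d/ip_forward"
    done
    check_nat "$SAMPLE_NAT_MASQ" "$d/ip_conntrack"
    check_nat "$SAMPLE_NAT_EMPTY" "$d/ip_conntrack"
    check_nat "$SAMPLE_NAT_MASQ" "$d/no_such_file"
    rm -rf "$d"
}

demo
```

To run it against the real host instead of the sample, call `check_ip_forward /proc/sys/net/ipv4/ip_forward` and `check_nat "$(iptables -t nat -L -n)" /proc/net/ip_conntrack` as root.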