[Openswan Users] Fwd: Lost packets after DNAT
Paul Wouters
paul at xelerance.com
Mon Feb 28 23:53:23 CET 2005
On Tue, 1 Mar 2005, George Adams wrote:
> ipsec0 is bound to eth1.
>
> the sysctl.conf file has:
>
> # Controls source route verification
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.eth1.rp_filter=0
>
> and
>
> # cat /proc/sys/net/ipv4/conf/eth1/rp_filter
> 0
>
> should I disable default.rp_filter?
Yes, because "ipsec0" is also a device that gets packets from
"martian" sources. If you really want spoof protection, just
add those to your firewall rules. rp_filter is just too
stupid to use.
> I recall having to disable eth1.rp_filter because
> IPSEC complains about it during startup.
Well, later versions just turn rp_filter off when needed.
[ ipsec verify ]
That looks ok.
> I should mention that this is running on Redhat 8 with
> kernel version 2.4.20. We are currently testing
That should work fine.
> Openswan on RHEL 3es but in the meantime I need to get
> this working.
That will be hell, since RHEL3 uses a hybrid 2.4/2.6 kernel,
and you won't be able to get KLIPS going, and the NETKEY version
in RHEL3 kernels is just too broken last time I checked.
Paul
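The two halves of Paul's advice above, turning rp_filter off where ipsec0 is involved and putting the spoof check into the packet filter instead, as an added example that is not from the original post or from the Openswan project. The interface names (eth1 outside, eth0 inside), the LAN 192.168.1.0/24 and the remote VPN subnet 10.0.0.0/24 are assumed for illustration. Note that net.ipv4.conf.ipsec0.rp_filter only exists once KLIPS has created the device, so a sysctl.conf entry for it is rejected if sysctl runs before the ipsec service starts; that is why newer Openswan turns it off itself at startup.

```shell
#!/bin/sh
# Added example (not Openswan's or Paul's own code). Emits the sysctl
# settings and iptables anti-spoofing rules for a KLIPS gateway whose
# ipsec0 is bound to eth1. Topology below is hypothetical.
EXT_IF=eth1                 # Internet side, carries ESP/IKE
LAN_IF=eth0                 # internal LAN side
LAN_NET=192.168.1.0/24      # assumed internal network
REMOTE_NET=10.0.0.0/24      # assumed subnet behind the remote gateway

# sysctl.conf lines. "default" seeds new devices such as ipsec0, and the
# kernel combines "all" with the per-interface value, so all are set to 0
# to leave no ambiguity. The ipsec0 key exists only after KLIPS is loaded.
rp_filter_sysctl_lines() {
    cat <<EOF
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.$EXT_IF.rp_filter = 0
net.ipv4.conf.ipsec0.rp_filter = 0
EOF
}

# Explicit spoof protection replacing rp_filter: decrypted packets pop
# out of ipsec0 with remote-subnet sources, so the interface/source pairs
# are pinned by hand rather than guessed from the routing table.
antispoof_rules() {
    cat <<EOF
# nothing from the Internet side may claim a LAN or VPN source
iptables -A INPUT   -i $EXT_IF -s $LAN_NET    -j DROP
iptables -A FORWARD -i $EXT_IF -s $LAN_NET    -j DROP
iptables -A INPUT   -i $EXT_IF -s $REMOTE_NET -j DROP
iptables -A FORWARD -i $EXT_IF -s $REMOTE_NET -j DROP
# only the remote subnet may appear on the decrypted side
iptables -A INPUT   -i ipsec0 ! -s $REMOTE_NET -j DROP
iptables -A FORWARD -i ipsec0 ! -s $REMOTE_NET -j DROP
# only LAN addresses may enter from the LAN interface
iptables -A INPUT   -i $LAN_IF ! -s $LAN_NET -j DROP
iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
EOF
}

# Running value of rp_filter for one interface, read from /proc (or from
# an alternate root given as $2). Prints "absent" when the key does not
# exist yet, which is the normal state for ipsec0 before KLIPS loads.
rp_filter_state() {
    f="${2:-/proc/sys/net/ipv4/conf}/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Usage: sh rpfilter.sh show   -> print the sysctl lines and rules
#        sh rpfilter.sh check  -> show the live rp_filter state
case "${1:-}" in
    show)  rp_filter_sysctl_lines; echo; antispoof_rules ;;
    check) for i in all default "$EXT_IF" ipsec0; do
               echo "$i: $(rp_filter_state "$i")"
           done ;;
esac
```

The "check" mode is the quick way to confirm what the poster did by hand with cat on /proc/sys/net/ipv4/conf/eth1/rp_filter, and it makes the absent ipsec0 key visible instead of silently passing.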