[Openswan Users] Fwd: Lost packets after DNAT

Paul Wouters paul at xelerance.com
Mon Feb 28 23:53:23 CET 2005


On Tue, 1 Mar 2005, George Adams wrote:

> ipsec0 is bound to eth1.
> 
> the sysctl.conf file has:
> 
> # Controls source route verification
> net.ipv4.conf.default.rp_filter = 1
> net.ipv4.conf.eth1.rp_filter=0
> 
> and 
> 
> # cat /proc/sys/net/ipv4/conf/eth1/rp_filter
> 0
> 
> should I disable default.rp_filter?

Yes, because "ipsec0" is also a device that gets packets from
"martian" sources. If you really want spoof protection, just
add those to your firewall rules. rp_filter is just too
stupid to use.

> I recall having to disable eth1.rp_filter because
> IPSEC complains about it during startup.

Well, later versions just turn rp_filter off when needed.
[ ipsec verify ]

That looks ok.
> I should mention that this is running on Redhat 8 with
> kernel version 2.4.20. We are currently testing

That should work fine.

> Openswan on RHEL 3es but in the meantime I need to get
> this working.

That will be hell, since RHEL3 uses a hybrid 2.4/2.6 kernel,
and you won't be able to get KLIPS going, and the NETKEY version
in RHEL3 kernels is just too broken last time I checked.

Paul
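
Added here as an example, not code from this thread or from Openswan: a POSIX shell audit that lists which interfaces still have rp_filter turned on (a fresh ipsec0 inheriting default.rp_filter=1 is the case above) and prints the explicit anti-spoofing rules the reply recommends in its place. The conf directory argument, the outside interface name and the internal prefixes are assumptions/placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan. The conf tree is a
# parameter so the functions can be checked against a constructed copy.

# Print "<iface> <rp_filter value>" for every entry under the conf directory.
rp_filter_report() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue          # glob did not match, or unreadable
        iface=$(basename "$(dirname "$f")")
        printf '%s %s\n' "$iface" "$(cat "$f")"
    done
}

# Interfaces with rp_filter on, skipping the "all"/"default" pseudo-entries.
# A virtual ipsec0 that inherited default.rp_filter=1 shows up here: that is
# the device on which decapsulated packets get dropped as "martians".
rp_filter_enabled_ifaces() {
    rp_filter_report "$1" |
        awk '$1 != "all" && $1 != "default" && $2 != "0" { print $1 }'
}

# Emit iptables rules dropping packets that arrive on the outside interface
# $1 claiming a source inside one of the internal prefixes given as the
# remaining arguments. The encrypted packets from the peer carry its public
# source, so these rules leave the tunnel alone; only ipsec0 sees the
# private sources, and it gets no such rule.
antispoof_rules() {
    iface="$1"; shift
    for net in "$@"; do
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$iface" "$net"
        printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$iface" "$net"
    done
}

# Usage on a live box (interface and prefixes are placeholders):
#   rp_filter_enabled_ifaces
#   antispoof_rules eth1 10.0.0.0/8 192.168.0.0/16   # review, then run
```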
