[Openswan Users] Fwd: Lost packets after DNAT

George Adams georgebadams at yahoo.com.au
Tue Mar 1 10:27:51 CET 2005


 --- Paul Wouters <paul at xelerance.com> wrote: 
> On Tue, 1 Mar 2005, George Adams wrote:
> 
> > ipsec0 is bound to eth1.
> > 
> > the sysctl.conf file has:
> > 
> > # Controls source route verification
> > net.ipv4.conf.default.rp_filter = 1
> > net.ipv4.conf.eth1.rp_filter=0
> > 
> > and 
> > 
> > # cat /proc/sys/net/ipv4/conf/eth1/rp_filter
> > 0
> > 
> > should I disable default.rp_filter? 
> 
> Yes, because "ipsec0" is also a device that gets
> packets from
> "martian" sources. If you really want spoof
> protection, just
> add those to your firewall rules. rp_filter is just
> too
> stupid to use. 
>  

Done. I'll get the client to test later since I don't
have access to the client end. 

> > I recall having to disable eth1.rp_filter because
> > IPSEC complains about it during startup.
> 
> Well, later versions just turn rp_filter off when
> needed.
>  
> [ ipsec verify ]
> 
> That looks ok.
>   
> > I should mention that this is running on Redhat 8
> > with
> > kernel version 2.4.20. We are currently testing
> 
> That should work fine.
> 
> > Openswan on RHEL 3es but in the meantime I need to
> > get
> > this working.
> 
> That will be hell, since RHEL3 uses a hybrid 2.4/2.6
> kernel,
> and you won't be able to get KLIPS going, and the
> NETKEY version

Not my choice really and quite annoyed about the lack
of KLIPS, but some management feel better when they
pay. :-)

> in RHEL3 kernels is just too broken last time I
> checked.
> 
> Paul
> 

The new setup Openswan+L2TP is being used with WINXP
SP2 roadwarriors. So far I've been very happy with it.

Many thanks for your help.

George.
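As an added illustration of the rp_filter point discussed above (this is not code from the thread, Openswan, or either poster), the following Python model shows why a strict reverse-path check drops decrypted packets arriving on a KLIPS ipsec0 interface that inherits the default rp_filter value, and why turning rp_filter off on eth1 alone leaves spoofed packets on eth1 unchecked unless explicit firewall rules take over. The routing table, interface names other than eth1/ipsec0, address ranges and packets are all constructed assumptions.

```python
import ipaddress

# Constructed routing table (an assumption, not from the thread): ipsec0 is the
# KLIPS virtual device riding on the external interface eth1.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),        # default route via eth1
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),   # internal LAN (assumed)
    (ipaddress.ip_network("10.8.0.0/24"), "ipsec0"),    # remote subnet via tunnel
]

# Address ranges that must never appear as a source on the external interface.
# This is the explicit anti-spoofing rule set that replaces rp_filter.
PROTECTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]


def egress_interface(src):
    """Longest-prefix match: the interface a reply to `src` would leave on."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, dev in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter_verdict(src, ingress, rp_filter):
    """Strict reverse-path check as rp_filter=1 applies it.

    `rp_filter` mirrors the sysctl tree: per-interface entries plus a
    'default' entry that covers interfaces without their own value (ipsec0
    in the thread only has the default, so it inherits default.rp_filter=1).
    """
    enabled = rp_filter.get(ingress, rp_filter.get("default", 0))
    if not enabled:
        return "ACCEPT"
    return "ACCEPT" if egress_interface(src) == ingress else "DROP"


def firewall_verdict(src, ingress):
    """Explicit spoof protection: drop external packets claiming an internal
    or tunnel source; decrypted traffic on ipsec0 is left alone."""
    addr = ipaddress.ip_address(src)
    if ingress == "eth1" and any(addr in net for net in PROTECTED):
        return "DROP"
    return "ACCEPT"


def demo():
    """Walk through the thread's situation with constructed packets."""
    as_configured = {"default": 1, "eth1": 0}   # George's original sysctl.conf
    after_fix = {"default": 0, "eth1": 0}       # default.rp_filter disabled too
    roadwarrior = "203.0.113.7"                  # decrypted source seen on ipsec0
    spoofed_lan = "192.168.1.5"                  # LAN address arriving on eth1
    return {
        # ipsec0 inherits default.rp_filter=1; the reverse route is eth1, so DROP
        "ipsec0_before": rp_filter_verdict(roadwarrior, "ipsec0", as_configured),
        "ipsec0_after": rp_filter_verdict(roadwarrior, "ipsec0", after_fix),
        # eth1.rp_filter=0 means rp_filter no longer catches spoofing on eth1 ...
        "eth1_spoof_rp_filter": rp_filter_verdict(spoofed_lan, "eth1", after_fix),
        # ... which is why the explicit firewall rule has to do that job
        "eth1_spoof_firewall": firewall_verdict(spoofed_lan, "eth1"),
        "ipsec0_firewall": firewall_verdict(roadwarrior, "ipsec0"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The model reproduces the two observations in the thread: with only eth1.rp_filter=0, a decrypted packet on ipsec0 is still dropped because ipsec0 inherits default.rp_filter=1 and its source routes back via eth1; once rp_filter is off everywhere, spoof protection has to come from rules keyed on interface and source range, as Paul suggests.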
