[Openswan Users] multiple subnets ?

Paul Wouters paul at xelerance.com
Thu Jun 26 16:30:40 EDT 2008


On Thu, 26 Jun 2008, Indunil Jayasooriya wrote:

> rp_filter is set to 1.

Unset it. rp_filter is a feature that should be killed off.

> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> 
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!

Add to sysctl.conf:

net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

> > Traceroute is a very bad tool to use in combination with IPsec.
> 
> Then, can you recommend a good tool instead?

If checking on the first IKE packet, you can use ikeping. If checking
on subsequent IKE packets, use the logs on both ends. For checking
packets, the best is just tcpdump, preferably not on the machine itself
(because NETKEY confuses things).

> Command ifconfig shows the USUAL ip addresses. It does NOT show any tunnel?

That is correct. ipsec0 interfaces only appear with KLIPS, and you are
using NETKEY.

> Could you pls explain why I can not ping their subnets.

That I don't know without more information. Try the above fixes.

> What are the areas I will have to look in to it ?

If your clients do not have the vpn server in their "default path",
then you need to add some routing on them.

Be VERY sure you're not accidentally NATing IPsec packets. The digital
signatures would be broken and packets would be dropped (on NETKEY
silently; on KLIPS silently too, but you can define klipsdebug to make it
log those).

Paul
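As an added example (not from Paul's message or the Openswan project): a small POSIX sh check, fed a constructed `sysctl -a` sample, that reports which of the redirect, rp_filter and forwarding settings above are still wrong on a NETKEY host; the function name and the sample lines are assumptions of this example.

```shell
#!/bin/sh
# Added check (not from the original post): compare "key = value" lines, as
# printed by `sysctl -a`, against the NETKEY-related settings recommended
# above. Prints one line per mismatch and returns 1 if any was found.
check_netkey_sysctls() {
  status=0
  # IFS of space and '=' turns "net.ipv4.ip_forward = 1" into key=... val=1
  while IFS=' =' read -r key val _; do
    case $key in
      net.ipv4.ip_forward) want=1 ;;                 # the VPN gateway must forward
      net.ipv4.icmp_ignore_bogus_error_responses) want=1 ;;
      # every interface entry (all, default, eth0, ...) must have redirects off
      net.ipv4.conf.*.send_redirects|net.ipv4.conf.*.accept_redirects) want=0 ;;
      net.ipv4.conf.*.rp_filter) want=0 ;;           # rp_filter breaks IPsec routing
      *) continue ;;                                 # key not relevant to NETKEY
    esac
    if [ "$val" != "$want" ]; then
      printf '%s: got %s, want %s\n' "$key" "$val" "$want"
      status=1
    fi
  done
  return $status
}

# Constructed sample of `sysctl -a` output (not taken from a real host):
# one entry still sends ICMP redirects, rp_filter is already off.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.tcp_rmem = 4096 87380 6291456'

# Real use on the gateway: sysctl -a 2>/dev/null | check_netkey_sysctls
printf '%s\n' "$SAMPLE" | check_netkey_sysctls || echo "add the settings above to sysctl.conf and run sysctl -p"
```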
