[Openswan Users] Installing OpenSwan for the first time
Arjun Datta
arjun at greatgulfhomes.com
Wed Mar 12 15:07:28 EDT 2008
Absolutely,
This script resides in my /root/bin.
I call it disable_send_accept_redirects
------
#!/bin/bash
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/ppp0/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/ppp0/accept_redirects
-----
I have also added the following line to my /etc/rc.local startup script:
/root/bin/disable_send_accept_redirects
So that it is called on startup. I am using FC7 - on your system the
startup script location may be different.
As you can see I disable both types of redirects for ALL interfaces - I
am not sure if that is correct or wise but it seems to work for me ; )
I'm new to linux too, welcome to the club.
Regards,
Arjun Datta
Chris Thomas wrote:
>
> OK, should I worry about setting the "accept_redirects" in just my
> interfaces or do I need to set it in "all", "default" and "lo" as well?
>
>
>
> Care to share your script? :) I would be most grateful. I'm still
> fumbling my way through Linux, so I'm not sure how to write it myself.
>
>
>
> Thanks for the help!
>
> -Chris
>
>
>
> *From:* Arjun Datta [mailto:arjun at greatgulfhomes.com]
> *Sent:* Wednesday, March 12, 2008 1:28 PM
> *To:* Chris Thomas; users at openswan.org
> *Subject:* RE: [Openswan Users] Installing OpenSwan for the first time
>
>
>
> Hi Chris,
>
>
>
> I had a similar problem and I resolved it as follows:
>
>
>
> Those files are in the proc filesystem and contain a 0 or a 1 for
> disabled/enabled.
>
>
>
> Simply disable the redirects by changing the 0 to a 1 in all of those
> files. I used a script that I keep handy because sometimes after
> reboot or restarting the network, those files go back to defaults and
> the redirects are enabled.
>
>
>
> After doing that you can check your work by running ipsec verify again.
>
>
>
> I am not sure if this is the correct way of doing this but I did the
> above and my VPN connection seems to work so far.
>
>
>
> Regards,
>
>
>
> Arjun Datta
>
>
>
> -----Original Message-----
> *From:* users-bounces at openswan.org
> [mailto:users-bounces at openswan.org]*On Behalf Of *Chris Thomas
> *Sent:* Wednesday, March 12, 2008 1:07 PM
> *To:* users at openswan.org
> *Subject:* [Openswan Users] Installing OpenSwan for the first time
>
> I am attempting to install OpenSwan on a Ubuntu 7.10 server. I ran
> *apt-get install openswan* and received the following after running
> *ipsec verify*:
>
>
>
> root at gatekeeper:/home/administrator# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.4.6/K2.6.22-14-server (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>
> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [FAILED]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> root at gatekeeper:/home/administrator#
>
>
>
> I'm not exactly sure how to disable
> "/proc/sys/net/ipv4/conf/*/send_redirects" and I'm not sure if
> everything else there is OK or not. It does not match what the wiki
> tells me I should have, so I want to address this before I proceed.
>
>
>
> Thanks in advance,
>
> -Chris
>
>
>
>
>
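
Added example, not part of the original message or of Openswan: a variant of the script above that walks every interface directory under /proc/sys/net/ipv4/conf instead of naming eth0, eth1 and ppp0, then re-reads the values to confirm them. The function names, the `--apply` flag and the overridable `CONF_ROOT` variable are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original message): disable ICMP redirects on
# every interface the kernel lists, then confirm the result.
# CONF_ROOT, the function names and --apply are assumptions of this example;
# CONF_ROOT can point at a constructed directory tree for testing without root.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Write 0 to send_redirects and accept_redirects in every interface
# directory, including "all", "default" and "lo".
disable_redirects() {
    local root="${1:-$CONF_ROOT}"
    local dir key rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        for key in send_redirects accept_redirects; do
            [ -e "$dir$key" ] || continue
            echo 0 > "$dir$key" || rc=1   # keep going, report failure at the end
        done
    done
    return "$rc"
}

# List every file that still holds a non-zero value; return 1 if any do.
# These are the files the ipsec verify output asks to have disabled.
check_redirects() {
    local root="${1:-$CONF_ROOT}"
    local file rc=0
    for file in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -e "$file" ] || continue
        if [ "$(cat "$file")" != "0" ]; then
            echo "still enabled: $file"
            rc=1
        fi
    done
    return "$rc"
}

# Only touch the live system when asked to explicitly (run as root).
if [ "${1:-}" = "--apply" ]; then
    disable_redirects && check_redirects && echo "all redirects disabled"
fi
```

Run it as root with `--apply` from the same startup hook the message uses; without that argument it only defines the two functions.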