[Openswan Users] Openswan on Ubuntu 8.10
Aaron Hicks
aaron.hicks at servicesphere.com
Tue Jan 6 18:52:43 EST 2009
1. Ah, stupid Word or Outlook has converted a double dash to some other character. It should be "--purge".
2. Hmm, sounds like a permissions error; do you really have superuser access? Alternatively, pipe the output from sysctl to a text file and search it some other way.
From: Richard de Rivaz [mailto:richard at mdr.co.uk]
Sent: Tuesday, 6 January 2009 7:45 p.m.
To: Aaron Hicks
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Openswan on Ubuntu 8.10
Hi Aaron
Thanks for your helpful email. I am still stuck early in the process!
1. sudo apt-get –purge remove openswan ipsec-tools raccoon vpnc
does not appear to like purge and remove in the same command line.
2. sudo sysctl -a | grep 'ip4.conf.*redirect'
gives the following errors:
error: "Invalid argument" reading key "fs.binfmt_misc.register"
error: permission denied on key 'net.ipv4.route.flush'
So I cannot progress beyond the 'ipsec verify' stage.
The config file is currently:
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=0
# Uncomment the next line to enable packet forwarding for IPv6
net.ipv6.conf.all.forwarding=0
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
#
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# sys.kernel.maps_protect = 1
Regards Richard
--
Richard de Rivaz
MDR Interfaces Ltd
Computer Control Specialists
Tel: +44(0)1825 790294 Fax: +44(0)1825 790119
Reg in England No. 1577056 Directors: R de Rivaz Z de Rivaz
Reg Address: Little Bridge House, Danehill, Sussex RH17 7JD
http://www.mdr.co.uk
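
An added example, not part of the original thread: a shell sketch that reads only the per-interface accept_redirects and send_redirects files under /proc/sys/net/ipv4/conf, so the keys named in the error messages above are never touched, and runs the same check over sysctl.conf-style text. The function names and the sample input are made up for illustration, and it assumes the wanted value for these keys is 0, as in the quoted sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the redirect keys should
# be 0, as in the sysctl.conf quoted in the message.

# redirect_report [FILE]: read "key = value" lines (file or stdin) and print
# "<OK|NONZERO> key=value" for each IPv4 accept_redirects/send_redirects key.
redirect_report() {
    awk -F= '
        /^[ \t]*#/ || !/=/ { next }      # skip comments and lines without "="
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key ~ /^net\.ipv4\.conf\.[^.]+\.(accept|send)_redirects$/)
                printf "%s %s=%s\n", (val == "0" ? "OK" : "NONZERO"), key, val
        }' "$@"
}

# proc_dump [DIR]: emit the same "key = value" form by reading the
# per-interface files directly instead of walking every key with `sysctl -a`.
proc_dump() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$dir"/*/accept_redirects "$dir"/*/send_redirects; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable file
        iface=$(basename "$(dirname "$f")")
        printf 'net.ipv4.conf.%s.%s = %s\n' "$iface" "$(basename "$f")" "$(cat "$f")"
    done
}

# sample_conf: constructed input. The two "all" lines mirror the quoted
# sysctl.conf; the last two are made up to show a non-zero value.
sample_conf() {
    cat <<'EOF'
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects=1
net.ipv4.conf.eth0.accept_redirects = 1
EOF
}

# count_nonzero [FILE]: number of redirect keys whose value is not 0.
count_nonzero() {
    redirect_report "$@" | grep -c '^NONZERO' || true
}

# Live values:   proc_dump | redirect_report
# Config file:   redirect_report /etc/sysctl.conf
```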