[Openswan Users] Problem with networking traffic past the tunnel

Paul Wouters paul at xelerance.com
Wed Nov 4 11:07:05 EST 2009

On Wed, 4 Nov 2009, Jay Smith wrote:

> Okay, I do not see an examples folder. Where else can that sysctl.conf file be? To give you more info:
> We are indeed using 1 interface. This device also serves as the gateway for the network. It serves as our
> DHCP system and router. It does not serve DNS services though, the Domain Controller does. Not sure if
> that additional info helps at all or not.

It might be in /usr/share/doc/openswan*

What you need is:

# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (because it cannot
# tell an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

You also need to enable forwarding and disable rp_filter:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

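Added example (not part of Paul's reply or of Openswan): a POSIX sh audit that reads a `sysctl -a` style dump on stdin and reports every setting from the list above that is missing or differs, printing the corrective `sysctl -w` line for each. The sample dump at the bottom is constructed.

```shell
#!/bin/sh
# Audit a sysctl dump against the values recommended for a single-interface
# NETKEY gateway: no ICMP redirects, ignore bogus errors, no martian logging,
# forwarding on, rp_filter off. Added example, not code from the thread.

REQUIRED='net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=0
net.ipv4.conf.default.log_martians=0
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0'

# audit_sysctl: reads "key = value" lines (sysctl -a or sysctl.conf format)
# from stdin, prints one corrective command per bad key, and returns the
# number of keys that are missing or set to the wrong value (0 = compliant).
audit_sysctl() {
    dump=$(cat)
    bad=0
    for pair in $REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        # skip comment lines, accept "key=value" or "key = value",
        # and take the last occurrence so a later override wins
        have=$(printf '%s\n' "$dump" | grep -v '^[[:space:]]*#' |
            sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" |
            tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "sysctl -w $key=$want   # currently: ${have:-unset}"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample: forwarding is on, but redirects are still enabled
# and rp_filter was never set, so three corrective lines are expected.
printf '%s\n' \
    '# excerpt from sysctl -a on the gateway (constructed)' \
    'net.ipv4.ip_forward = 1' \
    'net.ipv4.conf.all.send_redirects = 1' \
    'net.ipv4.conf.default.send_redirects = 1' \
    'net.ipv4.icmp_ignore_bogus_error_responses = 1' \
    'net.ipv4.conf.all.log_martians = 0' \
    'net.ipv4.conf.default.log_martians = 0' |
    audit_sysctl || echo "$? setting(s) need fixing"
```

On a live gateway, `sysctl -a | audit_sysctl` runs the same check against the running kernel.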