[Openswan Users] Problem with networking traffic past the tunnel

Jay Smith me at jayftw.com
Wed Nov 4 12:30:23 EST 2009


Hello,
   It's not there either. I found an /etc/sysctl.conf and it says
------
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# enable ipV6 forwarding
#net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
# avoid deleting secondary IPs on deleting the primary IP
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
------

I don't know if that's the same one or not. I wanted to make sure it was
safe to make changes to that actual file.

Sincerely,

Jay


On Wed, Nov 4, 2009 at 10:07 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 4 Nov 2009, Jay Smith wrote:
>
>> Okay, I do not see an examples folder. Where else can that sysctl.conf
>> file be? To give you more info:
>> We are indeed using 1 interface. This device also serves as the gateway
>> for the network. It serves as our
>> DHCP system and router. It does not serve DNS services though, the Domain
>> Controller does. Not sure if
>> that additional info helps at all or not.
>>
>
> It might be in /usr/share/doc/openswan*
>
> What you need is:
>
> # when using 1 interface for two networks when using NETKEY, the
> # kernel thinks it can be clever by sending a redirect (cause it cannot
> # tell an encrypted packet came in, but a decrypted packet came out),
> # so it sends a bogus ICMP redirect
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> net.ipv4.conf.all.log_martians = 0
> net.ipv4.conf.default.log_martians = 0
>
> You also need to enable forwarding and disable rp_filter:
>
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
>
>
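
The check below is an added example, not part of either message: it parses the active lines of the sysctl.conf Jay posted and compares them with the values Paul lists. The function names are hypothetical, and the rp_filter check assumes a current Linux kernel, where the effective value for an interface is the maximum of conf.all and conf.<interface>.

```python
# Values from Paul's reply (NETKEY, one interface serving two networks).
RECOMMENDED = {
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "0",
    "net.ipv4.conf.default.log_martians": "0",
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.default.rp_filter": "0",
}

# Settings lines of the file Jay posted (descriptive comments omitted).
POSTED_CONF = """\
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
#net.ipv6.conf.all.forwarding = 1
fs.inotify.max_user_watches = 65536
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
"""

def parse_sysctl(text):
    """Return {key: value}. A later assignment of the same key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (missing keys, {key: conflicting value}, other non-zero rp_filter keys)."""
    have = parse_sysctl(text)
    missing = sorted(k for k in RECOMMENDED if k not in have)
    conflicting = {k: have[k] for k, v in RECOMMENDED.items() if have.get(k, v) != v}
    # Assumption (current kernels): effective rp_filter = max(conf.all, conf.<iface>),
    # so any other non-zero rp_filter key can keep filtering on despite default = 0.
    rp_other = {k: v for k, v in have.items()
                if k.startswith("net.ipv4.conf.") and k.endswith(".rp_filter")
                and k not in RECOMMENDED and v != "0"}
    return missing, conflicting, rp_other

if __name__ == "__main__":
    for label, result in zip(("missing", "conflicting", "rp_filter"), audit(POSTED_CONF)):
        print(label, result)
```

Run against the posted file, it reports all seven listed keys as missing and flags `net.ipv4.conf.all.rp_filter = 1` as a setting that would keep reverse-path filtering active.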