[Openswan Users] Solution to ipsec verify reports "IP forwarding failed"
steve delaney
sdelaney39 at gmail.com
Thu Nov 3 02:24:25 EDT 2011
Referencing the thread starting here:
Steve Zeng, SteveZ at airg.com
Mon May 31 17:24:47 EDT 2010

I ran across the same thing using Openswan on:
FC12, upgraded to 2.6.32.26
perl --version
This is perl, v5.10.0 built for i386-linux-thread-multi
# ipsec --version
Linux Openswan U2.6.29/K2.6.32.26-175.fc12.i686 (netkey)
I made a simple change that seems to fix the problem: it correctly reports the status of /proc/sys/net/ipv4/ip_forward and then checks NAT and MASQUERADE unconditionally. I tested it with both states:
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
/usr/libexec/ipsec/verify
sub my_tunnelchecks {
    # Count the interfaces listed in /proc/net/dev, skipping the two
    # header lines ("Inter-|" and "... packets ..."), lo: and KLIPS ipsecN.
    open("dev", "/proc/net/dev");
    if((grep !/(ipsec|lo:|Inter|packets)/, <dev>) > 1)
    {
        printfun "Two or more interfaces found, checking IP forwarding";
        # Read the first byte of the sysctl file directly: "1" means
        # forwarding is on, anything else means it is off.
        my ($data, $n);
        open FILE, "/proc/sys/net/ipv4/ip_forward" or die $!;
        $n = read FILE, $data, 1;
        close FILE;
        if($data == 1)
        {
            errchk "1";
        }
        else
        {
            $reterr = 1;
            errchk "0";
        }
        # Check NAT/MASQUERADE regardless of the ip_forward result.
        printfun "Checking NAT and MASQUERADEing";
        if( -e "/proc/net/ip_conntrack" )
        {
            run "iptables -t nat -L -n";
            if(grep /(NAT|MASQ)/, @out)
            {
                # NAT rules exist: walk the KLIPS eroutes (tun0x...) and
                # check each tunnel's subnets against the NAT rules.
                # On netkey /proc/net/ipsec_eroute does not exist, so the
                # open fails and the loop body never runs.
                printf "\n";
                open("cat", "/proc/net/ipsec_eroute");
                foreach(grep /tun0x/, <cat>)
                {
                    @eroute=split(' ',$_);
                    checktunnel $eroute[1], $eroute[3], $eroute[5];
                }
                close(cat);
            }
            else
            {
                errchk "1";
            }
        }
        else
        {
            errchk "","N/A";
        }
    }
    close(dev);
}
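The same three checks (interface count, ip_forward state, NAT/MASQUERADE rules) as plain shell functions, added here as an example; this is not code from the post above or from the Openswan verify script. Each function takes its input as a file path, so the functions can be pointed at /proc and at a saved "iptables -t nat -L -n" listing on a live host, or at the constructed sample files written by write_samples for offline testing. The function names, the sample data and the "WARNING" wording are my own; the per-eroute tunnel check (KLIPS /proc/net/ipsec_eroute) is not reproduced.

```shell
#!/bin/sh
# Added example, not part of the Openswan verify script: the checks the Perl
# patch performs, as shell functions that read their inputs from file paths.
# Function names, sample data and result wording are assumptions of this
# example. The KLIPS per-eroute tunnel check is not reproduced.

# count_ifaces FILE: number of interfaces in a /proc/net/dev listing, skipping
# the two header lines (match "Inter" / "packets"), lo: and ipsec* devices.
count_ifaces() {
    grep -v -E '(ipsec|lo:|Inter|packets)' "$1" | wc -l | tr -d ' '
}

# ip_forward_enabled FILE: true when the first byte of the ip_forward sysctl
# file is "1"; a missing or empty file is treated as forwarding disabled.
ip_forward_enabled() {
    [ -r "$1" ] || return 1
    IFS= read -r value < "$1" || true
    case $value in
        1*) return 0 ;;
        *)  return 1 ;;
    esac
}

# nat_rules_present FILE: true when a saved 'iptables -t nat -L -n' listing
# contains any NAT (SNAT/DNAT) or MASQUERADE target.
nat_rules_present() {
    grep -q -E '(NAT|MASQ)' "$1"
}

# verify_forwarding DEVFILE FWDFILE NATFILE: same decision logic as the patch,
# with the NAT check run whether or not forwarding is enabled. Returns 0 when
# forwarding is on, or when only one interface exists and the check is moot.
verify_forwarding() {
    rc=0
    if [ "$(count_ifaces "$1")" -gt 1 ]; then
        if ip_forward_enabled "$2"; then
            echo 'Two or more interfaces found, checking IP forwarding   [OK]'
        else
            echo 'Two or more interfaces found, checking IP forwarding   [FAILED]'
            rc=1
        fi
        if [ ! -r "$3" ]; then
            echo 'Checking NAT and MASQUERADEing                          [N/A]'
        elif nat_rules_present "$3"; then
            echo 'Checking NAT and MASQUERADEing   [WARNING: NAT rules found, exempt tunnel subnets]'
        else
            echo 'Checking NAT and MASQUERADEing                          [OK]'
        fi
    else
        echo 'Only one interface found, skipping IP forwarding check'
    fi
    return $rc
}

# write_samples DIR: constructed sample inputs (not captured from a real host)
# in the formats of /proc/net/dev, ip_forward and 'iptables -t nat -L -n'.
write_samples() {
    cat > "$1/dev" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     100    0    0    0     0          0         0    12345     100    0    0    0     0       0          0
  eth0: 1234567    5000    0    0    0     0          0         0   234567    4000    0    0    0     0       0          0
  eth1:  654321    3000    0    0    0     0          0         0   123456    2000    0    0    0     0       0          0
EOF
    echo 1 > "$1/ip_forward_on"
    echo 0 > "$1/ip_forward_off"
    cat > "$1/nat_masq" <<'EOF'
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0
EOF
    cat > "$1/nat_empty" <<'EOF'
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
EOF
}
```

On a live host: save the NAT table with "iptables -t nat -L -n > /tmp/nat.txt" and run "verify_forwarding /proc/net/dev /proc/sys/net/ipv4/ip_forward /tmp/nat.txt". Reading the sysctl file fresh on every call is the point of the fix: the value is taken from the kernel at check time, not from a cached variable, so toggling ip_forward between runs changes the result immediately.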