[Openswan Users] Solution to ipsec verify reports "IP forwarding failed"

steve delaney sdelaney39 at gmail.com
Thu Nov 3 02:24:25 EDT 2011


Referencing the thread starting here:

Steve Zeng SteveZ at airg.com
Mon May 31 17:24:47 EDT 2010

I ran across the same thing using openswan on:
FC12, upgraded to 2.6.32.26
perl --version
This is perl, v5.10.0 built for i386-linux-thread-multi
# ipsec --version
Linux Openswan U2.6.29/K2.6.32.26-175.fc12.i686 (netkey)


I made a simple change that seems to fix the problem:
it correctly reports the status of /proc/sys/net/ipv4/ip_forward,
then checks NAT and MASQUERADE unconditionally.
I tested it with both states:

echo 0 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward


/usr/libexec/ipsec/verify

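sub my_tunnelchecks {
    # Count the lines of /proc/net/dev that are not headers, loopback or ipsec devices.
    open(my $dev, "<", "/proc/net/dev");
    if((grep !/(ipsec|lo:|Inter|packets)/, <$dev>) > 1)
    {
        printfun "Two or more interfaces found, checking IP forwarding";
        my ($data, $n);
        # Read the first byte of ip_forward: "1" means forwarding is enabled.
        open(my $fwd, "<", "/proc/sys/net/ipv4/ip_forward") or die $!;
        $n = read $fwd, $data, 1;
        close($fwd);
        if($data == 1)
        {
            errchk "1";
        }
        else
        {
            # Forwarding is off: record the error and report the failure.
            $reterr = 1;
            errchk "0";
        }

        # The NAT check now runs whatever the ip_forward state is.
        printfun "Checking NAT and MASQUERADEing";
        if( -e "/proc/net/ip_conntrack" )
        {
            run "iptables -t nat -L -n";
            if(grep /(NAT|MASQ)/, @out)
            {
                printf "\n";
                # Check each tunnel listed in the eroute table, if the file is present.
                if(open(my $cat, "<", "/proc/net/ipsec_eroute"))
                {
                    foreach(grep /tun0x/, <$cat>)
                    {
                        my @eroute = split(' ', $_);
                        checktunnel $eroute[1], $eroute[3], $eroute[5];
                    }
                    close($cat);
                }
            }
            else
            {
                errchk "1";
            }
        }
        else
        {
            errchk "","N/A";
        }
    }
}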