[Openswan Users] Solution to ipsec verify reports "IP forwarding failed"
Paul Wouters
paul at xelerance.com
Thu Nov 3 09:49:11 EDT 2011
On Wed, 2 Nov 2011, steve delaney wrote:
> Referencing the thread starting here:
>
> Steve Zeng SteveZ at airg.com
> Mon May 31 17:24:47 EDT 2010
>
> I ran across the same thing using openswan on:
> FC12, upgraded to 2.6.32.26
> perl --version
> This is perl, v5.10.0 built for i386-linux-thread-multi
> # ipsec --version
> Linux Openswan U2.6.29/K2.6.32.26-175.fc12.i686 (netkey)
>
>
> I made a simple change that seems to fix the problem
> to correctly report status of /proc/sys/net/ipv4/ip_forward
> then check NAT and MASQUERADE unconditionally
> I tested it with both states
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> /usr/libexec/ipsec/verify
>
> sub my_tunnelchecks {
>     open("dev", "/proc/net/dev");
>     if((grep !/(ipsec|lo:|Inter|packets)/, <dev>) > 1)
>     {
>         printfun "Two or more interfaces found, checking IP forwarding";
>         my ($data, $n);
>         open FILE, "/proc/sys/net/ipv4/ip_forward" or die $!;
>         $n = read FILE, $data, 1;
>         if($data == 1)
>         {
>             errchk "1";
>         }
>         else
>         {
>             $reterr = 1;
>             errchk "0";
>         }
>
>         printfun "Checking NAT and MASQUERADEing";
>         if( -e "/proc/net/ip_conntrack" )
>         {
>             run "iptables -t nat -L -n";
>             if(grep /(NAT|MASQ)/, @out)
>             {
>                 printf "\n";
>                 open("cat", "/proc/net/ipsec_eroute");
>                 foreach(grep /tun0x/, <cat>)
>                 {
>                     @eroute=split(' ',$_);
>                     checktunnel $eroute[1], $eroute[3], $eroute[5];
>                 }
>             }
>             else
>             {
>                 errchk "1";
>             }
>         }
>         else
>         {
>             errchk "","N/A";
>         }
>     }
> }
I'm not sure what this change is fixing? For me reporting the forward setting works fine.
If we only find one interface, we assume no NAT/MASQ is happening and skip checking it.
What is it that this patch fixes for you?
Paul
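The three checks the quoted my_tunnelchecks performs (count non-loopback, non-ipsec interfaces in /proc/net/dev, read the ip_forward flag, look for NAT/MASQUERADE targets in the nat table) can be reproduced outside the verify script to confirm what a host actually reports. The POSIX sh below is an added example written for this thread; it is not code from the Openswan project or from either poster. It takes the three inputs as file paths so it can be run against saved copies or constructed fixtures, and it omits the per-eroute checktunnel step, which depends on verify's own helpers.

```sh
#!/bin/sh
# Added example (not the Openswan ipsec verify script): the forwarding and
# NAT checks from the quoted Perl, as standalone sh functions that read
# their inputs from files passed as arguments.

# Count interface lines in a /proc/net/dev-style file, using the same
# exclusion pattern as verify (header lines, lo:, ipsec*). Prints the count.
count_forwarding_ifaces() {
  grep -v -E '(ipsec|lo:|Inter|packets)' "$1" | grep -c ':' || true
}

# Read an ip_forward-style flag file; prints 1 when forwarding is enabled,
# 0 for any other content or an unreadable file.
ip_forward_state() {
  state=$(cat "$1" 2>/dev/null || echo 0)
  case "$state" in
    1) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Succeeds (exit 0) if saved "iptables -t nat -L -n" output contains a
# NAT or MASQUERADE target, mirroring verify's /(NAT|MASQ)/ test.
has_nat_rules() {
  grep -q -E '(NAT|MASQ)' "$1"
}

# Run both checks. Returns 1 if forwarding is off on a multi-interface host,
# like verify's $reterr; NAT presence is reported but is not itself a failure.
verify_forwarding() {
  dev=$1; fwd=$2; nat=$3
  rc=0
  n=$(count_forwarding_ifaces "$dev")
  if [ "$n" -gt 1 ]; then
    if [ "$(ip_forward_state "$fwd")" = "1" ]; then
      echo "Two or more interfaces found, checking IP forwarding   [OK]"
    else
      echo "Two or more interfaces found, checking IP forwarding   [FAILED]"
      rc=1
    fi
  fi
  if has_nat_rules "$nat"; then
    # verify hands each tun0x eroute to checktunnel here; not reproduced.
    echo "Checking NAT and MASQUERADEing   [NAT/MASQ rules present, check tunnel subnets]"
  else
    echo "Checking NAT and MASQUERADEing   [OK]"
  fi
  return $rc
}

# Live run when three paths are supplied, e.g.:
#   iptables -t nat -L -n > /tmp/nat.txt
#   sh check.sh /proc/net/dev /proc/sys/net/ipv4/ip_forward /tmp/nat.txt
if [ "$#" -eq 3 ]; then
  verify_forwarding "$1" "$2" "$3"
fi
```

Because the inputs are plain files, the same functions can be pointed at /proc on a live host or at copies saved from a machine that reports "IP forwarding failed", which makes it easy to see whether the flag or the interface count is what verify is reacting to.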