[Openswan Users] Solution to ipsec verify reports "IP forwarding failed"
Nick Howitt
n1ck.h0w1tt at gmail.com
Thu Nov 3 14:41:16 EDT 2011
Paul,
I have mentioned a problem with ipsec verify before to you where it
showed for me that it failed the forwarding check even though
/proc/sys/net/ipv4/ip_forward was set to 1. You told me not to worry
about it. This is the response I get from the vanilla ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K2.6.18-194.8.1.v5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
and with Steve's modified one I get:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K2.6.18-194.8.1.v5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
So it seems that Steve's version correctly reports IP forwarding whereas
the vanilla one does not.
Regards,
Nick
On 03/11/2011 13:49, Paul Wouters wrote:
> On Wed, 2 Nov 2011, steve delaney wrote:
>
>> Referencing the thread starting here:
>>
>> Steve Zeng SteveZ at airg.com
>> Mon May 31 17:24:47 EDT 2010
>>
>> I ran across the same thing using openswan on:
>> FC12, upgraded to 2.6.32.26
>> perl --version
>> This is perl, v5.10.0 built for i386-linux-thread-multi
>> # ipsec --version
>> Linux Openswan U2.6.29/K2.6.32.26-175.fc12.i686 (netkey)
>>
>>
>> I made a simple change that seems to fix the problem
>> to correctly report status of /proc/sys/net/ipv4/ip_forward
>> then check NAT and MASQUERADE unconditionally
>> I tested it with both states
>>
>> echo 0 > /proc/sys/net/ipv4/ip_forward
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>>
>> /usr/libexec/ipsec/verify
>>
>> sub my_tunnelchecks {
>>     open("dev", "/proc/net/dev");
>>     if((grep !/(ipsec|lo:|Inter|packets)/,<dev>)> 1)
>>     {
>>         printfun "Two or more interfaces found, checking IP forwarding";
>>         my ($data, $n);
>>         open FILE, "/proc/sys/net/ipv4/ip_forward" or die $!;
>>         $n = read FILE, $data, 1;
>>         if($data == 1)
>>         {
>>             errchk "1";
>>         }
>>         else
>>         {
>>             $reterr = 1;
>>             errchk "0";
>>         }
>>
>>         printfun "Checking NAT and MASQUERADEing";
>>         if( -e "/proc/net/ip_conntrack" )
>>         {
>>             run "iptables -t nat -L -n";
>>             if(grep /(NAT|MASQ)/, @out)
>>             {
>>                 printf "\n";
>>                 open("cat", "/proc/net/ipsec_eroute");
>>                 foreach(grep /tun0x/,<cat>)
>>                 {
>>                     @eroute=split(' ',$_);
>>                     checktunnel $eroute[1], $eroute[3], $eroute[5];
>>                 }
>>             }
>>             else
>>             {
>>                 errchk "1";
>>             }
>>         }
>>         else
>>         {
>>             errchk "","N/A";
>>         }
>>     }
>> }
>
> I'm not sure what this change is fixing? For me reporting the forward setting works fine.
> If we only find one interface, we assume no NAT/MASQ is happening and skip checking it.
>
> What is it that this patch fixes for you?
>
> Paul
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
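The checks in the quoted my_tunnelchecks() subroutine, redone as a stand-alone shell script (an added example, not code from the thread or from Openswan): the interface count, the direct read of /proc/sys/net/ipv4/ip_forward and the NAT/MASQUERADE grep take file paths as arguments, and the /proc/net/dev listing, ip_forward values and iptables output it runs against are constructed samples, so it can be run offline and compared with what verify prints.

```shell
# Added example (not the Openswan verify script): the forwarding and NAT checks
# from the posted my_tunnelchecks() in POSIX shell, with file paths as arguments.

# Interfaces in a /proc/net/dev listing, minus the header lines, lo and ipsecN.
count_ifaces() {
    grep -v -E '(ipsec|lo:|Inter|packets)' "$1" | wc -l | tr -d ' '
}

# OK when the first byte of the ip_forward proc file is "1", FAILED otherwise
# (one byte, as the Perl's read FILE, $data, 1; a missing file also FAILs).
forward_status() {
    if [ "$(dd if="$1" bs=1 count=1 2>/dev/null)" = "1" ]; then echo OK; else echo FAILED; fi
}

# OK when a saved `iptables -t nat -L -n` listing contains a NAT/MASQ target.
nat_status() {
    if grep -q -E '(NAT|MASQ)' "$1"; then echo OK; else echo FAILED; fi
}

# Same flow as the fixed subroutine: both checks run only with two or more
# interfaces, and the NAT check no longer depends on the ip_forward result.
tunnelchecks() {
    if [ "$(count_ifaces "$1")" -gt 1 ]; then
        printf 'Two or more interfaces found, checking IP forwarding [%s]\n' \
            "$(forward_status "$2")"
        printf 'Checking NAT and MASQUERADEing [%s]\n' "$(nat_status "$3")"
    fi
}

# Constructed sample inputs (not captured from a real host), written into DIR.
make_samples() {
    cat > "$1/dev" <<'EOF'
Inter-|   Receive                                      |  Transmit
 face |bytes    packets errs drop fifo frame compressed|bytes    packets errs
    lo:    1234      10    0    0    0     0          0     1234      10    0
  eth0:  567890    4321    0    0    0     0          0   123456    2345    0
  eth1:   12345     123    0    0    0     0          0    54321     321    0
EOF
    echo 1 > "$1/fwd_on"
    echo 0 > "$1/fwd_off"
    cat > "$1/nat" <<'EOF'
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0
EOF
}
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
tunnelchecks "$SAMPLES/dev" "$SAMPLES/fwd_on" "$SAMPLES/nat"
```

Point the first two arguments at /proc/net/dev and /proc/sys/net/ipv4/ip_forward, and the third at a file holding the output of `iptables -t nat -L -n`, to run the same checks against a live host.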