[Openswan Users] Firewall rules for openswan behind NAT

Paul Wouters paul at nohats.ca
Thu Nov 21 17:08:56 UTC 2013

On Thu, 21 Nov 2013, Fred Weston wrote:

[ cut fred from reply, as it generates errors - guess he might see this
on the list itself ]

> Each openswan box does only have one interface.  On that interface it has a 10.x.x.x IP address which serves as both access to the local subnet as well as Internet access via 1:1 NAT to a public IP.

Then check your /etc/sysctl.conf settings to ensure they contain:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

The linux kernel with xfrm is known to do really stupid icmp redirects
when used with only a single interface.

Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/

More information about the Users mailing list