[Cialug] IPSec Routing & Evil NETKEY

Nathan C. Smith nathan.smith at ipmvs.com
Sat Nov 20 22:37:44 CST 2010


I've not done this in Linux, only on firewalls (Juniper, pfSense), but usually you have to set a route to the subnet on the other side of the VPN through the local ipsec interface.  All the devices that are going to send traffic through the interface also need to know about the route too - that gets more complicated if the device with the VPN is not your gateway.


-----Original Message-----
From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
Sent: Saturday, November 20, 2010 10:33 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY

What kind of route do you speak of? My routing table has the internal subnet, external subnet, and the default gateway on the external side.

I've also tried a "ip rule" with the source as the 192.168.101.0/24 subnet and various default gateways, but no luck there either..

-Jon

----- Original Message -----
From: "Nathan C. Smith" <nathan.smith at ipmvs.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Saturday, November 20, 2010 10:20:46 PM
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY

And do you have a route set as well?

-----Original Message-----
From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
Sent: Saturday, November 20, 2010 9:43 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY

Yup... I've got the following in sysctl.conf:

net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0


----- Original Message -----
From: "Zachary Kotlarek" <zach at kotlarek.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Saturday, November 20, 2010 9:25:10 PM
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY


On Nov 20, 2010, at 9:10 PM, Jonathan C. Bailey wrote:

> Based on the captures I have, it seems that the traffic is being successfully decrypted on eth1, but then it just goes "nowhere". I can't seem to find *anything* that would indicate how to move this decrypted traffic out the correct interface, or do anything else with it..
> 
> Anyone have some thoughts on this? About to go bald from pulling my hair out...


Is IP forwarding enabled? I often forget that bit when first setting up a router.

	Zach


_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
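The two checks the thread converges on (Zach's "is forwarding on?" and Nathan's "is there a route to the far subnet?"), as an added diagnostic script that is not from the thread or any of its authors; it parses pasted sysctl and "ip route" text, and the sample addresses in it are constructed:

```sh
#!/bin/sh
# Added diagnostic (not from the thread): checks a sysctl listing for the
# forwarding/reverse-path settings and an "ip route" listing for a route to
# the far side. Inputs are strings, so it takes a pasted sysctl.conf or
# live output:  check_sysctl "$(sysctl -a 2>/dev/null)"
#               check_route "$(ip route)" 192.168.101.0/24
# sysctl_get TEXT KEY: print KEY's value. Accepts "k=v", "k = v", and several
# settings run together on one line (as in the pasted config).
sysctl_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" \
      | sed 's/[[:space:]]*=[[:space:]]*/=/g' \
      | tr -s ' \t' '\n\n' \
      | sed -n "s/^${key}=//p" | tail -n 1
}

# check_sysctl TEXT: 0 when forwarding and rp_filter suit a NETKEY gateway,
# otherwise print each problem and return 1.
check_sysctl() {
    rc=0
    [ "$(sysctl_get "$1" net.ipv4.ip_forward)" = 1 ] \
      || { echo "ip_forward is not 1: decrypted packets for other hosts are dropped"; rc=1; }
    # "default.*" only seeds interfaces created afterwards; a live interface
    # uses max(conf.all.rp_filter, conf.<if>.rp_filter), so "all" must be 0 too.
    all=$(sysctl_get "$1" net.ipv4.conf.all.rp_filter)
    [ "$all" = 0 ] \
      || { echo "conf.all.rp_filter is '${all:-unset}': strict check may drop decrypted packets"; rc=1; }
    return $rc
}

# check_route ROUTES SUBNET: 0 if some "ip route" line starts with SUBNET.
check_route() {
    subnet=$(printf '%s' "$2" | sed 's/\./\\./g')
    if printf '%s\n' "$1" | grep -q "^${subnet} "; then
        echo "route to $2 present"; return 0
    fi
    echo "no route to $2 in this table"; return 1
}

# Constructed samples: the sysctl lines from the thread, plus a routing table
# with no entry for the far-side subnet (addresses made up).
SAMPLE_SYSCTL='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0'
SAMPLE_ROUTES='default via 203.0.113.1 dev eth1
203.0.113.0/24 dev eth1 scope link
192.168.1.0/24 dev eth0 scope link'

check_sysctl "$SAMPLE_SYSCTL" || echo "-> fix the items above"
check_route "$SAMPLE_ROUTES" 192.168.101.0/24 || true
```

On the pasted config the script flags only conf.all.rp_filter, since default.rp_filter=0 does not change an interface that already exists.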