Koozali.org: home of the SME Server

SME 5.5u6 + FreeSwan

Paul F

Re: SME 5.5u6 + FreeSwan
« Reply #15 on: April 30, 2003, 08:21:34 PM »
Interesting. I have still to figure out how to modify the template to do this when FreeSwan starts. I'm sure you will notice that on a reboot it is set back to 1.

Also, I came back in this morning and the tunnels were down. With 5.1.2 I had tunnels up for weeks straight. So I will have to keep watch.

Thanks again for all your help!

Peter Schubert

Re: SME 5.5u6 + FreeSwan
« Reply #16 on: April 30, 2003, 09:08:11 PM »
Hmm .......

The template fragment for mask should do this:  

    # Turn off Source Address Verification (rp_filter) on every interface
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > "$f"
    done

Maybe try to insert this also in the ipsec-start script.

Paul F

Re: SME 5.5u6 + FreeSwan
« Reply #17 on: May 01, 2003, 02:08:56 AM »
Has anyone tried using this in a situation where one client is dynamic IP and using the hostname instead?

Thanks!

guestHH

Re: SME 5.5u6 + FreeSwan
« Reply #18 on: May 01, 2003, 12:51:42 PM »
Peter,

Don't know programming, but is it possible that 'echo 0 > $f' should be:
'echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter'

Just a thought...

Peter Schubert

Re: SME 5.5u6 + FreeSwan
« Reply #19 on: May 01, 2003, 02:03:14 PM »
No ....

try it out:

for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
    # $f already holds the full path; print the value before and after writing 0
    echo -n "Old value of $f is "
    cat "$f"
    echo 0 > "$f"
    echo -n "New value of $f is "
    cat "$f"
done

>
> Peter,
>
> Don't know programming, but is it possible that 'echo 0 > $f'
> should be:
> 'echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter'
>
> Just a thought...

guestHH

Re: SME 5.5u6 + FreeSwan
« Reply #20 on: May 01, 2003, 07:53:20 PM »
Ok Peter, that's clear. Thx.

Now I just rebooted my machine and rp_filter is back to 1. When I echo > 0 to the device it still remains 1...??

Anything I overlook?

TIA
Regards,
guestHH

Peter Schubert

Re: SME 5.5u6 + FreeSwan
« Reply #21 on: May 02, 2003, 03:04:10 PM »
I made an update to the source and added 2 new things:
update to /etc/sysctl.conf (to set rp_filter default to 0)
panel function to change the public ID (domain name or external IP)

You can download the new
devinfo-freeswan-1.99-8sme56.noarch.rpm
at
http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/

You only need devinfo-freeswan-1.99-8sme56.noarch.rpm, all other rpms are unchanged.

Good Luck
Peter
guestHH wrote:
>
> Ok Peter, that's clear. Thx.
>
> Now I just rebooted my machine and rp_filter is back to 1.
> When I echo > 0 to the device it still remains 1...??
>
> Anything I overlook?
>
> TIA
> Regards,
> RequestedDeletion
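
An added example, not part of the thread or of the devinfo-freeswan package: a check for the symptom discussed above (rp_filter going back to 1 after a reboot) that compares each live value with what /etc/sysctl.conf would apply at boot. The function names and the PROC_CONF and SYSCTL_CONF variables are hypothetical, sysctl.conf is assumed to use dotted keys with "=", and boot scripts that write rp_filter later (such as the template fragment mentioned earlier) are not inspected.

```shell
#!/bin/sh
# Added example, not from the thread. Compares each live rp_filter value with
# the value /etc/sysctl.conf would apply at boot, to spot settings that revert.
# PROC_CONF and SYSCTL_CONF are overridable so the check can run on fixtures.
PROC_CONF="${PROC_CONF:-/proc/sys/net/ipv4/conf}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Print the last value assigned to net.ipv4.conf.<name>.rp_filter in
# sysctl.conf, or nothing when no such line exists. Commented-out lines do not
# match because the pattern is anchored at the start of the line.
boot_value() {
    [ -r "$SYSCTL_CONF" ] || return 0
    sed -n "s|^[[:space:]]*net\.ipv4\.conf\.$1\.rp_filter[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*|\1|p" \
        "$SYSCTL_CONF" | tail -n 1
}

# One line per entry under conf/ (interfaces plus "all" and "default"):
#   <name> runtime=<n> boot=<n|unset> <ok|drift>
# "drift" means sysctl.conf will not reproduce the live value after a reboot.
audit_rp_filter() {
    for f in "$PROC_CONF"/*/rp_filter; do
        [ -r "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        runtime=$(cat "$f")
        boot=$(boot_value "$name")
        if [ "$boot" = "$runtime" ]; then verdict=ok; else verdict=drift; fi
        echo "$name runtime=$runtime boot=${boot:-unset} $verdict"
    done
}

# Number of entries whose live value is not backed by sysctl.conf.
drift_count() {
    audit_rp_filter | grep -c ' drift$' || true
}

# Audit the real system only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    audit_rp_filter
    [ "$(drift_count)" -eq 0 ]
fi
```

Invoked with the argument "run", the script prints the per-interface report and exits non-zero if any entry is marked drift.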

guestHH

Re: SME 5.5u6 + FreeSwan
« Reply #22 on: May 02, 2003, 05:32:52 PM »
Thanks Peter, I'll test it over the weekend.

btw:

I am trying to set up a VPN between two 5.6U4 servers, both behind an Alcatel ADSL modem. Yep, it's not working because the public IP on the modem is not the IP of the eth1 of the servers. The ADSL modems (Alcatel SpeedTouch) do NAT.

I read through the FreeS/WAN lists and it comes up a few times, but there is no real solution or procedure. And it's all highly technical...

Does anybody have some hints/tips?

TIA
Regards,
guestHH

guestHH

Re: SME 5.5u6 + FreeSwan
« Reply #23 on: May 06, 2003, 11:42:52 PM »
As promised Paul the feedback,

the latest dev-info adjustment makes 'rp_filter = 1' go away :-) Using 5.6U4.

Thx.

issue with sme -> xdsl modem -> Internet <- Xdsl modem <- sme remains...
Maybe a roadwarrior setup...?

Regards,
guestHH

Paul F

Re: SME 5.5u6 + FreeSwan
« Reply #24 on: August 26, 2003, 06:25:22 PM »
Thanks to Peter and RequestedDeletion for clearing this up!