[Vpn-help] Linux communications issues ...

Matthew Grooms mgrooms at shrew.net
Thu Nov 27 13:04:32 CST 2008 

All,

I have been troubleshooting an issue on Linux which has been reported by 
several people. The problem was difficult to identify since the client 
can establish a connection and negotiate IPSec SAs, but return traffic 
never makes it to the userland applications. For example, ping displays 
the following stalled output ...

mgrooms at ubuntu8-64:~$ ping 10.1.2.100
PING 10.1.2.100 (10.1.2.100) 56(84) bytes of data.

... even though you can see response packets using tcpdump ...

mgrooms at ubuntu8-64:~$ sudo tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:46:45.102547 IP 10.1.2.100 > 10.2.20.5: ICMP echo reply, id 32537, 
seq 1, length 64
12:46:46.102905 IP 10.1.2.100 > 10.2.20.5: ICMP echo reply, id 32537, 
seq 2, length 64

After a lot of tinkering, I was able to determine that the following 
sysctl setting will cause the kernel to drop packets received on one 
interface when the destination address is owned by another interface.

net.ipv4.conf.all.rp_filter

The documentation states the following ...

rp_filter - INTEGER
         2 - do source validation by reversed path, as specified in RFC1812
             Recommended option for single homed hosts and stub network
             routers. Could cause troubles for complicated (not loop free)
             networks running a slow unreliable protocol (sort of RIP),
             or using static routes.

         1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
             that look as sourced at a directly connected interface, but
             were input from another interface.

         0 - No source validation.

For the client to work properly, this option value must be set to 0. 
Making the value stick on some systems can be a bit challenging. For 
example, the 8.10 Ubuntu host I used for testing has the following 
references to this sysctl option under etc ...

mgrooms at ubuntu8-64:/etc$ grep -r rp_filter *
sysctl.conf:#net.ipv4.conf.default.rp_filter=1
sysctl.conf:#net.ipv4.conf.all.rp_filter=1
sysctl.d/10-network-security.conf:net.ipv4.conf.default.rp_filter=1
sysctl.d/10-network-security.conf:net.ipv4.conf.all.rp_filter=1
ufw/sysctl.conf:net/ipv4/conf/all/rp_filter=1
ufw/sysctl.conf:net/ipv4/conf/default/rp_filter=1

I'm not sure which one should be set under what circumstances, but I was 
able to comment out all but the 10-network-security.conf line and set it 
to 0. After rebooting the host, the sysctl values looked like this ...

mgrooms at ubuntu8-64:/etc$ sysctl -a | grep rp_filter | grep -v arp
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.pan0.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0

And finally, everything works as expected using the VPN client ...

mgrooms at ubuntu8-64:/etc$ ping 10.1.2.100
PING 10.1.2.100 (10.1.2.100) 56(84) bytes of data.
64 bytes from 10.1.2.100: icmp_seq=1 ttl=64 time=1.55 ms
64 bytes from 10.1.2.100: icmp_seq=2 ttl=64 time=0.873 ms

Hope this helps,

-Matthew

More information about the vpn-help mailing list