[Vpn-help] Linux communications issues ...

Matthew Grooms mgrooms at shrew.net
Thu Nov 27 13:04:32 CST 2008


I have been troubleshooting an issue on Linux which has been reported by 
several people. The problem was difficult to identify since the client 
can establish a connection and negotiate IPSec SAs, but return traffic 
never makes it to the userland applications. For example, ping displays 
the following stalled output ...

mgrooms at ubuntu8-64:~$ ping
PING ( 56(84) bytes of data.

... even though you can see response packets using tcpdump ...

mgrooms at ubuntu8-64:~$ sudo tcpdump -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:46:45.102547 IP > ICMP echo reply, id 32537, 
seq 1, length 64
12:46:46.102905 IP > ICMP echo reply, id 32537, 
seq 2, length 64

After a lot of tinkering, I was able to determine that the following 
sysctl setting will cause the kernel to drop packets received on one 
interface when the destination address is owned by another interface.


The documentation states the following ...

rp_filter - INTEGER
         2 - do source validation by reversed path, as specified in RFC1812
             Recommended option for single homed hosts and stub network
             routers. Could cause troubles for complicated (not loop free)
             networks running a slow unreliable protocol (sort of RIP),
             or using static routes.

         1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
             that look as sourced at a directly connected interface, but
             were input from another interface.

         0 - No source validation.

For the client to work properly, this option value must be set to 0. 
Making the value stick on some systems can be a bit challenging. For 
example, the 8.10 Ubuntu host I used for testing has the following 
references to this sysctl option under etc ...

mgrooms at ubuntu8-64:/etc$ grep -r rp_filter *

I'm not sure which one should be set under what circumstances, but I was 
able to comment out all but the 10-network-security.conf line and set it 
to 0. After rebooting the host, the sysctl values looked like this ...

mgrooms at ubuntu8-64:/etc$ sysctl -a | grep rp_filter | grep -v arp
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.pan0.rp_filter = 0
net.ipv4.conf.tap0.rp_filter = 0

And finally, everything works as expected using the VPN client ...

mgrooms at ubuntu8-64:/etc$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.55 ms
64 bytes from icmp_seq=2 ttl=64 time=0.873 ms

Hope this helps,
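An added example (not part of the original post, and not Shrew Soft code) that audits the `sysctl -a | grep rp_filter` output shown above. It assumes the documented kernel rule that the effective rp_filter for an interface is the higher of `net.ipv4.conf.all.rp_filter` and the per-interface value, so a host can still drop the tunnel's return traffic when `all` is 0 but `eth0` keeps its default of 1; the sample output is constructed to show exactly that case.

```shell
#!/bin/sh
# Audit rp_filter: find interfaces whose effective value is non-zero.
# Assumption (documented kernel behaviour): effective value for <if> is
# max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<if>.rp_filter).

# Constructed sample of "sysctl -a | grep rp_filter | grep -v arp" on a host
# where "all" was set to 0 but eth0 still carries the default of 1.
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.tap0.rp_filter = 0'

# live_rp_filter: read the real values from the running kernel
live_rp_filter() {
    sysctl -a 2>/dev/null | grep rp_filter | grep -v arp
}

# effective_rp_filter <interface> [sysctl-output]
# Prints the effective rp_filter value for the interface.
effective_rp_filter() {
    iface=$1
    input=${2:-$(live_rp_filter)}
    all=$(printf '%s\n' "$input" | awk -v k="net.ipv4.conf.all.rp_filter" '$1 == k { print $3 }')
    dev=$(printf '%s\n' "$input" | awk -v k="net.ipv4.conf.$iface.rp_filter" '$1 == k { print $3 }')
    all=${all:-0}; dev=${dev:-0}
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# interfaces_filtering [sysctl-output]
# Lists (sorted) every interface whose effective rp_filter is non-zero,
# i.e. every interface on which the VPN's return traffic could be dropped.
interfaces_filtering() {
    input=${1:-$(live_rp_filter)}
    printf '%s\n' "$input" | awk '
        $1 ~ /^net\.ipv4\.conf\./ { split($1, p, "."); v[p[4]] = $3 + 0 }
        END {
            for (i in v) {
                if (i == "all" || i == "default") continue
                eff = (v[i] > v["all"]) ? v[i] : v["all"]
                if (eff > 0) print i
            }
        }' | sort
}
```

Run `interfaces_filtering` with no argument to check the live host; an empty result means every interface is at the value the client needs.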