[Vpn-help] Linux communications issues ...

lartc lartc at manchotnetworks.net
Fri Nov 28 02:32:32 CST 2008 

Hi Matthew,

Thanks for this fantastic study ... 

I actually am experiencing the same problem with a pfsense box running
1.0.1 (haven't been able to get to clients box to upgrade).

Is there a BSD equivalent to your finding ??

Cheers

Charles



On Thu, 2008-11-27 at 13:04 -0600, Matthew Grooms wrote:
> All,
> 
> I have been troubleshooting an issue on Linux which has been reported by 
> several people. The problem was difficult to identify since the client 
> can establish a connection and negotiate IPSec SAs, but return traffic 
> never makes it to the userland applications. For example, ping displays 
> the following stalled output ...
> 
> mgrooms at ubuntu8-64:~$ ping 10.1.2.100
> PING 10.1.2.100 (10.1.2.100) 56(84) bytes of data.
> 
> ... even though you can see response packets using tcpdump ...
> 
> mgrooms at ubuntu8-64:~$ sudo tcpdump -n icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:46:45.102547 IP 10.1.2.100 > 10.2.20.5: ICMP echo reply, id 32537, 
> seq 1, length 64
> 12:46:46.102905 IP 10.1.2.100 > 10.2.20.5: ICMP echo reply, id 32537, 
> seq 2, length 64
> 
> After a lot of tinkering, I was able to determine that the following 
> sysctl setting will cause the kernel to drop packets received on one 
> interface when the destination address is owned by another interface.
> 
> net.ipv4.conf.all.rp_filter
> 
> The documentation states the following ...
> 
> rp_filter - INTEGER
>          2 - do source validation by reversed path, as specified in RFC1812
>              Recommended option for single homed hosts and stub network
>              routers. Could cause troubles for complicated (not loop free)
>              networks running a slow unreliable protocol (sort of RIP),
>              or using static routes.
> 
>          1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
>              that look as sourced at a directly connected interface, but
>              were input from another interface.
> 
>          0 - No source validation.
> 
> For the client to work properly, this option value must be set to 0. 
> Making the value stick on some systems can be a bit challenging. For 
> example, the 8.10 Ubuntu host I used for testing has the following 
> references to this sysctl option under etc ...
> 
> mgrooms at ubuntu8-64:/etc$ grep -r rp_filter *
> sysctl.conf:#net.ipv4.conf.default.rp_filter=1
> sysctl.conf:#net.ipv4.conf.all.rp_filter=1
> sysctl.d/10-network-security.conf:net.ipv4.conf.default.rp_filter=1
> sysctl.d/10-network-security.conf:net.ipv4.conf.all.rp_filter=1
> ufw/sysctl.conf:net/ipv4/conf/all/rp_filter=1
> ufw/sysctl.conf:net/ipv4/conf/default/rp_filter=1
> 
> I'm not sure which one should be set under what circumstances, but I was 
> able to comment out all but the 10-network-security.conf line and set it 
> to 0. After rebooting the host, the sysctl values looked like this ...
> 
> mgrooms at ubuntu8-64:/etc$ sysctl -a | grep rp_filter | grep -v arp
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.lo.rp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.pan0.rp_filter = 0
> net.ipv4.conf.tap0.rp_filter = 0
> 
> And finally, everything works as expected using the VPN client ...
> 
> mgrooms at ubuntu8-64:/etc$ ping 10.1.2.100
> PING 10.1.2.100 (10.1.2.100) 56(84) bytes of data.
> 64 bytes from 10.1.2.100: icmp_seq=1 ttl=64 time=1.55 ms
> 64 bytes from 10.1.2.100: icmp_seq=2 ttl=64 time=0.873 ms
> 
> Hope this helps,
> 
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
-- 
"simplified chinese" is not nearly as easy as they would
have you believe ... a superlative oxymoron --anonymous

More information about the vpn-help mailing list