[vpn-help] racoon & ike: Missing the last tiny bit ... [solved!]
Clemens Perz
cperz at gmx.net
Sun Mar 21 17:07:22 CDT 2010
Hi Matthew,
this was it! Exactly the missing link :))
I went into it a bit more and found out that having it working depends
on two settings:
sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.eth0.rp_filter=0
You can set that at runtime. If you want to configure it on system boot,
add a file /etc/sysctl.d/60-network-security.conf or edit
/etc/sysctl.conf, enabling these three lines
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
Obviously, it's a bit static - so putting it into a wrapper script and
handling the device having the default route would be the most flexible
solution.
Thanks again,
Clemens
Matthew Grooms wrote:
> On 3/19/2010 9:01 AM, Clemens Perz wrote:
>>
>> Hmm, but it is not the best solution. Because now all connections inside
>> the vpn are originating from my internal eth0 ip address, which might
>> change when I move between DHCP driven networks.
>>
>> Will need to get back to tap then. It seems that packages make it to
>> the kernel, but somehow do not arrive at the tap device. Does that make
>> sense to someone? Which screw do I have to turn to make it work?
>>
>
> Please have a look at this post.
>
> http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html
>
> -Matthew
>
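The wrapper script Clemens suggests above, as an added example that is not part of the original thread: it detects the interface holding the default route and emits the three rp_filter lines for it instead of hard-wiring eth0. The function names and the `apply` argument are my own; applying the settings needs root and the `ip`/`sysctl` binaries.

```shell
#!/bin/sh
# Added example, not from the vpn-help thread. rp_filter is the kernel's
# reverse-path (anti-spoofing) check, so the exemption is limited to the
# one interface that carries the default route rather than every device.

# Read "ip -4 route show default" output on stdin, print the device name.
# Reading stdin keeps the parser testable with constructed input.
default_route_dev() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit }
         }'
}

# Print the three sysctl lines from the post for the given device.
rp_filter_settings() {
    dev="$1"
    printf 'net.ipv4.conf.default.rp_filter=1\n'
    printf 'net.ipv4.conf.all.rp_filter=0\n'
    printf 'net.ipv4.conf.%s.rp_filter=0\n' "$dev"
}

# Apply at runtime (root required). Fails rather than guessing a device
# when no default route is present, e.g. before DHCP has finished.
apply_rp_filter() {
    dev="$(ip -4 route show default | default_route_dev)"
    if [ -z "$dev" ]; then
        echo "no IPv4 default route found, not touching rp_filter" >&2
        return 1
    fi
    rp_filter_settings "$dev" | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
}

# Run as "./rp_filter_wrapper.sh apply" to change the live settings;
# with no argument the script only defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_rp_filter
fi
```

Redirect `rp_filter_settings "$dev"` into /etc/sysctl.d/60-network-security.conf if you prefer the boot-time variant from the post, keeping in mind that the device name is then frozen at the time you wrote the file.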